Hi, On Fri, May 28, 2021 at 1:44 PM Piotr Lobacz <piotr.lobacz@xxxxxxxxxxxx> wrote: > > Ok, i have found out that dotnet OpenSsl library has it's own code for verification is key private. For this it needs the whole data of private key from which this method: > > static int HasNoPrivateKey(RSA* rsa) > > which is in ./src/Native/Unix/System.Security.Cryptography.Native/pal_rsa.c of dotnet verifies occurence of all private parameters. Unfortunately from what i know private keys are not extractable from tokens because of CKA_EXTRACTABLE=false parameter. > > Correct me if i'm wrong but from what i know about openssl, when i'm switching to a closed engine the whole cryptography is being made by the engine module. I think that there should be some other method verifing if key is private. Maybe somebody could give me a hint? Its not verifying, but signing operation that is failing. This sounds like something wrong in the way you are using the dotnet interface or possibly a bug in (or limitation of) that implementation itself. Like its not meant to be used when keys are "external". I have no idea having never used C#. But you are right, when the private key is loaded through the pkcs11 engine the key is external (can stay non-extractable), and the signing operation gets delegated to the engine. Are you sure that the pkey returned by the ENGINE_get_private_key() and rsa handle generated from that pkey are valid? I see no error checks in your code unless dotnet will automatically trigger exceptions on error. You may get more relevant help in the dotnet community. Selva
