WCF: HSM Modules and Signing of WCF Messages

I recently had to implement a solution where the RSA keys used to sign WCF messages were stored externally (not in the Windows Certificate Store).

The externally stored keys were not supposed to be extractable or exportable by any means from the security database where they were kept. The module storing the RSA keys also has the ability to sign or encrypt messages itself, so a private key can never be obtained from it (modules of this kind are also known as HSMs).

The solution I came up with uses a custom RSAPKCS1SignatureFormatter to do the actual signing of the message.
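As an added example (not the downloadable code from this post), this is the shape such a solution takes in C#: a signature formatter that forwards the hash to an assumed `IHsmClient.SignPkcs1` call (a hypothetical wrapper over the vendor's sign-by-key-handle API) and an `AsymmetricSecurityKey` WCF can use instead of a certificate with a locally held private key. Only the public half, exported from the HSM for verification, ever exists in the process; the algorithm and OID names are the standard .NET ones, everything else is an assumption.

```csharp
using System;
using System.IdentityModel.Tokens;
using System.Security.Cryptography;

// Hypothetical HSM client; a real one wraps the vendor API (PKCS#11, CNG KSP, ...).
public interface IHsmClient
{
    // The HSM signs the hash by key handle; private key material never leaves it.
    byte[] SignPkcs1(IntPtr keyHandle, byte[] hash, string hashOid);
}

// Formatter WCF calls to produce the ds:SignatureValue: it forwards the hash to the HSM.
public sealed class HsmPkcs1SignatureFormatter : AsymmetricSignatureFormatter
{
    private readonly IHsmClient _hsm;
    private readonly IntPtr _keyHandle;
    private string _hashOid = CryptoConfig.MapNameToOID("SHA1");   // "1.3.14.3.2.26"
    public HsmPkcs1SignatureFormatter(IHsmClient hsm, IntPtr keyHandle) { _hsm = hsm; _keyHandle = keyHandle; }
    // There is no in-process RSA object for the private half, so there is nothing to set.
    public override void SetKey(AsymmetricAlgorithm key) { }
    public override void SetHashAlgorithm(string strName) { _hashOid = CryptoConfig.MapNameToOID(strName); }
    public override byte[] CreateSignature(byte[] rgbHash)
    { if (rgbHash == null) throw new ArgumentNullException("rgbHash"); return _hsm.SignPkcs1(_keyHandle, rgbHash, _hashOid); }
}

// Security key handed to WCF: signing goes to the HSM, verification uses the exported public half.
public sealed class HsmRsaSecurityKey : AsymmetricSecurityKey
{
    private readonly IHsmClient _hsm;
    private readonly IntPtr _keyHandle;
    private readonly RSA _publicOnly;   // public parameters only, exported from the HSM
    public HsmRsaSecurityKey(IHsmClient hsm, IntPtr keyHandle, RSA publicOnly) { _hsm = hsm; _keyHandle = keyHandle; _publicOnly = publicOnly; }

    public override int KeySize { get { return _publicOnly.KeySize; } }
    public override bool HasPrivateKey() { return true; }   // the HSM holds it on our behalf
    public override AsymmetricSignatureFormatter GetSignatureFormatter(string algorithm)
    { return new HsmPkcs1SignatureFormatter(_hsm, _keyHandle); }
    public override AsymmetricSignatureDeformatter GetSignatureDeformatter(string algorithm)
    { var d = new RSAPKCS1SignatureDeformatter(_publicOnly); d.SetHashAlgorithm("SHA1"); return d; }
    public override HashAlgorithm GetHashAlgorithmForSignature(string algorithm) { return new SHA1Managed(); }
    // Only the public half can ever be handed out; a request for the private half is refused.
    public override AsymmetricAlgorithm GetAsymmetricAlgorithm(string algorithm, bool privateKey)
    { if (privateKey) throw new NotSupportedException("private key never leaves the HSM"); return _publicOnly; }
    public override bool IsSupportedAlgorithm(string algorithm) { return algorithm == SecurityAlgorithms.RsaSha1Signature; }
    public override bool IsAsymmetricAlgorithm(string algorithm) { return IsSupportedAlgorithm(algorithm); }
    public override bool IsSymmetricAlgorithm(string algorithm) { return false; }
    public override byte[] EncryptKey(string algorithm, byte[] keyData) { throw new NotSupportedException(); }
    public override byte[] DecryptKey(string algorithm, byte[] keyData) { throw new NotSupportedException(); }
}
```

Only RSA-SHA1 is handled here because that is the WCF default of the period; supporting RSA-SHA256 means mapping the extra algorithm URI in `IsSupportedAlgorithm` and returning the matching hash algorithm and OID.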

Download the code from here.

Enjoy!

2 Comments

  • Hello Javier,

    Thank you for your great solution. We are trying to implement it with our HSM, and we get the following error after selecting an HSM certificate:

    "The certificate ' OU=PrivateServer, O=ARX, , L=Petah Tikva, CN=Amit Dor' must have a private key. The process must have access rights for the private key."

    Can you please assist?

  • Hi Amit,
    Sounds like you are trying to use the public key for signing. You will need to use the HSM for signing, not try to retrieve the key from it. There should be a "sign" method in your HSM API that receives a Key Handle to your private key.

    What HSM interface are you using?
