Pkcs#11 异常：未找到带有序列号和标签的令牌

Posted 2023-02-22

【中文标题】Pkcs#11 异常：未找到带有序列号和标签的令牌

【英文标题】：Pkcs#11 exception: Token with serial and label was not found

【发布时间】：2019-12-19 06:57:20

【问题描述】：

我尝试使用@jariq (here) 的 Pkcs11Interop 和 Pkcs11Interop.PDF 扩展名来签署 pdf 文档。有时（并非总是如此），我收到一条异常消息：找不到带有序列号和标签的令牌，然后重试，没有抛出异常。请告诉我为什么。我的设备是 SafeNet Luna Network HSM，这是我的代码：

        Using pkcs11 As Pkcs11RsaSignature = New Pkcs11RsaSignature(LIBRARY_PATH, partitionSerial, partitionAlias, pin, privateKeyAlias, Nothing, Net.Pkcs11Interop.PDF.HashAlgorithm.SHA256)
            Dim signingCertificate As Byte() = pkcs11.GetSigningCertificate()
            Dim otherCertificates As List(Of Byte()) = pkcs11.GetAllCertificates()
            Dim certPath As ICollection(Of Org.BouncyCastle.X509.X509Certificate) = CertUtils.BuildCertPath(signingCertificate, otherCertificates)

            Using reader As New PdfReader(tempFile)
                Using os As New FileStream(absolutePath, FileMode.Create)
                    Using stamper = PdfStamper.CreateSignature(reader, os, ControlChars.NullChar)
                        appearance = stamper.SignatureAppearance
                        appearance.SignDate = IIf(signDate = Nothing, DateTime.Now, signDate)
                        appearance.SetVisibleSignature(New iTextSharp.text.Rectangle(380, 60, 560, 120), reader.NumberOfPages, "sign_name")
                        appearance.CertificationLevel = PdfSignatureAppearance.CERTIFIED_NO_CHANGES_ALLOWED
                        Dim bf As BaseFont = BaseFont.CreateFont("C:\Windows\Fonts\times.ttf", BaseFont.IDENTITY_H, BaseFont.EMBEDDED)
                        appearance.Layer2Font = New iTextSharp.text.Font(bf, 9, Font.NORMAL, iTextSharp.text.BaseColor.RED)
                        MakeSignature.SignDetached(appearance, pkcs11, certPath, Nothing, Nothing, Nothing, 0, CryptoStandard.CADES)
                    End Using
                End Using
            End Using
        End Using

【参考方案1】：

Pkcs11Interop 从您的 HSM 供应商提供的非托管 PKCS#11 库中请求插槽/令牌列表。然后它在该列表中搜索并查找与提供的序列/标签标准匹配的插槽/令牌。如果它说未找到此类令牌，​​则非托管 PKCS#11 库很可能没有返回此类插槽，您需要向 HSM 供应商寻求帮助。

如果您想检查是否是这种情况，您需要记录您的 PKCS#11 库的所有 PKCS#11 调用/响应。启用此类日志记录所需的确切步骤应包含在 PKCS#11 库供应商提供的文档中。或者，您可以使用PKCS11-LOGGER。