Cannot delete imported private key from SmartCard-HSM


Cannot delete imported private key from SmartCard-HSM

Marek Szuba
Hello,

A while ago I tried to import several existing X.509 certificates and
their corresponding private keys into my SmartCard-HSM, using OpenSC-0.14.
It turned out that I could do that - which surprised me a bit because
later on I read on-line importing shouldn't work for this card - but
only for one certificate at a time, with each subsequent import
overwriting the previous one. I then decided that I'd rather have no
software-generated certificates on the card than have just one and
proceeded to delete the imported data, using pkcs11-tool. The cert and
the pubkey both went without trouble, however whenever I attempt to
delete the private key I get an error:

$ pkcs11-tool --module /usr/lib/opensc-pkcs11.so -l --delete-object
--type privkey --id 11ac7c18d526f536d80520d4c03b71f4923d4553
Using slot 1 with a present token (0x1)
Logging in to "SmartCard-HSM (UserPIN)".
Please enter User PIN:
error: PKCS11 function C_DestroyObject() failed: rv = CKR_GENERAL_ERROR
(0x5)

The same happens now with OpenSC-0.15.

Is there any way I could get rid of this key from the card without
reinitialising it?

Yours sincerely,
--
MS


------------------------------------------------------------------------------

_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel


Re: Cannot delete imported private key from SmartCard-HSM

Andreas Schwier (ML)
Hi Marek,

What does pkcs15-tool -D show?

In the SmartCard-HSM there is a file identifier for the key (0xCC00 +
keyid) and an EF with the PKCS#15 description of the key (0xC400 +
keyid). For a certificate related to the private key, an EF with 0xCE00
+ keyid is allocated. An unrelated certificate (i.e. a CA certificate)
is placed in 0xCA00 + index with the meta data in 0xC800 + index.

Data objects are placed in either 0xCF00 + index or 0xCD00 + index with
meta data in 0xC800 + index. The range 0xCF00 is used for data objects
that can be read always, 0xCD00 is used for data protected by the user PIN.

The code enumerates file identifiers and creates a key object for each
key in the range 0xCC01 to 0xCCFF with the meta data from the related EF
in the range 0xC401 to 0xC4FF. So if pkcs15-tool still shows the key,
then a key object and the meta data are present.

You can manually erase the key file and/or meta data file after PIN
verification using opensc-tool or a script for the Smart Card Shell.

Andreas


On 10/13/2015 12:33 PM, Marek Szuba wrote:

> Hello,
>
> A while ago I tried to import several existing X.509 certificates and
> their corresponding private keys into my SmartCard-HSM, using OpenSC-0.14.
> It turned out that I could do that - which surprised me a bit because
> later on I read on-line importing shouldn't work for this card - but
> only for one certificate at a time, with each subsequent import
> overwriting the previous one. I then decided that I'd rather have no
> software-generated certificates on the card than have just one and
> proceeded to delete the imported data, using pkcs11-tool. The cert and
> the pubkey both went without trouble, however whenever I attempt to
> delete the private key I get an error:
>
> $ pkcs11-tool --module /usr/lib/opensc-pkcs11.so -l --delete-object
> --type privkey --id 11ac7c18d526f536d80520d4c03b71f4923d4553
> Using slot 1 with a present token (0x1)
> Logging in to "SmartCard-HSM (UserPIN)".
> Please enter User PIN:
> error: PKCS11 function C_DestroyObject() failed: rv = CKR_GENERAL_ERROR
> (0x5)
>
> The same happens now with OpenSC-0.15.
>
> Is there any way I could get rid of this key from the card without
> reinitialising it?
>
> Yours sincerely,

--

    ---------    CardContact Software & System Consulting
   |.##> <##.|   Andreas Schwier
   |#       #|   Schülerweg 38
   |#       #|   32429 Minden, Germany
   |'##> <##'|   Phone +49 571 56149
    ---------    http://www.cardcontact.de
                 http://www.tscons.de
                 http://www.openscdp.org
                 http://www.smartcard-hsm.com


Re: Cannot delete imported private key from SmartCard-HSM

Marek Szuba
On 2015-10-19 11:30, Andreas Schwier wrote:

> What does pkcs15-tool -D show?
It shows a private-key object with the label I gave it during the import
attempt, key ref 0 and usage flags 0x4 (the import source had more) but
otherwise identical to the card-generated keys. Yes, including "native"
set to yes.

> You can manually erase the key file and/or meta data file after PIN
> verification using opensc-tool or a script for the Smart Card Shell.
I've just managed to delete 0xC400 using opensc-explorer (I did not know
how to do it using opensc-tool) and, as expected, the imported key has
disappeared from the pkcs15-tool -D output. Thanks! I couldn't delete
0xCC00 though, even if I verify the SO PIN instead of the user PIN I get
the "not allowed" error. Will the presence of a key object without the
corresponding metadata on the card cause problems in the future?

--
MS

Re: Cannot delete imported private key from SmartCard-HSM

Andreas Schwier (ML)
On 10/20/2015 11:54 AM, Marek Szuba wrote:
> On 2015-10-19 11:30, Andreas Schwier wrote:
> I've just managed to delete 0xC400 using opensc-explorer (I did not know
> how to do it using opensc-tool) and, as expected, the imported key has
> disappeared from the pkcs15-tool -D output. Thanks! I couldn't delete
> 0xCC00 though, even if I verify the SO PIN instead of the user PIN I get
> the "not allowed" error. Will the presence of a key object without the
> corresponding metadata on the card cause problems in the future?
The file identifier CC00 is reserved for the device authentication key
and can not be removed.

A key object without meta data is not a problem: The key will simply not
show up at the PKCS#11 interface.

The meta data is only required for the PKCS#11 module and is not used
internally in the device.



Re: Cannot delete imported private key from SmartCard-HSM

Marek Szuba
On 2015-10-20 12:04, Andreas Schwier wrote:

> The file identifier CC00 is reserved for the device authentication key
> and can not be removed.
Would this mean that the attempted import resulted in metadata of the
imported private key getting attached to the device-authentication key?

Either way, thanks for your help.

--
MS

Re: Cannot delete imported private key from SmartCard-HSM

Andreas Schwier (ML)
Yes, that caused the problem.

The code did not reject the key import but returned SC_SUCCESS when
writing the private key, thus the meta data was written for key id 0
(the device authentication key).

Andreas

On 10/20/2015 12:34 PM, Marek Szuba wrote:

> On 2015-10-20 12:04, Andreas Schwier wrote:
>
>> The file identifier CC00 is reserved for the device
>> authentication key and can not be removed.
> Would this mean that the attempted import resulted in metadata of
> the imported private key getting attached to the
> device-authentication key?
>
> Either way, thanks for your help.

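The thread contains two pieces of information worth putting side by side: the file-identifier layout Andreas gives in his first reply (key in 0xCC00 + keyid, its PKCS#15 meta data in 0xC400 + keyid, and so on, with keys enumerated over 0xCC01..0xCCFF), and the root cause in his last reply (the import path reported success without writing a key, so meta data was written for key id 0, the device authentication key whose file 0xCC00 cannot be deleted). The Python below is an added example written for this page; it is not OpenSC or CardContact code. It models the layout from the post over a constructed list of file identifiers (the card contents are an assumption, not Marek's actual card), reproduces the key enumeration, flags the stray 0xC400 state, and shows the kind of key-id allocation an import path would need so that it never writes meta data for id 0; that last function is an assumed fix, not the change that was made in OpenSC.

```python
"""Model of the SmartCard-HSM file-identifier layout described in the thread.

Added example, not OpenSC or CardContact code. The file-id ranges come from
Andreas Schwier's reply; the on-card file list below is constructed for the
example (assumption: two card-generated keys, one CA certificate, and the
stray 0xC400 meta data file that the failed import left behind).
"""

# Ranges taken from the post: base identifier + key id (or index).
KEY_BASE = 0xCC00           # private key object, 0xCC00 + keyid
KEY_META_BASE = 0xC400      # PKCS#15 description of the key, 0xC400 + keyid
KEY_CERT_BASE = 0xCE00      # certificate belonging to the key, 0xCE00 + keyid
CA_CERT_BASE = 0xCA00       # unrelated (e.g. CA) certificate, 0xCA00 + index
OBJ_META_BASE = 0xC800      # meta data for CA certs and data objects, 0xC800 + index
DATA_PUBLIC_BASE = 0xCF00   # data objects readable without PIN, 0xCF00 + index
DATA_PRIVATE_BASE = 0xCD00  # data objects protected by the user PIN, 0xCD00 + index

DEVICE_AUTH_KEY_ID = 0      # 0xCC00 is the device authentication key; never removable

_RANGES = {
    KEY_BASE: "key",
    KEY_META_BASE: "key-meta",
    KEY_CERT_BASE: "key-cert",
    CA_CERT_BASE: "ca-cert",
    OBJ_META_BASE: "obj-meta",
    DATA_PUBLIC_BASE: "data-public",
    DATA_PRIVATE_BASE: "data-private",
}


def classify_fid(fid):
    """Return (kind, index) for a 16-bit file identifier, or ("other", fid)."""
    kind = _RANGES.get(fid & 0xFF00)
    if kind is None:
        return ("other", fid)
    return (kind, fid & 0xFF)


def enumerate_key_objects(fids):
    """Mirror the enumeration described in the post: a key object is built for
    every key file in 0xCC01..0xCCFF that has a meta data file in 0xC401..0xC4FF.
    Returns the key ids in ascending order."""
    present = set(fids)
    return [
        kid for kid in range(1, 256)
        if KEY_BASE + kid in present and KEY_META_BASE + kid in present
    ]


def audit(fids):
    """Flag inconsistent states as (finding, fid) tuples.
    'key-without-meta' is harmless per the thread (the key simply does not show
    up at the PKCS#11 interface); 'meta-on-device-key' is the state the failed
    import produced: meta data for key id 0, whose key file 0xCC00 is reserved."""
    present = set(fids)
    findings = []
    if KEY_META_BASE + DEVICE_AUTH_KEY_ID in present:
        findings.append(("meta-on-device-key", KEY_META_BASE + DEVICE_AUTH_KEY_ID))
    for kid in range(1, 256):
        has_key = KEY_BASE + kid in present
        has_meta = KEY_META_BASE + kid in present
        if has_key and not has_meta:
            findings.append(("key-without-meta", KEY_BASE + kid))
        elif has_meta and not has_key:
            findings.append(("meta-without-key", KEY_META_BASE + kid))
    return findings


def deletable_for_cleanup(fid):
    """Whether removing this file is a sensible cleanup step for a stray key.
    Drawn from the thread: the meta data file (and a user key or its certificate)
    can be deleted after PIN verification; 0xCC00 never can."""
    kind, idx = classify_fid(fid)
    if kind == "key" and idx == DEVICE_AUTH_KEY_ID:
        return False
    return kind in ("key", "key-meta", "key-cert")


def allocate_key_id(fids):
    """Pick a key id for a new key. Never hands out id 0, which is what an
    import path must guarantee before it writes any meta data (assumed fix,
    modelled on the cause Andreas described, not OpenSC's actual change)."""
    present = set(fids)
    for kid in range(1, 256):
        if KEY_BASE + kid not in present and KEY_META_BASE + kid not in present:
            return kid
    raise RuntimeError("no free key id")


# Constructed file list (assumption): keys 1 and 2 with certificates, one CA
# certificate with its meta data, and the stray 0xC400 left by the import.
EXAMPLE_CARD = [
    0xCC00, 0xC400,
    0xCC01, 0xC401, 0xCE01,
    0xCC02, 0xC402, 0xCE02,
    0xCA00, 0xC800,
]

if __name__ == "__main__":
    print("key ids:", enumerate_key_objects(EXAMPLE_CARD))
    for finding in audit(EXAMPLE_CARD):
        print("%-22s %04X" % finding)
    print("next free key id:", allocate_key_id(EXAMPLE_CARD))
```

On the constructed card the audit reports only `meta-on-device-key C400`, which is the situation in the thread: deleting 0xC400 after PIN verification clears it, while 0xCC00 stays because it is the device authentication key, and a key file without meta data is not reported as a PKCS#11 object.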