SmartCardHSM problems with imported key


SmartCardHSM problems with imported key

PASZTOR Miklos

 Hi,

 I have a Cardcontact (SmartCardHSM) token. I try to use it with opensc
 obtained from github (a399905d234d3d6d2a9aa8501a4c8ba1224c6b31).

 I am able to initialize the token, and I can transfer a privkey to it:

pkcs11-tool --module /usr/local/lib/opensc-pkcs11.so -l --pin 123456 -w 1234.der -y privkey -d 1234 -a 1234

 The key appears on the token as expected. I see it with -O:

Using slot 1 with a present token (0x1)
Private Key Object; RSA
  label:      1234
  ID:         1234
  Usage:      sign


 However this is pretty much the only thing I can do with the key.

 1. I can't delete the key:

pkcs11-tool --module /usr/local/lib/opensc-pkcs11.so -l --pin 123456 -b -d 1234 -y privkey
Using slot 1 with a present token (0x1)
error: PKCS11 function C_DestroyObject() failed: rv = CKR_GENERAL_ERROR (0x5)

Aborting.

 2. I cannot sign with the key:

pkcs11-tool --module /usr/local/lib/opensc-pkcs11.so -l --pin 123456 -s -m RSA-PKCS -d 1234 --input-file /etc/issue --output-file /tmp/56
Using slot 1 with a present token (0x1)
Using signature algorithm RSA-PKCS
error: PKCS11 function C_SignFinal failed: rv = CKR_DATA_INVALID (0x20)

Aborting.

 3. I can't use this key with OpenDnssec.

 4. I can't write another key to the token so that this key does not
 disappear. It seems that if I write another key to the token, it
 *replaces* the first (-d 1234) key.

 Note that keys *generated* (pkcs11-tool -k) do not seem to have these
 problems.  I also have success with an Aladdin token: the commands with
 imported keys above work fine. So apparently the problem is SmartCardHSM
 related. I tried several versions of pcscd, operating systems to no avail.

 Please help. Thanks in advance,
 Miklós
--

------------------------------------------------------------------------------
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel
Re: SmartCardHSM problems with imported key

Douglas E Engert

On 3/31/2014 9:43 AM, PASZTOR Miklos wrote:

>   Hi,
>
>   I have a Cardcontact (SmartCardHSM) token. I try to use it with opensc
>   obtained from github (a399905d234d3d6d2a9aa8501a4c8ba1224c6b31).
>
>   I am able to initialize the token, and I can transfer a privkey to it:
>
> pkcs11-tool --module /usr/local/lib/opensc-pkcs11.so -l --pin 123456 -w 1234.der -y privkey -d 1234 -a 1234
>
>   The key appears on the token as expected. I see it with -O:
>
> Using slot 1 with a present token (0x1)
> Private Key Object; RSA
>    label:      1234
>    ID:         1234
>    Usage:      sign

Are you sure you can use PKCS#11 to write a private key to the hsm?
The fix may be that it is not supported.

https://github.com/OpenSC/OpenSC/wiki/SmartCardHSM#init

talks about using pkcs11-tool to generate a key on the card, write data and cert objects, but not private keys.
It does provide for exporting a generated key, using a DKEK, for backup, restore and escrow, but uses the sc-hsm-tool.


>
>   However this is pretty much the only thing I can do with the key.
>
>   1. I can't delete the key:
>
> pkcs11-tool --module /usr/local/lib/opensc-pkcs11.so -l --pin 123456 -b -d 1234 -y privkey
> Using slot 1 with a present token (0x1)
> error: PKCS11 function C_DestroyObject() failed: rv = CKR_GENERAL_ERROR (0x5)
>
> Aborting.
>
>   2. I cannot sign with the key:
>
> pkcs11-tool --module /usr/local/lib/opensc-pkcs11.so -l --pin 123456 -s -m RSA-PKCS -d 1234 --input-file /etc/issue --output-file /tmp/56
> Using slot 1 with a present token (0x1)
> Using signature algorithm RSA-PKCS
> error: PKCS11 function C_SignFinal failed: rv = CKR_DATA_INVALID (0x20)
>
> Aborting.
>
>   3. I can't use this key with OpenDnssec.
>
>   4. I can't write another key to the token so that this key does not
>   disappear. It seems that if I write another key to the token, it
>   *replaces* the first (-d 1234) key.
>
>   Note that keys *generated* (pkcs11-tool -k) do not seem to have these
>   problems.  I also have success with an Aladdin token: the commands with
>   imported keys above work fine. So apparently the problem is SmartCardHSM
>   related. I tried several versions of pcscd, operating systems to no avail.
>
>   Please help. Thanks in advance,
>   Miklós
> --
>

--

  Douglas E. Engert  <[hidden email]>
 



Re: SmartCardHSM problems with imported key

Andreas Schwier (ML)
Hi Miklós,

Douglas is right, the SmartCard-HSM does not allow a plain key import.
The recommended way is to generate the key in the SmartCard-HSM and - if
required - export/import the key under the Device Key Encryption Key.

This has been done to ensure the randomness of private keys. The
SmartCard-HSM uses the internal random number generator which has been
CC-certified (AIS31-K3/DRNG2 Level).

Andreas



On 03/31/2014 06:22 PM, Douglas E Engert wrote:


Re: SmartCardHSM problems with imported key

PASZTOR Miklos
On 14-04-01 11:44, Andreas Schwier wrote:
> Hi Miklós,
>
> Douglas is right, the SmartCard-HSM does not allow a plain key import.
> The recommended way is to generate the key in the SmartCard-HSM and - if
> required - export/import the key under the Device Key Encryption Key.

 I am really surprised. I thought that 'pkcs11 support' implies that
 C_CreateObject and C_DestroyObject should work with RSA keys. It is
 also strange that key import *seems* to work. Besides,
 https://github.com/OpenSC/OpenSC/wiki/SmartCardHSM reads:

| Starting with version 0.13, the OpenSC driver has read/write support for
| RSA and ECC keys, certificates, public and private data objects.

 This seems to be an explicit statement about e.g. key import. Now I know
 that this means only DKEK backup and restore.

 Anyway thanks for your answer!

 Cheers,
 Miklós
--
P.S.: It would have saved me a week, if I knew this earlier. Sigh.

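The thread's outcome, as an added example that is not code from the thread or from OpenSC: instead of trusting that a key object shows up in `pkcs11-tool -O`, generate the key on the token (the path both replies recommend), prove it can sign by verifying the signature off-card, and back it up only under the DKEK with sc-hsm-tool. MODULE, PIN, KEY_ID and KEY_REF are placeholders; pkcs11-tool, sc-hsm-tool and openssl are assumed to be installed.

```shell
# Added example (not from the thread). Placeholders: MODULE, PIN, KEY_ID, KEY_REF.
MODULE="${MODULE:-/usr/local/lib/opensc-pkcs11.so}"
PIN="${PIN:-123456}"
KEY_ID="${KEY_ID:-1234}"

# Map the rv code in a pkcs11-tool error line to a short diagnosis.
# Pure text function, needs no hardware; unknown codes are echoed unchanged.
classify_rv() {
    rv=$(printf '%s\n' "$1" | sed -n 's/.*rv = \([A-Z_0-9]*\).*/\1/p')
    case "$rv" in
        CKR_DATA_INVALID)  echo "key object is not usable for this mechanism (imported-key symptom from the thread)" ;;
        CKR_GENERAL_ERROR) echo "token refused the operation (seen on C_DestroyObject of the imported key)" ;;
        "")                echo "no rv code found" ;;
        *)                 echo "$rv" ;;
    esac
}

# Generate the key pair on the token instead of importing one with -w.
generate_on_token() {
    pkcs11-tool --module "$MODULE" -l --pin "$PIN" -k --key-type rsa:2048 \
        -d "$KEY_ID" -a "key-$KEY_ID"
}

# Sign a probe message, read the public key off the token and verify the
# signature with OpenSSL. Returns 0 only when the whole round trip works;
# a key that is merely listed but cannot sign fails at the first step.
key_signs_ok() {
    tmp=$(mktemp -d); printf 'probe\n' > "$tmp/msg"
    if ! pkcs11-tool --module "$MODULE" -l --pin "$PIN" -s -m SHA256-RSA-PKCS \
            -d "$KEY_ID" --input-file "$tmp/msg" --output-file "$tmp/sig" 2>"$tmp/err"; then
        classify_rv "$(cat "$tmp/err")"; rm -rf "$tmp"; return 1
    fi
    pkcs11-tool --module "$MODULE" -r -y pubkey -d "$KEY_ID" -o "$tmp/pub.der" &&
    openssl rsa -pubin -inform DER -in "$tmp/pub.der" -out "$tmp/pub.pem" 2>/dev/null &&
    openssl dgst -sha256 -verify "$tmp/pub.pem" -signature "$tmp/sig" "$tmp/msg"
    rc=$?; rm -rf "$tmp"; return $rc
}

# Back up a generated key the supported way: wrap it under the DKEK.
# KEY_REF is the card's key reference, not the PKCS#11 ID (assumption).
backup_under_dkek() {
    sc-hsm-tool --wrap-key "$1" --key-reference "${KEY_REF:-1}" --pin "$PIN"
}
```

Run `generate_on_token && key_signs_ok && backup_under_dkek key.wrapped` against a real token; `classify_rv` can be exercised on saved error output without any hardware.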