SC-HSM: Support for storing of ECDSA keys #3065
Comments
The OpenSC stack, in general, allows storing a private key the way you want it. In the case of SC-HSM, however, this has never been implemented. Honestly, I doubt that it would be possible to implement this for sc-hsm, because the import procedure is more complex, using a Device Key Encryption Key. Please see the Examples from
The Smart Card Shell has a mechanism to import RSA and EC keys into a SmartCard-HSM from a PKCS#12 container.
Thanks, I was hoping to do the import of P12 files from within a script. Has anyone tried to use scsh3 (non-GUI) with command line arguments to import a P12 file?
@CardContact Is this supported? If so, how? Is it documented?
One could write a small script that basically implements the P12 import from the importp12 plugin located in the keymanager/plugin directory of the Smart Card Shell installation. Arguments could be passed using environment variables (there is no concept of command line arguments in JavaScript).
Problem Description
I don't believe this is a bug but a decision to not support loading of pre-issued ECDSA keys onto a PKCS#12 (token). I see that sc_hsm_store_key() just has a noop and supports logging. It returns SC_ERROR_NOT_SUPPORTED. Earlier in opensc it seems that a known curve like those standardized by NIST (e.g. P-384) is recognized and the params are even fixed, but then it runs into this "not supported" error.
The impact of not supporting this is very broad and is most felt by people trying to improve security by using an HSM with ECDSA keys. In many cases, unfortunately, the keys already exist and so need to be stored onto the HSM via the above calls. The result is that people are being forced to use Java (e.g. the smartcard GUI) to load P12 objects onto their HSM. This really should be possible via the opensc stack.
Proposed Resolution
Just requesting that the support be added to opensc. I found a reference that blames GnuTLS for the lack of support, but they mention arbitrary curves. Why can't we have support for the standard NIST curves and other popular named curves (even if other curves are put off for a future release)? I believe this is the initial spot for the feature addition...
```c
/* pkcs15-sc-hsm.c: the card-specific 'store key' hook is a stub that only
 * logs the call and unconditionally reports SC_ERROR_NOT_SUPPORTED (-1408). */
static int sc_hsm_store_key(sc_profile_t *profile, sc_pkcs15_card_t *p15card,
                            sc_pkcs15_object_t *obj, sc_pkcs15_prkey_t *key)
{
	LOG_FUNC_CALLED(p15card->card->ctx);
	LOG_FUNC_RETURN(p15card->card->ctx, SC_ERROR_NOT_SUPPORTED);
}
```
Steps to reproduce
Initially the system needs a configured HSM (can be soft HSM but in my case i'm trying the Nitrokey HSM).
```shell
p11tool --provider <opensc-pkcs11.so path> --write --login --label --load_privkey --mark-private
```
Logs
```text
P:346340; T:0x140079684790592 17:59:27.216 [opensc-pkcs11] pkcs15-lib.c:775:sc_pkcs15init_finalize_profile: sc_pkcs15init_finalize_profile() returns 0
P:346340; T:0x140079684790592 17:59:27.216 [opensc-pkcs11] pkcs15-lib.c:776:sc_pkcs15init_finalize_profile: returning with: 0 (Success)
P:346340; T:0x140079684790592 17:59:27.216 [opensc-pkcs11] pkcs15-lib.c:458:sc_pkcs15init_set_p15card: called
P:346340; T:0x140079684790592 17:59:27.216 [opensc-pkcs11] pkcs15-lib.c:491:sc_pkcs15init_set_p15card: sc_pkcs15init_set_p15card() returns
P:346340; T:0x140079684790592 17:59:27.216 [opensc-pkcs11] pkcs15-pubkey.c:1517:sc_pkcs15_fix_ec_parameters: called
P:346340; T:0x140079684790592 17:59:27.216 [opensc-pkcs11] pkcs15-pubkey.c:1541:sc_pkcs15_fix_ec_parameters: Found known curve 'secp384r1'
P:346340; T:0x140079684790592 17:59:27.217 [opensc-pkcs11] pkcs15-pubkey.c:1547:sc_pkcs15_fix_ec_parameters: Curve name: 'secp384r1'
P:346340; T:0x140079684790592 17:59:27.217 [opensc-pkcs11] pkcs15-pubkey.c:1554:sc_pkcs15_fix_ec_parameters: Curve length 384
P:346340; T:0x140079684790592 17:59:27.217 [opensc-pkcs11] pkcs15-pubkey.c:1582:sc_pkcs15_fix_ec_parameters: returning with: 0 (Success)
P:346340; T:0x140079684790592 17:59:27.217 [opensc-pkcs11] pkcs15-lib.c:1770:sc_pkcs15init_store_private_key: called
P:346340; T:0x140079684790592 17:59:27.217 [opensc-pkcs11] pkcs15-lib.c:2691:prkey_bits: Private EC key length 384
P:346340; T:0x140079684790592 17:59:27.217 [opensc-pkcs11] pkcs15-lib.c:2521:check_key_compatibility: called
P:346340; T:0x140079684790592 17:59:27.217 [opensc-pkcs11] pkcs15-lib.c:2555:check_key_compatibility: returning with: 0 (Success)
P:346340; T:0x140079684790592 17:59:27.217 [opensc-pkcs11] pkcs15-lib.c:2755:sc_pkcs15init_select_intrinsic_id: called
P:346340; T:0x140079684790592 17:59:27.217 [opensc-pkcs11] pkcs15-lib.c:2764:sc_pkcs15init_select_intrinsic_id: returning with: 0 (Success)
P:346340; T:0x140079684790592 17:59:27.217 [opensc-pkcs11] pkcs15-lib.c:1234:sc_pkcs15init_init_prkdf: called
P:346340; T:0x140079684790592 17:59:27.217 [opensc-pkcs11] pkcs15-lib.c:2862:select_id: called
P:346340; T:0x140079684790592 17:59:27.217 [opensc-pkcs11] pkcs15-lib.c:2872:select_id: returning with: 0 (Success)
P:346340; T:0x140079684790592 17:59:27.217 [opensc-pkcs11] pkcs15-lib.c:2994:select_object_path: called
P:346340; T:0x140079684790592 17:59:27.217 [opensc-pkcs11] pkcs15-lib.c:3018:select_object_path: key-domain.private-key @e82b0601040181c31f0201:: (auth_id.len=1)
P:346340; T:0x140079684790592 17:59:27.217 [opensc-pkcs11] profile.c:687:sc_profile_instantiate_template: Template key-domain not found
P:346340; T:0x140079684790592 17:59:27.217 [opensc-pkcs11] pkcs15-lib.c:3031:select_object_path: get instance 0 of 'template-private-key'
P:346340; T:0x140079684790592 17:59:27.217 [opensc-pkcs11] profile.c:575:sc_profile_get_file_instance: called
P:346340; T:0x140079684790592 17:59:27.217 [opensc-pkcs11] profile.c:576:sc_profile_get_file_instance: try to get 'template-private-key' file instance
P:346340; T:0x140079684790592 17:59:27.217 [opensc-pkcs11] profile.c:579:sc_profile_get_file_instance: returning with: -1201 (File not found)
P:346340; T:0x140079684790592 17:59:27.217 [opensc-pkcs11] pkcs15-lib.c:3034:select_object_path: returning with: 0 (Success)
P:346340; T:0x140079684790592 17:59:27.217 [opensc-pkcs11] pkcs15-lib.c:1363:sc_pkcs15init_init_prkdf: returning with: 0 (Success)
P:346340; T:0x140079684790592 17:59:27.218 [opensc-pkcs11] pkcs15-lib.c:1202:sc_pkcs15init_encode_prvkey_content: called
P:346340; T:0x140079684790592 17:59:27.218 [opensc-pkcs11] pkcs15-lib.c:1214:sc_pkcs15init_encode_prvkey_content: returning with: 0 (Success)
P:346340; T:0x140079684790592 17:59:27.218 [opensc-pkcs11] pkcs15-lib.c:1474:_pkcd15init_set_aux_md_data: called
P:346340; T:0x140079684790592 17:59:27.218 [opensc-pkcs11] pkcs15-lib.c:1477:_pkcd15init_set_aux_md_data: returning with: 0 (Success)
P:346340; T:0x140079684790592 17:59:27.218 [opensc-pkcs11] pkcs15-sc-hsm.c:116:sc_hsm_create_key: called
P:346340; T:0x140079684790592 17:59:27.218 [opensc-pkcs11] pkcs15-sc-hsm.c:117:sc_hsm_create_key: returning with: 0 (Success)
P:346340; T:0x140079684790592 17:59:27.218 [opensc-pkcs11] pkcs15-sc-hsm.c:125:sc_hsm_store_key: called
P:346340; T:0x140079684790592 17:59:27.218 [opensc-pkcs11] pkcs15-sc-hsm.c:126:sc_hsm_store_key: returning with: -1408 (Not supported)
P:346340; T:0x140079684790592 17:59:27.218 [opensc-pkcs11] pkcs15-lib.c:1817:sc_pkcs15init_store_private_key: Card specific 'store key' failed: -1408 (Not supported)
P:346340; T:0x140079684790592 17:59:27.218 [opensc-pkcs11] pkcs15-lib.c:1842:sc_pkcs15init_store_private_key: returning with: -1408 (Not supported)
P:346340; T:0x140079684790592 17:59:27.218 [opensc-pkcs11] misc.c:71:sc_to_cryptoki_error_common: libopensc return value: -1408 (Not supported)
```
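The log above contains two negative return codes, and only one of them is the real cause of the failed import: the -1201 (File not found) from sc_profile_get_file_instance is absorbed by select_object_path, which still returns 0, whereas the -1408 from sc_hsm_store_key is carried up by sc_pkcs15init_store_private_key and all the way out to the PKCS#11 layer. The following Python script is an added example, not part of the issue or of the OpenSC code base; it parses the OpenSC debug line format shown above ("P:<pid>; T:<tid> <time> [<app>] <file>:<line>:<func>: <message>"), picks out the "returning with:" entries, and separates propagated failures (the next returning caller reports the same code) from swallowed ones (the next returning caller reports success). The embedded sample is a subset of the log lines from this issue; the "propagates to the next returning caller" heuristic is the script's own assumption about OpenSC's LOG_FUNC_RETURN convention, not something the page states.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# OpenSC debug line: "P:<pid>; T:<tid> <time> [<app>] <file>:<line>:<func>: <message>"
LOG_RE = re.compile(
    r"^P:(?P<pid>\d+); T:(?P<tid>0x[0-9a-fA-F]+) (?P<time>\d{2}:\d{2}:\d{2}\.\d+) "
    r"\[(?P<app>[^\]]+)\] (?P<file>[^:\s]+):(?P<line>\d+):(?P<func>[^:]+): (?P<msg>.*)$"
)
# LOG_FUNC_RETURN emits "returning with: <code> (<text>)"; other "returns" wording is ignored.
RET_RE = re.compile(r"returning with: (?P<code>-?\d+) \((?P<text>[^)]*)\)")


@dataclass
class Entry:
    file: str
    line: int
    func: str
    msg: str
    rc: Optional[int] = None       # return code when this is a "returning with" line
    rc_text: Optional[str] = None  # OpenSC's textual name for that code


def parse_line(raw: str) -> Optional[Entry]:
    """Parse one debug line; returns None for lines not in the OpenSC format."""
    m = LOG_RE.match(raw.strip())
    if not m:
        return None
    entry = Entry(m["file"], int(m["line"]), m["func"], m["msg"])
    r = RET_RE.search(m["msg"])
    if r:
        entry.rc = int(r["code"])
        entry.rc_text = r["text"]
    return entry


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


def classify_failures(entries: List[Entry]) -> Tuple[List[Entry], List[Entry]]:
    """Split negative return codes into root causes and swallowed failures.

    Assumption (heuristic): a negative code whose next "returning with" line reports
    success was handled by the caller; otherwise the code propagates, and the first
    function reporting it is the root cause.
    """
    returns = [e for e in entries if e.rc is not None]
    root, swallowed, seen = [], [], set()
    for i, e in enumerate(returns):
        if e.rc >= 0:
            continue
        nxt = returns[i + 1] if i + 1 < len(returns) else None
        if nxt is not None and nxt.rc >= 0:
            swallowed.append(e)
        elif e.rc not in seen:
            root.append(e)
        seen.add(e.rc)
    return root, swallowed


# Constructed sample: a subset of the debug lines quoted in this issue.
SAMPLE_LOG = """\
P:346340; T:0x140079684790592 17:59:27.217 [opensc-pkcs11] pkcs15-pubkey.c:1582:sc_pkcs15_fix_ec_parameters: returning with: 0 (Success)
P:346340; T:0x140079684790592 17:59:27.217 [opensc-pkcs11] profile.c:579:sc_profile_get_file_instance: returning with: -1201 (File not found)
P:346340; T:0x140079684790592 17:59:27.217 [opensc-pkcs11] pkcs15-lib.c:3034:select_object_path: returning with: 0 (Success)
P:346340; T:0x140079684790592 17:59:27.218 [opensc-pkcs11] pkcs15-sc-hsm.c:117:sc_hsm_create_key: returning with: 0 (Success)
P:346340; T:0x140079684790592 17:59:27.218 [opensc-pkcs11] pkcs15-sc-hsm.c:125:sc_hsm_store_key: called
P:346340; T:0x140079684790592 17:59:27.218 [opensc-pkcs11] pkcs15-sc-hsm.c:126:sc_hsm_store_key: returning with: -1408 (Not supported)
P:346340; T:0x140079684790592 17:59:27.218 [opensc-pkcs11] pkcs15-lib.c:1817:sc_pkcs15init_store_private_key: Card specific 'store key' failed: -1408 (Not supported)
P:346340; T:0x140079684790592 17:59:27.218 [opensc-pkcs11] pkcs15-lib.c:1842:sc_pkcs15init_store_private_key: returning with: -1408 (Not supported)
"""


def report(text: str) -> str:
    root, swallowed = classify_failures(parse_log(text))
    lines = [f"root cause: {e.func} at {e.file}:{e.line} -> {e.rc} ({e.rc_text})" for e in root]
    lines += [f"swallowed:  {e.func} at {e.file}:{e.line} -> {e.rc} ({e.rc_text})" for e in swallowed]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run against a full `opensc-pkcs11` debug log (debug level 3 or higher, as in the issue) the report points straight at the card-specific hook that rejected the operation, so a failed `p11tool --write` can be attributed to the driver stub rather than to the profile lookup noise that precedes it.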