Import Generic Key #2954
This will likely depend on the card driver. What card driver do you use? Or what PKCS#11 module do you use?
@Jakuje: in the example above, SoftHSM. But my ultimate goal is to use it with the OP-TEE PKCS#11 TA (same behaviour as for SoftHSM).
The PKCS11 generic secret has no algorithms. But it can be used as a seed for an AES key, for example, since it usually comes from a derive operation, where both parties will have the same secret. pkcs11-tool just shows how it can be created from a derive operation. In your case
@dengert sorry, I don't get your point: if I import the key as --key-type AES:32 I cannot use it for HMAC Sign/Verify:
If I create a GENERIC:32 within the PKCS11:
My goal is to import a Generic Key into PKCS#11 on different devices to allow HMAC Sign/Verify.
It looks like it works with So unless you can extract the key and write it to the second device, you are back to the original problem. Writing may only work with some modules and some devices. Search for: HMAC Sign/Verify with secret key. But the secret key needs to be in two places, on both parties: one to sign and the other to do the verify. But you could use a CKK_EC key and do CKM_ECDH1_DERIVE. Here each device has its own CKK_EC key. The derivation uses the private key on one device with the public key of the other (peer) to derive the same generic secret key, which you could use with HMAC Sign/Verify or use as an AES key. So each device needs only one private key.
It does not work. I gave the example with --key-type GENERIC:32 just to show that HMAC Sign/Verify is working in this case but doesn't work with an imported key. I would like to share the same key on multiple devices, so there is no way to do so unless I import the key. I would like to avoid key derivation as it doesn't fit my use case.
As I wrote, I use SoftHSM as the module.
The problem may be in pkcs11-tool or in SoftHSM trying to create a generic key on the device. The best way to see where the problem is is by using opensc-spy. It's a PKCS11 module that loads another PKCS11 module and logs the PKCS11 calls and responses. It can be used to load any PKCS11 module. See: https://github.com/OpenSC/OpenSC/wiki/Using-OpenSC#pkcs-11-spy If you use the OpenSC PKCS11 module, get a debug log too.
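As an added example (not code from this issue or from OpenSC), here is the derive-then-HMAC flow described in the comment above, with both devices modelled in pure Python: each side derives the same generic secret from its own private key and the peer's public key, then one side signs and the other verifies. The curve arithmetic, function names and sample message are constructed for illustration; a real token keeps the private scalar inside the device.

```python
"""Both sides of the CKM_ECDH1_DERIVE approach: each device keeps its own CKK_EC
private key and derives the same generic secret from the peer's public key.
P-256 arithmetic is inlined only to stay dependency-free (illustrative, not
constant-time); on a real token the private scalar never leaves the device."""
import hmac, hashlib, secrets
# NIST P-256 domain parameters
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (GX, GY)

def _add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None: return p2
    if p2 is None: return p1
    x1, y1 = p1; x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0: return None  # P + (-P) = infinity
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P  # doubling
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def _mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1: acc = _add(acc, pt)
        pt = _add(pt, pt); k >>= 1
    return acc

def gen_keypair():
    """One CKK_EC key pair per device: (private scalar, public point)."""
    d = secrets.randbelow(N - 1) + 1
    return d, _mul(d, G)

def ecdh1_derive(priv, peer_pub):
    """CKM_ECDH1_DERIVE with CKD_NULL: the derived CKK_GENERIC_SECRET is the
    raw x-coordinate of priv * peer_pub (32 bytes for P-256)."""
    return _mul(priv, peer_pub)[0].to_bytes(32, "big")

def hmac_sign(secret, msg):
    """CKM_SHA256_HMAC with the derived secret; the peer verifies the same way."""
    return hmac.new(secret, msg, hashlib.sha256).digest()

def hmac_verify(secret, msg, tag):
    return hmac.compare_digest(hmac_sign(secret, msg), tag)
```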
Here is a test script:
Here is the output:
It's weird that it looks for CKO_PRIVATE_KEY?! Shouldn't it be CKO_SECRET_KEY?
Yes it's. I built the HEAD of OpenSC and I get a different output:
I think that pkcs11-tool doesn't set CK_KEY_TYPE to CKK_GENERIC_SECRET.
With the following patch it's working:
It's a bug in pkcs11-tool; it needs to be improved to provide an option to import a GENERIC key, or the possibility to overwrite CK_KEY_TYPE for an AES key.
With this PR (#2955) it works as expected:
What is the proper way to import a Generic key that I want to use with HMAC Sign/Verify?
I tried this: