AES Key generation


#1

I am trying to generate an AES KEY using PKCS#11 and Nitrokey HSM
but I get an unsupported function error:

9: C_GenerateKey
2018-09-24 13:03:59.333
[in] hSession = 0xc11dc0
pMechanism->type=CKM_AES_KEY_GEN
[in] pTemplate[13]:
CKA_CLASS CKO_SECRET_KEY
CKA_KEY_TYPE CKK_AES
CKA_VALUE_LEN 00007ffff01c9468 / 8
00000000 20 00 00 00 00 00 00 00 …
CKA_LABEL 00007ffff01c9420 / 21
4F4B5620 31322E32 2048534D 20526F6F 74204B65 79
O K V . 1 2 . 2 . H S M . R o o t . K e y
CKA_ID 00007ffff01c9470 / 4
00000000 00 00 00 01 …
CKA_TOKEN True
CKA_PRIVATE True
CKA_SENSITIVE True
CKA_ENCRYPT True
CKA_DECRYPT True
CKA_WRAP True
CKA_UNWRAP True
CKA_EXTRACTABLE True
Returned: 84 CKR_FUNCTION_NOT_SUPPORTED

Is it unsupported from the PKCS#11 opensc-pkcs11.so library or
from the Nitrokey HSM?
Thanks
Paolo


#2

Hey,

the HSM only supports RSA and ECC, but not AES key generation.

Kind regards
Alex


#3

An “easy” way to identify what is supported could be done with opensc-tool --list-algorithms. - just in case you are looking for that information


#4

Unfortunately, this is not entirely true. The command will always only show the algorithms currently in use. Due to specifications of the internal card, the Nitrokey has no way to tell which algorithms are supported - no way other than trying them (the card will just reject them). Therefore, the OpenSC tool can not actually list all available algorithms.


#5

Yes, looks like

opensc-tool --list-algoriths

is showing “something” as possibilities, but not something real. It also doesn’t look like keys or algorithms, that have been used or are in use.

pkcs11-tool --list-mechanism

comes a bit closer, but also not ideal to find out what will work as the line for generating a ECDSA Keypair is not EC: instead it is EC: prime256v1

is there any cmd-line to find out the capabilities of the actual smart card ?


#6

This is a limitation by the card or it is better to say of the card’s specification. This is not possible at all. So it’s not a software problem.