Hi! The Nitrokey 3A NFC advertises that it has secp256k1 support, but when you try and use it it says `Key length/algorithm not supported by card`. From the store page:

> Elliptic curves: NIST P-256, P-384, P-521 (secp256r1/prime256v1, secp384r1/prime384v1, secp521r1/prime521v1), Ed25519/Curve25519, Koblitz (192-256 bit), brainpoolP256r1, brainpoolP384r1, brainpoolP512r1

That 256-bit Koblitz curve is what I'm looking for. But when I try and import such a certificate with `pkcs15-init`, it doesn't work:
```
pkcs15-init \
  --delete-objects privkey,pubkey \
  --id 01 \
  --store-private-key secp256k1.p12 \
  --format pkcs12 \
  --auth-id 3 \
  --verify-pin \
  --pin 12345678
Using reader with a card: Nitrokey Nitrokey 3 [CCID/ICCD Interface] 00 00
NOTE: couldn't find privkey 01 to delete
NOTE: couldn't find pubkey 01 to delete
Deleted 0 objects
Importing 1 certificates:
  0: /C=US/ST=CA/L=Somewhere/O=Aquareum/CN=Cert Testing
Failed to store private key: Key length/algorithm not supported by card
```
By contrast, a `prime256v1` key works just fine:
```
pkcs15-init \
  --delete-objects privkey,pubkey \
  --id 03 \
  --store-private-key prime256v1.p12 \
  --format pkcs12 \
  --auth-id 3 \
  --verify-pin \
  --pin 12345678
Using reader with a card: Nitrokey Nitrokey 3 [CCID/ICCD Interface] 00 00
NOTE: couldn't find privkey 03 to delete
NOTE: couldn't find pubkey 03 to delete
Deleted 0 objects
Importing 1 certificates:
  0: /C=US/ST=CA/L=Somewhere/O=Aquareum/CN=Cert Testing

pkcs11-tool \
  --sign \
  -m ECDSA \
  --id 03 \
  --pin 123456 \
  -f openssl \
  --input-file data.txt.sha256 \
  --output-file data.txt.prime256v1.sig
Using slot 0 with a present token (0x0)
Using signature algorithm ECDSA

openssl pkeyutl \
  -verify \
  -in data.txt \
  -sigfile data.txt.prime256v1.sig \
  -inkey prime256v1-pub.pem \
  -pubin \
  -rawin
Signature Verified Successfully
```
How can I use an secp256k1 key?
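One check worth making before attributing the failure to the card is which named curve the key file actually declares. The block below is an added example (not code from the post, from Nitrokey or from OpenSC) that reads the namedCurve OID out of a DER-encoded EC private key, the format produced by `openssl pkcs12 -nodes -nocerts` followed by `openssl ec -outform DER`; the two sample keys are constructed skeletons with dummy scalars, and the curve table is limited to curves named on the store page.

```python
# namedCurve OIDs (SEC 2 / RFC 5480) for curves named on the Nitrokey 3 store page.
CURVES = {
    "1.3.132.0.10": "secp256k1",
    "1.2.840.10045.3.1.7": "prime256v1",
    "1.3.132.0.34": "secp384r1",
    "1.3.132.0.35": "secp521r1",
    "1.3.36.3.3.2.8.1.1.7": "brainpoolP256r1",
}

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the definite-length DER TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value):
    """OBJECT IDENTIFIER content octets -> dotted string (base-128 arcs)."""
    arcs, n = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(n))
            n = 0
    return ".".join(arcs)

def curve_of_ec_key(der):
    """Return (dotted_oid, curve_name_or_None) from an RFC 5915 ECPrivateKey."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE: pass raw DER, not PEM or a PKCS#12 bundle")
    pos = 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag == 0xA0:  # [0] parameters: namedCurve choice of ECParameters
            inner_tag, oid_bytes, _ = _read_tlv(value, 0)
            if inner_tag != 0x06:
                raise ValueError("explicit curve parameters, not a namedCurve OID")
            oid = decode_oid(oid_bytes)
            return oid, CURVES.get(oid)
    raise ValueError("no [0] parameters: the curve lives in the PKCS#8 wrapper")

# Constructed samples: ECPrivateKey skeletons with dummy scalars (not real keys).
SAMPLE_SECP256K1_DER = (bytes.fromhex("302e0201010420") + b"\x11" * 32
                        + bytes.fromhex("a00706052b8104000a"))
SAMPLE_PRIME256V1_DER = (bytes.fromhex("30310201010420") + b"\x22" * 32
                         + bytes.fromhex("a00c06082a8648ce3d030107"))
```

A key that reports `1.3.132.0.10` is genuinely secp256k1, so a rejection of that file is about the card or middleware, not the file.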