Extract public key

Chesnet · January 9, 2026, 10:31am

Hello,

We generate EC key pairs using smart card shell like this:

function main() {
    card.reset(Card.RESET_COLD);
    var sc = new SmartCardHSM(card);
    assert(sc.queryUserPINStatus() != 0x6984, "SmartCard-HSM is not initialized");

    var pin = Dialog.prompt("Enter PIN code", "000000");
    sc.verifyUserPIN(new ByteString(pin, ASCII));

    var ks = new HSMKeyStore(sc);
    var keys = ks.enumerateKeys();
    if (keys.length != 0) {
        var erasekeys = Dialog.prompt("<html><p>The HSM is already initialised with somes keys:</p><p>- " + keys + ".</p><p>We need to erase all keys to continue.</p><p>Do you want to continue ?</p></html>");
        assert(erasekeys == "OK", "Impossible to continue, exit!");
        for (var i = 0; i < keys.length; i++) {
            print("Erasing '" + keys[i] + "'...");
            ks.deleteKey(keys[i]);
        }
    }
    
    var crypto = new Crypto();
    var dkek = new DKEK(crypto);
    dkek.importDKEKShare(km.inputDKEKShare());

    const prime256v1 = "1.2.840.10045.3.1.7";
    
    print("Creating 'root_of_trust_key' EC Key Pair...");
    ks.generateECCKeyPair("root_of_trust_key", prime256v1);
    
    print("Finish!");
}

main();

We need to extract the public key, with pkcs15-tool it doesn’t see any public key so we can’t extract them,

With pkcs11-tool i always get “Object not found” error

I have read this: HSM: is it possible to derive a public key from a RSA private key but unfortunately even creating a certificat seems to be impossible.

After some test i see that I have no issues to export a public key, when it is generated by pkcs11-tool like this :

$ pkcs11-tool \
  --module /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so \
  --login --pin 000000 \
  --keypairgen \
  --key-type EC:prime256v1 \
  --label "test1" \
  --id 08 \
  --usage-sign
Using slot 0 with a present token (0x0)
Logging in to "SmartCard-HSM (UserPIN)".
Please enter User PIN: 
Key pair generated:
Private Key Object; EC
  label:      test1
  ID:         08
  Usage:      sign, signRecover
  Access:     sensitive, always sensitive, never extractable, local
Public Key Object; EC  EC_POINT 256 bits
  EC_POINT:   0441043e58383ad8f3f54c0dd8c8abfcd795eb5b747c123d04faca938e8cdbbf04f98a54cbc63ff95f60d04c883436496fc99867e02982d6f9d5f1994aaad2e1145e94
  EC_PARAMS:  06082a8648ce3d030107 (OID 1.2.840.10045.3.1.7)
  label:      test1
  ID:         08
  Usage:      verify, verifyRecover
  Access:     none

but the important thing here is that when the key pair is generated by pkcs11-tool, the public key appear in pkcs11-tool or pkcs15-tool but not when it is created with the code that I linked before (smart card shell).

In our case we need initialise the HSM with smart card shell, did someone know why the public keys of key pairs generated by generateECCKeyPair are not exportable ?

sc-hsm · January 9, 2026, 1:50pm

ks.generateECCKeyPair() creates the key pair and returns the CVREQ containing the public key. You can either extract the public key here and submit it to the CA, retrieve and store the certificate or just write the request back into the SE using:

const label = "root_of_trust_key";
var req = ks.generateECCKeyPair(label, prime256v1);

print(req);

ks.storeEndEntityCertificate(label, req.getBytes());
print("Finish!");

Chesnet · January 9, 2026, 2:08pm

I was watching the cvc before your message and trying to export it (in order to re-import it from outside) without success. Your solution is better and works as expected !

Thanks you so much !