How to port keys and certificates from Nitrokey USB to SoftHSM token

Hi,

I am looking to move the keys and certificates from a Nitrokey USB to a SoftHSM token.
Can I get the steps for the process?

Regards
Abdul Moiz

Which Nitrokey do you mean? If this is Nitrokey HSM, do you have DKEK configured?

Yes, Nitrokey HSM; the DKEK share pbe is configured.

You could use the DKEK class in the Smart Card Shell (located in scsh/sc-hsm/DKEK.js) to decrypt the wrapped key and extract the key material in plain.

I have got dkek-share-1.pbe and wrap-key.bin.
Can you please help with steps for using the above files to extract the key?
Is there any pseudo/example script available?

This script reads the DKEK share and decodes the RSA key:

/**
 * Decode a key blob from a SmartCard-HSM
 */

var File = require("scsh/file/File").File;
var DKEK = require("scsh/sc-hsm/DKEK").DKEK;

// Read the wrapped key file; the key blob is the first element of its ASN.1 structure
var fn = GPSystem.mapFilename("rsa.wky");
var f = new File(fn);
var bin = f.readAllAsBinary();
var a = new ASN1(bin);
var blob = a.get(0).value;

// Read the password-protected DKEK share file
var fn = GPSystem.mapFilename("password.pbe");
var f = new File(fn);
var bin = f.readAllAsBinary();

// Decrypt the share with its password
var share = DKEK.decryptKeyShare(bin, new ByteString("password", ASCII));

// Import the share into a DKEK instance, then decode and print the key blob
var crypto = new Crypto();
var dkek = new DKEK(crypto);
dkek.importDKEKShare(share);
dkek.dumpKeyBLOB(blob);

creates the following output:

>load("/home/asc/share/projects/workspace_scsh/sc-hsm-sdk-scripts/examples/decodewky.js");
Derive DKEK share encryption key (Step 1 of 3)...
Derive DKEK share encryption key (Step 2 of 3)...
Derive DKEK share encryption key (Step 3 of 3)...
Values from key blob:
---------------------
Checking the MAC      : Passed
KCV                   : 2983262690E120AF    [Must match the KCV of the DKEK for import]
Key type              : 6    [5=RSA, 6=RSA-CRT, 12=ECC, 15=AES]
Default Algorithm ID  : 0.4.0.127.0.7.2.2.2.1.2 (10)     [Default algorithm]
Allowed Algorithm IDs :  (0)
Access Conditions     :  (0)    [Not used]
Key OID               :  (0)    [Not used]
Randomize             : B4A599F7F39D2FBA    [Random data prepended at export]
Key size              : 2048    [Key size in bits (ECC/RSA) or bytes (AES)]
DP1 = d mod (p - 1)   : 32C48B7000CBEB31...05C620391C355213 (128)
DQ1 = d mod (q - 1)   : 9C02E3C570658F0D...5EBDA80257EB9B29 (128)
Prime factor p        : AAE9C3E8DBB783B9...B69F54B7E6D5EF77 (128)
PQ = q - 1 mod p      : AAC2B9DA1AF73D01...C8EA127332059D9C (128)
Prime factor q        : FEC5A4DC1327EDC0...C5397AA7894994EB (128)
Modulus               : AA17E4557B60B3AB...C263530D8CC29E3D (256)
Public Exponent       : 010001 (3)

Hi,
Thanks for the script.
I am able to generate the output below.
How do I get the private key and public key PEM files from the output?

>load("/home/abdul/sc-hsm-starterkit/sc-hsm-workspace/sc-hsm-sdk-scripts/examples/decodewky.js");
Derive DKEK share encryption key (Step 1 of 3)...
Derive DKEK share encryption key (Step 2 of 3)...
Derive DKEK share encryption key (Step 3 of 3)...
Values from key blob:
----------------------------------
Checking the MAC      : Passed
KCV                   : Dxxxxxxxxxxx9    [Must match the KCV of the DKEK for import]
Key type              : 5    [5=RSA, 6=RSA-CRT, 12=ECC, 15=AES]
Default Algorithm ID  : 0.4.0.127.0.7.2.2.2.1.2 (10)     [Default algorithm]
Allowed Algorithm IDs :  (0)
Access Conditions     :  (0)    [Not used]
Key OID               :  (0)    [Not used]
Randomize             : FBxxxxxxxxx8A    [Random data prepended at export]
Key size              : 4096    [Key size in bits (ECC/RSA) or bytes (AES)]
Private Exponent      : 59C...E7D (512)
Modulus               : C4F...A0D (512)
Public Exponent       : 010001 (3)
>

Hi,

I am able to get the private and public keys in PEM format using the Python script below.
I hope the extracted keys are the proper keys.

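#!/usr/bin/python3

from Crypto.PublicKey import RSA

# Private Exponent (from the dumpKeyBLOB output)
d = int('59C...E7D', 16)
# Modulus
n = int('C4F...A0D', 16)
# Public Exponent
e = int('010001', 16)

# RSA.construct expects the components in the order (n, e, d)
key = RSA.construct((n, e, d))
# exportKey() returns bytes; decode so the PEM prints with real line breaks
print(key.exportKey().decode())
print(key.publickey().exportKey().decode())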
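On the closing question of whether the extracted values are the proper key, the following is an added example, not part of the thread or of the Smart Card Shell scripts: it cross-checks the fields that dumpKeyBLOB prints, for both the key type 5 layout (n, e, d) and the key type 6 layout (CRT fields, which include no private exponent). The function names and the demo key are constructed for illustration, and the "PQ" field is assumed to be the CRT coefficient q^-1 mod p.

```python
# Added example, standard library only (Python 3.8+ for pow(x, -1, m)).
from math import gcd

def check_plain(n, e, d, probes=(2, 3, 0x1234567)):
    """Key type 5 (n, e, d): (m^e)^d must give back m modulo n."""
    return all(pow(pow(m, e, n), d, n) == m % n for m in probes)

def check_crt(n, e, p, q, dp, dq, pq):
    """Key type 6: cross-check each CRT field against p, q and e."""
    return {
        "Modulus": p * q == n,
        "DP1": (e * dp) % (p - 1) == 1,
        "DQ1": (e * dq) % (q - 1) == 1,
        "PQ": (q * pq) % p == 1,   # assumption: PQ is q^-1 mod p
    }

def private_exponent(e, p, q):
    """A type 6 dump prints no d; derive it from e, p and q."""
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)  # lcm(p-1, q-1)
    return pow(e, -1, lam)

def constructed_key():
    """Demo key from two Mersenne primes; constructed, far too small for real use."""
    p, q, e = 2**89 - 1, 2**61 - 1, 0x010001
    d = private_exponent(e, p, q)
    return {"n": p * q, "e": e, "d": d, "p": p, "q": q,
            "dp": d % (p - 1), "dq": d % (q - 1), "pq": pow(q, -1, p)}

if __name__ == "__main__":
    k = constructed_key()
    print(check_crt(k["n"], k["e"], k["p"], k["q"], k["dp"], k["dq"], k["pq"]))
    print("n/e/d round trip:", check_plain(k["n"], k["e"], k["d"]))
    # A single wrong field is reported by name
    print(check_crt(k["n"], k["e"], k["p"], k["q"], k["dp"], k["dq"], k["pq"] + 1))
```

For a real dump, convert each full hex field with int(value, 16) as in the script above before passing it to these checks.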