HSM: Change label for certificate and private/public key

Hi,

how can I change those on Windows? I thought by this way:

I have a cert and private key with ID 12345, then I thought command should be:

pkcs15-init -A cert --id 12345 --label test123x

Using reader with a card: Nitrokey Nitrokey HSM 0
Failed to change attribute(s): Invalid arguments

But does not work. Same with privkey:

pkcs15-init -A privkey --id 12345 --label test123x

Using reader with a card: Nitrokey Nitrokey HSM 0
Failed to change attribute(s): Invalid arguments

and pubkey:

pkcs15-init -A pubkey --id 12345 --label test123x

Using reader with a card: Nitrokey Nitrokey HSM 0
Failed to change attribute(s): Invalid arguments

What’s wrong?


Using a GUI like xca or KeystoreExplorer they only change the certificate name and and/or output several errors.

Error of xca for example (even though I put in the pin on question):

PKCS#11 Funktion 'C_Login' fehlgeschlagen: CKR_GENERAL_ERROR

There is bad trick, changing private key name in xca chip card management in “Details” (which does not trigger a save to the hsm) and then use F2 to rename. This will result in

PKCS#11 Funktion 'C_SetAttributeValue' fehlgeschlagen: CKR_ARGUMENTS_BAD

but the label on the HSM was really changed… :confused:

Try

pkcs15-init -A cert --id 12345 -a yourpin --lable test123x

that may be is working

pkcs15-init could be used to initialize a PKCS#15 structure on a smart card. PKCS#15 is the meta data structure for describing keys and certificates. This is commonly used for statically configured cards (i.e. the PKI cards issued by a CA).

The SmartCard-HSM does dynamically manage objects on the card and uses some parts of PKCS#15 to describe objects. However, it does not use a full PKCS#15 data structure to describe keys and as such pkcs15-init is the wrong tool. The OpenSC implementation for the SmartCard-HSM emulates some options available in pkcs15-init, but not all. For changing the label you need to use the PKCS#11 interface, which is what xca does.

OpenSC assumes a label at each object, i.e. key, certificate and public key. The SmartCard-HSM only stores a label for the key. The label reported for certificate and public key is always the same as for the private key.

You can change the label for a public key or certificate object, but that does not have an effect. That is a known issue in OpenSC, which should rather report an error then trying to change the label for a certificate or public key.

Hmm, interessting: while I found the command to use pkcs15-init to change a label, I have not found the command using pkcs#11 to do so ? Did I overlook something ?

You’re right, as:

pkcs11-tool -l --id 12345 --label test1

does not work.

There is no param --set-label available like it is for id with --set-id

So it is not possible with commandline tools?