Import public key to NitroKey HSM

Hi

I would like to import a public key for convenience to the NitroKey HSM2, as other keys on the HSM are signed with its private counter part. Unfortunately, I’m struggling with these commands:

> pkcs11-tool -l -p *** --label "test" --type pubkey --module opensc-pkcs11.so --write-object pubkey.der --type pubkey --id 1234
Using slot 0 with a present token (0x0)
Created public key:
Public Key Object; RSA 4096 bits
  label:      test
  ID:         1234
  Usage:      verify
> pkcs11-tool -r -p *** --label "test" --type pubkey --module opensc-pkcs11.so > pubkey_2.der
Using slot 0 with a present token (0x0)
error: object not found
Aborting.

Is it possible to import pubkeys? What am I doing wrong?

Help is appreciated …

Kind regards
Tobi

cc @nitroalex

You may have a look if the key is actually stored via

pkcs11-tool -O

Furthermore, I do not know why you are using this ***, being honest. And I do not need the -p flag for reading the pubkey in my case so that I used successfully:

pkcs11-tool -r --label "test" --type pubkey --module opensc-pkcs11.so

Thanks for your reply.

First of all: the -p flag with pin came from “historical reasons” when switching back and forth between the commands / c&p error. Sorry for being lazy :wink: And the *** for the pin was a kind of reflex.

The pubkey is not stored at all! I also checked with pkcs15-tool -D To emphasize: I want to write/import only the public part to the key to the HSM! The key was generated elsewhere.

The SmartCard-HSM does not support storing plain public key. You can only store additional public keys as certificates.

Public keys visible at the PKCS#11 interface are always extracted from certificate objects

1 Like

Perfect hint @sc-hsm ! Thank you very much!

openssl req -x509 -key priv.pem  -out cert.pem -days 36500 -subj "/CN=example.com"
pkcs11-tool -l --module opensc-pkcs11.so --write-object ./cert.pem --type cert --id 1234 --label "test"
pkcs11-tool --module opensc-pkcs11.so -r --type pubkey --label "test" > pub.der

Works!

hsmwiz makes this quite easy with a NitroKey HSM:

$ hsmwiz putcrt --id 1234 --label "test" cert.pem
$ hsmwiz getkey --id 1234 --label "test"
2 Likes