Key Counter in NitroKey HSM

dchan · September 15, 2017, 11:39pm

The NitroKey HSM literature talks about Key Counter that can limit the number of times the key can be used.

However I cannot find documentation on where to specify this in any documentation. Are there examples?

nitroalex · September 18, 2017, 9:15am

Hi,

as far as I can see it is not implemented in the command set of the OpenSC project yet. Maybe a feature request is worth a try?
There are probably other options to manage this (maybe by setting the value directly with help of opensc-explorer?). I try to find out…

Kind regards
Alex

nitroalex · September 18, 2017, 9:16am

Ah… and by the way: you mean the “key use counter”, do you?

jan · September 18, 2017, 12:34pm

Hi dchan! You would need the SDK. Please register at the CardContact Developer Network to get access to the SDK.

dchan · September 18, 2017, 3:44pm

Yes. I was referring to the Key Use Counter

dchan · September 18, 2017, 3:51pm

I did download the CardContact SDK and studied over the weekend.

Looks like it requires some extra data when constructing the GAKP payload in the APDU…I modified CardContact’s scsh scripts and confirms it works

opensc_explorer also displays the counter as a proprietary attribute:

OpenSC [E82B/0601/0401/81C3/1F02/01]> info CC05

Elementary File  ID CC05

File path:     CC05
File size:     0 bytes
EF structure:  Transparent
ACL for READ:         N/A
ACL for UPDATE:       N/A
ACL for DELETE:       N/A
ACL for WRITE:        N/A
ACL for REHABILITATE: N/A
ACL for INVALIDATE:   N/A
ACL for LIST FILES:   N/A
ACL for CRYPTO:       N/A
Proprietary attributes:  90 04 00 00 00 F6

Open to ideas on how to integrate this properly into pkcs11-tool. Perhaps as a tag in --key-type? E.g

pkcs11-tool -k --key-type "EC:prime256v1/counter=255" -l

nitroalex · September 20, 2017, 5:10pm

Hi @dchan,

that’s great! If you can provide a short description for other users here, you are welcome to do so

If you are willing to get this feature integrated in pkcs11-tool even better!

We’d have to ask the opensc people anyway, but in my point of view it would be best to introduce a new flag like

–key-usage-counter=X

where the functionality is disabled by default.

Integrating this information in the --key-type flag is may confusing and may conflicts with older instructions/scripts.

Are you willing to open a issue/feature request on github?

Kind regards
Alex

dchan · September 20, 2017, 10:56pm

Sure, I have opened up issue #1154 on GitHub.

ant1a · April 24, 2018, 12:41pm

Hello
Can you provide any simple example on how to use the scsh for setting a key with a counter?
I would be gratefull
Thank you