I find that key export and import for HSM 1 differs from HSM 2.
On HSM 1, key generation with key algorithms ECDSA_256,WRAP set allows me to successfully export and import an EC private key given a DKEK. On HSM 2, I may successfully export but not import.
The error provided from scsh3 version 3.15.377 is as follows:
GPError: Card (CARD_INVALID_SW/28416) - "Unexpected SW1/SW2=6F00 (Checking error: No precise diagnosis) received" in /home/micharu123/CardContact/scsh3/scsh/sc-hsm/SmartCardHSM.js#1240
    at /home/micharu123/CardContact/scsh3/scsh/sc-hsm/SmartCardHSM.js#1240
    at /home/micharu123/CardContact/scsh3/scsh/sc-hsm/HSMKeyStore.js#229
    at /home/micharu123/CardContact/scsh3/keymanager/keymanager.js#1814
    at /home/micharu123/CardContact/scsh3/keymanager/keymanager.js#2049
In my debugging effort, I found that setting no key algorithms resulted in a successful export and import on HSM 2 (again, given a DKEK). The backtrace implicated an importKey function error. I printed the id by inserting the following into
    var a = new ASN1(bin);
    var wrap = a.get(0).value;
    var id = this.sc.determineFreeKeyId();
    print("VALUES: ", wrap, id);
The wrap value for importing a key with algorithms
0000. This was the same for a key with no specified algorithms.
I am curious, then, what is the intended way to export encrypted key material using a DKEK? Should we never specify the key algorithms?