We are looking for an HSM that protects a symmetric AES-128 key that will be used for several AES operations in ECB mode at an external party. Unfortunately, we have to import the key and we cannot use the internal key generation mechanisms.
Is there a way to import a symmetric key (AES-128) into the HSM?
Does the Nitrokey HSM support AES-ECB operations?
I have successfully compiled and used sc-hsm-embedded project from the project linked at How to use AES on NitroKey HSM2 but I cannot find a way how to import an AES key.
Take a look at the importAES.js script that is part of the Smart Card Shell SDK Workspace (in sc-hsm-sdk-scripts/examples in sc-hsm-workspace-20200310.zip). The workspace can be found in the starterkit.
Thanks to your help I was able to import an AES Key into my Nitrokey HSM2. Unfortunately, neither pkcs11-tool nor sc-hsm-embedded is able to find it using findObjects. Both aren’t even listing it as object.
I want to create a C application that uses the HSM to perform cryptographic operations on stored keys. Or is the scsh the only way to do that?
The key is not listed, as it does not have a PKCS#15 description.
The script is just a basic example how to import an AES key. It does not write the appropriate PKCS#15 description, so that PKCS#11 middleware can’t pickup the key.
The HSMKeyStore class has the required code to create a matching PKCS#15 meta structure. I will need to rewrite the example to use that function instead.
In the HSM, we have two distinct API layers, the APDU layer and the middleware layer. At the lower APDU layer we deal with keys identified by their ids (basically a number in the range 1 to 255). At the middleware layer we interact with named keys. The actual mapping between the key name and the key id is implicitly done using an EF (a binary file) containing the PKCS#15 meta data of the keys.
The middleware enumerates all keys on the device and tries to load the related files with the PKCS#15 meta data. Based on the PKCS#15 data (or more specifically the label attribute) it generates a mapping from the key name to the key id.
I can see that the ks.importAESKey function calls SmartCardHSM.buildSKDforAES which is mentioned to create a PKCS#15 description.
Do you have a hint what’s missing for an appropriate description at this point? I might rewrite the code as well and provide it if I’m successful.