I understand importing a key into the HSM is not a ‘normal’ use case,
but (as others on this board) I have an existing key which has already been used for certificate signing
and I would like to secure it rather than starting over with a new key.
Nitro HSM, using the Smart Card shell tool, on Ubuntu 16.04.
Using scsh3gui
Smart Card Shell 3.15.359
I have initialized the Nitrokey HSM device, defined a SO PIN, User PIN, one DKEK share.
Then, defined a DKEK, imported the DKEK, then attempted “Import from PKCS#12” on the smart card shell.
Answered the prompt for the DKEK import file and password, answered the prompt for the .p12 file, then got an error:
Importing key and certificate...
GPError: Card (CARD_INVALID_SW/27264) - "Unexpected SW1/SW2=6A80 (Checking error: Incorrect parameter in the command data field) received" in /home/tony/temp_security3/nitrokey/SmartCardShell/scsh3.15.359/scsh/sc-hsm/SmartCardHSM.js#1238
at /home/tony/temp_security3/nitrokey/SmartCardShell/scsh3.15.359/scsh/sc-hsm/SmartCardHSM.js#1238
at /home/tony/temp_security3/nitrokey/SmartCardShell/scsh3.15.359/scsh/sc-hsm/HSMKeyStore.js#300
at /home/tony/temp_security3/nitrokey/SmartCardShell/scsh3.15.359/keymanager/keymanager.js#1889
at /home/tony/temp_security3/nitrokey/SmartCardShell/scsh3.15.359/keymanager/keymanager.js#2043
And so: what is the best method for import of a PKCS#12 file?
Is there a way around this error, or is there a better method to accomplish this?
What are the key attributes of the p12 file? What algorithm is used, what length, etc.? The Card did not accept the card, so either there is an error in the code or there is something wrong with the key.
X509v3 Authority Key Identifier:
keyid:
X509v3 CRL Distribution Points:
Full Name:
URI:
Authority Information Access:
CA Issuers - URI:
OCSP - URI:
Re: error in the code
Heads up: I put a bunch of diagnostic prints in the code (attempting to
figure this out), thus the line numbers in the error message in my
posting won’t match the published code … sorry for possible confusion …
For 3072 and 4096 bit RSA keys the private keys must be in private exponent / modulus format rather than the common CRT format. A conversion function that allows creating the key import blob from CRT keys is not yet available.
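A pre-flight check that answers the question asked earlier in the thread (algorithm, key length, and whether the private key is in CRT form) before trying “Import from PKCS#12”. This is an added example, not part of the thread or of the Smart Card Shell code; it assumes only the openssl CLI, the .p12 path and password are the script's own arguments, and the sample key/certificate it builds is constructed for the demo. It does not produce the import blob itself.

```shell
#!/bin/sh
# Added pre-flight check (not from the thread): report algorithm, size and
# private-key form for a PKCS#12 file. Prints e.g. "RSA 3072 CRT",
# "RSA 2048 EXP" or "EC 256 -". Old .p12 files encrypted with RC2-40 need
# "-legacy" on the openssl pkcs12 command under OpenSSL 3.
set -eu

p12_key_info() {   # $1 = path to .p12, $2 = password
    txt=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
          | openssl pkey -text -noout)
    bits=$(printf '%s\n' "$txt" | sed -n 's/^.*Private-Key: (\([0-9]*\) bit.*$/\1/p' | head -n 1)
    case "$txt" in
        *publicExponent:*)
            # RSA: a CRT key carries prime1/prime2/exponent1/exponent2/coefficient;
            # a plain private exponent/modulus key has only modulus + privateExponent.
            case "$txt" in
                *prime1:*) printf 'RSA %s CRT\n' "$bits" ;;
                *)         printf 'RSA %s EXP\n' "$bits" ;;
            esac ;;
        *"ASN1 OID:"*) printf 'EC %s -\n' "$bits" ;;
        *)             printf 'OTHER %s -\n' "$bits" ;;
    esac
}

# True (exit 0) when the key is RSA, 3072 bits or more, and still in CRT form:
# the combination the reply above says the current import path cannot handle.
needs_exp_form() {   # $1 = path to .p12, $2 = password
    set -- $(p12_key_info "$1" "$2")
    [ "$1" = RSA ] && [ "$2" -ge 3072 ] && [ "$3" = CRT ]
}

# Constructed sample: a fresh self-signed 3072-bit RSA key/cert packed into a .p12
# (made here for the demo; not the poster's key).
WORK=$(mktemp -d)
openssl req -x509 -newkey rsa:3072 -nodes -subj /CN=demo -days 1 \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
openssl pkcs12 -export -in "$WORK/cert.pem" -inkey "$WORK/key.pem" \
    -out "$WORK/demo.p12" -passout pass:demo

p12_key_info "$WORK/demo.p12" demo
if needs_exp_form "$WORK/demo.p12" demo; then
    echo "RSA >= 3072 bit key in CRT form: needs private exponent/modulus form before import"
fi
```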