We have been experimenting with the Nitrokey HSM but stumbled on some things we can't fully explain.
When first creating a key we used the following command: sudo pkcs11-tool --module opensc-pkcs11.so -l --keypairgen --key-type "EC:prime256v1" --id "10" --label "label"
The next key we generated used the same command with id 20: sudo pkcs11-tool --module opensc-pkcs11.so -l --keypairgen --key-type "EC:prime256v1" --id "20" --label "label"
This continued until we got to the 10th key, which we tried to create using the following command: sudo pkcs11-tool --module opensc-pkcs11.so -l --keypairgen --key-type "EC:prime256v1" --id "100" --label "label"
When running sudo pkcs15-tool --list-public-keys
we see that the 10th key (for which we chose id 100) got id 1000.
This confused us very much, so we tried to understand the jump in id number.
It turns out that when asking for the key with id 10 and for the key with id 100 we get the same key both times, namely the one we created first,
and id 1000 returns the 10th key.
Reading up on Nitrokey and PKCS#11, I have not found any indication of the factor-10 behavior we are seeing here.
Can someone explain to me why it works this way, or point me in the right direction?
If I understand it correctly this is a hex value (I use something like --id e568cf246...). I don't know why reading id "100" gives different results from writing id "100"; maybe it's a bug in the OpenSC tools...
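An added example, not from either post and not OpenSC's own code: a small Python reimplementation of the two-hex-digits-per-byte parsing that pkcs11-tool applies to an --id string. It assumes the behaviour of OpenSC's sc_hex_to_bin, where a leftover single digit at the end becomes a byte of its own; the function names are mine. Run over the ids from the question it shows why "100" is stored as the two bytes 10 00 (displayed as 1000) while "10" stays a single byte, and a strict variant shows the check a tool could apply instead. It does not explain why reading id "100" returned the first key; that part is not covered here.

```python
"""
Reimplementation (assumed, modelled on OpenSC's sc_hex_to_bin) of how a
PKCS#11 CKA_ID given on the command line as a hex string becomes bytes.
"""


def parse_id(hex_id: str) -> bytes:
    """Parse a hex CKA_ID string, consuming up to two digits per byte.

    A dangling single digit is emitted as its own byte, so "100" becomes
    b"\\x10\\x00" (displayed as "1000") rather than an error. Non-hex input
    raises ValueError from int().
    """
    out = bytearray()
    pos = 0
    while pos < len(hex_id):
        chunk = hex_id[pos:pos + 2]   # one or two hex digits -> one byte
        out.append(int(chunk, 16))    # a lone "0" parses as 0x00
        pos += 2
    return bytes(out)


def strict_parse_id(hex_id: str) -> bytes:
    """Defensive variant: refuse odd-length ids instead of padding them.

    Python's bytes.fromhex() already rejects odd lengths, which is the
    behaviour a careful tool would want so that "100" never silently
    turns into 0x1000.
    """
    if len(hex_id) % 2:
        raise ValueError(
            f"CKA_ID {hex_id!r} has an odd number of hex digits; "
            f"write it with even length (e.g. {'0' + hex_id!r})"
        )
    return bytes.fromhex(hex_id)


def display_id(raw: bytes) -> str:
    """Render stored ID bytes the way pkcs15-tool lists them (lowercase hex)."""
    return raw.hex()


def simulate_ids(requested: list[str]) -> dict[str, str]:
    """Map each requested --id string to the id that ends up on the token."""
    return {req: display_id(parse_id(req)) for req in requested}


if __name__ == "__main__":
    # Constructed input: the ten ids from the question ("10", "20", ... "100").
    ids = [str(n * 10) for n in range(1, 11)]
    for req, stored in simulate_ids(ids).items():
        print(f"--id {req:>4} -> stored id {stored}")
    try:
        strict_parse_id("100")
    except ValueError as exc:
        print("strict parser:", exc)
```

The take-away for a practitioner is that --id is a byte string written in hex, not a decimal number: "10" is the byte 0x10 and "100" is two bytes; always give an even number of hex digits ("0100" if the intended id is 0x0100) so that no padding ambiguity arises.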