NitroKey HSM Private Key Description (PRKD) format

Hi,

I started writing a tool for converting a Java keystore into DKEK-wrapped key files. (This can be done manually with smart-card-shell now, but only by actually importing it into an HSM, which won't be an option as I need to bulk import (wrap) many thousand keys at once from a legacy infrastructure.)

I got this 90% working, but I'm missing some information about one part of the ASN.1 data structure of those wrapped key files. The .wky wrapped key files will have the encrypted private key, then something called “Private Key Description” and finally the corresponding X.509 certificate.

I can see that the PRKD data structure contains the key alias, the key bit size, and the key ID, but there are other fields in there whose purpose I don't really know. The whole structure is a bit unclear as well, as in why it's nested that way. Is there any public code (or docs) where I can look up this data structure? I believe it's neither in sc-hsm-tool nor in scsh, which is what served me as a reference for this so far.

Here’s a good visualization of what I’m talking about: ASN.1 JavaScript decoder (the prkd data)

@sc-hsm can you help here?

The PRKD data structure is the PKCS#15 description of the key. Details can be found in chapter 8 of the user manual. The format is based on an ASN.1 syntax with nested classes. That is why objects are structured that way.

There are four methods buildPrkDforECC(), buildPrkDforRSA(), buildSKDforAES() and buildCertDescription() in the SmartCardHSM class, that is defined in scsh/sc-hsm/SmartCardHSM.js of the Smart Card Shell.

Encoders can also be found in the SmartCardHSMCardService in OCF (Java), in the sc-hsm-embedded sources and in OpenSC (both C).

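As an added example (not code from this thread, from Smart Card Shell or from OpenSC), here is a Python encoder and decoder for the PKCS#15 PrivateKeyObject that the answer above describes, so the nesting is visible field by field. The layout follows PKCS#15 / ISO 7816-15 as OpenSC decodes it: commonObjectAttributes (label), commonKeyAttributes (iD, usage), and the type attributes under the [1] context tag, with RSA as the untagged CHOICE alternative and EC under [0]. The label, key ID, usage flags and the empty Path are constructed sample values; which usage bits SmartCardHSM.js actually writes is not asserted here.

```python
# Added example: minimal DER encode/decode of a PKCS#15 PrivateKeyObject (a SmartCard-HSM PRKD).
# Not taken from the forum thread, Smart Card Shell or OpenSC; field choices are this example's own.

# PKCS#15 KeyUsageFlags bit numbers (bit 0 is the MSB of the first BIT STRING content byte).
KEY_USAGE = {
    "encrypt": 0, "decrypt": 1, "sign": 2, "signRecover": 3, "wrap": 4,
    "unwrap": 5, "verify": 6, "verifyRecover": 7, "derive": 8, "nonRepudiation": 9,
}


def _der_length(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_length(len(body)) + body


def _der_integer(value: int) -> bytes:
    # Non-negative only; a leading 0x00 keeps values with the top bit set positive.
    return _tlv(0x02, value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big"))


def _der_bit_string(flags) -> bytes:
    bits = sorted(KEY_USAGE[f] for f in flags)
    if not bits:
        return _tlv(0x03, b"\x00")
    buf = bytearray(max(bits) // 8 + 1)
    for b in bits:
        buf[b // 8] |= 0x80 >> (b % 8)
    unused = 7 - (max(bits) % 8)          # DER: trailing unused bits are zero
    return _tlv(0x03, bytes([unused]) + bytes(buf))


def encode_prkd_rsa(label: str, key_id: bytes, modulus_bits: int,
                    usage=("decrypt", "sign", "unwrap")) -> bytes:
    """PrivateKeyObject{PrivateRSAKeyAttributes}:
      SEQUENCE {                                   -- untagged CHOICE alternative = RSA
        SEQUENCE { UTF8String label }              -- commonObjectAttributes
        SEQUENCE { OCTET STRING iD, BIT STRING usage }   -- commonKeyAttributes
        [1] SEQUENCE {                             -- typeAttributes: PrivateRSAKeyAttributes
          SEQUENCE { OCTET STRING path }           -- value: Path (empty here, key is on the token)
          INTEGER modulusLength } }
    The empty Path and default usage set are constructed for this example."""
    common_obj = _tlv(0x30, _tlv(0x0C, label.encode("utf-8")))
    common_key = _tlv(0x30, _tlv(0x04, key_id) + _der_bit_string(usage))
    rsa_attrs = _tlv(0x30, _tlv(0x30, _tlv(0x04, b"")) + _der_integer(modulus_bits))
    return _tlv(0x30, common_obj + common_key + _tlv(0xA1, rsa_attrs))


def _read_tlv(buf: bytes, pos: int):
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:end], end


def _children(body: bytes):
    pos, out = 0, []
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        out.append((tag, val))
    return out


def _decode_usage(raw: bytes):
    unused, data = raw[0], raw[1:]
    names = {v: k for k, v in KEY_USAGE.items()}
    total = len(data) * 8 - unused
    return [names[b] for b in range(total) if b in names and data[b // 8] & (0x80 >> (b % 8))]


def parse_prkd(der: bytes) -> dict:
    tag, body, end = _read_tlv(der, 0)
    if end != len(der):
        raise ValueError("trailing bytes after PrivateKeyObject")
    # PrivateKeyType CHOICE: plain SEQUENCE is privateRSAKey, [0] is privateECKey.
    if tag == 0x30:
        key_type = "rsa"
    elif tag == 0xA0:
        key_type = "ec"
    else:
        raise ValueError(f"unexpected PrivateKeyType tag 0x{tag:02x}")
    fields = _children(body)
    if len(fields) < 3:
        raise ValueError("PrivateKeyObject needs common object, common key and type attributes")
    common_obj, common_key = _children(fields[0][1]), _children(fields[1][1])
    label = next((v for t, v in common_obj if t == 0x0C), None)
    usage = next((v for t, v in common_key if t == 0x03), None)
    type_body = next((v for t, v in fields if t == 0xA1), None)
    if type_body is None:
        raise ValueError("typeAttributes [1] missing")
    info = {"key_type": key_type,
            "label": label.decode("utf-8") if label is not None else None,
            "key_id": next((v for t, v in common_key if t == 0x04), b""),
            "usage": _decode_usage(usage) if usage else []}
    if key_type == "rsa":
        attrs = _children(_children(type_body)[0][1])   # PrivateRSAKeyAttributes members
        mod = next((v for t, v in attrs if t == 0x02), None)
        info["modulus_bits"] = int.from_bytes(mod, "big") if mod else None
    else:
        info["type_attributes"] = type_body              # EC attributes left raw here
    return info


if __name__ == "__main__":
    blob = encode_prkd_rsa("legacy-key-01", b"\x01", 2048)   # constructed sample values
    print(blob.hex())
    print(parse_prkd(blob))
```

Round-tripping a freshly built description through `parse_prkd` before writing a .wky file catches a malformed structure earlier than an import error from sc-hsm-tool would; dropping the [1] tag or the inner SEQUENCE around the RSA attributes is the kind of mistake the parser reports.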

That should help, thanks!

@Bubu Will you publish your tool? That would be great.

The tool lives here for now; this is likely not the final place for this: https://git.bubu1.eu/Bubu/nitrokeywrapper
It’s working for RSA keys, ECC isn’t implemented yet as I don’t have a pressing need for it, but it would be doable.
Consider this alpha quality: it worked for my testing keys, but it might break for everything else. (If that happens, you are most likely to get an error trying to import the key through sc-hsm-tool.)