A key use counter can be defined using the PKCS#11 module from sc-hsm-embedded and a proprietary attribute defined in .
Does someone have a C code example for setting – and testing – the key use counter attribute for an RSA or EC keypair on the Nitrokey HSM 2? I could only find an AES key generation example so far and I am not sure how to set the attribute for RSA / EC keys:
var kg = new SmartCardHSMKeySpecGenerator(Crypto.EC, dp);
sc.generateAsymmetricKeyPair(2, 0, kg.encode());
SmartCardHSMKeySpecGenerator.encode will add an extra attribute with tag 0x90 and the key counter value, if requested, to the template (kg) that will be used to write the key object.
In PKCS#11 terms this will be adding a new custom CK_ATTRIBUTE to the key generation template, like here:
and the attribute will be CKA_SC_HSM_KEY_USE_COUNTER:
Now how to read it: key counter, domain ID are SmartCard HSM proprietary attributes in the PKCS#15 key structure.
For example, I have just tried opensc-explorer on my Nitrokey HSM2:
OpenSC Explorer version 0.21.0-0.21.0
OpenSC [3F00]> cd aid:e828bd080f
OpenSC [E828/BD08/0F]> info cc01
Working Elementary File ID CC01
File path: CC01
File size: 0 bytes
EF structure: Transparent
ACL for READ: N/A
ACL for UPDATE: N/A
ACL for DELETE: N/A
ACL for WRITE: N/A
ACL for REHABILITATE: N/A
ACL for INVALIDATE: N/A
ACL for LIST FILES: N/A
ACL for CRYPTO: N/A
Type attributes: 01
Proprietary attributes: 90 04 FF FF FF FF 92 01 00
90 tag, 04 length and FF FF FF FF is the key counter (not set), and 92 tag, 01 length and 00 is the key domain of the key (first key domain in that case - if the key is outside of the domain, this attribute is not present).
So just re-use your key generation template or create a simple one with one key value like this one:
Haven’t tried, but might work!
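As an added example (not code from this thread, from sc-hsm-embedded or from OpenSC): a small C routine that parses the "Proprietary attributes" bytes shown in the opensc-explorer output above (tag 0x90 = key use counter, tag 0x92 = key domain) and builds the tag-0x90 TLV for a requested counter, so a value put into a key template can be checked against what the card reports. The tag constants come from the output quoted above; the struct and function names are my own assumptions.

```c
#include <stdint.h>
#include <stddef.h>
/* Constructed example, not from sc-hsm-embedded or OpenSC. Tags as shown by
 * opensc-explorer: 0x90 = key use counter (4 bytes, big-endian, FF FF FF FF =
 * not set), 0x92 = key domain (1 byte, absent if the key is outside a domain). */
#define SC_HSM_TAG_KEY_USE_COUNTER 0x90
#define SC_HSM_TAG_KEY_DOMAIN      0x92
#define SC_HSM_COUNTER_NOT_SET     0xFFFFFFFFu
struct sc_hsm_key_attrs {
    uint32_t use_counter;  /* SC_HSM_COUNTER_NOT_SET when absent or all FF */
    int      has_domain;   /* 1 when tag 0x92 is present */
    uint8_t  domain;
};
/* Parse the "Proprietary attributes" TLV blob. Returns 0 on success, -1 if a
 * TLV is truncated or a known tag carries the wrong length. */
int sc_hsm_parse_proprietary_attrs(const uint8_t *buf, size_t len,
                                   struct sc_hsm_key_attrs *out)
{
    size_t i = 0;
    out->use_counter = SC_HSM_COUNTER_NOT_SET;
    out->has_domain = 0;
    out->domain = 0;
    while (i < len) {
        if (len - i < 2) return -1;              /* need tag + length */
        uint8_t tag = buf[i], tlen = buf[i + 1];
        const uint8_t *v = buf + i + 2;
        if (tlen > len - i - 2) return -1;       /* value runs past buffer */
        if (tag == SC_HSM_TAG_KEY_USE_COUNTER) {
            if (tlen != 4) return -1;
            out->use_counter = ((uint32_t)v[0] << 24) | ((uint32_t)v[1] << 16)
                             | ((uint32_t)v[2] << 8) | v[3];
        } else if (tag == SC_HSM_TAG_KEY_DOMAIN) {
            if (tlen != 1) return -1;
            out->has_domain = 1;
            out->domain = v[0];
        }                                        /* unknown tags are skipped */
        i += 2 + (size_t)tlen;
    }
    return 0;
}
/* Encode the tag-0x90 TLV a key template carries for a requested counter.
 * Always writes 6 bytes into out and returns that length. */
size_t sc_hsm_encode_key_use_counter(uint32_t counter, uint8_t out[6])
{
    out[0] = SC_HSM_TAG_KEY_USE_COUNTER; out[1] = 4;
    out[2] = (uint8_t)(counter >> 24); out[3] = (uint8_t)(counter >> 16);
    out[4] = (uint8_t)(counter >> 8);  out[5] = (uint8_t)counter;
    return 6;
}
```

Feeding the bytes "90 04 FF FF FF FF 92 01 00" from the output above yields an unset counter and domain 0, which is the state before a counter has been requested in the template.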
Thank you for your effort, but I got that far already regarding my understanding of the issue – only that I was not able to make it work, which is why I was asking for working example code.