Nitrokey HSM2 Key Use Counter C Code Example

In HSM2: Distributed key access & sign counter I read:

A key use counter can be defined using the PKCS#11 module from sc-hsm-embedded and a proprietary attribute defined in [3].

Does someone have a C code example for setting – and testing – the key use counter attribute for an RSA or EC keypair on the Nitrokey HSM 2? I could only find an AES key generation example so far and I am not sure how to set the attribute for RSA / EC keys:

Key counter can be set only during the generation of the key. I don’t have C code handy, but JavaScript comes close, have a look at SmartCardHSM.test in scsh/sc-hsm/SmartCardHSM.js - it contains the sequence:

     var kg = new SmartCardHSMKeySpecGenerator(Crypto.EC, dp);
     sc.generateAsymmetricKeyPair(2, 0, kg.encode());

SmartCardHSMKeySpecGenerator.encode will add extra attribute with a tag 0x90 and the key counter value if requested to the template (kg) that will be used to write the key object.

In PKCS#11 terms this will be adding a new custom CK_ATTRIBUTE to the key generation template, like here:

and the attribute will be CKA_SC_HSM_KEY_USE_COUNTER:

AES key generation example is good, the templates are very similar

Now how to read it: key counter, domain ID are SmartCard HSM proprietary attributes in the PKCS#15 key structure.

For example, I have just tried opensc-explorer on my Nitrokey HSM2:

OpenSC Explorer version 0.21.0-0.21.0
OpenSC [3F00]> cd aid:e828bd080f
OpenSC [E828/BD08/0F]> info cc01

Working Elementary File  ID CC01

File path:               CC01
File size:               0 bytes
EF structure:            Transparent
ACL for READ:            N/A
ACL for UPDATE:          N/A
ACL for DELETE:          N/A
ACL for WRITE:           N/A
ACL for LIST FILES:      N/A
ACL for CRYPTO:          N/A
Type attributes:         01
Proprietary attributes:  90 04 FF FF FF FF 92 01 00

90 tag, 04 length and FF FF FF FF is the key counter (not set), and 92 tag, 01 length and 00 is the key domain of the key (first key domain in that case - if the key is outside of the domain, this attribute is not present).

So just re-use your key generation template or create a simple one with one key value like this one:

and then call it

Haven’t tried, but might work!

Haven’t tried, but might work!
Thank you for your effort, but I got that far already regarding my understanding of the issue – only that I was not able to make it work, which is why I was asking for working example code.

If you have an almost-working code and something more than “it does not work”, for example "C_GetAttribute returns 255", then we can try…