Nitrokey HSM2 N-of-M authentication --register-public-key Incorrect parameters in APDU error

charlotte · March 6, 2021, 1:01am

Hi I’m trying to use N-of-M authentication (not DKEK shares) based on the following:

github.com/OpenSC/OpenSC

sc-hsm-tool: Add options for public key authentication

OpenSC:master ← frankbraun:pubkeyauth

opened 09:38PM - 18 Jun 19 UTC

frankbraun

+658 -5

This PR extends the `sc-hsm-tool` with options to use Public Key Authentication …([n-of-m Authentication](https://www.smartcard-hsm.com/docs/SmartCard-HSM_n-of-m_Authentication_V1.0_2015-03-25.pdf)). The new options allow the `sc-hsm-tool` to: - Initialize a HSM for public key authentication (`--public-key-auth` and `--required-pub-keys`). - To export a public key to be used for public key authentication (`--export-for-pub-key-auth`). - To register such an exported public key with an HSM initialized for public key authentication (`--register--public-key`). - Show the status of public key authentication (`public-key-auth-status`). What's still missing is an option to do the actual authentication. The SmartCard-HSM version 2.6 and SmartCard-HSM version 3.1 were used during testing. #### Open issue The CAR and CHR of CV Certificates generated with OpenSC are fixed values, see: https://github.com/OpenSC/OpenSC/blob/19711d0a1301f0519a1348390bb996fd2925f766/src/pkcs15init/pkcs15-sc-hsm.c#L265-L266 This prevents registering multiple keys (created with OpenSC) for public key authentication due to name clashes. This issue has been discussed with Andreas Schwier from @CardContact, but no solution has been found yet. ##### Checklist - [x] Documentation is added or updated

I built opensc with the PR but it fails to when trying to --register-public-key.
I have two Nitrokey HSM2s, HSM A and HSM B. They are both on firmware 3.4

Plug HSM A in
Initialize for public key auth

./bin/sc-hsm-tool --initialize --required-pub-keys 1 --public-key-auth 1

# check to make sure it took effect
./bin/sc-hsm-tool --public-key-auth-status

Unplug HSM A, plug HSM B in
initialize HSM B, generate an RSA key, export it

./bin/sc-hsm-tool  --initialize
./bin/pkcs11-tool --module ./lib/opensc-pkcs11.so --login --pin <pin> --keypairgen --key-type rsa:2048 --id 17 --label "RSA for m-of-n"
./bin/sc-hsm-tool --export-for-pub-key-auth key0.pub -i 1

unplug HSM B, plug HSM A in
attempting to register the public key fails

$ ./bin/sc-hsm-tool  --register-public-key ./key0.pub
Using reader with a card: Nitrokey Nitrokey HSM (DENK01054880000         ) 00 00
Adding the key issued to 'DENK010493800001' on device 'DENK010493800000'.
sc_card_ctl(*, SC_CARDCTL_SC_HSM_REGISTER_PUBLIC_KEY, *) failed with Incorrect parameters in APDU

I would appreciate any help getting this to work, thanks!

Verbose output of failure

P:20475; T:0x140281538310016 16:30:07.966 [sc-hsm-tool] sc.c:335:sc_detect_card_presence: called
<snipped for character limit>
P:20475; T:0x140281538310016 16:30:08.140 [sc-hsm-tool] card-sc-hsm.c:1498:verify_certificate: returning with: 0 (Success)
P:20475; T:0x140281538310016 16:30:08.140 [sc-hsm-tool] card-sc-hsm.c:1481:verify_certificate: called
P:20475; T:0x140281538310016 16:30:08.140 [sc-hsm-tool] apdu.c:546:sc_transmit_apdu: called
P:20475; T:0x140281538310016 16:30:08.140 [sc-hsm-tool] card.c:473:sc_lock: called
P:20475; T:0x140281538310016 16:30:08.140 [sc-hsm-tool] reader-pcsc.c:684:pcsc_lock: called
P:20475; T:0x140281538310016 16:30:08.140 [sc-hsm-tool] card.c:513:sc_lock: returning with: 0 (Success)
P:20475; T:0x140281538310016 16:30:08.141 [sc-hsm-tool] apdu.c:513:sc_transmit: called
P:20475; T:0x140281538310016 16:30:08.141 [sc-hsm-tool] apdu.c:363:sc_single_transmit: called
P:20475; T:0x140281538310016 16:30:08.141 [sc-hsm-tool] apdu.c:370:sc_single_transmit: CLA:0, INS:22, P1:81, P2:B6, data(18) 0x7ffdab69b600
P:20475; T:0x140281538310016 16:30:08.141 [sc-hsm-tool] reader-pcsc.c:323:pcsc_transmit: reader 'Nitrokey Nitrokey HSM (DENK01054880000         ) 00 00'
P:20475; T:0x140281538310016 16:30:08.141 [sc-hsm-tool] reader-pcsc.c:324:pcsc_transmit: 
Outgoing APDU (23 bytes):
00 22 81 B6 12 83 10 44 45 4E 4B 30 31 30 34 39 .".....DENK01049
33 38 30 30 30 30 30                            3800000
P:20475; T:0x140281538310016 16:30:08.141 [sc-hsm-tool] reader-pcsc.c:242:pcsc_internal_transmit: called
P:20475; T:0x140281538310016 16:30:08.172 [sc-hsm-tool] reader-pcsc.c:333:pcsc_transmit: 
Incoming APDU (2 bytes):
6A 88 j.
P:20475; T:0x140281538310016 16:30:08.172 [sc-hsm-tool] apdu.c:382:sc_single_transmit: returning with: 0 (Success)
P:20475; T:0x140281538310016 16:30:08.172 [sc-hsm-tool] apdu.c:535:sc_transmit: returning with: 0 (Success)
P:20475; T:0x140281538310016 16:30:08.172 [sc-hsm-tool] card.c:523:sc_unlock: called
P:20475; T:0x140281538310016 16:30:08.172 [sc-hsm-tool] reader-pcsc.c:736:pcsc_unlock: called
P:20475; T:0x140281538310016 16:30:08.182 [sc-hsm-tool] iso7816.c:128:iso7816_check_sw: Referenced data not found
P:20475; T:0x140281538310016 16:30:08.182 [sc-hsm-tool] card-sc-hsm.c:1447:get_CAR: called
P:20475; T:0x140281538310016 16:30:08.182 [sc-hsm-tool] card-sc-hsm.c:1467:get_CAR: returning with: 0 (Success)
P:20475; T:0x140281538310016 16:30:08.182 [sc-hsm-tool] apdu.c:546:sc_transmit_apdu: called
P:20475; T:0x140281538310016 16:30:08.182 [sc-hsm-tool] card.c:473:sc_lock: called
P:20475; T:0x140281538310016 16:30:08.182 [sc-hsm-tool] reader-pcsc.c:684:pcsc_lock: called
P:20475; T:0x140281538310016 16:30:08.182 [sc-hsm-tool] card.c:513:sc_lock: returning with: 0 (Success)
P:20475; T:0x140281538310016 16:30:08.182 [sc-hsm-tool] apdu.c:513:sc_transmit: called
P:20475; T:0x140281538310016 16:30:08.182 [sc-hsm-tool] apdu.c:363:sc_single_transmit: called
P:20475; T:0x140281538310016 16:30:08.182 [sc-hsm-tool] apdu.c:370:sc_single_transmit: CLA:0, INS:22, P1:81, P2:B6, data(15) 0x7ffdab69b600
P:20475; T:0x140281538310016 16:30:08.182 [sc-hsm-tool] reader-pcsc.c:323:pcsc_transmit: reader 'Nitrokey Nitrokey HSM (DENK01054880000         ) 00 00'
P:20475; T:0x140281538310016 16:30:08.182 [sc-hsm-tool] reader-pcsc.c:324:pcsc_transmit: 
Outgoing APDU (20 bytes):
00 22 81 B6 0F 83 0D 44 45 44 49 4E 4B 30 31 30 .".....DEDINK010
30 30 30 31                                     0001
P:20475; T:0x140281538310016 16:30:08.182 [sc-hsm-tool] reader-pcsc.c:242:pcsc_internal_transmit: called
P:20475; T:0x140281538310016 16:30:08.211 [sc-hsm-tool] reader-pcsc.c:333:pcsc_transmit: 
Incoming APDU (2 bytes):
90 00 ..
P:20475; T:0x140281538310016 16:30:08.212 [sc-hsm-tool] apdu.c:382:sc_single_transmit: returning with: 0 (Success)
P:20475; T:0x140281538310016 16:30:08.212 [sc-hsm-tool] apdu.c:535:sc_transmit: returning with: 0 (Success)
P:20475; T:0x140281538310016 16:30:08.212 [sc-hsm-tool] card.c:523:sc_unlock: called
P:20475; T:0x140281538310016 16:30:08.212 [sc-hsm-tool] reader-pcsc.c:736:pcsc_unlock: called
P:20475; T:0x140281538310016 16:30:08.215 [sc-hsm-tool] apdu.c:546:sc_transmit_apdu: called
P:20475; T:0x140281538310016 16:30:08.215 [sc-hsm-tool] card.c:473:sc_lock: called
P:20475; T:0x140281538310016 16:30:08.215 [sc-hsm-tool] reader-pcsc.c:684:pcsc_lock: called
P:20475; T:0x140281538310016 16:30:08.215 [sc-hsm-tool] card.c:513:sc_lock: returning with: 0 (Success)
P:20475; T:0x140281538310016 16:30:08.215 [sc-hsm-tool] apdu.c:513:sc_transmit: called
P:20475; T:0x140281538310016 16:30:08.215 [sc-hsm-tool] apdu.c:363:sc_single_transmit: called
P:20475; T:0x140281538310016 16:30:08.215 [sc-hsm-tool] apdu.c:370:sc_single_transmit: CLA:0, INS:2A, P1:0, P2:BE, data(228) 0x560594c817dc
P:20475; T:0x140281538310016 16:30:08.215 [sc-hsm-tool] reader-pcsc.c:323:pcsc_transmit: reader 'Nitrokey Nitrokey HSM (DENK01054880000         ) 00 00'
P:20475; T:0x140281538310016 16:30:08.215 [sc-hsm-tool] reader-pcsc.c:324:pcsc_transmit: 
Outgoing APDU (233 bytes):
00 2A 00 BE E4 7F 4E 81 9D 5F 29 01 00 42 0D 44 .*....N.._)..B.D
45 44 49 4E 4B 30 31 30 30 30 30 31 7F 49 4F 06 EDINK0100001.IO.
0A 04 00 7F 00 07 02 02 02 02 03 86 41 04 80 00 ............A...
0E 8E 99 7E 60 BC 6F 88 E6 6B 9B 8D D5 AD 2C D8 ...~`.o..k....,.
77 C2 06 20 8D 10 3C 33 62 E0 5C 64 D0 49 A8 40 w.. ..<3b.\d.I.@
5C 04 89 1D 2E A1 5D 1E DE 8C 1B CC C5 31 E1 6F \.....]......1.o
5A 4A B9 83 6C 97 0C 33 A2 A2 A0 AD 68 CC 5F 20 ZJ..l..3....h._ 
10 44 45 4E 4B 30 31 30 34 39 33 38 30 30 30 30 .DENK01049380000
30 7F 4C 10 06 0B 2B 06 01 04 01 81 C3 1F 03 01 0.L...+.........
01 53 01 00 5F 25 06 02 00 01 02 00 08 5F 24 06 .S.._%......._$.
02 03 01 00 02 05 5F 37 40 14 AE 8A 65 43 04 33 ......_7@...eC.3
50 B7 B0 8E 37 F2 ED AA 8A 18 2F CF 6F 32 62 59 P...7...../.o2bY
24 B6 8A 1E E9 B2 7E 93 E7 62 BF F4 60 E8 EB 14 $.....~..b..`...
44 FD 03 F6 DD 6C E7 2C 8F 04 AC 5F E3 A9 F3 C9 D....l.,..._....
ED AF 5B 38 3C 22 21 D6 AD                      ..[8<"!..
P:20475; T:0x140281538310016 16:30:08.215 [sc-hsm-tool] reader-pcsc.c:242:pcsc_internal_transmit: called
P:20475; T:0x140281538310016 16:30:09.421 [sc-hsm-tool] reader-pcsc.c:333:pcsc_transmit: 
Incoming APDU (2 bytes):
90 00 ..
P:20475; T:0x140281538310016 16:30:09.421 [sc-hsm-tool] apdu.c:382:sc_single_transmit: returning with: 0 (Success)
P:20475; T:0x140281538310016 16:30:09.421 [sc-hsm-tool] apdu.c:535:sc_transmit: returning with: 0 (Success)
P:20475; T:0x140281538310016 16:30:09.421 [sc-hsm-tool] card.c:523:sc_unlock: called
P:20475; T:0x140281538310016 16:30:09.421 [sc-hsm-tool] reader-pcsc.c:736:pcsc_unlock: called
P:20475; T:0x140281538310016 16:30:09.425 [sc-hsm-tool] card-sc-hsm.c:1530:verify_certificate: returning with: 0 (Success)
P:20475; T:0x140281538310016 16:30:09.425 [sc-hsm-tool] apdu.c:546:sc_transmit_apdu: called
P:20475; T:0x140281538310016 16:30:09.425 [sc-hsm-tool] card.c:473:sc_lock: called
P:20475; T:0x140281538310016 16:30:09.425 [sc-hsm-tool] reader-pcsc.c:684:pcsc_lock: called
P:20475; T:0x140281538310016 16:30:09.426 [sc-hsm-tool] card.c:513:sc_lock: returning with: 0 (Success)
P:20475; T:0x140281538310016 16:30:09.426 [sc-hsm-tool] apdu.c:513:sc_transmit: called
P:20475; T:0x140281538310016 16:30:09.426 [sc-hsm-tool] apdu.c:363:sc_single_transmit: called
P:20475; T:0x140281538310016 16:30:09.426 [sc-hsm-tool] apdu.c:370:sc_single_transmit: CLA:0, INS:22, P1:81, P2:B6, data(18) 0x7ffdab69d6d0
P:20475; T:0x140281538310016 16:30:09.426 [sc-hsm-tool] reader-pcsc.c:323:pcsc_transmit: reader 'Nitrokey Nitrokey HSM (DENK01054880000         ) 00 00'
P:20475; T:0x140281538310016 16:30:09.426 [sc-hsm-tool] reader-pcsc.c:324:pcsc_transmit: 
Outgoing APDU (23 bytes):
00 22 81 B6 12 83 10 44 45 4E 4B 30 31 30 34 39 .".....DENK01049
33 38 30 30 30 30 30                            3800000
P:20475; T:0x140281538310016 16:30:09.426 [sc-hsm-tool] reader-pcsc.c:242:pcsc_internal_transmit: called
P:20475; T:0x140281538310016 16:30:09.456 [sc-hsm-tool] reader-pcsc.c:333:pcsc_transmit: 
Incoming APDU (2 bytes):
90 00 ..
P:20475; T:0x140281538310016 16:30:09.456 [sc-hsm-tool] apdu.c:382:sc_single_transmit: returning with: 0 (Success)
P:20475; T:0x140281538310016 16:30:09.456 [sc-hsm-tool] apdu.c:535:sc_transmit: returning with: 0 (Success)
P:20475; T:0x140281538310016 16:30:09.456 [sc-hsm-tool] card.c:523:sc_unlock: called
P:20475; T:0x140281538310016 16:30:09.456 [sc-hsm-tool] reader-pcsc.c:736:pcsc_unlock: called
P:20475; T:0x140281538310016 16:30:09.464 [sc-hsm-tool] apdu.c:546:sc_transmit_apdu: called
P:20475; T:0x140281538310016 16:30:09.465 [sc-hsm-tool] card.c:473:sc_lock: called
P:20475; T:0x140281538310016 16:30:09.465 [sc-hsm-tool] reader-pcsc.c:684:pcsc_lock: called
P:20475; T:0x140281538310016 16:30:09.465 [sc-hsm-tool] card.c:513:sc_lock: returning with: 0 (Success)
P:20475; T:0x140281538310016 16:30:09.465 [sc-hsm-tool] apdu.c:513:sc_transmit: called
P:20475; T:0x140281538310016 16:30:09.465 [sc-hsm-tool] apdu.c:363:sc_single_transmit: called
P:20475; T:0x140281538310016 16:30:09.465 [sc-hsm-tool] apdu.c:370:sc_single_transmit: CLA:80, INS:54, P1:0, P2:0, data(672) 0x560594c81538
P:20475; T:0x140281538310016 16:30:09.465 [sc-hsm-tool] reader-pcsc.c:323:pcsc_transmit: reader 'Nitrokey Nitrokey HSM (DENK01054880000         ) 00 00'
P:20475; T:0x140281538310016 16:30:09.465 [sc-hsm-tool] reader-pcsc.c:324:pcsc_transmit: 
Outgoing APDU (681 bytes):
80 54 00 00 00 02 A0 7F 21 82 02 46 7F 4E 82 01 .T......!..F.N..
3C 5F 29 01 00 42 09 55 54 43 41 30 30 30 30 31 <_)..B.UTCA00001
7F 49 82 01 15 06 0A 04 00 7F 00 07 02 02 02 01 .I..............
02 81 82 01 00 A2 17 62 0A DD 2D 9F 16 B6 35 4E .......b..-...5N
8D 07 FB B2 E8 61 3F 1A 08 19 0B DA C4 F4 04 C2 .....a?.........
65 1D 85 BB 4A 59 AF C6 E1 EA C4 A0 D8 E2 47 72 e...JY........Gr
CF AC 87 CB D0 D2 C0 11 74 62 0E F0 1C 59 F5 42 ........tb...Y.B
90 45 F9 35 DD 5B 21 CE D9 25 2B 05 F7 CA 9C 89 .E.5.[!..%+.....
8E 9E 87 79 F1 C5 1A 53 C6 4C 26 5D CA 23 99 35 ...y...S.L&].#.5
8C A1 3D 2E 16 05 EE 8B 42 BE 0D 2A 79 2D 69 8A ..=.....B..*y-i.
1F A5 EA 2E A6 CC 63 30 50 27 A1 A0 26 55 F4 8E ......c0P'..&U..
97 89 D1 FD 65 2A A5 D5 C3 1A D8 87 DC D8 48 D3 ....e*........H.
4A 19 F8 69 5F DA 13 0A 21 66 0C 45 90 7F F3 62 J..i_...!f.E...b
B6 70 98 69 C4 AA FA 1D AD 55 FA D4 2A 96 5C 94 .p.i.....U..*.\.
7B A9 3F C3 BD 2B 48 11 2A 12 C6 36 4B 84 44 11 {.?..+H.*..6K.D.
CD F6 87 53 25 BB AD DE 42 1F FD 0C 47 6F 53 2A ...S%...B...GoS*
39 E0 21 92 06 5E 7F 12 41 87 45 BE 4C 76 5F 65 9.!..^..A.E.Lv_e
C3 C1 F9 77 32 C5 03 9A AA EC B1 99 B9 93 04 97 ...w2...........
ED 72 E5 15 1E DE 83 89 63 EB 68 2D 8A 9D EA 00 .r......c.h-....
4C B4 65 B0 F5 82 03 01 00 01 5F 20 10 44 45 4E L.e......._ .DEN
4B 30 31 30 34 39 33 38 30 30 30 30 31 5F 37 82 K010493800001_7.
01 00 01 94 26 64 6C 35 A1 FD 7A FE 08 BB C6 1D ....&dl5..z.....
5C 20 FB 3C 32 2C A0 78 43 16 4A 26 7F FD 24 90 \ .<2,.xC.J&..$.
54 3C D7 26 CF B4 69 5E 8E C1 54 F0 0E F8 E5 42 T<.&..i^..T....B
BB ED 8A D0 BE 5C A9 8E 9C B6 46 27 37 7F EC 59 .....\....F'7..Y
37 3A 76 D3 4E EE A0 9D B4 48 3D 37 D1 CC 45 C7 7:v.N....H=7..E.
CA 49 96 C1 E1 A8 D1 7C 35 BF FC 34 79 D6 5E 15 .I.....|5..4y.^.
04 57 B9 A3 36 56 A2 D9 67 4C 63 FB 07 9F DA 7C .W..6V..gLc....|
FC 0E D6 7B 53 28 00 39 3E 75 EF 4B 8F 5D 12 B3 ...{S(.9>u.K.]..
77 FA 36 01 C1 AF BC 93 C0 B9 67 D3 92 08 12 3D w.6.......g....=
1A AB 0B B5 AE 42 5C B8 DC 47 08 F1 AD 94 75 F6 .....B\..G....u.
74 37 D6 79 6B 9A C4 82 D5 9C 5B C9 58 AC 2A 97 t7.yk.....[.X.*.
EC 31 63 8E A1 06 FC DC E6 1C 77 1A C9 D0 93 73 .1c.......w....s
24 D3 73 B4 D4 5E 14 63 2C 1A 86 73 BA 5E 20 B0 $.s..^.c,..s.^ .
13 DD D2 E6 D6 B3 7B E2 35 06 D5 5A 1B 64 BF 8D ......{.5..Z.d..
CA 34 21 5C 0D 32 D9 E0 63 43 E4 6E 7B B7 9C 5E .4!\.2..cC.n{..^
91 C3 B6 D2 71 1F 3A 46 4D 84 9D FE F1 1A AF 20 ....q.:FM...... 
BC 54 42 10 44 45 4E 4B 30 31 30 34 39 33 38 30 .TB.DENK01049380
30 30 30 30 5F 37 40 4D B7 A9 BA 36 E6 5E D4 78 0000_7@M...6.^.x
05 B8 BC 1A B5 3F EA 81 42 71 97 A3 C8 38 E1 1A .....?..Bq...8..
CD EE D6 4D ED 16 E9 47 15 F4 63 B2 5E 2F 14 B7 ...M...G..c.^/..
3A 90 37 39 7B 3F C8 22 A7 36 9B CF 74 9E 66 5C :.79{?.".6..t.f\
64 3E 0B 29 E3 DB 39 00 04                      d>.)..9..
P:20475; T:0x140281538310016 16:30:09.466 [sc-hsm-tool] reader-pcsc.c:242:pcsc_internal_transmit: called
P:20475; T:0x140281538310016 16:30:09.990 [sc-hsm-tool] reader-pcsc.c:333:pcsc_transmit: 
Incoming APDU (2 bytes):
6A 80 j.
P:20475; T:0x140281538310016 16:30:09.990 [sc-hsm-tool] apdu.c:382:sc_single_transmit: returning with: 0 (Success)
P:20475; T:0x140281538310016 16:30:09.990 [sc-hsm-tool] apdu.c:535:sc_transmit: returning with: 0 (Success)
P:20475; T:0x140281538310016 16:30:09.990 [sc-hsm-tool] card.c:523:sc_unlock: called
P:20475; T:0x140281538310016 16:30:09.990 [sc-hsm-tool] reader-pcsc.c:736:pcsc_unlock: called
P:20475; T:0x140281538310016 16:30:09.994 [sc-hsm-tool] iso7816.c:128:iso7816_check_sw: Incorrect parameters in the data field
P:20475; T:0x140281538310016 16:30:09.994 [sc-hsm-tool] card-sc-hsm.c:1592:sc_hsm_register_public_key: Check SW error: -1205 (Incorrect parameters in APDU)
P:20475; T:0x140281538310016 16:30:09.994 [sc-hsm-tool] card.c:1065:sc_card_ctl: returning with: -1205 (Incorrect parameters in APDU)
sc_card_ctl(*, SC_CARDCTL_SC_HSM_REGISTER_PUBLIC_KEY, *) failed with Incorrect parameters in APDU
P:20475; T:0x140281538310016 16:30:09.994 [sc-hsm-tool] card.c:414:sc_disconnect_card: called
P:20475; T:0x140281538310016 16:30:09.995 [sc-hsm-tool] reader-pcsc.c:669:pcsc_disconnect: Nitrokey Nitrokey HSM (DENK01054880000         ) 00 00:SCardDisconnect returned: 0x00000000
P:20475; T:0x140281538310016 16:30:09.995 [sc-hsm-tool] card.c:436:sc_disconnect_card: returning with: 0 (Success)
P:20475; T:0x140281538310016 16:30:09.995 [sc-hsm-tool] ctx.c:931:sc_release_context: called
P:20475; T:0x140281538310016 16:30:09.995 [sc-hsm-tool] reader-pcsc.c:973:pcsc_finish: called

base64 of key0.pub

MIIEcmeCAqB/IYICRn9OggE8XykBAEIJVVRDQTAwMDAxf0mCARUGCgQAfwAHAgICAQKBggEAohdi
Ct0tnxa2NU6NB/uy6GE/GggZC9rE9ATCZR2Fu0pZr8bh6sSg2OJHcs+sh8vQ0sARdGIO8BxZ9UKQ
Rfk13VshztklKwX3ypyJjp6HefHFGlPGTCZdyiOZNYyhPS4WBe6LQr4NKnktaYofpeoupsxjMFAn
oaAmVfSOl4nR/WUqpdXDGtiH3NhI00oZ+Glf2hMKIWYMRZB/82K2cJhpxKr6Ha1V+tQqllyUe6k/
w70rSBEqEsY2S4REEc32h1Mlu63eQh/9DEdvUyo54CGSBl5/EkGHRb5Mdl9lw8H5dzLFA5qq7LGZ
uZMEl+1y5RUe3oOJY+toLYqd6gBMtGWw9YIDAQABXyAQREVOSzAxMDQ5MzgwMDAwMV83ggEAAZQm
ZGw1of16/gi7xh1cIPs8MiygeEMWSiZ//SSQVDzXJs+0aV6OwVTwDvjlQrvtitC+XKmOnLZGJzd/
7Fk3OnbTTu6gnbRIPTfRzEXHykmWweGo0Xw1v/w0edZeFQRXuaM2VqLZZ0xj+wef2nz8DtZ7UygA
OT5170uPXRKzd/o2AcGvvJPAuWfTkggSPRqrC7WuQly43EcI8a2UdfZ0N9Z5a5rEgtWcW8lYrCqX
7DFjjqEG/NzmHHcaydCTcyTTc7TUXhRjLBqGc7peILAT3dLm1rN74jUG1VobZL+NyjQhXA0y2eBj
Q+Rue7ecXpHDttJxHzpGTYSd/vEaryC8VEIQREVOSzAxMDQ5MzgwMDAwMF83QE23qbo25l7UeAW4
vBq1P+qBQnGXo8g44RrN7tZN7RbpRxX0Y7JeLxS3OpA3OXs/yCKnNpvPdJ5mXGQ+Cynj2zl/IYHk
f06BnV8pAQBCDURFRElOSzAxMDAwMDF/SU8GCgQAfwAHAgICAgOGQQSAAA6OmX5gvG+I5mubjdWt
LNh3wgYgjRA8M2LgXGTQSahAXASJHS6hXR7ejBvMxTHhb1pKuYNslwwzoqKgrWjMXyAQREVOSzAx
MDQ5MzgwMDAwMH9MEAYLKwYBBAGBwx8DAQFTAQBfJQYCAAECAAhfJAYCAwEAAgVfN0AUroplQwQz
ULewjjfy7aqKGC/PbzJiWSS2ih7psn6T52K/9GDo6xRE/QP23WznLI8ErF/jqfPJ7a9bODwiIdat
fyGB4n9OgZtfKQEAQg5ERVNSQ0FDQzEwMDAwMX9JTwYKBAB/AAcCAgICA4ZBBJ1JzQhzAclQ4X5S
1LvOlOYJzHhCuJsjy6eRbMza847yHUL12uU0CiQIeSAXOTriiK804kghR3DOfdY/0x2Zo1hfIA1E
RURJTkswMTAwMDAxf0wQBgsrBgEEAYHDHwMBAVMBgF8lBgEFAQACBl8kBgIDAQACBV83QG1Zm1Oc
p3Ih0aEzvtyvDeHMECaA1Q4dWWAHCj254x8SgHXCKyzBlIV6TWSQ3gCyrh/yw5JiqLxOpOU5TMEp
0Lo=

sc-hsm · March 9, 2021, 8:23am

The key used for authentication must be an ECDSA key with brainpoolP256r1 curve. A RSA key can not be registered for public key authentication.

I don’t know the code from the pull-request, so I’d suggest to try this in the Smart Card Shell as described in the document.

charlotte · March 9, 2021, 9:53pm

The key used for authentication must be an ECDSA key with brainpoolP256r1 curve. A RSA key can not be registered for public key authentication.

Thanks, that helps! I’ll try exporting an ECDSA key with brainpoolP256r1 and see if that works.

I’d suggest to try this in the Smart Card Shell as described in the document.

Yes, but unfortunately it doesn’t build without extra effort on ubuntu 18.04 (this might be user error, I’m not familiar with the java ecosystem) and it would be preferable to use publicly available code. Anyways that was my backup plan, so I’ll go forward with that if exporting the ECDSA key doesn’t work.

Appreciate the help!

ondeso · January 17, 2022, 8:31am

The key used for authentication must be an ECDSA key with brainpoolP256r1 curve.

I tested the n-of-m authentication with brainpoolP256r1, and it worked fine.
But I also tried another cureve like secp256k1, and it seems that the authentication mechanism has no problem with that.
Do I ran into trouble with I do not use brainpoolP256r1?

sc-hsm · January 17, 2022, 9:02am

The automated tests only use brainpoolP256r1, but others should work as well. That was different in old firmware version, where only brainpoolP256r1 was supported.