No access flags output on objects with opensc-pkcs11?

I am still learning how to use pkcs11-tool, pkcs15-tool, openssl engine integration properly to achieve my stuff. I created keys and stuff on my Nitrokey HSM2 and now have a CardOS 4.4 card with the official PKCS11 drivers from the vendor on a second system as well.

During creation of a CSR on the CardOS card I ran into a problem:

pkcs11-tool --keypairgen --key-type rsa:2048 --label "MD_Priv" --id 42 --login --module /usr/local/lib/libcardos11.so
Using slot 0 with a present token (0x1)
Logging in to "Test".
Please enter User PIN:
Key pair generated:
Private Key Object; RSA
  label:      MD_Priv
  ID:         42
  Usage:      decrypt, sign, unwrap
  Access:     sensitive, always sensitive, never extractable, local
Public Key Object; RSA 2048 bits
  label:      MD_Priv
  ID:         42
  Usage:      encrypt, verify, wrap
  Access:     local

OK, key generated

Now a CSR:

daubsi@playbox:~$ openssl req -engine pkcs11 -key "pkcs11:object=MD_Priv;type=private" -keyform engine -out daubsi.pem -days 354 -text -x509
engine "pkcs11" set.
Enter PKCS#11 token PIN for Test:
[...]
Organizational Unit Name (eg, section) []:xxx
Common Name (e.g. server FQDN or YOUR name) []:xxx
Email Address []:xxx
140160700826816:error:8207A030:PKCS#11 module:pkcs11_private_encrypt:Device error:p11_rsa.c:116:
140160700826816:error:0D0DC006:asn1 encoding routines:ASN1_item_sign_ctx:EVP lib:../crypto/asn1/a_sign.c:224

Now, you might say: “Hey this is the Nitrokey forum not CardOS!”. Of course you are right. I was investigating what might have been the problem and noticed the access flags on the key using pkcs11-tool were different than the ones on the HSM!

CardOS System:

pkcs11-tool -O 
daubsi@playbox:~$ pkcs11-tool --module /usr/local/lib/libcardos11.so -O -l
Using slot 0 with a present token (0x1)
Logging in to "Test".
Please enter User PIN:
Object 10, type 2147483649
[...]
Private Key Object; RSA
  label:      MD_Priv
  ID:         42
  Usage:      decrypt, sign, unwrap
  **Access:     sensitive, always sensitive, never extractable, local**
[...]

Whereas when I create a key on the Smartcard HSM and issue the same command, I get:

pkcs11-tool --keypairgen --key-type rsa:1024 --label "TestKey" --login

pkcs11-tool -O -l
Private Key Object; RSA
  label:      TestKey
  ID:         0f254cf2fc8240b186503658b2e0f0ea4a8b0c84
  Usage:      decrypt, sign, unwrap

So, no “Access” here?

However, when I use the pkcs15-tool the same flags appear as on the CardOS machine:

pkcs15-tool -D
Private RSA Key [TestKey]
        Object Flags   : [0x3], private, modifiable
        Usage          : [0x2E], decrypt, sign, signRecover, unwrap
        Access Flags   : [0x1D], sensitive, alwaysSensitive, neverExtract, local
        ModLength      : 1024
        Key ref        : 4 (0x4)
        Native         : yes
        Auth ID        : 01
        ID             : 0f254cf2fc8240b186503658b2e0f0ea4a8b0c84
        MD:guid        : db9c1e6b-b3c8-207a-ea9a-b80bc6230000

So… my question is: is what “pkcs11-tool -O” outputs a matter of the PKCS#11 driver, or why do I get the access info with CardOS but not with the opensc-pkcs11 driver for my Nitrokey HSM 2?

And - maybe someone has an idea - what could be the reason for the error on the CardOS card as well?

140160700826816:error:8207A030:PKCS#11 module:pkcs11_private_encrypt:Device error:p11_rsa.c:116:
140160700826816:error:0D0DC006:asn1 encoding routines:ASN1_item_sign_ctx:EVP lib:../crypto/asn1/a_sign.c:224

Thank you!
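To compare the two tools bit for bit, here is an added Python example (not code from this thread or from OpenSC) that decodes the hex bitmasks `pkcs15-tool -D` prints, using the PKCS#15 object/usage/access bit assignments that OpenSC uses, and maps each access bit to the PKCS#11 attribute that carries the same information on the PKCS#11 side (the attributes `pkcs11-tool -O` has to read from the module). The sample block is copied from the post above.

```python
"""Decode the [0x..] bitmasks in pkcs15-tool -D output for a private key and
relate the access bits to their PKCS#11 attributes.

Added example; the bit values are the PKCS#15 encodings as stored by OpenSC
(sc_pkcs15_object.flags, sc_pkcs15_prkey_info.usage / .access_flags).
"""
import re

# PKCS#15 CommonObjectAttributes.flags
OBJECT_FLAGS = {0x01: "private", 0x02: "modifiable"}

# PKCS#15 KeyUsageFlags, in OpenSC bit order
USAGE_FLAGS = {
    0x001: "encrypt", 0x002: "decrypt", 0x004: "sign", 0x008: "signRecover",
    0x010: "wrap", 0x020: "unwrap", 0x040: "verify", 0x080: "verifyRecover",
    0x100: "derive", 0x200: "nonRepudiation",
}

# PKCS#15 KeyAccessFlags and the PKCS#11 attribute carrying the same fact
ACCESS_FLAGS = {
    0x01: ("sensitive", "CKA_SENSITIVE"),
    0x02: ("extractable", "CKA_EXTRACTABLE"),
    0x04: ("alwaysSensitive", "CKA_ALWAYS_SENSITIVE"),
    0x08: ("neverExtract", "CKA_NEVER_EXTRACTABLE"),
    0x10: ("local", "CKA_LOCAL"),
}

# Sample input: the pkcs15-tool -D block from the post above
SAMPLE = """Private RSA Key [TestKey]
        Object Flags   : [0x3], private, modifiable
        Usage          : [0x2E], decrypt, sign, signRecover, unwrap
        Access Flags   : [0x1D], sensitive, alwaysSensitive, neverExtract, local
        ModLength      : 1024
"""

def decode_bits(value, table):
    """Names of all bits set in value, lowest bit first."""
    return [table[bit] for bit in sorted(table) if value & bit]

def parse_pkcs15_key(text):
    """Extract the three hex bitmasks from one key's pkcs15-tool -D block."""
    masks = {}
    for line in text.splitlines():
        m = re.match(r"\s*(Object Flags|Usage|Access Flags)\s*:\s*\[0x([0-9A-Fa-f]+)\]", line)
        if m:
            masks[m.group(1)] = int(m.group(2), 16)
    return masks

def pkcs11_view(access_mask):
    """CK_BBOOL value each PKCS#11 access attribute should have for this key."""
    return {attr: bool(access_mask & bit) for bit, (_, attr) in ACCESS_FLAGS.items()}

if __name__ == "__main__":
    masks = parse_pkcs15_key(SAMPLE)
    print("usage :", decode_bits(masks["Usage"], USAGE_FLAGS))
    print("access:", pkcs11_view(masks["Access Flags"]))
```

Running it against your own `pkcs15-tool -D` output gives the expected CKA_* values to hold against whatever `pkcs11-tool -O` (or an `OPENSC_DEBUG` trace of C_GetAttributeValue) shows for the same key.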

Please forget about the CardOS part of the problem… This seems to be a harder problem… It also doesn't work properly with a known working card, and I now have debug logs and will check with the developers.

The question about the access flags is still valid though :wink:

Just as a side note, and to provide an answer to the CardOS problem: the problem was related to getting back CKR_DEVICE_ERROR for all “interesting requests”. Troubleshooting with the vendor showed it was probably really related to the smartcard reader, an OmniKey 3121 USB. I found updated drivers on the vendor site: https://www.hidglobal.com/drivers (direct link: https://www.hidglobal.com/drivers/30476 -> "HID® OMNIKEY® LINUX DRIVER FOR 8051 CONTROLLER BASED READERS (X86, X64, I686, ARM) V.4.3.3"). Using this driver with pcscd solved all problems, and the CardOS cards work now as well (and probably all other cards).

Hi!
I believe that each driver has its own routines to manage the smart card, and especially to describe its attributes. For details you might need to look into the actual driver source code in the OpenSC project. To check which one it is, you can run the command with debug mode enabled, like `env OPENSC_DEBUG=9 pkcs11-tool -L`.
