I'm following this post to do my first steps with the Nitrokey HSM2: "Get started with the Nitrokey HSM or SmartCard-HSM" (Raymii.org).
I've set up the SO PIN and User PIN, created a first RSA key (ID=1), wrapped it using the DKEK and am now trying to delete and restore the key.
According to the howto I should do:

> We can test the backup by, after creating a backup first, deleting the key material in the slot:
>
> ```
> pkcs11-tool --module opensc-pkcs11.so --login --pin 648219 --delete-object --type cert --id 10
> pkcs11-tool --module opensc-pkcs11.so --login --pin 648219 --delete-object --type privkey --id 10
> pkcs11-tool --module opensc-pkcs11.so --login --pin 648219 --delete-object --type data --label "HSM RSA Key Remy"
> ```
>
> If you use the `pkcs15-tool --dump` command or the `pkcs11-tool --list-objects` command you see that the key is gone.
Of course, I changed ID and label accordingly. However, I can only delete the type `privkey`. When trying to delete `type==cert` I just get `error: object not found`. Same for `type==data`.
When I then try to restore/unwrap the saved key I get:
```
(base) daubsi@bigigloo:/tmp$ sc-hsm-tool --unwrap-key wrap-key-1.bin --key-reference 1 --pin xxxxxx
Using reader with a card: Nitrokey Nitrokey HSM (DENKxxxxxxxxxxxxx ) 00 00
Wrapped key contains:
  Key blob
  Private Key Description (PRKD)
  Certificate
Found existing certificate in EF with fid ce01. Please remove certificate first, select unused key reference or use --force.
(base) daubsi@bigigloo:/tmp$ pkcs11-tool --login --delete-object --type cert --id 1
Using slot 0 with a present token (0x0)
Logging in to "UserPIN (SmartCard-HSM)".
Please enter User PIN:
error: object not found
Aborting.
(base) daubsi@bigigloo:/tmp$ sc-hsm-tool --unwrap-key wrap-key-1.bin --key-reference 1 --pin xxxxxxx --force
Using reader with a card: Nitrokey Nitrokey HSM (DENKxxxxxxxxxxxxx ) 00 00
Wrapped key contains:
  Key blob
  Private Key Description (PRKD)
  Certificate
Key successfully imported
(base) daubsi@bigigloo:/tmp$ pkcs11-tool --list-objects
Using slot 0 with a present token (0x0)
Public Key Object; RSA 4096 bits
  label:      xxxxx Master Key
  ID:         01
  Usage:      encrypt, verify, wrap
```
However, when I delete the privkey, all the rest seems to be gone as well?
```
(base) daubsi@bigigloo:/tmp$ pkcs11-tool --module opensc-pkcs11.so --login --delete-object --id 1 --type privkey
Using slot 0 with a present token (0x0)
Logging in to "UserPIN (SmartCard-HSM)".
Please enter User PIN:
(base) daubsi@bigigloo:/tmp$ pkcs11-tool --module opensc-pkcs11.so --login --delete-object --id 1 --type cert
Using slot 0 with a present token (0x0)
Logging in to "UserPIN (SmartCard-HSM)".
Please enter User PIN:
error: object not found
Aborting.
(base) daubsi@bigigloo:/tmp$ pkcs15-tool --dump
Using reader with a card: Nitrokey Nitrokey HSM (DENKxxxxxxxxxxxxx ) 00 00
PKCS#15 Card [SmartCard-HSM]:
        Version        : 0
        Serial number  : DENKxxxxxxxx
        Manufacturer ID: www.CardContact.de
        Flags          :

PIN [UserPIN]
        Object Flags   : [0x3], private, modifiable
        Auth ID        : 02
        ID             : 01
        Flags          : [0x812], local, initialized, exchangeRefData
        Length         : min_len:6, max_len:15, stored_len:0
        Pad char       : 0x00
        Reference      : 129 (0x81)
        Type           : ascii-numeric
        Path           : e82b060104018xxxxxxx::
        Tries left     : 3

PIN [SOPIN]
        Object Flags   : [0x1], private
        ID             : 02
        Flags          : [0x9A], local, unblock-disabled, initialized, soPin
        Length         : min_len:16, max_len:16, stored_len:0
        Pad char       : 0x00
        Reference      : 136 (0x88)
        Type           : bcd
        Path           : e82b060104018xxxxxxx::
        Tries left     : 15
```
Still, on restoring I get the same error:

```
Found existing certificate in EF with fid ce01. Please remove certificate first, select unused key reference or use --force.
```

Using `--force`, it seems to work fine. Can this error safely be ignored? Is it a bug, maybe?
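A small shell script that turns the delete-and-restore test from the howto into a checked round trip. It is an added example, not code from the original post or from OpenSC or Nitrokey. It assumes the DKEK share is already imported, the key has PKCS#11 ID `01` and key reference `1`, the backup file is `wrap-key-1.bin` and the User PIN is supplied in the `PIN` environment variable (all of these are overridable). The PKCS#11 object list is re-read before each delete because, as the session above shows, deleting the privkey can take the related objects with it, so a blind `--delete-object --type cert` ends in `object not found`; the public key is fingerprinted before deletion and after unwrap, so the restore is verified against the key material itself rather than its label.

```shell
#!/bin/sh
# Added example (not from the original post, nor OpenSC/Nitrokey code): check a
# SmartCard-HSM backup/restore round trip with OpenSC's pkcs11-tool and
# sc-hsm-tool. Assumptions: DKEK share already imported, key has PKCS#11 ID 01
# and key reference 1, backup file is wrap-key-1.bin, User PIN is in $PIN.
set -eu

MODULE=${MODULE:-opensc-pkcs11.so}
KEY_ID=${KEY_ID:-01}
KEY_REF=${KEY_REF:-1}
BACKUP=${BACKUP:-wrap-key-1.bin}

# list_types_for_id: read `pkcs11-tool --list-objects` output from stdin and
# print the --type names (privkey, pubkey, cert) present for the given hex ID,
# one per line, sorted. Data objects carry a label rather than an ID, so they
# are not covered here.
list_types_for_id() {
  awk -v want="$1" '
    /^Private Key Object/ { type = "privkey" }
    /^Public Key Object/  { type = "pubkey" }
    /^Certificate Object/ { type = "cert" }
    /^ *ID:/              { if (type != "" && $2 == want) print type; type = "" }
  ' | sort -u
}

# has_type: succeed if the type name given as $1 is one of the lines on stdin.
has_type() {
  grep -qx "$1"
}

# pubkey_fingerprint: SHA-256 of the DER-encoded public key object with the
# given ID, read through PKCS#11 (no login needed for a public object).
pubkey_fingerprint() {
  tmp=$(mktemp)
  pkcs11-tool --module "$MODULE" --read-object --type pubkey --id "$1" -o "$tmp" >/dev/null
  sha256sum "$tmp" | cut -d' ' -f1
  rm -f "$tmp"
}

# delete_present_objects: for each type, re-list the token and delete only if
# the object is still there. Deleting the privkey may already have removed the
# others, so a stale list would trip over "object not found".
delete_present_objects() {
  for t in privkey cert pubkey; do
    if pkcs11-tool --module "$MODULE" --login --pin "$PIN" --list-objects \
         | list_types_for_id "$1" | has_type "$t"; then
      pkcs11-tool --module "$MODULE" --login --pin "$PIN" \
        --delete-object --type "$t" --id "$1"
    fi
  done
}

# round_trip_check: fingerprint, delete, unwrap from the backup, fingerprint
# again and compare. Returns non-zero if the restored public key differs.
# No --force is passed: a leftover certificate EF should stop the run.
round_trip_check() {
  before=$(pubkey_fingerprint "$KEY_ID")
  delete_present_objects "$KEY_ID"
  sc-hsm-tool --unwrap-key "$BACKUP" --key-reference "$KEY_REF" --pin "$PIN"
  after=$(pubkey_fingerprint "$KEY_ID")
  if [ "$before" = "$after" ]; then
    echo "restore verified: public key $KEY_ID unchanged ($after)"
  else
    echo "MISMATCH: before=$before after=$after" >&2
    return 1
  fi
}

# Only touch the token when explicitly asked: PIN=... sh backup-check.sh run
if [ "${1:-}" = run ]; then
  round_trip_check
fi
```

Run it as `PIN=... sh backup-check.sh run`. It deliberately does not pass `--force` to `sc-hsm-tool --unwrap-key`, so if EF ce01 still holds a certificate the script stops at that error instead of silently overwriting the file, and the fingerprint comparison at the end is what tells you the unwrapped key is really the one you backed up.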