Problem deleting key material

I’m following this post to do my first steps with the Nitrokey HSM2: Get started with the Nitrokey HSM or SmartCard-HSM - Raymii.org

I’ve setup SO PIN, User PIN, created a first RSA Key (ID=1), wrapped it using the DKEK and am now trying to delete and restore the key.

According to the howto I should do:

We can test the backup by, after creating a backup first, deleting the key material in the slot:

pkcs11-tool --module opensc-pkcs11.so --login --pin 648219 --delete-object --type cert --id 10
pkcs11-tool --module opensc-pkcs11.so --login --pin 648219 --delete-object --type privkey --id 10
pkcs11-tool --module opensc-pkcs11.so --login --pin 648219 --delete-object --type data --label "HSM RSA Key Remy"

If you use the `pkcs15-tool --dump` command or the `pkcs11-tool --list-objects` command you see that the key is gone.

Of course, I changed ID and label accordingly. However, I can only delete the type “privkey”. When trying to delete type==cert I just get “error: object not found”. Same for type==data.

When I then try to restore/unwrap the saved key I get:

(base) daubsi@bigigloo:/tmp$ sc-hsm-tool --unwrap-key wrap-key-1.bin --key-reference 1 --pin xxxxxx
Using reader with a card: Nitrokey Nitrokey HSM (DENKxxxxxxxxxxxxx         ) 00 00
Wrapped key contains:
  Key blob
  Private Key Description (PRKD)
  Certificate
Found existing certificate in EF with fid ce01. Please remove certificate first, select unused key reference or use --force.
(base) daubsi@bigigloo:/tmp$ pkcs11-tool --login --delete-object --type cert --id 1
Using slot 0 with a present token (0x0)
Logging in to "UserPIN (SmartCard-HSM)".
Please enter User PIN:
error: object not found
Aborting.
(base) daubsi@bigigloo:/tmp$ sc-hsm-tool --unwrap-key wrap-key-1.bin --key-reference 1 --pin xxxxxxx --force
Using reader with a card: Nitrokey Nitrokey HSM (DENKxxxxxxxxxxxxx         ) 00 00
Wrapped key contains:
  Key blob
  Private Key Description (PRKD)
  Certificate
Key successfully imported
(base) daubsi@bigigloo:/tmp$ pkcs11-tool --list-objects
Using slot 0 with a present token (0x0)
Public Key Object; RSA 4096 bits
  label:      xxxxx Master Key
  ID:         01
  Usage:      encrypt, verify, wrap

However, when I delete the privkey, all the rest seems to be gone as well?

(base) daubsi@bigigloo:/tmp$ pkcs11-tool --module opensc-pkcs11.so --login --delete-object --id 1 --type privkey
Using slot 0 with a present token (0x0)
Logging in to "UserPIN (SmartCard-HSM)".
Please enter User PIN:
(base) daubsi@bigigloo:/tmp$ pkcs11-tool --module opensc-pkcs11.so --login --delete-object --id 1 --type cert
Using slot 0 with a present token (0x0)
Logging in to "UserPIN (SmartCard-HSM)".
Please enter User PIN:
error: object not found
Aborting.
(base) daubsi@bigigloo:/tmp$ pkcs15-tool --dump
Using reader with a card: Nitrokey Nitrokey HSM (DENKxxxxxxxxxxxxx         ) 00 00
PKCS#15 Card [SmartCard-HSM]:
        Version        : 0
        Serial number  : DENKxxxxxxxx
        Manufacturer ID: www.CardContact.de
        Flags          :

PIN [UserPIN]
        Object Flags   : [0x3], private, modifiable
        Auth ID        : 02
        ID             : 01
        Flags          : [0x812], local, initialized, exchangeRefData
        Length         : min_len:6, max_len:15, stored_len:0
        Pad char       : 0x00
        Reference      : 129 (0x81)
        Type           : ascii-numeric
        Path           : e82b060104018xxxxxxx::
        Tries left     : 3

PIN [SOPIN]
        Object Flags   : [0x1], private
        ID             : 02
        Flags          : [0x9A], local, unblock-disabled, initialized, soPin
        Length         : min_len:16, max_len:16, stored_len:0
        Pad char       : 0x00
        Reference      : 136 (0x88)
        Type           : bcd
        Path           : e82b060104018xxxxxxx::
        Tries left     : 15

Still on restoring I get the same error that
Found existing certificate in EF with fid ce01. Please remove certificate first, select unused key reference or use --force.

Using force it seems to work fine. Can this error safely be ignored? Is it a bug maybe?

Hi @daubsi !

Which OpenSC version do you use? Please make sure it is the latest one - v0.20. This command should show it:

pkcs11-tool -I | head

It’s OK to use --force in that case.

Background: In the SmartCard-HSM the EE-Certificate is associated with the private key (e.g. key under CC02, certificate in CE02) and both share the same PKCS#15 meta-data (here C402). Traditional PKCS#15 cards separate private keys and related certificates, which leads to a duplication of meta-data.

If you remove a private key, then the related certificate disappears as well; however, the certificate remains dangling in its EF. This is caused by OpenSC, which does not understand the concept of deleting key and certificate in one step. If you first delete the certificate and then the key, then the meta-data is updated fine.

Because this happens so frequently, the sc-hsm-tool detects dangling certificates and removes them with the --force option.
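As an added example (not code from the thread, from OpenSC or from CardContact), the following Python helper issues the deletions in the order the reply recommends, certificate before private key, and then parses `pkcs11-tool --list-objects` output to confirm that no object with the given ID is left. It assumes `pkcs11-tool` is on PATH and the OpenSC module is reachable as `opensc-pkcs11.so`; the FID mapping (CCxx key, CExx certificate, C4xx meta-data) follows the reply's description; the sample listing is constructed from the output shown earlier in the thread so the parser can be exercised without a token.

```python
"""Delete SmartCard-HSM key material in cert-then-key order and verify the slot is empty.
Added example for this thread; not part of OpenSC, sc-hsm-tool or the Nitrokey tooling."""
import re
import shlex
import subprocess
from typing import Dict, List, Optional

# Assumption: OpenSC's PKCS#11 module is on the library search path under this name.
MODULE = "opensc-pkcs11.so"


def slot_fids(key_ref: int) -> Dict[str, str]:
    """EF file identifiers tied to one SmartCard-HSM key reference, as the reply
    describes them: private key under CCxx, EE certificate in CExx, shared PKCS#15
    meta-data in C4xx (key reference 1 -> certificate in fid ce01, as in the error)."""
    if not 1 <= key_ref <= 0xFF:
        raise ValueError("key reference must be 1..255")
    return {"key": f"cc{key_ref:02x}", "cert": f"ce{key_ref:02x}", "prkd": f"c4{key_ref:02x}"}


def parse_list_objects(text: str) -> List[Dict[str, str]]:
    """Parse `pkcs11-tool --list-objects` output: a header such as
    'Public Key Object; RSA 4096 bits' starts an object, indented 'name: value'
    lines are its attributes. Chatter like 'Using slot 0 ...' is skipped."""
    objects: List[Dict[str, str]] = []
    for line in text.splitlines():
        head = re.match(r"^(\S.*?)\s+Object;\s*(.*)$", line)
        if head:
            objects.append({"type": head.group(1), "detail": head.group(2).strip()})
            continue
        attr = re.match(r"^\s+([A-Za-z][A-Za-z ]*?):\s*(.*)$", line)
        if attr and objects:
            objects[-1][attr.group(1).strip().lower()] = attr.group(2).strip()
    return objects


def objects_with_id(text: str, obj_id: int) -> List[Dict[str, str]]:
    """Objects in a listing whose CKA_ID (printed by pkcs11-tool as hex) equals obj_id."""
    wanted = f"{obj_id:02x}"
    return [o for o in parse_list_objects(text) if o.get("id", "").lower() == wanted]


def delete_commands(obj_id: int, data_label: Optional[str], pin: Optional[str] = None) -> List[List[str]]:
    """Deletion sequence in the order the reply recommends: certificate first, then
    the private key, so the shared meta-data is updated and no certificate is left
    dangling in its EF. A data object, if one was created, is independent and goes last."""
    base = ["pkcs11-tool", "--module", MODULE, "--login"] + (["--pin", pin] if pin else [])
    hex_id = f"{obj_id:02x}"
    cmds = [
        base + ["--delete-object", "--type", "cert", "--id", hex_id],
        base + ["--delete-object", "--type", "privkey", "--id", hex_id],
    ]
    if data_label:
        cmds.append(base + ["--delete-object", "--type", "data", "--label", data_label])
    return cmds


def run(cmd: List[str]) -> subprocess.CompletedProcess:
    """Run one command without raising: 'object not found' on the certificate step is
    expected for a slot that never had a certificate and must not abort the sequence."""
    return subprocess.run(cmd, capture_output=True, text=True, check=False)


def delete_key_material(obj_id: int, data_label: Optional[str] = None, pin: Optional[str] = None) -> bool:
    """Run the deletions, then list objects (logged in, so private objects are visible)
    and return True only if nothing with this ID remains."""
    for cmd in delete_commands(obj_id, data_label, pin):
        res = run(cmd)
        print(shlex.join(cmd), "->", "ok" if res.returncode == 0 else res.stderr.strip())
    listing_cmd = ["pkcs11-tool", "--module", MODULE, "--list-objects"]
    if pin:
        listing_cmd += ["--login", "--pin", pin]
    return not objects_with_id(run(listing_cmd).stdout, obj_id)


# Constructed sample, modelled on the listing in the thread (only the public key
# is shown because that listing was taken without --login).
SAMPLE_LISTING = """\
Using slot 0 with a present token (0x0)
Public Key Object; RSA 4096 bits
  label:      xxxxx Master Key
  ID:         01
  Usage:      encrypt, verify, wrap
"""

if __name__ == "__main__":
    print("key reference 1 lives in EFs", slot_fids(1))
    print("objects with ID 01 in sample listing:", objects_with_id(SAMPLE_LISTING, 1))
    for c in delete_commands(1, "HSM RSA Key Remy"):
        print("would run:", shlex.join(c))
```

Running `delete_key_material(1, "HSM RSA Key Remy", pin="...")` against a token performs the real deletions; the functions above it are pure and can be checked offline against the constructed listing. If the certificate step still reports "object not found" because the key was already removed in the wrong order, the reply's advice stands: `sc-hsm-tool --unwrap-key ... --force` clears the dangling certificate during the restore.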

Thank you for this detailed explanation why the error occurs! Appreciated!

It’s the v0.19 from the Nitrokey github page https://github.com/Nitrokey/opensc-build

Cryptoki version 2.20
Manufacturer     OpenSC Project
Library          OpenSC smartcard framework (ver 0.19)
Using slot 0 with a present token (0x0)