What I’ve come to notice is that once a key has been generated once in a slot, it stays there forever (even after explicitly deleting it or re-initializing the device). These two actions only cause the key to “appear” like it does not exist, but if I try to re-generate a key, that old key is the one that reappears (with the same label even if I explicitly specify a different one). To demonstrate this, please take a look at logs below. I ran the following commands twice on each key (to show that the same public key is displayed even after regenerating the key):
sc-hsm-tool -X
sc-hsm-tool
pkcs15-tool -D
pkcs11-tool --login --keypairgen --key-type rsa:2048 --id 1 --label "test1234"
pkcs15-tool -D
pkcs15-tool --read-ssh-key 01
For reference, when I initially plugged in my key, I created two keys; the labels were “nginx” and “apps” respectively. The labels were never specified when running the tests to demonstrate the logs attached to this email.
LOGS:
[root@fedora nacl-crypt-s3-browser]$ sc-hsm-tool -X
Using reader with a card: Nitrokey Nitrokey HSM (DENK01072070000 ) 00 00
Enter SO-PIN (16 hexadecimal characters) :
Enter initial User-PIN (6 - 16 characters) :
[root@fedora nacl-crypt-s3-browser]$ sc-hsm-tool
Using reader with a card: Nitrokey Nitrokey HSM (DENK01072070000 ) 00 00
Version : 3.5
Config options :
User PIN reset with SO-PIN enabled
SO-PIN tries left : 15
User PIN tries left : 3
[root@fedora nacl-crypt-s3-browser]$ pkcs15-tool -D
Using reader with a card: Nitrokey Nitrokey HSM (DENK01072070000 ) 00 00
PKCS#15 Card [SmartCard-HSM]:
Version : 0
Serial number : DENK0107207
Manufacturer ID: www.CardContact.de
Flags :
PIN [UserPIN]
Object Flags : [0x03], private, modifiable
Auth ID : 02
ID : 01
Flags : [0x812], local, initialized, exchangeRefData
Length : min_len:6, max_len:15, stored_len:0
Pad char : 0x00
Reference : 129 (0x81)
Type : ascii-numeric
Path : e82b0601040181c31f0201::
Tries left : 3
PIN [SOPIN]
Object Flags : [0x01], private
ID : 02
Flags : [0x9A], local, unblock-disabled, initialized, soPin
Length : min_len:16, max_len:16, stored_len:0
Pad char : 0x00
Reference : 136 (0x88)
Type : bcd
Path : e82b0601040181c31f0201::
Tries left : 15
[root@fedora nacl-crypt-s3-browser]$ pkcs11-tool --login --keypairgen --key-type rsa:2048 --id 1 --label "test1234"
Using slot 0 with a present token (0x0)
Logging in to "SmartCard-HSM (UserPIN)".
Please enter User PIN:
Key pair generated:
Private Key Object; RSA
label: test1234
ID: 01
Usage: decrypt, sign
Access: none
Public Key Object; RSA 2048 bits
label: test1234
ID: 01
Usage: encrypt, verify
Access: none
[root@fedora nacl-crypt-s3-browser]$ pkcs15-tool -D
Using reader with a card: Nitrokey Nitrokey HSM (DENK01072070000 ) 00 00
PKCS#15 Card [SmartCard-HSM]:
Version : 0
Serial number : DENK0107207
Manufacturer ID: www.CardContact.de
Flags :
PIN [UserPIN]
Object Flags : [0x03], private, modifiable
Auth ID : 02
ID : 01
Flags : [0x812], local, initialized, exchangeRefData
Length : min_len:6, max_len:15, stored_len:0
Pad char : 0x00
Reference : 129 (0x81)
Type : ascii-numeric
Path : e82b0601040181c31f0201::
Tries left : 3
PIN [SOPIN]
Object Flags : [0x01], private
ID : 02
Flags : [0x9A], local, unblock-disabled, initialized, soPin
Length : min_len:16, max_len:16, stored_len:0
Pad char : 0x00
Reference : 136 (0x88)
Type : bcd
Path : e82b0601040181c31f0201::
Tries left : 15
Private RSA Key [nginx]
Object Flags : [0x03], private, modifiable
Usage : [0x0E], decrypt, sign, signRecover
Access Flags : [0x1D], sensitive, alwaysSensitive, neverExtract, local
Algo_refs : 0
ModLength : 2048
Key ref : 1 (0x01)
Native : yes
Auth ID : 01
ID : 01
MD:guid : df1a1096-27d3-272a-41e4-bf9cac9fb580
Public RSA Key [nginx]
Object Flags : [0x00]
Usage : [0x51], encrypt, wrap, verify
Access Flags : [0x02], extract
ModLength : 2048
Key ref : 0 (0x00)
Native : no
ID : 01
DirectValue : <present>
[root@fedora nacl-crypt-s3-browser]$ pkcs15-tool --read-ssh-key 01
Using reader with a card: Nitrokey Nitrokey HSM (DENK01072070000 ) 00 00
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCpj0JKZozOItNi6VDz5xSLqmwNq52GbYq7d2IPMmnw6yHvd6BNqwVbXhFljtELC+30k29tKcbyMKhPRhe4Fu0N8DDSi0wMo+A4Oj1qcafZ2g3HG0X1XbWmW2Rkf1Ec/l1Lijt+80IFeLyocR7TvXnzEf3bDhLD6Nrapak5UdxftY2hbiH7mpwuuX0TymvVrKwkKKayErdAVn9V0sWIhLK66o8rXY4m7tI8ssNBe4bmssh3O49EeylxPYRMkLyyFaId1m7yYTwsRYiBJi53gomXpcw5mdmK2t9zTFlpLpv0B/UtnIkw7YRTHkfHjwu6qJDGcKtB4FE+tofesxj8OEnN nginx
[root@fedora nacl-crypt-s3-browser]$ sc-hsm-tool -X
Using reader with a card: Nitrokey Nitrokey HSM (DENK01072070000 ) 00 00
Enter SO-PIN (16 hexadecimal characters) :
Enter initial User-PIN (6 - 16 characters) :
[root@fedora nacl-crypt-s3-browser]$ sc-hsm-tool
Using reader with a card: Nitrokey Nitrokey HSM (DENK01072070000 ) 00 00
Version : 3.5
Config options :
User PIN reset with SO-PIN enabled
SO-PIN tries left : 15
User PIN tries left : 3
[root@fedora nacl-crypt-s3-browser]$ pkcs15-tool -D
Using reader with a card: Nitrokey Nitrokey HSM (DENK01072070000 ) 00 00
PKCS#15 Card [SmartCard-HSM]:
Version : 0
Serial number : DENK0107207
Manufacturer ID: www.CardContact.de
Flags :
PIN [UserPIN]
Object Flags : [0x03], private, modifiable
Auth ID : 02
ID : 01
Flags : [0x812], local, initialized, exchangeRefData
Length : min_len:6, max_len:15, stored_len:0
Pad char : 0x00
Reference : 129 (0x81)
Type : ascii-numeric
Path : e82b0601040181c31f0201::
Tries left : 3
PIN [SOPIN]
Object Flags : [0x01], private
ID : 02
Flags : [0x9A], local, unblock-disabled, initialized, soPin
Length : min_len:16, max_len:16, stored_len:0
Pad char : 0x00
Reference : 136 (0x88)
Type : bcd
Path : e82b0601040181c31f0201::
Tries left : 15
[root@fedora nacl-crypt-s3-browser]$ pkcs11-tool --login --keypairgen --key-type rsa:2048 --id 1 --label "test1234"
Using slot 0 with a present token (0x0)
Logging in to "SmartCard-HSM (UserPIN)".
Please enter User PIN:
Key pair generated:
Private Key Object; RSA
label: test1234
ID: 01
Usage: decrypt, sign
Access: none
Public Key Object; RSA 2048 bits
label: test1234
ID: 01
Usage: encrypt, verify
Access: none
[root@fedora nacl-crypt-s3-browser]$ pkcs15-tool -D
Using reader with a card: Nitrokey Nitrokey HSM (DENK01072070000 ) 00 00
PKCS#15 Card [SmartCard-HSM]:
Version : 0
Serial number : DENK0107207
Manufacturer ID: www.CardContact.de
Flags :
PIN [UserPIN]
Object Flags : [0x03], private, modifiable
Auth ID : 02
ID : 01
Flags : [0x812], local, initialized, exchangeRefData
Length : min_len:6, max_len:15, stored_len:0
Pad char : 0x00
Reference : 129 (0x81)
Type : ascii-numeric
Path : e82b0601040181c31f0201::
Tries left : 3
PIN [SOPIN]
Object Flags : [0x01], private
ID : 02
Flags : [0x9A], local, unblock-disabled, initialized, soPin
Length : min_len:16, max_len:16, stored_len:0
Pad char : 0x00
Reference : 136 (0x88)
Type : bcd
Path : e82b0601040181c31f0201::
Tries left : 15
Private RSA Key [nginx]
Object Flags : [0x03], private, modifiable
Usage : [0x0E], decrypt, sign, signRecover
Access Flags : [0x1D], sensitive, alwaysSensitive, neverExtract, local
Algo_refs : 0
ModLength : 2048
Key ref : 1 (0x01)
Native : yes
Auth ID : 01
ID : 01
MD:guid : df1a1096-27d3-272a-41e4-bf9cac9fb580
Public RSA Key [nginx]
Object Flags : [0x00]
Usage : [0x51], encrypt, wrap, verify
Access Flags : [0x02], extract
ModLength : 2048
Key ref : 0 (0x00)
Native : no
ID : 01
DirectValue : <present>
[root@fedora nacl-crypt-s3-browser]$ pkcs15-tool --read-ssh-key 01
Using reader with a card: Nitrokey Nitrokey HSM (DENK01072070000 ) 00 00
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCpj0JKZozOItNi6VDz5xSLqmwNq52GbYq7d2IPMmnw6yHvd6BNqwVbXhFljtELC+30k29tKcbyMKhPRhe4Fu0N8DDSi0wMo+A4Oj1qcafZ2g3HG0X1XbWmW2Rkf1Ec/l1Lijt+80IFeLyocR7TvXnzEf3bDhLD6Nrapak5UdxftY2hbiH7mpwuuX0TymvVrKwkKKayErdAVn9V0sWIhLK66o8rXY4m7tI8ssNBe4bmssh3O49EeylxPYRMkLyyFaId1m7yYTwsRYiBJi53gomXpcw5mdmK2t9zTFlpLpv0B/UtnIkw7YRTHkfHjwu6qJDGcKtB4FE+tofesxj8OEnN nginx
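As an added verification script for readers of this thread (my own addition, not part of the report above and not code from OpenSC or Nitrokey), the following checker turns the observation into something that can be asserted after every re-initialisation: it parses the `ssh-rsa` line that `pkcs15-tool --read-ssh-key` prints, computes the same SHA256 fingerprint that `ssh-keygen -l` would show, recovers the public exponent and modulus size from the SSH wire encoding, and pulls the private-key labels and IDs out of a `pkcs15-tool -D` dump so a label mismatch (requested `test1234`, got `nginx`) is caught too. The helper names `parse_ssh_rsa`, `private_key_labels`, `key_survived_reinit` and `build_ssh_rsa_line` are my own; the key line and dump excerpt are quoted from the logs above, and the "fresh" modulus used for comparison is a constructed number, not a real RSA key.

```python
import base64
import hashlib
import re
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class RsaPubKey:
    fingerprint: str   # "SHA256:<base64, no padding>", as printed by ssh-keygen -lf
    exponent: int      # RSA public exponent e
    modulus_bits: int  # bit length of the modulus n
    comment: str       # trailing comment the tool appended (the PKCS#15 label, e.g. "nginx")


def _read_string(blob: bytes, off: int):
    """Read one SSH wire-format string: a big-endian u32 length followed by that many bytes."""
    (length,) = struct.unpack(">I", blob[off:off + 4])
    off += 4
    return blob[off:off + length], off + length


def parse_ssh_rsa(line: str) -> RsaPubKey:
    """Parse an 'ssh-rsa <base64 blob> [comment]' line as emitted by pkcs15-tool --read-ssh-key."""
    parts = line.split(None, 2)
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa public key line")
    blob = base64.b64decode(parts[1])
    key_type, off = _read_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("blob does not start with the ssh-rsa type string")
    e_bytes, off = _read_string(blob, off)   # mpint e
    n_bytes, off = _read_string(blob, off)   # mpint n (leading 0x00 if the high bit is set)
    # ssh-keygen's SHA256 fingerprint is the digest of the raw blob, base64 without '=' padding
    fp = "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return RsaPubKey(
        fingerprint=fp,
        exponent=int.from_bytes(e_bytes, "big"),
        modulus_bits=int.from_bytes(n_bytes, "big").bit_length(),
        comment=parts[2].strip() if len(parts) == 3 else "",
    )


def private_key_labels(pkcs15_dump: str) -> dict:
    """Map private RSA key IDs to their labels from `pkcs15-tool -D` output."""
    labels, current = {}, None
    for raw in pkcs15_dump.splitlines():
        line = raw.strip()
        m = re.match(r"Private RSA Key \[(.*)\]", line)
        if m:
            current = m.group(1)
            continue
        if line.startswith("Public RSA Key") or line.startswith("PIN ["):
            current = None          # leave the private-key block; ignore PIN and public objects
            continue
        m = re.match(r"ID\s*:\s*([0-9a-fA-F]+)$", line)   # "ID : 01" (not "Auth ID : 01")
        if m and current is not None:
            labels[m.group(1)] = current
    return labels


def key_survived_reinit(before_line: str, after_line: str) -> bool:
    """True when the key read after re-initialisation is byte-for-byte the old one."""
    return parse_ssh_rsa(before_line).fingerprint == parse_ssh_rsa(after_line).fingerprint


def _mpint(value: int) -> bytes:
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return struct.pack(">I", len(raw)) + raw


def build_ssh_rsa_line(exponent: int, modulus: int, comment: str) -> str:
    """Encode an ssh-rsa public key line (used here only to construct a 'fresh key' sample)."""
    blob = struct.pack(">I", 7) + b"ssh-rsa" + _mpint(exponent) + _mpint(modulus)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


# Quoted from the report: the line pkcs15-tool printed both before and after `sc-hsm-tool -X`.
REPORTED_KEY_LINE = (
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCpj0JKZozOItNi6VDz5xSLqmwNq52GbYq7d2IPMmnw6yHvd6BNqwVb"
    "XhFljtELC+30k29tKcbyMKhPRhe4Fu0N8DDSi0wMo+A4Oj1qcafZ2g3HG0X1XbWmW2Rkf1Ec/l1Lijt+80IFeLyocR7T"
    "vXnzEf3bDhLD6Nrapak5UdxftY2hbiH7mpwuuX0TymvVrKwkKKayErdAVn9V0sWIhLK66o8rXY4m7tI8ssNBe4bmssh3"
    "O49EeylxPYRMkLyyFaId1m7yYTwsRYiBJi53gomXpcw5mdmK2t9zTFlpLpv0B/UtnIkw7YRTHkfHjwu6qJDGcKtB4FE+"
    "tofesxj8OEnN nginx"
)

# Quoted (shortened) from the `pkcs15-tool -D` output in the report.
REPORTED_DUMP_EXCERPT = """\
PIN [UserPIN]
Auth ID : 02
ID : 01
Private RSA Key [nginx]
Usage : [0x0E], decrypt, sign, signRecover
ModLength : 2048
Auth ID : 01
ID : 01
Public RSA Key [nginx]
ID : 01
"""

# Constructed sample only: a 2048-bit odd number, NOT a real RSA modulus.
CONSTRUCTED_FRESH_LINE = build_ssh_rsa_line(65537, (1 << 2047) | 0x1234567, "test1234")

if __name__ == "__main__":
    old = parse_ssh_rsa(REPORTED_KEY_LINE)
    print(f"{old.fingerprint}  RSA-{old.modulus_bits} e={old.exponent} label={old.comment!r}")
    print("labels by ID:", private_key_labels(REPORTED_DUMP_EXCERPT))
    print("same key after re-init:", key_survived_reinit(REPORTED_KEY_LINE, REPORTED_KEY_LINE))
    print("same key vs fresh key :", key_survived_reinit(REPORTED_KEY_LINE, CONSTRUCTED_FRESH_LINE))
```

In practice one saves the `--read-ssh-key` line before running `sc-hsm-tool -X`, reads it again after regenerating the key, and fails the provisioning step whenever `key_survived_reinit` returns True or the label reported by `pkcs15-tool -D` is not the one passed to `pkcs11-tool --label`; either condition means the token is still holding the previous key pair.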