The same key is regenerated each time

What I’ve come to notice is that once a key has been generated once in a slot, it stays there forever (even after explicitly deleting it or re-initializing the device). These two actions only cause the key to “appear” like it does not exist, but if I try to re-generate a key, that old key is the one that reappears (with the same label even if I explicitly specify a different one). To demonstrate this, please take a look at the logs below. I ran the following commands twice on each key (to show that the same public key is displayed even after regenerating the key):

sc-hsm-tool -X
sc-hsm-tool
pkcs15-tool -D
pkcs11-tool --login --keypairgen --key-type rsa:2048 --id 1 --label "test1234"
pkcs15-tool -D
pkcs15-tool --read-ssh-key 01

For reference, when I initially plugged in my key, I created two keys, the labels were “nginx” and “apps” respectively. The labels were never specified when running the tests to demonstrate the logs attached to this email.

LOGS:

[root@fedora nacl-crypt-s3-browser]$ sc-hsm-tool -X
Using reader with a card: Nitrokey Nitrokey HSM (DENK01072070000         ) 00 00
Enter SO-PIN (16 hexadecimal characters) : 

Enter initial User-PIN (6 - 16 characters) : 

[root@fedora nacl-crypt-s3-browser]$ sc-hsm-tool
Using reader with a card: Nitrokey Nitrokey HSM (DENK01072070000         ) 00 00
Version              : 3.5
Config options       :
  User PIN reset with SO-PIN enabled
SO-PIN tries left    : 15
User PIN tries left  : 3
[root@fedora nacl-crypt-s3-browser]$ pkcs15-tool -D
Using reader with a card: Nitrokey Nitrokey HSM (DENK01072070000         ) 00 00
PKCS#15 Card [SmartCard-HSM]:
	Version        : 0
	Serial number  : DENK0107207
	Manufacturer ID: www.CardContact.de
	Flags          : 


PIN [UserPIN]
	Object Flags   : [0x03], private, modifiable
	Auth ID        : 02
	ID             : 01
	Flags          : [0x812], local, initialized, exchangeRefData
	Length         : min_len:6, max_len:15, stored_len:0
	Pad char       : 0x00
	Reference      : 129 (0x81)
	Type           : ascii-numeric
	Path           : e82b0601040181c31f0201::
	Tries left     : 3

PIN [SOPIN]
	Object Flags   : [0x01], private
	ID             : 02
	Flags          : [0x9A], local, unblock-disabled, initialized, soPin
	Length         : min_len:16, max_len:16, stored_len:0
	Pad char       : 0x00
	Reference      : 136 (0x88)
	Type           : bcd
	Path           : e82b0601040181c31f0201::
	Tries left     : 15

[root@fedora nacl-crypt-s3-browser]$ pkcs11-tool --login --keypairgen --key-type rsa:2048 --id 1 --label "test1234"
Using slot 0 with a present token (0x0)
Logging in to "SmartCard-HSM (UserPIN)".
Please enter User PIN: 
Key pair generated:
Private Key Object; RSA 
  label:      test1234
  ID:         01
  Usage:      decrypt, sign
  Access:     none
Public Key Object; RSA 2048 bits
  label:      test1234
  ID:         01
  Usage:      encrypt, verify
  Access:     none
[root@fedora nacl-crypt-s3-browser]$ pkcs15-tool -D
Using reader with a card: Nitrokey Nitrokey HSM (DENK01072070000         ) 00 00
PKCS#15 Card [SmartCard-HSM]:
	Version        : 0
	Serial number  : DENK0107207
	Manufacturer ID: www.CardContact.de
	Flags          : 


PIN [UserPIN]
	Object Flags   : [0x03], private, modifiable
	Auth ID        : 02
	ID             : 01
	Flags          : [0x812], local, initialized, exchangeRefData
	Length         : min_len:6, max_len:15, stored_len:0
	Pad char       : 0x00
	Reference      : 129 (0x81)
	Type           : ascii-numeric
	Path           : e82b0601040181c31f0201::
	Tries left     : 3

PIN [SOPIN]
	Object Flags   : [0x01], private
	ID             : 02
	Flags          : [0x9A], local, unblock-disabled, initialized, soPin
	Length         : min_len:16, max_len:16, stored_len:0
	Pad char       : 0x00
	Reference      : 136 (0x88)
	Type           : bcd
	Path           : e82b0601040181c31f0201::
	Tries left     : 15

Private RSA Key [nginx]
	Object Flags   : [0x03], private, modifiable
	Usage          : [0x0E], decrypt, sign, signRecover
	Access Flags   : [0x1D], sensitive, alwaysSensitive, neverExtract, local
	Algo_refs      : 0
	ModLength      : 2048
	Key ref        : 1 (0x01)
	Native         : yes
	Auth ID        : 01
	ID             : 01
	MD:guid        : df1a1096-27d3-272a-41e4-bf9cac9fb580

Public RSA Key [nginx]
	Object Flags   : [0x00]
	Usage          : [0x51], encrypt, wrap, verify
	Access Flags   : [0x02], extract
	ModLength      : 2048
	Key ref        : 0 (0x00)
	Native         : no
	ID             : 01
	DirectValue    : <present>

[root@fedora nacl-crypt-s3-browser]$ pkcs15-tool --read-ssh-key 01
Using reader with a card: Nitrokey Nitrokey HSM (DENK01072070000         ) 00 00
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCpj0JKZozOItNi6VDz5xSLqmwNq52GbYq7d2IPMmnw6yHvd6BNqwVbXhFljtELC+30k29tKcbyMKhPRhe4Fu0N8DDSi0wMo+A4Oj1qcafZ2g3HG0X1XbWmW2Rkf1Ec/l1Lijt+80IFeLyocR7TvXnzEf3bDhLD6Nrapak5UdxftY2hbiH7mpwuuX0TymvVrKwkKKayErdAVn9V0sWIhLK66o8rXY4m7tI8ssNBe4bmssh3O49EeylxPYRMkLyyFaId1m7yYTwsRYiBJi53gomXpcw5mdmK2t9zTFlpLpv0B/UtnIkw7YRTHkfHjwu6qJDGcKtB4FE+tofesxj8OEnN nginx
[root@fedora nacl-crypt-s3-browser]$ sc-hsm-tool -X
Using reader with a card: Nitrokey Nitrokey HSM (DENK01072070000         ) 00 00
Enter SO-PIN (16 hexadecimal characters) : 

Enter initial User-PIN (6 - 16 characters) : 

[root@fedora nacl-crypt-s3-browser]$ sc-hsm-tool
Using reader with a card: Nitrokey Nitrokey HSM (DENK01072070000         ) 00 00
Version              : 3.5
Config options       :
  User PIN reset with SO-PIN enabled
SO-PIN tries left    : 15
User PIN tries left  : 3
[root@fedora nacl-crypt-s3-browser]$ pkcs15-tool -D
Using reader with a card: Nitrokey Nitrokey HSM (DENK01072070000         ) 00 00
PKCS#15 Card [SmartCard-HSM]:
	Version        : 0
	Serial number  : DENK0107207
	Manufacturer ID: www.CardContact.de
	Flags          : 


PIN [UserPIN]
	Object Flags   : [0x03], private, modifiable
	Auth ID        : 02
	ID             : 01
	Flags          : [0x812], local, initialized, exchangeRefData
	Length         : min_len:6, max_len:15, stored_len:0
	Pad char       : 0x00
	Reference      : 129 (0x81)
	Type           : ascii-numeric
	Path           : e82b0601040181c31f0201::
	Tries left     : 3

PIN [SOPIN]
	Object Flags   : [0x01], private
	ID             : 02
	Flags          : [0x9A], local, unblock-disabled, initialized, soPin
	Length         : min_len:16, max_len:16, stored_len:0
	Pad char       : 0x00
	Reference      : 136 (0x88)
	Type           : bcd
	Path           : e82b0601040181c31f0201::
	Tries left     : 15

[root@fedora nacl-crypt-s3-browser]$ pkcs11-tool --login --keypairgen --key-type rsa:2048 --id 1 --label "test1234"
Using slot 0 with a present token (0x0)
Logging in to "SmartCard-HSM (UserPIN)".
Please enter User PIN: 
Key pair generated:
Private Key Object; RSA 
  label:      test1234
  ID:         01
  Usage:      decrypt, sign
  Access:     none
Public Key Object; RSA 2048 bits
  label:      test1234
  ID:         01
  Usage:      encrypt, verify
  Access:     none
[root@fedora nacl-crypt-s3-browser]$ pkcs15-tool -D
Using reader with a card: Nitrokey Nitrokey HSM (DENK01072070000         ) 00 00
PKCS#15 Card [SmartCard-HSM]:
	Version        : 0
	Serial number  : DENK0107207
	Manufacturer ID: www.CardContact.de
	Flags          : 


PIN [UserPIN]
	Object Flags   : [0x03], private, modifiable
	Auth ID        : 02
	ID             : 01
	Flags          : [0x812], local, initialized, exchangeRefData
	Length         : min_len:6, max_len:15, stored_len:0
	Pad char       : 0x00
	Reference      : 129 (0x81)
	Type           : ascii-numeric
	Path           : e82b0601040181c31f0201::
	Tries left     : 3

PIN [SOPIN]
	Object Flags   : [0x01], private
	ID             : 02
	Flags          : [0x9A], local, unblock-disabled, initialized, soPin
	Length         : min_len:16, max_len:16, stored_len:0
	Pad char       : 0x00
	Reference      : 136 (0x88)
	Type           : bcd
	Path           : e82b0601040181c31f0201::
	Tries left     : 15

Private RSA Key [nginx]
	Object Flags   : [0x03], private, modifiable
	Usage          : [0x0E], decrypt, sign, signRecover
	Access Flags   : [0x1D], sensitive, alwaysSensitive, neverExtract, local
	Algo_refs      : 0
	ModLength      : 2048
	Key ref        : 1 (0x01)
	Native         : yes
	Auth ID        : 01
	ID             : 01
	MD:guid        : df1a1096-27d3-272a-41e4-bf9cac9fb580

Public RSA Key [nginx]
	Object Flags   : [0x00]
	Usage          : [0x51], encrypt, wrap, verify
	Access Flags   : [0x02], extract
	ModLength      : 2048
	Key ref        : 0 (0x00)
	Native         : no
	ID             : 01
	DirectValue    : <present>

[root@fedora nacl-crypt-s3-browser]$ pkcs15-tool --read-ssh-key 01
Using reader with a card: Nitrokey Nitrokey HSM (DENK01072070000         ) 00 00
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCpj0JKZozOItNi6VDz5xSLqmwNq52GbYq7d2IPMmnw6yHvd6BNqwVbXhFljtELC+30k29tKcbyMKhPRhe4Fu0N8DDSi0wMo+A4Oj1qcafZ2g3HG0X1XbWmW2Rkf1Ec/l1Lijt+80IFeLyocR7TvXnzEf3bDhLD6Nrapak5UdxftY2hbiH7mpwuuX0TymvVrKwkKKayErdAVn9V0sWIhLK66o8rXY4m7tI8ssNBe4bmssh3O49EeylxPYRMkLyyFaId1m7yYTwsRYiBJi53gomXpcw5mdmK2t9zTFlpLpv0B/UtnIkw7YRTHkfHjwu6qJDGcKtB4FE+tofesxj8OEnN nginx

Maybe you have caching enabled in OpenSC.

Thanks! It was a caching issue. Here’s what fixed it:

  1. Navigate to the cache folder: cd ~/.cache/opensc
  2. Delete all files: rm *
  3. Confirm that they are deleted: ls -la

This should do it!
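An added check, not from this thread: the script below parses two pkcs15-tool -D snapshots (taken before and after re-initialising the token and running keypairgen) and reports when the key object that "reappears" is the old one, which is exactly what a stale ~/.cache/opensc produces. The sample listing is constructed from the format in the logs above; the parser and the function names are my own, not OpenSC's.

```python
import re

# Constructed sample in the 'pkcs15-tool -D' format shown above; in the thread the
# same block came back unchanged after re-init, so it serves as both snapshots here.
LISTING = (
    "Private RSA Key [nginx]\n"
    "\tObject Flags   : [0x03], private, modifiable\n"
    "\tModLength      : 2048\n"
    "\tID             : 01\n"
    "\tMD:guid        : df1a1096-27d3-272a-41e4-bf9cac9fb580\n"
)
OBJ_HEADER = re.compile(r"^(Private|Public) RSA Key \[(.*)\]$")
FIELD = re.compile(r"^\s+(.+?)\s+:\s*(.*)$")  # name, padding, colon, value


def parse_key_objects(listing):
    """Map (kind, label) -> {field: value} for each RSA key object in the listing.
    PIN objects and the card header have no matching header line and are skipped."""
    objects, current = {}, None
    for line in listing.splitlines():
        if not line.strip():
            current = None  # a blank line ends the current object
            continue
        head = OBJ_HEADER.match(line)
        if head:
            current = objects.setdefault((head.group(1), head.group(2)), {})
            continue
        field = FIELD.match(line)
        if field and current is not None:
            current[field.group(1)] = field.group(2)
    return objects


def stale_cache_findings(before, after, requested_label):
    """Reasons why the 'after' listing cannot describe a key that keypairgen just
    created. Empty list: the listing is consistent with what was requested."""
    findings, old = [], parse_key_objects(before)
    for (kind, label), fields in parse_key_objects(after).items():
        if kind != "Private":
            continue
        if label != requested_label:
            findings.append(f"label {label!r} listed, {requested_label!r} requested")
        prev = old.get((kind, label), {})
        if prev and prev.get("MD:guid") == fields.get("MD:guid"):
            findings.append(f"{label!r} keeps its MD:guid across re-init: stale cache")
    return findings
```

Feed it the real output of pkcs15-tool -D captured before and after the re-init; two findings, as with the sample, mean the listing is being served from the cache rather than read from the token.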

@misbeus can you try to mark @sc-hsm answer as the solution?

@saper I don’t seem to have the option to do so. Maybe @sc-hsm has to mark it as so?

@saper I can’t mark answers as the solution.

@szszszsz can you have a look why the user’s can’t mark posts “as a solution”?

Neither can I. This must be some misconfiguration. I will pass it further to the Admin.

It should work now… it got fixed by the forum admins.