Unable to use Nitrokey Pro 2 Elliptic Curves with pkcs11 or openssl

Version info:
Nitrokey Pro 2 (OpenPGP card v3.3)
OS: macOS 10.14.6
GnuPG v2.2.17
OpenSC 0.20.0
Openssl 1.1.1g (with libp11 0.4.10)

After creating an ECC keypair (e.g. nistp256/prime256v1) with either GnuPG, pkcs11-tool or pkcs15-init (basically the same result with all tools), I’m unable to use the keys with pkcs11-tool or openssl.

I tried these commands to generate the keys:
GnuPG as described [here](https://www.nitrokey.com/documentation/elliptic-curves-ecc-support-nitrokey-storage-2-and-pro-2)
pkcs11-tool -l --login-type so --keypairgen --key-type EC:prime256v1
pkcs15-init --generate-key EC:prime256v1 --key-usage sign --auth-id 3 --verify-pin

These are the generated objects:

pkcs11-tool -O
Public Key Object; EC  EC_POINT 256 bits
  EC_POINT:   04818...
  label:      Authentication key
  ID:         03
  Usage:      encrypt, verify, wrap
  Access:     none

pkcs15-tool -D
Private EC Key [Authentication key]
	Object Flags   : [0x03], private, modifiable
	Usage          : [0x222], decrypt, unwrap, nonRepudiation
	Access Flags   : [0x1D], sensitive, alwaysSensitive, neverExtract, local
	FieldLength    : 0
	Key ref        : 2 (0x02)
	Native         : yes
	Auth ID        : 02
	ID             : 03
	MD:guid        : 9928a38a-3a9e-5efa-fe6f-b767e1b658a7

When trying to create a self-signed certificate with openssl (yields a rather cryptic error message) or simply trying to show the public key with pkcs11-tool -r --type pubkey --id 3 I get:

error: cannot obtain EC_PARAMS

And indeed, when comparing to other examples or guides, the pkcs11-tool -O output does not show an EC_PARAMS field.

When trying to sign some data (pkcs11-tool -s -m ECDSA --input-file digest.sha256) I get a cryptic result:

error: PKCS11 function C_SignFinal failed: rv = CKR_FUNCTION_NOT_SUPPORTED (0x54)

Digging into the debug output, I found:

pkcs15-sec.c:221:format_senv: Card does not support EC with field_size 0
pkcs15-sec.c:222:format_senv: returning with: -1408 (Not supported)

Again, comparing with the output of pkcs15-tool -D, the FieldLength is indeed reported as 0.

How are EC keys supposed to be created to be usable with pkcs11-tool and openssl?

Actually I ran into the same problem today. Already opened an issue. I am sorry for the inconvenience, the ecc support was tested via pkcs15-init.

Furthermore, some more development is done right now which aims to add more support for ecc operations in OpenSC.

Generating the keys did work fine with pkcs11-tool, but it required the key-type to be set to the right curve beforehand with gpg tools.

Already fixed (in master) GitHub issue #1906 might also be related.

Anyway I’m currently using a Nitrokey HSM 2 for this, which works great.
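An added example, not part of the thread and not OpenSC code: a Python check that scans pkcs15-tool -D and pkcs11-tool -O output for the two symptoms reported in the question (a FieldLength of 0 and a missing EC_PARAMS attribute). It assumes the output layout shown in the question; the objects with ID 01, the 0441... point and the function names are constructed for illustration.

```python
import re

# pkcs15-tool -D style text: the first key repeats fields quoted in the question,
# the second key is constructed for contrast.
PKCS15_DUMP = """\
Private EC Key [Authentication key]
\tFieldLength    : 0
\tID             : 03

Private EC Key [Constructed key]
\tFieldLength    : 256
\tID             : 01
"""

# pkcs11-tool -O style text: first object from the question, second constructed.
# 06082a8648ce3d030107 is the DER-encoded OID of prime256v1.
PKCS11_OBJECTS = """\
Public Key Object; EC  EC_POINT 256 bits
  EC_POINT:   04818...
  ID:         03
Public Key Object; EC  EC_POINT 256 bits
  EC_POINT:   0441...
  EC_PARAMS:  06082a8648ce3d030107
  ID:         01
"""

# An indented "name : value" attribute line (the name may itself contain a colon).
ATTR = re.compile(r"^\s+(.+?)\s*:\s+(.*)$")

def parse_objects(text):
    """Group output into objects: an unindented header plus indented attribute lines."""
    objects = []
    for line in text.splitlines():
        if line and not line[0].isspace():
            objects.append({"header": line.strip(), "attrs": {}})
        elif objects and (m := ATTR.match(line)):
            objects[-1]["attrs"][m.group(1)] = m.group(2)
    return objects

def unusable_ec_keys(pkcs15_text, pkcs11_text):
    """Return (ID, reason) for EC objects showing either symptom from the question."""
    findings = []
    for obj in parse_objects(pkcs15_text):
        if obj["header"].startswith("Private EC Key") and obj["attrs"].get("FieldLength") == "0":
            findings.append((obj["attrs"].get("ID"), "FieldLength is 0"))
    for obj in parse_objects(pkcs11_text):
        if obj["header"].startswith("Public Key Object; EC") and "EC_PARAMS" not in obj["attrs"]:
            findings.append((obj["attrs"].get("ID"), "EC_PARAMS missing"))
    return findings
```

Calling unusable_ec_keys() on the captured output of both tools lists the key IDs that will hit the format_senv "field_size 0" and "cannot obtain EC_PARAMS" errors before any signing is attempted.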