Version info:

- Nitrokey Pro 2 (OpenPGP card v3.3)
- OS: macOS 10.14.6
- GnuPG v2.2.17
- OpenSC 0.20.0
- OpenSSL 1.1.1g (with libp11 0.4.10)
Issue
After creating an ECC keypair (e.g. nistp256/prime256v1) with either GnuPG, pkcs11-tool or pkcs15-init (basically the same result with all tools), I'm unable to use the keys with pkcs11-tool or openssl.

I tried these commands to generate the keys:

- GnuPG as described [here](https://www.nitrokey.com/documentation/elliptic-curves-ecc-support-nitrokey-storage-2-and-pro-2)
- `pkcs11-tool -l --login-type so --keypairgen --key-type EC:prime256v1`
- `pkcs15-init --generate-key EC:prime256v1 --key-usage sign --auth-id 3 --verify-pin`
These are the generated objects:

`pkcs11-tool -O`:

```
Public Key Object; EC EC_POINT 256 bits
EC_POINT: 04818...
label: Authentication key
ID: 03
Usage: encrypt, verify, wrap
Access: none
```
`pkcs15-tool -D`:

```
Private EC Key [Authentication key]
Object Flags : [0x03], private, modifiable
Usage : [0x222], decrypt, unwrap, nonRepudiation
Access Flags : [0x1D], sensitive, alwaysSensitive, neverExtract, local
FieldLength : 0
Key ref : 2 (0x02)
Native : yes
Auth ID : 02
ID : 03
MD:guid : 9928a38a-3a9e-5efa-fe6f-b767e1b658a7
```
When trying to create a self-signed certificate with openssl (yields a rather cryptic error message) or simply trying to show the public key with `pkcs11-tool -r --type pubkey --id 3`, I get:

```
error: cannot obtain EC_PARAMS
```

And indeed, when comparing to other examples or guides, the `pkcs11-tool -O` output does not show an EC_PARAMS field.
When trying to sign some data (`pkcs11-tool -s -m ECDSA --input-file digest.sha256`) I get a cryptic result:

```
error: PKCS11 function C_SignFinal failed: rv = CKR_FUNCTION_NOT_SUPPORTED (0x54)
```
Digging into the debug output, I found:

```
pkcs15-sec.c:221:format_senv: Card does not support EC with field_size 0
pkcs15-sec.c:222:format_senv: returning with: -1408 (Not supported)
```
Again, comparing with the output of `pkcs15-tool -D`, the FieldLength is indeed reported as 0.
How are EC keys supposed to be created to be usable with pkcs11-tool and openssl?
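As an added illustration (not code from the report above or from OpenSC), the check below decodes a PKCS#11 `CKA_EC_PARAMS` value (a DER named-curve OID) into the field length the tools need and validates the `CKA_EC_POINT` against it; a key object with no EC_PARAMS yields field length 0, which is the precondition the `format_senv` error above reports. The curve table, sample values and the `check_key` helper are assumptions constructed for this example.

```python
# Added example (not from the original report or from OpenSC): derive the EC field
# length from a PKCS#11 CKA_EC_PARAMS value and check CKA_EC_POINT against it.
# All sample values below are constructed, not taken from the card in the report.

# Named-curve OIDs -> field length in bits (assumed table for the curves of interest)
CURVE_FIELD_BITS = {
    "1.2.840.10045.3.1.7": 256,  # prime256v1 / nistp256
    "1.3.132.0.34": 384,         # secp384r1
    "1.3.132.0.35": 521,         # secp521r1
}

def der_value(buf, tag):
    """Return the content octets of a DER TLV with the given tag (short or
    one-byte long-form length), or None if the tag does not match."""
    if not buf or len(buf) < 2 or buf[0] != tag:
        return None
    if buf[1] < 0x80:
        return buf[2:2 + buf[1]]
    if buf[1] == 0x81 and len(buf) > 2:      # long form, one length byte (P-521 points)
        return buf[3:3 + buf[2]]
    return None

def decode_oid(body):
    """Decode the content octets of a DER OBJECT IDENTIFIER into dotted form."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)       # base-128 arcs, high bit = continue
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def field_bits_from_ec_params(ec_params):
    """Field length in bits for CKA_EC_PARAMS (namedCurve choice only); 0 if absent."""
    oid_body = der_value(ec_params, 0x06)
    return CURVE_FIELD_BITS.get(decode_oid(oid_body), 0) if oid_body else 0

def ec_point_matches(ec_point, field_bits):
    """CKA_EC_POINT is a DER OCTET STRING wrapping an uncompressed point 04||X||Y;
    check that X and Y each have the byte length implied by the field size."""
    inner = der_value(ec_point, 0x04)
    if field_bits == 0 or not inner:
        return False
    coord_len = (field_bits + 7) // 8
    return inner[:1] == b"\x04" and len(inner) == 1 + 2 * coord_len

def check_key(ec_params, ec_point):
    """Mimic the precondition that fails in the report: a usable EC key needs a
    non-zero field length from EC_PARAMS and an EC_POINT of matching size."""
    bits = field_bits_from_ec_params(ec_params)
    return bits, ec_point_matches(ec_point, bits)

# Constructed sample: prime256v1 EC_PARAMS and a dummy 65-byte uncompressed point
SAMPLE_EC_PARAMS = bytes.fromhex("06082a8648ce3d030107")
SAMPLE_EC_POINT = bytes([0x04, 0x41, 0x04]) + bytes(64)
```

Running `check_key(SAMPLE_EC_PARAMS, SAMPLE_EC_POINT)` gives `(256, True)`, while `check_key(None, SAMPLE_EC_POINT)` gives `(0, False)`, the situation the `pkcs15-tool -D` output above describes.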