Hello,
I’m a developer working on an embedded Linux environment to implement a solution to use ECC with the Nitrokey Pro token.
Currently we’re using the following libraries to work with the token:
- opensc 0.20
- pcsc-lite 1.8.25
- ccid 1.4.31
When trying to generate a new EC keypair with pkcs11-tool I get the following error:
$ pkcs11-tool --keypairgen --key-type EC:prime256v1
Using slot 0 with a present token (0x0)
error: Generate EC key mechanism not supported
Aborting.
Here is the token information reported by pkcs11-tool:
$ pkcs11-tool -T
Available slots:
Slot 0 (0x0): Nitrokey Nitrokey Pro (000000000000000000007EEB) 00 00
token label : OpenPGP card (User PIN)
token manufacturer : ZeitControl
token model : PKCS#15 emulated
token flags : login required, rng, token initialized, PIN initialized
hardware version : 3.3
firmware version : 3.3
serial num : 000500007eeb
pin min/max : 6/64
Slot 1 (0x1): Nitrokey Nitrokey Pro (000000000000000000007EEB) 00 00
token label : OpenPGP card (User PIN (sig))
token manufacturer : ZeitControl
token model : PKCS#15 emulated
token flags : login required, rng, token initialized, PIN initialized
hardware version : 3.3
firmware version : 3.3
serial num : 000500007eeb
pin min/max : 6/64
From the list of mechanisms it seems that EC is not supported at all. But I’m not sure if this is a HW or library/driver limitation.
$ pkcs11-tool -M
Using slot 0 with a present token (0x0)
Supported mechanisms:
SHA-1, digest
SHA224, digest
SHA256, digest
SHA384, digest
SHA512, digest
MD5, digest
RIPEMD160, digest
GOSTR3411, digest
RSA-PKCS, keySize={2048,2048}, hw, decrypt, sign, verify
SHA1-RSA-PKCS, keySize={2048,2048}, sign, verify
SHA224-RSA-PKCS, keySize={2048,2048}, sign, verify
SHA256-RSA-PKCS, keySize={2048,2048}, sign, verify
SHA384-RSA-PKCS, keySize={2048,2048}, sign, verify
SHA512-RSA-PKCS, keySize={2048,2048}, sign, verify
MD5-RSA-PKCS, keySize={2048,2048}, sign, verify
RIPEMD160-RSA-PKCS, keySize={2048,2048}, sign, verify
RSA-PKCS-KEY-PAIR-GEN, keySize={2048,2048}, generate_key_pair
Has anyone tried to use the Nitrokey Pro with OpenSC to confirm whether everything I see is correct or not?
What is the actual issue with missing ECC functionality: software (library version or whatever) or hardware (wrong token version)?
We need to support EC keypair generation inside the token and deriving shared secret from the EC private key.
I appreciate any help.
Thanks
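The check the post is doing by eye, as an added example (not part of the original post or of OpenSC/Nitrokey's own code): parse the `pkcs11-tool -M` listing and report whether the token advertises the two mechanisms the stated requirements need, in-token EC key generation (`CKM_EC_KEY_PAIR_GEN`, which pkcs11-tool prints as `ECDSA-KEY-PAIR-GEN`) and ECDH shared-secret derivation (`CKM_ECDH1_DERIVE`, printed as `ECDH1-DERIVE`), and whether the advertised keySize range covers the curve you intend to use (256 bits for prime256v1). The first sample listing is an excerpt of the output quoted in the post; the second is a constructed listing for a token that does expose EC, included only to show the positive path. The mechanism names and the `pkcs11-tool -M` invocation are the assumptions this script rests on.

```python
"""Report EC key-generation / ECDH support from a `pkcs11-tool -M` listing.

Added example, not code from the forum post or from OpenSC. Assumes the
mechanism names OpenSC's pkcs11-tool prints (ECDSA-KEY-PAIR-GEN for
CKM_EC_KEY_PAIR_GEN, ECDH1-DERIVE for CKM_ECDH1_DERIVE).
"""
import re
import subprocess
import sys
from dataclasses import dataclass, field
from typing import Optional

EC_KEYGEN = "ECDSA-KEY-PAIR-GEN"  # pkcs11-tool's name for CKM_EC_KEY_PAIR_GEN
EC_DERIVE = "ECDH1-DERIVE"        # pkcs11-tool's name for CKM_ECDH1_DERIVE

NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")
KEYSIZE_RE = re.compile(r"keySize=\{(\d+),(\d+)\}")

# Excerpt of the listing quoted in the post (RSA-only token).
POST_LISTING = """\
Using slot 0 with a present token (0x0)
Supported mechanisms:
  SHA-1, digest
  SHA256, digest
  RSA-PKCS, keySize={2048,2048}, hw, decrypt, sign, verify
  SHA256-RSA-PKCS, keySize={2048,2048}, sign, verify
  RSA-PKCS-KEY-PAIR-GEN, keySize={2048,2048}, generate_key_pair
"""

# Constructed listing for a token that does advertise EC mechanisms.
EC_LISTING = """\
Supported mechanisms:
  ECDSA, keySize={256,521}, hw, sign, verify
  ECDSA-SHA256, keySize={256,521}, sign, verify
  ECDSA-KEY-PAIR-GEN, keySize={256,521}, hw, generate_key_pair
  ECDH1-DERIVE, keySize={256,521}, hw, derive
  RSA-PKCS-KEY-PAIR-GEN, keySize={2048,4096}, generate_key_pair
"""


@dataclass
class Mechanism:
    name: str
    min_key: Optional[int] = None
    max_key: Optional[int] = None
    flags: set = field(default_factory=set)


def parse_mechanisms(text: str) -> dict:
    """Parse `pkcs11-tool -M` output into {mechanism name: Mechanism}."""
    mechs = {}
    for raw in text.splitlines():
        name, _, rest = raw.strip().partition(",")
        if not NAME_RE.match(name):
            continue  # skips "Using slot ...", "Supported mechanisms:", blanks
        mech = Mechanism(name)
        size = KEYSIZE_RE.search(rest)
        if size:
            mech.min_key, mech.max_key = int(size.group(1)), int(size.group(2))
            rest = KEYSIZE_RE.sub("", rest)
        mech.flags = {f.strip() for f in rest.split(",") if f.strip()}
        mechs[name] = mech
    return mechs


def missing_ec_mechanisms(mechs: dict) -> list:
    """Mechanisms still needed for in-token EC keygen plus ECDH derivation."""
    missing = []
    if "generate_key_pair" not in mechs.get(EC_KEYGEN, Mechanism(EC_KEYGEN)).flags:
        missing.append(EC_KEYGEN)
    if "derive" not in mechs.get(EC_DERIVE, Mechanism(EC_DERIVE)).flags:
        missing.append(EC_DERIVE)
    return missing


def supports_curve_bits(mechs: dict, bits: int) -> bool:
    """True if the EC keygen mechanism's advertised keySize covers `bits`."""
    m = mechs.get(EC_KEYGEN)
    if m is None:
        return False
    if m.min_key is None:
        return True  # no keySize advertised: -M alone cannot rule the curve out
    return m.min_key <= bits <= m.max_key


def main(argv):
    # Read a saved listing from a file, or run pkcs11-tool -M on the live token.
    if len(argv) > 1:
        with open(argv[1]) as fh:
            text = fh.read()
    else:
        text = subprocess.run(["pkcs11-tool", "-M"], capture_output=True,
                              text=True, check=True).stdout
    mechs = parse_mechanisms(text)
    missing = missing_ec_mechanisms(mechs)
    print("EC keygen + ECDH:", "supported" if not missing else "missing " + ", ".join(missing))
    print("prime256v1 (256-bit) keygen:", supports_curve_bits(mechs, 256))


if __name__ == "__main__":
    main(sys.argv)
```

Run it with no arguments against the live token, or pass a file containing saved `pkcs11-tool -M` output. An empty "missing" list means the PKCS#11 layer advertises both mechanisms; a non-empty one says only that this OpenSC build does not expose them for this card profile, which by itself does not tell you whether the firmware lacks them.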