$ sc-hsm-tool
Using reader with a card: Nitrokey Nitrokey HSM (<HSM_ID> ) 00 00
Version : 4.1
Config options :
User PIN reset with SO-PIN enabled
SO-PIN tries left : 15
User PIN tries left : 3
DKEK shares : 1
DKEK key check value : 374338542608E779
$ pkcs11-tool --list-objects --type secrkey
Using slot 0 with a present token (0x1)
Secret Key Object; AES length 32
label:
ID: 01
Usage: encrypt, decrypt
Access: sensitive, always sensitive, never extractable, local
But when I try to wrap (export) it, I get this error.
$ sc-hsm-tool --wrap-key myhsm.backup --key-reference 01
Using reader with a card: Nitrokey Nitrokey HSM (<HSM_ID> ) 00 00
sc_card_ctl(*, SC_CARDCTL_SC_HSM_WRAP_KEY, *) failed with Card does not support the requested operation
Any idea what I’m missing? I am using the version of sc-hsm-tool compiled from the GitHub source.
OpenSC does not support all of the options and diagnostic functions of the HSM. Please use the Smart Card Shell and the included Key Manager to get acquainted with the system. After that you could use OpenSC or the native module to interact with the HSM.
In this specific case my guess is that the key does not have the WRAP attribute internally. This is different from the attributes shown at the PKCS#11 interface.
Did a quick test myself. The issue is that when you generate an AES key with pkcs11-tool and the native PKCS#11 library, the key is not associated with a key domain, and so the key cannot be wrapped using sc-hsm-tool.
If you generate the key using the Smart Card Shell, then wrapping and unwrapping with sc-hsm-tool from OpenSC works.
The native PKCS#11 module has some proprietary attributes that OpenSC does not support. As far as I know, there is no mechanism in pkcs11-tool to define vendor-specific attributes.
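As an added example (not part of this thread, and not Nitrokey's or OpenSC's code), a small POSIX shell pre-flight check that tries to wrap every secret key the token lists and reports the ones the card refuses, so a key that was created without a key domain is noticed while the key is still usable rather than when a backup is needed. It assumes sc-hsm-tool exits non-zero and prints the "failed with" line shown above when the wrap is refused, and that the tool paths can be overridden through environment variables for testing.

```shell
#!/bin/sh
# Backup pre-flight: wrap each listed secret key into a backup directory and
# flag the ones the card refuses (e.g. keys generated via pkcs11-tool that
# have no key domain, as described in the thread above).
# Assumption (not stated in the thread): sc-hsm-tool exits non-zero and prints
# "... WRAP_KEY ... failed with ..." when the wrap is refused.
SC_HSM_TOOL="${SC_HSM_TOOL:-sc-hsm-tool}"
PKCS11_TOOL="${PKCS11_TOOL:-pkcs11-tool}"

# Read `pkcs11-tool --list-objects --type secrkey` output on stdin and print
# the "ID:" values, which are the key references sc-hsm-tool takes.
list_secret_key_ids() {
    sed -n 's/^[[:space:]]*ID:[[:space:]]*\([0-9A-Fa-f][0-9A-Fa-f]*\).*/\1/p'
}

# Try to wrap key reference $1 into file $2.
# Prints "ok <ref>" (blob kept) or "unwrappable <ref>" (no blob written).
# Returns 0 on success, 1 when the card refuses the wrap.
check_key_wrappable() {
    ref="$1"; out="$2"
    if msg=$("$SC_HSM_TOOL" --wrap-key "$out" --key-reference "$ref" 2>&1); then
        status=0
    else
        status=$?
    fi
    if [ "$status" -ne 0 ] || printf '%s\n' "$msg" | grep -q 'WRAP_KEY.*failed'; then
        rm -f "$out"
        echo "unwrappable $ref"
        return 1
    fi
    echo "ok $ref"
    return 0
}

# Wrap every listed secret key into directory $1; the return value is the
# number of keys that could not be wrapped (0 means a full backup exists).
audit_wrappable_keys() {
    dir="$1"; fails=0
    mkdir -p "$dir"
    for ref in $("$PKCS11_TOOL" --list-objects --type secrkey 2>/dev/null | list_secret_key_ids); do
        check_key_wrappable "$ref" "$dir/key-$ref.wrapped" || fails=$((fails + 1))
    done
    return "$fails"
}
```

Run `audit_wrappable_keys /path/to/backups` right after creating keys; any "unwrappable" line means that key should be regenerated through the Smart Card Shell so it lands in a key domain.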
It’s pretty much self-explanatory. You could read one of the HowTos that handle more complex topics like Public Key Authentication or XKEK Key Domains. That should give a glimpse of what you can do with the Key Manager in the Smart Card Shell.