Comments (15)
Jakuje
commented on June 19, 2024
This will likely depend on the card driver. What card driver do you use? Or what PKCS#11 module do you use?
from opensc.
embetrix
commented on June 19, 2024
@Jakuje : in the example above SoftHSM
But my ultime goal is use it with Optee PKCS#11 TA ( same behaviour as for SoftHSM)
from opensc.
dengert
commented on June 19, 2024
The PKCS11 generic secret has no algorithms. But it can be used as a seed for a AES key for example, since it usually comes from a derive operation, where both parties will have the same secret. pkcs11-tool just shows how it can be created from a derive operation.
.
In you case case dd if=/dev/urandom bs=1 count=32 of=generic_key.bin is just creating random data, so you could write it
something like --key-type AES:32
from opensc.
embetrix
commented on June 19, 2024
@dengert sorry I don't get your point :
if I import the key as --key-type AES:32 I cannot use it for HMAC Sign/Verify:
$ pkcs11-tool --pin $PIN --module $PKCS11_MODULE_PATH --login --write-object generic_key.bin --type secrkey --key-type AES:32 --id 112A --label generic32 --usage-sign
Using slot 0 with a present token (0x503ec1fb)
Created secret key:
Secret Key Object; AES length 32
warning: PKCS11 function C_GetAttributeValue(VALUE) failed: rv = CKR_ATTRIBUTE_SENSITIVE (0x11)
label: generic32
ID: 112a
Usage: encrypt, decrypt, verify, wrap, unwrap
Access: none
$ pkcs11-tool --pin $PIN --module $PKCS11_MODULE_PATH --login --sign --id 112A --mechanism=SHA256-HMAC --input-file=data.bin --output-file=data.sig
Using slot 0 with a present token (0x503ec1fb)
Using signature algorithm SHA256-HMAC
error: PKCS11 function C_SignInit failed: rv = CKR_KEY_TYPE_INCONSISTENT (0x63)
Aborting.
If I create a GENERIC:32 within the PKCS11:
$ pkcs11-tool --pin $PIN --module $PKCS11_MODULE_PATH --login --keygen --id 112B --key-type GENERIC:32 --usage-sign --sensitive
Using slot 0 with a present token (0x503ec1fb)
Key generated:
Secret Key Object; Generic secret length 32
warning: PKCS11 function C_GetAttributeValue(VALUE) failed: rv = CKR_ATTRIBUTE_SENSITIVE (0x11)
label:
ID: 112b
Usage: encrypt, decrypt, verify, wrap, unwrap
Access: sensitive, always sensitive, never extractable, local
$ pkcs11-tool --pin $PIN --module $PKCS11_MODULE_PATH --login --sign --id 112B --mechanism=SHA256-HMAC --input-file=data.bin --output-file=data.sig
Using slot 0 with a present token (0x503ec1fb)
Using signature algorithm SHA256-HMAC
warning: PKCS11 function C_GetAttributeValue(ALWAYS_AUTHENTICATE) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)
$ pkcs11-tool --pin $PIN --module $PKCS11_MODULE_PATH --login --verify --id 112B --mechanism=SHA256-HMAC --input-file=data.bin --signature-file=data.sig
Using slot 0 with a present token (0x503ec1fb)
Using signature algorithm SHA256-HMAC
Signature is valid
My goal is to import a Generic Key to PKCS#11 on different devices to allow HMAC Sign/Verify
from opensc.
dengert
commented on June 19, 2024
It looks like it works with --module $PKCS11_MODULE_PATH but you are using the same device to do both sign and verify and only because the device could do the generate on the device.
So unless you can extract the key and write it to second device you are back to the original problem.
Writing may only work with some modules and some devices.
pkcs11-tool --module $PKCS11_MODULE_PATH -O and pkcs11-tool $PKCS11_MODULE_PATH -M
might help.
Search for: HMAC Sign/Verify with secret key
But the secret key needs to be in two places on both parties one to sign and and the other to do the verify.
This may not scale very well, unless all the devices have the same secret key or multiple key pairs between each pair of devices.
But you could use a CKK_EC key and do CKM_ECDH1_DERIVE. Here each device has its own CKK_EC. The derivation used the private key on the device of one with the public key of the other (peer) to derive the same generic secret key which you could use with HMAC Sign/Verify Or use as an AES key. So each device needs only one private key.
from opensc.
embetrix
commented on June 19, 2024
it does not work.
I gave the example with --key-type GENERIC:32 just to show that HMAC Sign/Verify is working in this case but doesn't work with imported Key.
I like to share the same key on multiple devices so there is no way to do so unless I import the key.
I would like to avoid key derivation as it doesn't fit my use case.
from opensc.
embetrix
commented on June 19, 2024
As I wrote I use SoftHSM as module
from opensc.
dengert
commented on June 19, 2024
Problem maybe in pkcs11-tool or in the SoftHSM trying to create a generic key on device.
Best way to see where problem is by using opensc-spy. Its an PKCS11 module that loads a PKCS11 module and logs PKCS11 calls and responses. It can be used to load any PKCS11 module.
See: https://github.com/OpenSC/OpenSC/wiki/Using-OpenSC#pkcs-11-spy
If you use the OpenSC PKCS11 module, get a debug log too.
from opensc.
embetrix
commented on June 19, 2024
Here is a test script:
#!/bin/sh -e
export PKCS11_MODULE_PATH=/usr/lib/softhsm/libsofthsm2.so
export PKCS11SPY=/usr/lib/softhsm/libsofthsm2.so
export PIN="12345"
export SO_PIN="1234"
export SOFTHSM2_CONF=$PWD/.softhsm/softhsm2.conf
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:${PWD}
export TOKEN_NAME="token0"
rm -rf .softhsm *.bin
mkdir -p .softhsm/tokens
echo "directories.tokendir = $PWD/.softhsm/tokens" > .softhsm/softhsm2.conf
pkcs11-tool --pin $PIN --module $PKCS11_MODULE_PATH --slot-index=0 --init-token --label=$TOKEN_NAME --so-pin $SO_PIN --init-pin
dd if=/dev/urandom of=generic_key.bin bs=32 count=1
dd if=/dev/urandom of=data.bin bs=1024 count=1
pkcs11-tool --pin $PIN --module $PKCS11_MODULE_PATH --login --write-object generic_key.bin --type secrkey --key-type AES:32 --id 112A --label generic32 --usage-sign
pkcs11-tool --pin $PIN --module $PKCS11_MODULE_PATH --login --list-objects
export PKCS11_MODULE_PATH=/usr/lib/x86_64-linux-gnu/pkcs11-spy.so
pkcs11-tool --pin $PIN --module $PKCS11_MODULE_PATH --login --sign --label generic32 --mechanism=SHA256-HMAC --input-file=data.bin --output-file=data.sig
from opensc.
embetrix
commented on June 19, 2024
here is the output:
Using slot with index 0 (0x0)
Token successfully initialized
User PIN successfully initialized
1+0 records in
1+0 records out
32 bytes copied, 0,000197385 s, 162 kB/s
1+0 records in
1+0 records out
1024 bytes (1,0 kB, 1,0 KiB) copied, 0,000200315 s, 5,1 MB/s
Using slot 0 with a present token (0x30a4348c)
Created secret key:
Secret Key Object; AES length 32
warning: PKCS11 function C_GetAttributeValue(VALUE) failed: rv = CKR_ATTRIBUTE_SENSITIVE (0x11)
label: generic32
ID: 112a
Usage: encrypt, decrypt, verify, wrap, unwrap
Access: none
Using slot 0 with a present token (0x30a4348c)
Secret Key Object; AES length 32
warning: PKCS11 function C_GetAttributeValue(VALUE) failed: rv = CKR_ATTRIBUTE_SENSITIVE (0x11)
label: generic32
ID: 112a
Usage: encrypt, decrypt, verify, wrap, unwrap
Access: none
*************** OpenSC PKCS#11 spy *****************
Loaded: "/usr/lib/softhsm/libsofthsm2.so"
0: C_GetInterface
2023-12-08 16:36:54.063
[compat]
[in] pInterfaceName 000055e7a7908722 / 7
00000000 50 4B 43 53 20 31 31 PKCS 11
[in] pVersion = NULL
[in] flags =
Returned: 0 CKR_OK
1: C_Initialize
2023-12-08 16:36:54.063
[in] pInitArgs = (nil)
Returned: 0 CKR_OK
2: C_GetSlotList
2023-12-08 16:36:54.064
[in] tokenPresent = 0x0
[out] pSlotList:
Count is 2
[out] *pulCount = 0x2
Returned: 0 CKR_OK
3: C_GetSlotList
2023-12-08 16:36:54.064
[in] tokenPresent = 0x0
[out] pSlotList:
Slot 816067724
Slot 1
[out] *pulCount = 0x2
Returned: 0 CKR_OK
4: C_GetSlotInfo
2023-12-08 16:36:54.064
[in] slotID = 0x30a4348c
[out] pInfo:
slotDescription: 'SoftHSM slot ID 0x30a4348c '
' '
manufacturerID: 'SoftHSM project '
hardwareVersion: 2.6
firmwareVersion: 2.6
flags: 1
CKF_TOKEN_PRESENT
Returned: 0 CKR_OK
Using slot 0 with a present token (0x30a4348c)
5: C_GetTokenInfo
2023-12-08 16:36:54.064
[in] slotID = 0x30a4348c
[out] pInfo:
label: 'token0 '
manufacturerID: 'SoftHSM project '
model: 'SoftHSM v2 '
serialNumber: '8c4ac115b0a4348c'
ulMaxSessionCount: 0
ulSessionCount: -1
ulMaxRwSessionCount: 0
ulRwSessionCount: -1
ulMaxPinLen: 255
ulMinPinLen: 4
ulTotalPublicMemory: -1
ulFreePublicMemory: -1
ulTotalPrivateMemory: -1
ulFreePrivateMemory: -1
hardwareVersion: 2.6
firmwareVersion: 2.6
time: '2023120815365400'
flags: 42d
CKF_RNG
CKF_LOGIN_REQUIRED
CKF_USER_PIN_INITIALIZED
CKF_RESTORE_KEY_NOT_NEEDED
CKF_TOKEN_INITIALIZED
Returned: 0 CKR_OK
6: C_OpenSession
2023-12-08 16:36:54.064
[in] slotID = 0x30a4348c
[in] flags = 0x6
[in] pApplication = (nil)
[in] Notify = (nil)
[out] *phSession = 0x1
Returned: 0 CKR_OK
7: C_GetTokenInfo
2023-12-08 16:36:54.064
[in] slotID = 0x30a4348c
[out] pInfo:
label: 'token0 '
manufacturerID: 'SoftHSM project '
model: 'SoftHSM v2 '
serialNumber: '8c4ac115b0a4348c'
ulMaxSessionCount: 0
ulSessionCount: -1
ulMaxRwSessionCount: 0
ulRwSessionCount: -1
ulMaxPinLen: 255
ulMinPinLen: 4
ulTotalPublicMemory: -1
ulFreePublicMemory: -1
ulTotalPrivateMemory: -1
ulFreePrivateMemory: -1
hardwareVersion: 2.6
firmwareVersion: 2.6
time: '2023120815365400'
flags: 42d
CKF_RNG
CKF_LOGIN_REQUIRED
CKF_USER_PIN_INITIALIZED
CKF_RESTORE_KEY_NOT_NEEDED
CKF_TOKEN_INITIALIZED
Returned: 0 CKR_OK
8: C_Login
2023-12-08 16:36:54.064
[in] hSession = 0x1
[in] userType = CKU_USER
[in] pPin[ulPinLen] 00007ffd4a363b33 / 5
00000000 31 32 33 34 35 12345
Returned: 0 CKR_OK
9: C_FindObjectsInit
2023-12-08 16:36:54.067
[in] hSession = 0x1
[in] pTemplate[1]:
CKA_CLASS CKO_PRIVATE_KEY
Returned: 0 CKR_OK
10: C_FindObjects
2023-12-08 16:36:54.067
[in] hSession = 0x1
[in] ulMaxObjectCount = 0x1
[out] ulObjectCount = 0x0
Returned: 0 CKR_OK
11: C_FindObjectsFinal
2023-12-08 16:36:54.067
[in] hSession = 0x1
Returned: 0 CKR_OK
error: Private key not found
Aborting.
from opensc.
embetrix
commented on June 19, 2024
it's weird that it looks for CKO_PRIVATE_KEY ?!
shoudn't be CKO_SECRET_KEY
from opensc.
embetrix
commented on June 19, 2024
Yes it's I built the HEAD of OpenSC I get different output:
*************** OpenSC PKCS#11 spy *****************
Loaded: "/usr/lib/softhsm/libsofthsm2.so"
0: C_GetInterface
2023-12-08 17:01:20.270
[compat]
[in] pInterfaceName 0000557bcacf2bf1 / 7
00000000 50 4B 43 53 20 31 31 PKCS 11
[in] pVersion = NULL
[in] flags =
Returned: 0 CKR_OK
1: C_Initialize
2023-12-08 17:01:20.270
[in] pInitArgs = (nil)
Returned: 0 CKR_OK
2: C_GetSlotList
2023-12-08 17:01:20.273
[in] tokenPresent = 0x0
[out] pSlotList:
Count is 2
[out] *pulCount = 0x2
Returned: 0 CKR_OK
3: C_GetSlotList
2023-12-08 17:01:20.273
[in] tokenPresent = 0x0
[out] pSlotList:
Slot 234214609
Slot 1
[out] *pulCount = 0x2
Returned: 0 CKR_OK
4: C_GetSlotInfo
2023-12-08 17:01:20.273
[in] slotID = 0xdf5d4d1
[out] pInfo:
slotDescription: 'SoftHSM slot ID 0xdf5d4d1 '
' '
manufacturerID: 'SoftHSM project '
hardwareVersion: 2.6
firmwareVersion: 2.6
flags: 1
CKF_TOKEN_PRESENT
Returned: 0 CKR_OK
Using slot 0 with a present token (0xdf5d4d1)
5: C_GetTokenInfo
2023-12-08 17:01:20.273
[in] slotID = 0xdf5d4d1
[out] pInfo:
label: 'token0 '
manufacturerID: 'SoftHSM project '
model: 'SoftHSM v2 '
serialNumber: 'b173d4ab8df5d4d1'
ulMaxSessionCount: 0
ulSessionCount: -1
ulMaxRwSessionCount: 0
ulRwSessionCount: -1
ulMaxPinLen: 255
ulMinPinLen: 4
ulTotalPublicMemory: -1
ulFreePublicMemory: -1
ulTotalPrivateMemory: -1
ulFreePrivateMemory: -1
hardwareVersion: 2.6
firmwareVersion: 2.6
time: '2023120816012000'
flags: 42d
CKF_RNG
CKF_LOGIN_REQUIRED
CKF_USER_PIN_INITIALIZED
CKF_RESTORE_KEY_NOT_NEEDED
CKF_TOKEN_INITIALIZED
Returned: 0 CKR_OK
6: C_OpenSession
2023-12-08 17:01:20.273
[in] slotID = 0xdf5d4d1
[in] flags = 0x4
[in] pApplication = (nil)
[in] Notify = (nil)
[out] *phSession = 0x1
Returned: 0 CKR_OK
7: C_GetTokenInfo
2023-12-08 17:01:20.273
[in] slotID = 0xdf5d4d1
[out] pInfo:
label: 'token0 '
manufacturerID: 'SoftHSM project '
model: 'SoftHSM v2 '
serialNumber: 'b173d4ab8df5d4d1'
ulMaxSessionCount: 0
ulSessionCount: -1
ulMaxRwSessionCount: 0
ulRwSessionCount: -1
ulMaxPinLen: 255
ulMinPinLen: 4
ulTotalPublicMemory: -1
ulFreePublicMemory: -1
ulTotalPrivateMemory: -1
ulFreePrivateMemory: -1
hardwareVersion: 2.6
firmwareVersion: 2.6
time: '2023120816012000'
flags: 42d
CKF_RNG
CKF_LOGIN_REQUIRED
CKF_USER_PIN_INITIALIZED
CKF_RESTORE_KEY_NOT_NEEDED
CKF_TOKEN_INITIALIZED
Returned: 0 CKR_OK
8: C_Login
2023-12-08 17:01:20.273
[in] hSession = 0x1
[in] userType = CKU_USER
[in] pPin[ulPinLen] 00007fffabfe6a9c / 5
00000000 31 32 33 34 35 12345
Returned: 0 CKR_OK
9: C_FindObjectsInit
2023-12-08 17:01:20.280
[in] hSession = 0x1
[in] pTemplate[1]:
CKA_CLASS CKO_SECRET_KEY
Returned: 0 CKR_OK
10: C_FindObjects
2023-12-08 17:01:20.280
[in] hSession = 0x1
[in] ulMaxObjectCount = 0x1
[out] ulObjectCount = 0x1
Object 0x2 matches
Returned: 0 CKR_OK
11: C_FindObjectsFinal
2023-12-08 17:01:20.280
[in] hSession = 0x1
Returned: 0 CKR_OK
Using signature algorithm SHA256-HMAC
12: C_SignInit
2023-12-08 17:01:20.280
[in] hSession = 0x1
[in] pMechanism->type = CKM_SHA256_HMAC
[in] pMechanism->pParameter[ulParameterLen] NULL [size : 0x0 (0)]
[in] hKey = 0x2
Returned: 99 CKR_KEY_TYPE_INCONSISTENT
13: C_Finalize
2023-12-08 17:01:20.280
Returned: 0 CKR_OK
error: PKCS11 function C_SignInit failed: rv = CKR_KEY_TYPE_INCONSISTENT (0x63)
Aborting.
from opensc.
embetrix
commented on June 19, 2024
I think that pkcs11-tool doesn't set CK_KEY_TYPE to CKK_GENERIC_SECRET
from opensc.
embetrix
commented on June 19, 2024
with the following patch it's working:
diff --git a/src/tools/pkcs11-tool.c b/src/tools/pkcs11-tool.c
index aae205fe..1335d0ca 100644
--- a/src/tools/pkcs11-tool.c
+++ b/src/tools/pkcs11-tool.c
@@ -4246,7 +4246,7 @@ static int write_object(CK_SESSION_HANDLE session)
if (opt_key_type != 0) {
if (strncasecmp(opt_key_type, "AES:", strlen("AES:")) == 0)
- type = CKK_AES;
+ type = CKK_GENERIC_SECRET;
else if (strncasecmp(opt_key_type, "DES3:", strlen("DES3:")) == 0)
type = CKK_DES3;
else
It's bug in pkcs11-tool, it need to be improved to provide an option to import GENERIC key or possibility to overwrite CK_KEY_TYPE for an AES Key
from opensc.
embetrix
commented on June 19, 2024
with this [PR] (#2955) it works as expected:
dd if=/dev/urandom of=generic_key.bin bs=32 count=1
pkcs11-tool --pin 12345 --module /usr/lib/softhsm/libsofthsm2.so --login --write-object generic_key.bin --type secrkey --key-type GENERIC:32 --id 112A --label generic32 --usage-sign
Using slot 0 with a present token (0x757c5773)
Created secret key:
Secret Key Object; Generic secret length 32
warning: PKCS11 function C_GetAttributeValue(VALUE) failed: rv = CKR_ATTRIBUTE_SENSITIVE (0x11)
label: generic32
ID: 112a
Usage: encrypt, decrypt, verify, wrap, unwrap
Access: none
pkcs11-tool --pin 12345 --module /usr/lib/softhsm/libsofthsm2.so --login --list-objects
Using slot 0 with a present token (0x757c5773)
Secret Key Object; Generic secret length 32
warning: PKCS11 function C_GetAttributeValue(VALUE) failed: rv = CKR_ATTRIBUTE_SENSITIVE (0x11)
label: generic32
ID: 112a
Usage: encrypt, decrypt, verify, wrap, unwrap
Access: none
pkcs11-tool --pin 12345 --module /usr/lib/softhsm/libsofthsm2.so --login --sign --label generic32 --mechanism=SHA256-HMAC --input-file=data.bin --output-file=data.sig
Using slot 0 with a present token (0x757c5773)
Using signature algorithm SHA256-HMAC
warning: PKCS11 function C_GetAttributeValue(ALWAYS_AUTHENTICATE) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)
pkcs11-tool --pin 12345 --module /usr/lib/softhsm/libsofthsm2.so --login --verify --label generic32 --mechanism=SHA256-HMAC --input-file=data.bin --signature-file=data.sig
Using slot 0 with a present token (0x757c5773)
Using signature algorithm SHA256-HMAC
Signature is valid
from opensc.
Related Issues (20)
- Error: Could not add card "/usr/local/lib/opensc-pkcs11-local.so": agent refused operation HOT 2
- New epass2003 token fails to initialize with error `Failed to create PKCS #15 meta structure: Card command failed` HOT 23
- Update Links in README.md before making a release HOT 2
- Building eOI (Slovenian eID) on ubuntu 22.04 HOT 12
- Compiling on Windows ignores CNGSDK_INCL_DIR and CPDK_INCL_DIR env. variables values HOT 2
- Problems with test scripts HOT 9
- Reselection of DF after failure in `sc_pkcs15_decipher` function HOT 5
- PIN change fails with CKR_PIN_LEN_RANGE because current PIN is too long HOT 10
- RFE: tools add --module-init arg for non-standard NSS softokn configDir HOT 5
- ActivIdentity Activkey_Sim 00 00 HOT 3
- CI: Check if refresh in documentation is needed
- doc: Python wrapper HOT 6
- pkcs11-tool: return value is 0 when signature verification fails HOT 3
- PKCS15 framework influence PKCS11 interface HOT 3
- docbook-utf8.xsl missing from release archive HOT 1
- Probable Reasons For CKR_GENERAL_ERROR From C_Login HOT 4
- SC-HSM: Support for storing of ECDSA keys HOT 3
- C_FindObjects does not find keys generated by C_GenerateKeyPair without reinserting HOT 3
- In pkcs11-tool CKA_DERIVE is not set for write-object and keygen HOT 2
- pkcs15-crypt signing fails on release 0.25.0 w/ a YubiKey-bound RSA key HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from opensc.