Importing encrypted RSA and plain RSA private keys in SmartCard-HSM about opensc HOT 6 OPEN

This question/issue interested me only for one reason, the only pkcs#11 implementation that supports unwrap/wrap in opensc is in card-myeid.c. What card-sc-hsm.c supports is a proprietary call that is not available from the pkcs#11 interface.

This has nothing to do with the CreateObject operation. As a rule, the token stores the /private/ key in a special file. This file is not normally readable, but it allows to perform a /private/ operation. The description of the /private key/ of this file is the subject of pkcs#15 .. and here it depends on the token whether it supports pkcs#15 or has another interface that has a mapping of this description (from an object) to some pkcs#15 description within the framework of opensc.

from opensc.

This operation is called unwrapping and is supported by PKCS#11. The code in sc-hsm driver has several mentions of "unwrap" so I believe this should work. You should be able to make some rough tests with pkcs11-tool (see --unwrap option and examples at the end of the manual page.

from opensc.

I looked at the src/libopensc/card-sc-hsm.c code, wrap/unwrap is supported here using the sc_card_ctl() call. Calling this code is not possible in the normal way from pkcs11-tool, but a specific call that appears to be supported by sc-hsm-tool must be used. (man sc-hsm-tool).

from opensc.

@popovec does that also mean for CreateObject call over PKCS11 interface? Importing key programaticaly with a template was giving me trouble, so I abandoned it.

from opensc.

sc-hsm-tool itself also has options for wrapping/unwrapping keys

from opensc.

https://github.com/OpenSC/OpenSC/wiki/SmartCardHSM

from opensc.