From: Cornelius K. <cor...@ne...> - 2016-04-16 08:36:37
Hi Andreas,

I compiled 0.15 and used it the below way. It still looks the same.
(Maybe I didn't use it correctly.) But it still looks the same.

When I list all objects, the public key (12) does not have the key-usage "encrypt".

Kind regards
Cornelius

/usr/local/bin/pkcs11-tool --module /usr/local/lib/opensc-pkcs11.so -l --keypairgen --key-type rsa:2048 --id 12
Using slot 1 with a present token (0x1)
Logging in to "SmartCard-HSM (UserPIN)".
Please enter User PIN:
Key pair generated:
Private Key Object; RSA
  label:      Private Key
  ID:         12
  Usage:      decrypt, sign, unwrap
Public Key Object; RSA 2048 bits
  label:      Private Key
  ID:         12
  Usage:      encrypt, verify, wrap

(venv)cornelius@puckel ...c/privacyidea/privacyidea/lib/security (git)-[pkcs11] % /usr/local/bin/pkcs11-tool --module /usr/local/lib/opensc-pkcs11.so -l -O
Using slot 1 with a present token (0x1)
Logging in to "SmartCard-HSM (UserPIN)".
Please enter User PIN:
Private Key Object; RSA
  label:      Private Key
  ID:         11
  Usage:      decrypt, sign, unwrap
Public Key Object; RSA 2048 bits
  label:      Private Key
  ID:         11
  Usage:      none
Private Key Object; RSA
  label:      Private Key
  ID:         12
  Usage:      decrypt, sign, unwrap
Public Key Object; RSA 2048 bits
  label:      Private Key
  ID:         12
  Usage:      none

On Saturday, 16.04.2016, 00:11 +0200, Andreas Schwier wrote:
> Dear Cornelius,
>
> get a newer version ;-)
>
> 0.13 was the first version to support the SmartCard-HSM and a lot has
> happened since then.
>
> Andreas
>
> On 04/15/2016 11:02 PM, Cornelius Kölbel wrote:
> > Hi,
> >
> > I am doing some tests with the nitrokey (smartcard-hsm) on Ubuntu 14.04.
> > It comes with 0.13.0-3ubuntu4.1.
> >
> > So you may simply tell me to get a newer version ;-)
> >
> > Now, when I generate a key pair everything looks fine.
> > The key usage of the pubkey is marked as _encrypt_.
> >
> > But when I run -l -O the public key has no attributes!
> >
> >
> > (venv)cornelius@puckel ...c/privacyidea/privacyidea/lib/security
> > (git)-[pkcs11] % pkcs11-tool
> > --module /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so -l --keypairgen
> > --key-type rsa:2048 --id
> > 11
> > Using slot 1 with a present token (0x1)
> > Logging in to "SmartCard-HSM (UserPIN)".
> > Please enter User PIN:
> > Key pair generated:
> > Private Key Object; RSA
> >   label:      Private Key
> >   ID:         11
> >   Usage:      decrypt, sign, unwrap
> > Public Key Object; RSA 2048 bits
> >   label:      Private Key
> >   ID:         11
> >   Usage:      encrypt, verify, wrap
> > (venv)cornelius@puckel ...c/privacyidea/privacyidea/lib/security
> > (git)-[pkcs11] % pkcs11-tool
> > --module /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so -l -O
> > Using slot 1 with a present token (0x1)
> > Logging in to "SmartCard-HSM (UserPIN)".
> > Please enter User PIN:
> > Private Key Object; RSA
> >   label:      Private Key
> >   ID:         11
> >   Usage:      decrypt, sign, unwrap
> > Public Key Object; RSA 2048 bits
> >   label:      Private Key
> >   ID:         11
> >   Usage:      none
> >
> > Also when I look at the object all key usage attribs are set to false:
> >
> > [CKA_ALWAYS_SENSITIVE: True
> > CKA_CLASS: CKO_PUBLIC_KEY
> > CKA_DECRYPT: False
> > CKA_DERIVE: False
> > CKA_ENCRYPT: False
> > CKA_EXTRACTABLE: (0L,)
> > CKA_ID: (17L,)
> > CKA_KEY_GEN_MECHANISM: -1
> > CKA_KEY_TYPE: CKK_RSA
> > CKA_LABEL: Private Key
> > CKA_LOCAL: True
> > CKA_MODIFIABLE: False
> >
> > When I try to encrypt with the key handle on key x11 I get
> > CKR_FUNCTION_NOT_SUPPORTED.
> >
> > So it looks like the attributes of the pubkey are not persisted.
> >
> > Am I missing something?
> >
> > Thanks a lot and kind regards
> > Cornelius

--
Cornelius Kölbel
cor...@ne...
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Managing Director: Cornelius Kölbel
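
Added example, not part of the original thread or of OpenSC: a small Python check that parses a `pkcs11-tool -l -O` listing in the format shown above and reports the IDs whose public key object lists no usage although a private key with the same ID exists. The function names and the embedded sample listing are constructed for illustration.

```python
import re

# Constructed sample in the format of the `pkcs11-tool -l -O` listing quoted above.
SAMPLE_LISTING = """\
Private Key Object; RSA
  label:      Private Key
  ID:         12
  Usage:      decrypt, sign, unwrap
Public Key Object; RSA 2048 bits
  label:      Private Key
  ID:         12
  Usage:      none
"""

HEADER = re.compile(r"^(Private|Public) Key Object;")
FIELD = re.compile(r"^\s*(\w[\w ]*?):\s*(.*)$")  # tolerant of lost indentation


def parse_objects(listing):
    """Return one dict per key object: kind, id and the set of usage flags."""
    objects = []
    for line in listing.splitlines():
        header = HEADER.match(line)
        if header:
            objects.append({"kind": header.group(1).lower(), "id": None, "usage": set()})
            continue
        field = FIELD.match(line)
        if not field or not objects:
            continue  # banner and prompt lines before the first object
        name, value = field.group(1).strip(), field.group(2).strip()
        if name == "ID":
            objects[-1]["id"] = value
        elif name == "Usage":
            objects[-1]["usage"] = {u.strip() for u in value.split(",")} - {"none", ""}
    return objects


def public_keys_without_usage(listing):
    """IDs whose public key has no usage flags while a private key shares the ID."""
    objs = parse_objects(listing)
    private_ids = {o["id"] for o in objs if o["kind"] == "private"}
    return sorted(o["id"] for o in objs
                  if o["kind"] == "public" and not o["usage"] and o["id"] in private_ids)


if __name__ == "__main__":
    print(public_keys_without_usage(SAMPLE_LISTING))
```

Feeding it the listing taken right after `--keypairgen` and again after a fresh login shows whether the usage flags survive on the token or only exist in the generation output.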