From: Peter P. <pop...@gm...> - 2017-03-20 08:12:11
Hello,

pkcs11-tool seems to set wrong Access Flags on Private EC keys: pkcs15-init sets Access Flags to 0x1D, pkcs11-tool to 0x0, examples below.

Second question: Is there a switch to set key usage "derive" in pkcs15-init?

  $ pkcs15-init --generate-key ec-prime256v1 --auth-id 1 --pin 11111111 --id 14 --label pkcs15_key --key-usage sign,derive
  Unknown X.509 key usage derive

pkcs11-tool can generate this usage:

  $ pkcs11-tool --login --pin 11111111 --keypairgen --key-type EC:prime256v1 --id 14 --label pkcs11_key --usage-derive --usage-sign

Examples:

  $ pkcs15-init --generate-key ec-prime256v1 --auth-id 1 --pin 11111111 --id 14 --label pkcs15_key --key-usage sign
  $ pkcs15-tool --list-keys --list-public-keys
  Private EC Key [pkcs15_key]
          Object Flags   : [0x3], private, modifiable
          Usage          : [0xC], sign, signRecover
          Access Flags   : [0x1D], sensitive, alwaysSensitive, neverExtract, local
          FieldLength    : 256
          Key ref        : 1 (0x1)
          Native         : yes
          Path           : 3f0050154b01
          Auth ID        : 01
          ID             : 14
          MD:guid        : 0dbf2b61-22e1-9b48-d19d-c3ed217d60bc
  Public EC Key [pkcs15_key]
          Object Flags   : [0x2], modifiable
          Usage          : [0xC0], verify, verifyRecover
          Access Flags   : [0x0]
          FieldLength    : 256
          Key ref        : 0 (0x0)
          Native         : no
          Path           : 3f0050155501
          ID             : 14

pkcs11-tool example:

  $ pkcs11-tool --login --pin 11111111 --keypairgen --key-type EC:prime256v1 --id 14 --label pkcs11_key --usage-sign
  Using slot 0 with a present token (0x0)
  Key pair generated:
  Private Key Object; EC
    label:      pkcs11_key
    ID:         14
    Usage:      sign
  Public Key Object; EC  EC_POINT 256 bits
    EC_POINT:   044104f804f2b748d3edda96b667e9203feca943076df2aeaf23eb5b6971ffcd06c32cdb46c299e62fb5c05b6df6662d8757333403f2d0ac5d0361810c972ed7941fd3
    EC_PARAMS:  06082a8648ce3d030107
    label:      pkcs11_key
    ID:         14
    Usage:      verify

  $ pkcs15-tool --list-keys --list-public-keys
  Private EC Key [pkcs11_key]
          Object Flags   : [0x3], private, modifiable
          Usage          : [0xC], sign, signRecover
          Access Flags   : [0x0]
          FieldLength    : 256
          Key ref        : 1 (0x1)
          Native         : yes
          Path           : 3f0050154b01
          Auth ID        : 01
          ID             : 14
          MD:guid        : 0dbf2b61-22e1-9b48-d19d-c3ed217d60bc
  Public EC Key [pkcs11_key]
          Object Flags   : [0x2], modifiable
          Usage          : [0xC0], verify, verifyRecover
          Access Flags   : [0x0]
          FieldLength    : 256
          Key ref        : 0 (0x0)
          Native         : no
          Path           : 3f0050155501
          ID             : 14
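An added example, not part of the post or of OpenSC, that audits a `pkcs15-tool --list-keys` listing like the two above and reports private keys whose Access Flags do not mark them sensitive, alwaysSensitive and neverExtract (the 0x0 case the post observed). The bit values for the names the post prints are fixed by its own output (0x1D, 0xC, 0xC0); the remaining flag names are assumed from OpenSC's pkcs15.h, and the sample listing is constructed from the post.

```python
import re

# Private-key access-flag bits. The post shows 0x1D decoding to
# sensitive, alwaysSensitive, neverExtract, local, which fixes those four;
# 0x02 (extractable) is an assumption taken from OpenSC's pkcs15.h.
ACCESS_FLAGS = {
    0x01: "sensitive",
    0x02: "extractable",     # assumed, not shown in the post
    0x04: "alwaysSensitive",
    0x08: "neverExtract",
    0x10: "local",
}
# Key-usage bits. The post shows 0xC = sign, signRecover and
# 0xC0 = verify, verifyRecover; the other names are assumed from pkcs15.h.
USAGE_FLAGS = {
    0x01: "encrypt", 0x02: "decrypt", 0x04: "sign", 0x08: "signRecover",
    0x10: "wrap", 0x20: "unwrap", 0x40: "verify", 0x80: "verifyRecover",
    0x100: "derive",
}
# A private key generated on the token should carry all three of these.
REQUIRED_PRIVATE = 0x01 | 0x04 | 0x08   # sensitive | alwaysSensitive | neverExtract

def decode(value, table):
    """Expand a flag word into the names of the bits that are set."""
    return [name for bit, name in sorted(table.items()) if value & bit]

def parse_listing(text):
    """Turn pkcs15-tool key listing text into one dict per key object."""
    keys = []
    for raw in text.splitlines():
        line = raw.strip()
        head = re.match(r"(Private|Public) \w+ Key \[(.+)\]", line)
        if head:
            keys.append({"kind": head.group(1), "label": head.group(2)})
            continue
        field = re.match(r"(Usage|Access Flags)\s*:\s*\[(0x[0-9A-Fa-f]+)\]", line)
        if field and keys:
            keys[-1][field.group(1)] = int(field.group(2), 16)
    return keys

def audit(text):
    """Return (label, missing-flag-names) for every private key lacking the required bits."""
    findings = []
    for key in parse_listing(text):
        flags = key.get("Access Flags", 0)
        if key["kind"] == "Private" and flags & REQUIRED_PRIVATE != REQUIRED_PRIVATE:
            findings.append((key["label"], decode(REQUIRED_PRIVATE & ~flags, ACCESS_FLAGS)))
    return findings

# Constructed sample: the relevant lines of the two listings in the post.
SAMPLE = """Private EC Key [pkcs15_key]
        Usage          : [0xC], sign, signRecover
        Access Flags   : [0x1D], sensitive, alwaysSensitive, neverExtract, local
Public EC Key [pkcs15_key]
        Usage          : [0xC0], verify, verifyRecover
        Access Flags   : [0x0]
Private EC Key [pkcs11_key]
        Usage          : [0xC], sign, signRecover
        Access Flags   : [0x0]
"""

if __name__ == "__main__":
    for label, missing in audit(SAMPLE):
        print(f"{label}: private key missing access flags {', '.join(missing)}")
```

Run against real output (`pkcs15-tool --list-keys | python3 audit.py` with the sample replaced by `sys.stdin.read()`) to spot keys created without the non-extractable attributes.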