From: Marek S. <scr...@wp...> - 2015-10-13 10:34:02
Hello,

A while ago I tried to import several existing X.509 certificates and their corresponding private keys into my SmartCard-HSM, using OpenSC-0.14. It turned out that I could do that - which surprised me a bit because later on I read on-line that importing shouldn't work for this card - but only for one certificate at a time, with each subsequent import overwriting the previous one. I then decided that I'd rather have no software-generated certificates on the card than have just one and proceeded to delete the imported data, using pkcs11-tool. The cert and the pubkey both went without trouble; however, whenever I attempt to delete the private key I get an error:

    $ pkcs11-tool --module /usr/lib/opensc-pkcs11.so -l --delete-object --type privkey --id 11ac7c18d526f536d80520d4c03b71f4923d4553
    Using slot 1 with a present token (0x1)
    Logging in to "SmartCard-HSM (UserPIN)".
    Please enter User PIN:
    error: PKCS11 function C_DestroyObject() failed: rv = CKR_GENERAL_ERROR (0x5)

The same happens now with OpenSC-0.15.

Is there any way I could get rid of this key from the card without reinitialising it?

Yours sincerely,
-- 
MS
From: Andreas S. <and...@ca...> - 2015-10-19 09:30:45
Hi Marek,

What does pkcs15-tool -D show ?

In the SmartCard-HSM there is a file identifier for the key (0xCC00 + keyid) and an EF with the PKCS#15 description of the key (0xC400 + keyid). For a certificate related to the private key, an EF with 0xCE00 + keyid is allocated. An unrelated certificate (i.e. a CA certificate) is placed in 0xCA00 + index with the meta data in 0xC800 + index. Data objects are placed in either 0xCF00 + index or 0xCD00 + index with meta data in 0xC800 + index. The range 0xCF00 is used for data objects that can be read always; 0xCD00 is used for data protected by the user PIN.

The code enumerates file identifiers and creates a key object for each key in the range 0xCC01 to 0xCCFF with the meta data from the related EF in the range 0xC401 to 0xC4FF. So if pkcs15-tool still shows the key, then a key object and the meta data are present.

You can manually erase the key file and/or meta data file after PIN verification using opensc-tool or a script for the Smart Card Shell.

Andreas

-- 
---------    CardContact Software & System Consulting
|.##> <##.|  Andreas Schwier
|#       #|  Schülerweg 38
|#       #|  32429 Minden, Germany
|'##> <##'|  Phone +49 571 56149
---------    http://www.cardcontact.de
             http://www.tscons.de
             http://www.openscdp.org
             http://www.smartcard-hsm.com
From: Marek S. <scr...@wp...> - 2015-10-20 09:55:11
On 2015-10-19 11:30, Andreas Schwier wrote:
> What does pkcs15-tool -D show ?

It shows a private-key object with the label I gave it during the import attempt, key ref 0 and usage flags 0x4 (the import source had more), but otherwise identical to the card-generated keys. Yes, including "native" set to yes.

> You can manually erase the key file and/or meta data file after PIN
> verification using opensc-tool or a script for the Smart Card Shell.

I've just managed to delete 0xC400 using opensc-explorer (I did not know how to do it using opensc-tool) and, as expected, the imported key has disappeared from the pkcs15-tool -D output. Thanks! I couldn't delete 0xCC00 though; even if I verify the SO PIN instead of the user PIN, I get the "not allowed" error. Will the presence of a key object without the corresponding metadata on the card cause problems in the future?

-- 
MS
From: Andreas S. <and...@ca...> - 2015-10-20 10:04:09
On 10/20/2015 11:54 AM, Marek Szuba wrote:
> On 2015-10-19 11:30, Andreas Schwier wrote:
> I've just managed to delete 0xC400 using opensc-explorer (I did not know
> how to do it using opensc-tool) and, as expected, the imported key has
> disappeared from the pkcs15-tool -D output. Thanks! I couldn't delete
> 0xCC00 though, even if I verify the SO PIN instead of the user PIN I get
> the "not allowed" error. Will the presence of a key object without the
> corresponding metadata on the card cause problems in the future?

The file identifier CC00 is reserved for the device authentication key and cannot be removed.

A key object without meta data is not a problem: the key will simply not show up at the PKCS#11 interface. The meta data is only required for the PKCS#11 module and is not used internally in the device.
From: Marek S. <scr...@wp...> - 2015-10-20 10:34:46
On 2015-10-20 12:04, Andreas Schwier wrote:
> The file identifier CC00 is reserved for the device authentication key
> and can not be removed.

Would this mean that the attempted import resulted in metadata of the imported private key getting attached to the device-authentication key?

Either way, thanks for your help.

-- 
MS
From: Andreas S. <and...@ca...> - 2015-10-20 10:46:00
Yes, that caused the problem. The code did not reject the key import but returned SC_SUCCESS when writing the private key, thus the meta data was written for key id 0 (the device authentication key).

Andreas

On 10/20/2015 12:34 PM, Marek Szuba wrote:
> On 2015-10-20 12:04, Andreas Schwier wrote:
>
>> The file identifier CC00 is reserved for the device
>> authentication key and can not be removed.
> Would this mean that the attempted import resulted in metadata of
> the imported private key getting attached to the
> device-authentication key?
>
> Either way, thanks for your help.
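Added example, not code from this thread, from OpenSC or from CardContact: a small Python script that decodes SmartCard-HSM file identifiers according to the layout Andreas gives in his first reply, and audits a directory listing for exactly the inconsistency diagnosed at the end of the thread (metadata in 0xC400 attached to the reserved device authentication key in 0xCC00). The function names (`decode_fid`, `audit_keys`, `cleanup_plan`) and the listing in `SAMPLE_CARD` are assumptions made for the example; a real listing would have to be read from the card, for instance with opensc-explorer as Marek did. Following Andreas's replies, the script treats key id 0 as reserved, never proposes deleting 0xCC00, and reports a 0xC400 file separately rather than as a regular key, and it only ever proposes deleting metadata EFs, since a key file without metadata is harmless.

```python
"""
Decode SmartCard-HSM file identifiers (FIDs) and audit key/metadata pairing.

Layout, as described in the thread (high byte selects the object class,
low byte is a key id or an index):
  0xCC00 + keyid  private key        (0xCC00 itself: device authentication key)
  0xC400 + keyid  PKCS#15 key metadata, used only by the PKCS#11 module
  0xCE00 + keyid  certificate for that key
  0xCA00 + index  unrelated (CA) certificate, metadata in 0xC800 + index
  0xCF00 + index  data object, always readable, metadata in 0xC800 + index
  0xCD00 + index  data object, user-PIN protected, metadata in 0xC800 + index
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

FID_CLASSES: Dict[int, Tuple[str, str]] = {
    0xCC: ("private key", "keyid"),
    0xC4: ("key metadata (PKCS#15)", "keyid"),
    0xCE: ("certificate for key", "keyid"),
    0xCA: ("CA certificate", "index"),
    0xC8: ("metadata for CA certificate or data object", "index"),
    0xCF: ("data object, always readable", "index"),
    0xCD: ("data object, user-PIN protected", "index"),
}

DEVICE_AUTH_KEY_ID = 0x00  # CC00 is reserved and cannot be deleted


@dataclass(frozen=True)
class Fid:
    raw: int
    kind: str
    index_name: str
    index: int

    def __str__(self) -> str:
        return f"{self.raw:04X}: {self.kind} ({self.index_name}={self.index})"


def decode_fid(raw: int) -> Optional[Fid]:
    """Classify a 16-bit FID by its high byte; None if outside the ranges above."""
    if not 0 <= raw <= 0xFFFF:
        raise ValueError(f"not a 16-bit file identifier: {raw!r}")
    cls = FID_CLASSES.get(raw >> 8)
    if cls is None:
        return None
    kind, index_name = cls
    return Fid(raw, kind, index_name, raw & 0xFF)


def audit_keys(fids: Iterable[int]) -> Dict[str, List[int]]:
    """Cross-check CCxx key files against C4xx metadata files.

    visible          key ids 01..FF with both files: what PKCS#11 will list
    hidden_keys      CCxx without C4xx: usable by the card, invisible to PKCS#11
    orphan_metadata  C4xx without CCxx: stale description, safe to delete
    device_key_meta  C400 present: metadata attached to the reserved device key,
                     which is what the failed import in the thread left behind
    """
    present = set(fids)
    keys = {f & 0xFF for f in present if f >> 8 == 0xCC}
    meta = {f & 0xFF for f in present if f >> 8 == 0xC4}
    return {
        "visible": sorted((keys & meta) - {DEVICE_AUTH_KEY_ID}),
        "hidden_keys": sorted((keys - meta) - {DEVICE_AUTH_KEY_ID}),
        "orphan_metadata": sorted(meta - keys),
        "device_key_meta": sorted(meta & {DEVICE_AUTH_KEY_ID}),
    }


def cleanup_plan(fids: Iterable[int]) -> List[int]:
    """EFs to delete (after user PIN verification) so PKCS#11 and card agree.

    Only metadata files are proposed: CC00 is not deletable, and a CCxx key
    without metadata does no harm beyond being invisible to PKCS#11.
    """
    report = audit_keys(fids)
    stale = report["orphan_metadata"] + report["device_key_meta"]
    return sorted(0xC400 + keyid for keyid in stale)


# Constructed directory listing (assumption for this example, not dumped from
# a real card) resembling the situation in the thread after the failed import.
SAMPLE_CARD: List[int] = [
    0xCC00, 0xC400,          # device authentication key plus stray import metadata
    0xCC01, 0xC401, 0xCE01,  # card-generated key 1 with metadata and certificate
    0xCC02,                  # key 2 without metadata: invisible to PKCS#11
    0xC403,                  # metadata whose key file is gone
    0xCA01, 0xC801,          # CA certificate and its metadata
    0xCF01,                  # always-readable data object
]


if __name__ == "__main__":
    for fid in SAMPLE_CARD:
        print(decode_fid(fid))
    for name, ids in audit_keys(SAMPLE_CARD).items():
        print(f"{name:16s} {[f'{i:02X}' for i in ids]}")
    print("delete:", [f"{f:04X}" for f in cleanup_plan(SAMPLE_CARD)])
```

On the constructed listing the audit reports key 01 as visible, key 02 as hidden, C403 as orphan metadata and C400 as metadata attached to the device key, and the cleanup plan is to delete C400 and C403 only, which matches what Marek ended up doing by hand for C400.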