How to list pkcs11 url of the private key? #27

New Issue

Open

opened 2023-11-26 21:20:11 +08:00 by rrottmann · 1 comment

rrottmann commented 2023-11-26 21:20:11 +08:00 (Migrated from https://github.com/polhenarejos/pico-hsm)

Copy Link

For signing an intermediate CA with openssl, I need to state the pkcs11 URL in the config file.
I can list the public keys but fail to do so for the private keys:

p11tool --list-all pkcs11:model=PKCS%2315%20emulated;manufacturer=Pol%20Henarejos;serial=ESPICOHSMTR;token=Pico-HSM%20%28UserPIN%29
Object 0:
        URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=Pol%20Henarejos;serial=ESPICOHSMTR;token=Pico-HSM%20%28UserPIN%29;id=%01;object=RSA2K;type=public
        Type: Public key (RSA-2048)
        Label: RSA2K
        Flags: CKA_WRAP/UNWRAP;
        ID: 01

Object 1:
        URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=Pol%20Henarejos;serial=ESPICOHSMTR;token=Pico-HSM%20%28UserPIN%29;id=%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00;object=ESPICOHSMTR;type=public
        Type: Public key (EC/ECDSA-SECP256R1)
        Label: ESPICOHSMTR
        ID: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00

Object 2:
        URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=Pol%20Henarejos;serial=ESPICOHSMTR;token=Pico-HSM%20%28UserPIN%29;id=%11;object=ECDSA;type=public
        Type: Public key (EC/ECDSA-SECP192R1)
        Label: ECDSA
        ID: 11

Object 3:
        URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=Pol%20Henarejos;serial=ESPICOHSMTR;token=Pico-HSM%20%28UserPIN%29;id=%6B%52%23%26%27%0F%20%10%7F%64%A4%31%FB%EE%05%0D%9F%29%F9%77;object=root;type=public
        Type: Public key (EC/ECDSA-SECP384R1)
        Label: root
        ID: 6b:52:23:26:27:0f:20:10:7f:64:a4:31:fb:ee:05:0d:9f:29:f9:77

Object 4:
        URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=Pol%20Henarejos;serial=ESPICOHSMTR;token=Pico-HSM%20%28UserPIN%29;id=%8C%23%52%12%36%77%D5%04%AB%A4%86%89%F7%88%77%C4%A2%97%11%00;object=intermediate;type=public
        Type: Public key (EC/ECDSA-SECP384R1)
        Label: intermediate
        ID: 8c:23:52:12:36:77:d5:04:ab:a4:86:89:f7:88:77:c4:a2:97:11:00
export GNUTLS_PIN=648219
p11tool --login --list-all pkcs11:model=PKCS%2315%20emulated;manufacturer=Pol%20Henarejos;serial=ESPICOHSMTR;token=Pico-HSM%20%28UserPIN%29
Error in crt_list_import (1): Error in provided PIN.

Is this the correct way to get those URLs? Any alternatve to get those?

For signing an intermediate CA with openssl, I need to state the pkcs11 URL in the config file. I can list the public keys but fail to do so for the private keys: ``` p11tool --list-all pkcs11:model=PKCS%2315%20emulated;manufacturer=Pol%20Henarejos;serial=ESPICOHSMTR;token=Pico-HSM%20%28UserPIN%29 Object 0: URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=Pol%20Henarejos;serial=ESPICOHSMTR;token=Pico-HSM%20%28UserPIN%29;id=%01;object=RSA2K;type=public Type: Public key (RSA-2048) Label: RSA2K Flags: CKA_WRAP/UNWRAP; ID: 01 Object 1: URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=Pol%20Henarejos;serial=ESPICOHSMTR;token=Pico-HSM%20%28UserPIN%29;id=%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00;object=ESPICOHSMTR;type=public Type: Public key (EC/ECDSA-SECP256R1) Label: ESPICOHSMTR ID: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 Object 2: URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=Pol%20Henarejos;serial=ESPICOHSMTR;token=Pico-HSM%20%28UserPIN%29;id=%11;object=ECDSA;type=public Type: Public key (EC/ECDSA-SECP192R1) Label: ECDSA ID: 11 Object 3: URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=Pol%20Henarejos;serial=ESPICOHSMTR;token=Pico-HSM%20%28UserPIN%29;id=%6B%52%23%26%27%0F%20%10%7F%64%A4%31%FB%EE%05%0D%9F%29%F9%77;object=root;type=public Type: Public key (EC/ECDSA-SECP384R1) Label: root ID: 6b:52:23:26:27:0f:20:10:7f:64:a4:31:fb:ee:05:0d:9f:29:f9:77 Object 4: URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=Pol%20Henarejos;serial=ESPICOHSMTR;token=Pico-HSM%20%28UserPIN%29;id=%8C%23%52%12%36%77%D5%04%AB%A4%86%89%F7%88%77%C4%A2%97%11%00;object=intermediate;type=public Type: Public key (EC/ECDSA-SECP384R1) Label: intermediate ID: 8c:23:52:12:36:77:d5:04:ab:a4:86:89:f7:88:77:c4:a2:97:11:00 export GNUTLS_PIN=648219 p11tool --login --list-all pkcs11:model=PKCS%2315%20emulated;manufacturer=Pol%20Henarejos;serial=ESPICOHSMTR;token=Pico-HSM%20%28UserPIN%29 Error in crt_list_import (1): Error in provided PIN. ``` Is this the correct way to get those URLs? Any alternatve to get those?

👍 1

rrottmann commented 2023-11-26 23:58:04 +08:00 (Migrated from https://github.com/polhenarejos/pico-hsm)

Copy Link

I found the following workaround:

1. List keys with pkcs11-tool -l --pin 648219 -O and identify the serial of the private key
2. Convert to %-notation: echo 6b522326270f20107f64a431fbee050d9f29f977 | tr [:lower:] [:upper:] | sed 's/../%&/g'
3. Use a minimal pkcs11 URL: pkcs11:id=%6B%52%23%26%27%0F%20%10%7F%64%A4%31%FB%EE%05%0D%9F%29%F9%77;type=private

I found the following workaround: 1. List keys with ` pkcs11-tool -l --pin 648219 -O` and identify the serial of the private key 2. Convert to %-notation: `echo 6b522326270f20107f64a431fbee050d9f29f977 | tr [:lower:] [:upper:] | sed 's/../%&/g'` 3. Use a minimal pkcs11 URL: ` pkcs11:id=%6B%52%23%26%27%0F%20%10%7F%64%A4%31%FB%EE%05%0D%9F%29%F9%77;type=private`

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

master

development

nightly-development

nightly-master

v6.4

v6.2

v6.0-eddsa1

v6.0

v5.6

v5.4-eddsa1

v5.4

v5.2

v5.0-eddsa1

v5.0

v4.2-eddsa1

v4.2

v4.0-eddsa1

v4.0

v3.6-eddsa1

v3.6

v3.4

v3.2

v3.0

v2.6

v2.4

v2.2

v2.0

v1.12

v1.10

v1.8

v1.6

v1.4

v1.2

v1.0

Labels

Clear labels

bug

Something isn't working

bug

Something isn't working

dependencies

Pull requests that update a dependency file

dependencies

Pull requests that update a dependency file

documentation

Improvements or additions to documentation

documentation

Improvements or additions to documentation

duplicate

This issue or pull request already exists

duplicate

This issue or pull request already exists

enhancement

New feature or request

enhancement

New feature or request

good first issue

Good for newcomers

good first issue

Good for newcomers

help wanted

Extra attention is needed

help wanted

Extra attention is needed

invalid

This doesn't seem right

invalid

This doesn't seem right

question

Further information is requested

question

Further information is requested

wontfix

This will not be worked on

wontfix

This will not be worked on

No Label documentation enhancement

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

dearsky

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: dearsky/pico-hsm#27