pico-hsm-tool initialize errors #96

Closed
opened 2025-05-24 18:31:01 +08:00 by jspw-hubgit · 3 comments

Running the script with initialize defaults ends with an error. Setting --pin, --slot, --so-pin does not affect script behavior.

```
❯ uv run --script --active --no-config pico-hsm-tool.py initialize
Pico HSM Tool v2.4
Author: Pol Henarejos
Report bugs to https://github.com/polhenarejos/pico-hsm/issues


Traceback (most recent call last):
  File "/pico-hsm-tool.py", line 576, in <module>
    run()
    ~~~^^
  File "/pico-hsm-tool.py", line 573, in run
    main(args)
    ~~~~^^^^^^
  File "/pico-hsm-tool.py", line 543, in main
    picohsm = PicoHSM(args.pin, slot=args.slot)
TypeError: PicoHSM.__init__() got an unexpected keyword argument 'slot'
```

1. As a workaround, delete the argument `slot`: `picohsm = PicoHSM(args.pin)`, but after that a new error appears.
```
❯ uv run --script --active --no-config pico-hsm-tool.py initialize
Pico HSM Tool v2.4
Author: Pol Henarejos
Report bugs to https://github.com/polhenarejos/pico-hsm/issues


********************************
*   PLEASE READ IT CAREFULLY   *
********************************

This tool will erase and reset your device. It will delete all private and secret keys.
Are you sure?
[Press enter to confirm]
Public Point: 044ced66c2fd6ccd8c5d3de6f0786347674505b7cefe2484b76c64607a0a13e080f2ca9f464f02c2dd612b667763c26efe82346da4d4e35534362829d7d2cc0a60
Traceback (most recent call last):
  File "/pico-hsm-tool.py", line 576, in <module>
    run()
    ~~~^^
  File "/pico-hsm-tool.py", line 573, in run
    main(args)
    ~~~~^^^^^^
  File "/pico-hsm-tool.py", line 547, in main
    initialize(picohsm, args)
    ~~~~~~~~~~^^^^^^^^^^^^^^^
  File "/pico-hsm-tool.py", line 242, in initialize
    if (picohsm.platform in (Platform.RP2350, Platform.ESP32, Platform.EMULATION)):
                                                              ^^^^^^^^^^^^^^^^^^
AttributeError: type object 'Platform' has no attribute 'EMULATION'
```

2. Delete `Platform.EMULATION`: `if (picohsm.platform in (Platform.RP2350, Platform.ESP32)):`, and the script runs with no errors.
```
❯ uv run --script --active --no-config pico-hsm-tool.py initialize
Pico HSM Tool v2.4
Author: Pol Henarejos
Report bugs to https://github.com/polhenarejos/pico-hsm/issues


********************************
*   PLEASE READ IT CAREFULLY   *
********************************

This tool will erase and reset your device. It will delete all private and secret keys.
Are you sure?
[Press enter to confirm]
Public Point: 044ced66c2fd6ccd8c5d3de6f0786347674505b7cefe2484b76c64607a0a13e080f2ca9f464f02c2dd612b667763c26efe82346da4d4e35534362829d7d2cc0a60
Device name: ESPICOHSMTRDQVAL
Certificate uploaded successfully!

Note that the device is initialized with a default PIN and configuration.
Now you can initialize the device as usual with your chosen PIN and configuration options.
```

Python env:

```
❯ uv pip list
Using Python 3.13.3 environment at: 
Package      Version
------------ -------
base58       2.1.1
cffi         1.17.1
cryptography 45.0.2
pycparser    2.22
pycvc        1.5.0
pypicohsm    1.4
pyscard      2.2.1
pyusb        1.3.1
setuptools   80.8.0
```

Update pypicohsm to latest version.

@polhenarejos may I ask for your help on resolving this issue?
The tests from this repository run with OK status, except only RSA-PKCS-OAEP.

```
❯ /pico-hsm/tests/scripts/pkcs11.sh
==== Test initialization ====
  Test SO-PIN change.....	ok
  Test PIN change....	ok
  Test PIN reset......	ok
  Test wrong PIN attempts........	ok
  Test restore PIN....	ok
.......
==== Test asymmetric ciphering ====
  Keygen RSA 2048.........	ok
  Test RSA-PKCS ciphering.......	ok
  Test RSA-X-509 ciphering........	ok
  Test RSA-PKCS-OAEP ciphering.....	fail
```

A manual test with OAEP works:

```
❯ pkcs11-tool -l --pin 648219 --keypairgen --key-type rsa:2048 --id 1 --label "TestLabel"
Using slot 0 with a present token (0x0)
❯ pkcs15-tool -D
...
Private RSA Key [TestLabel]
...
Public RSA Key [TestLabel]
...
❯ pkcs11-tool --read-object --pin 648219 --id 1 --type pubkey > 1.der
Using slot 0 with a present token (0x0)
❯ openssl rsa -inform DER -outform PEM -in 1.der -pubin > 1.pub
writing RSA key
❯ echo "This is a test string. Be safe, be secure." > data
❯ openssl pkeyutl -encrypt -inkey 1.pub -pubin -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 -pkeyopt rsa_mgf1_md:sha256 -in data -out data.crypt
❯ pkcs11-tool --id 1 --pin 648219 --decrypt --mechanism RSA-PKCS-OAEP -i data.crypt
Using slot 0 with a present token (0x0)
Using decrypt algorithm RSA-PKCS-OAEP
hash-algorithm RSA-PKCS-KEY-PAIR-GEN unknown, defaulting to CKM_SHA256
mgf not set, defaulting to MGF1-SHA256
OAEP parameters: hashAlg=SHA256, mgf=MGF1-SHA256, source_type=1, source_ptr=(nil), source_len=0
This is a test string. Be safe, be secure.
```

Related system packages:

```
libp11 (0.4.13-1)
libressl (4.1.0-1)
ccid (1.5.5-1)
opensc (0.26.1-1)
```

I found a way to resolve the issue with RSA-PKCS-OAEP.
When using `--decrypt`, 3 options should be specified: `--mechanism RSA-PKCS-OAEP --hash-algorithm=sha256 --mgf=MGF1-SHA256`

```
❯ pkcs11-tool --id 1 --pin 648219 --decrypt --mechanism RSA-PKCS-OAEP --hash-algorithm=sha256 --mgf=MGF1-SHA256 -i data.crypt
Using slot 0 with a present token (0x0)
Using decrypt algorithm RSA-PKCS-OAEP
OAEP parameters: hashAlg=SHA256, mgf=MGF1-SHA256, source_type=1, source_ptr=(nil), source_len=0
This is a test string. Be safe, be secure.
```
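The fix above works because the OAEP hash and the MGF1 hash are inputs to the padding and are not recorded anywhere in the ciphertext, so a decrypting side that assumes different defaults sees nothing but a generic decoding error. The following added Python example (not code from pico-hsm, pkcs11-tool or this thread) implements the EME-OAEP padding from RFC 8017 with a standard-library MGF1 and shows that mismatch; it assumes a 2048-bit modulus (k = 256 bytes) and leaves out the RSA exponentiation, which does not involve these parameters.

```python
"""EME-OAEP padding (RFC 8017 section 7.1) with a standard-library MGF1.
Added illustration: the ciphertext does not record which hash was used."""
import hashlib
import os
K = 256  # assumption: 2048-bit RSA modulus, so the encoded message EM is 256 bytes

def mgf1(seed: bytes, length: int, hash_name: str) -> bytes:
    """MGF1 (RFC 8017 B.2.1): concatenated Hash(seed || 4-byte counter), truncated."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.new(hash_name, seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def oaep_encode(msg: bytes, hash_name: str = "sha256", seed: bytes = b"") -> bytes:
    """Return the K-byte EM; hash_name drives both lHash and MGF1 (empty label)."""
    h_len = hashlib.new(hash_name).digest_size
    if len(msg) > K - 2 * h_len - 2:
        raise ValueError("message too long")
    l_hash = hashlib.new(hash_name, b"").digest()
    db = l_hash + b"\x00" * (K - len(msg) - 2 * h_len - 2) + b"\x01" + msg
    seed = seed or os.urandom(h_len)  # caller-supplied seed only for reproducible tests
    masked_db = xor(db, mgf1(seed, K - h_len - 1, hash_name))
    masked_seed = xor(seed, mgf1(masked_db, h_len, hash_name))
    return b"\x00" + masked_seed + masked_db

def oaep_decode(em: bytes, hash_name: str = "sha256") -> bytes:
    """Invert oaep_encode; any parameter mismatch surfaces only as a decoding error."""
    h_len = hashlib.new(hash_name).digest_size
    if len(em) != K or em[0] != 0:
        raise ValueError("decoding error")
    masked_seed, masked_db = em[1:1 + h_len], em[1 + h_len:]
    seed = xor(masked_seed, mgf1(masked_db, h_len, hash_name))
    db = xor(masked_db, mgf1(seed, K - h_len - 1, hash_name))
    if db[:h_len] != hashlib.new(hash_name, b"").digest():
        raise ValueError("decoding error")  # lHash mismatch: wrong hash on this side
    sep = db.find(b"\x01", h_len)
    if sep < 0 or any(db[h_len:sep]):
        raise ValueError("decoding error")  # padding string PS must be all zeros
    return db[sep + 1:]

def decodes_with(em: bytes, hash_name: str) -> bool:
    try:
        return oaep_decode(em, hash_name) is not None
    except ValueError:
        return False
```

Decoding an EM produced with SHA-256 under SHA-1 or SHA-512 fails at the lHash check, which is exactly the situation `--hash-algorithm` and `--mgf` resolve on the pkcs11-tool side.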