
Importing encrypted RSA and plain RSA private keys in SmartCard-HSM #3119

Open
scottthomas007 opened this issue Apr 17, 2024 · 6 comments

Comments

@scottthomas007

Bonjour Community,

I want to integrate SmartCard-HSM in a PKCS11 compliant network HSM for key escrow in such a way that I will generate RSA 2048 private keys of all users in HSM with export parameter on. HSM supports export of RSA 2048 private key (encrypted format) through a wrap key or Key Encryption Key (KEK) of AES 128, 192 and 256 bits.

For my smart card users, I will export that RSA 2048 private key in encrypted format with a KEK from HSM and I want to import encrypted key in SmartCard-HSM.

Is it possible with this card to import encrypted RSA private keys through AES wrap key or plain private keys in SmartCard-HSM?

Cheers
Scotty

@Jakuje
Member

Jakuje commented Apr 17, 2024

This operation is called unwrapping and is supported by PKCS#11. The code in sc-hsm driver has several mentions of "unwrap" so I believe this should work. You should be able to make some rough tests with pkcs11-tool (see --unwrap option and examples at the end of the manual page).

@popovec
Member

popovec commented Apr 17, 2024

I looked at the src/libopensc/card-sc-hsm.c code, wrap/unwrap is supported here using the sc_card_ctl() call. Calling this code is not possible in the normal way from pkcs11-tool, but a specific call that appears to be supported by sc-hsm-tool must be used. (man sc-hsm-tool).

@msetina

msetina commented Apr 17, 2024

@popovec does that also mean for CreateObject call over PKCS11 interface? Importing key programmatically with a template was giving me trouble, so I abandoned it.

@popovec
Member

popovec commented Apr 17, 2024

This question/issue interested me only for one reason, the only pkcs#11 implementation that supports unwrap/wrap in opensc is in card-myeid.c. What card-sc-hsm.c supports is a proprietary call that is not available from the pkcs#11 interface.

This has nothing to do with the CreateObject operation. As a rule, the token stores the /private/ key in a special file. This file is not normally readable, but it allows a /private/ operation to be performed. The description of the /private key/ of this file is the subject of pkcs#15, and here it depends on the token whether it supports pkcs#15 or has another interface that has a mapping of this description (from an object) to some pkcs#15 description within the framework of opensc.

@frankmorgner
Member

sc-hsm-tool itself also has options for wrapping/unwrapping keys

@frankmorgner
Member


5 participants