SC-HSM: Support for storing of ECDSA keys

[psangst]

Problem Description

I don't believe this is a bug but a decision to not support loading of pre-issued ECDSA keys on to a PKCS12 (token). I see in sc_hsm_store_key() just has a noop and supports logging. It returns SC_ERROR_NOT_SUPPORTED. Earlier in opensc it seems that a known curve like those standardized from NIST (e.g. P-384) that opensc is able to recognize and even fix the params, but then it runs into this "not supported" error.

The impact of not supporting is very broad and is most felt by people trying to improve security by using an HSM with ECDSA keys. In many cases, unfortunately the keys already exist so need to be stored onto the HSM via the above calls. The result is people are being forced to use Java (e.g. smartcard gui) to load P12 objects on to their HSM. This really should be possible via the opensc stack.

Proposed Resolution

Just requesting the support be added to opensc. I found a reference that blames GNUtls for the lack of support, but they mention arbitrary curves. Why can't we have support for the standard NIST curves and other popular named curves (even if other curves are put off for a future release). I believe this is the initial spot for the feature addition...

static int sc_hsm_store_key(sc_profile_t *profile, sc_pkcs15_card_t *p15card,
sc_pkcs15_object_t *obj, sc_pkcs15_prkey_t *key)
{
LOG_FUNC_CALLED(p15card->card->ctx);
LOG_FUNC_RETURN(p15card->card->ctx, SC_ERROR_NOT_SUPPORTED);
}

Steps to reproduce

Initially the system needs a configured HSM (can be soft HSM but in my case i'm trying the Nitrokey HSM).
p11tool --provider <opensc-pkcs11.so path> --write --login --label --load_privkey --mark-private

Logs

P:346340; T:0x140079684790592 17:59:27.216 [opensc-pkcs11] pkcs15-lib.c:775:sc_pkcs15init_finalize_profile: sc_pkcs15init_finalize_profile() returns 0
P:346340; T:0x140079684790592 17:59:27.216 [opensc-pkcs11] pkcs15-lib.c:776:sc_pkcs15init_finalize_profile: returning with: 0 (Success)
P:346340; T:0x140079684790592 17:59:27.216 [opensc-pkcs11] pkcs15-lib.c:458:sc_pkcs15init_set_p15card: called
P:346340; T:0x140079684790592 17:59:27.216 [opensc-pkcs11] pkcs15-lib.c:491:sc_pkcs15init_set_p15card: sc_pkcs15init_set_p15card() returns
P:346340; T:0x140079684790592 17:59:27.216 [opensc-pkcs11] pkcs15-pubkey.c:1517:sc_pkcs15_fix_ec_parameters: called
P:346340; T:0x140079684790592 17:59:27.216 [opensc-pkcs11] pkcs15-pubkey.c:1541:sc_pkcs15_fix_ec_parameters: Found known curve 'secp384r1'
P:346340; T:0x140079684790592 17:59:27.217 [opensc-pkcs11] pkcs15-pubkey.c:1547:sc_pkcs15_fix_ec_parameters: Curve name: 'secp384r1'
P:346340; T:0x140079684790592 17:59:27.217 [opensc-pkcs11] pkcs15-pubkey.c:1554:sc_pkcs15_fix_ec_parameters: Curve length 384
P:346340; T:0x140079684790592 17:59:27.217 [opensc-pkcs11] pkcs15-pubkey.c:1582:sc_pkcs15_fix_ec_parameters: returning with: 0 (Success)
P:346340; T:0x140079684790592 17:59:27.217 [opensc-pkcs11] pkcs15-lib.c:1770:sc_pkcs15init_store_private_key: called
P:346340; T:0x140079684790592 17:59:27.217 [opensc-pkcs11] pkcs15-lib.c:2691:prkey_bits: Private EC key length 384
P:346340; T:0x140079684790592 17:59:27.217 [opensc-pkcs11] pkcs15-lib.c:2521:check_key_compatibility: called
P:346340; T:0x140079684790592 17:59:27.217 [opensc-pkcs11] pkcs15-lib.c:2555:check_key_compatibility: returning with: 0 (Success)
P:346340; T:0x140079684790592 17:59:27.217 [opensc-pkcs11] pkcs15-lib.c:2755:sc_pkcs15init_select_intrinsic_id: called
P:346340; T:0x140079684790592 17:59:27.217 [opensc-pkcs11] pkcs15-lib.c:2764:sc_pkcs15init_select_intrinsic_id: returning with: 0 (Success)
P:346340; T:0x140079684790592 17:59:27.217 [opensc-pkcs11] pkcs15-lib.c:1234:sc_pkcs15init_init_prkdf: called
P:346340; T:0x140079684790592 17:59:27.217 [opensc-pkcs11] pkcs15-lib.c:2862:select_id: called
P:346340; T:0x140079684790592 17:59:27.217 [opensc-pkcs11] pkcs15-lib.c:2872:select_id: returning with: 0 (Success)
P:346340; T:0x140079684790592 17:59:27.217 [opensc-pkcs11] pkcs15-lib.c:2994:select_object_path: called
P:346340; T:0x140079684790592 17:59:27.217 [opensc-pkcs11] pkcs15-lib.c:3018:select_object_path: key-domain.private-key @e82b0601040181c31f0201:: (auth_id.len=1)
P:346340; T:0x140079684790592 17:59:27.217 [opensc-pkcs11] profile.c:687:sc_profile_instantiate_template: Template key-domain not found
P:346340; T:0x140079684790592 17:59:27.217 [opensc-pkcs11] pkcs15-lib.c:3031:select_object_path: get instance 0 of 'template-private-key'
P:346340; T:0x140079684790592 17:59:27.217 [opensc-pkcs11] profile.c:575:sc_profile_get_file_instance: called
P:346340; T:0x140079684790592 17:59:27.217 [opensc-pkcs11] profile.c:576:sc_profile_get_file_instance: try to get 'template-private-key' file instance
P:346340; T:0x140079684790592 17:59:27.217 [opensc-pkcs11] profile.c:579:sc_profile_get_file_instance: returning with: -1201 (File not found)
P:346340; T:0x140079684790592 17:59:27.217 [opensc-pkcs11] pkcs15-lib.c:3034:select_object_path: returning with: 0 (Success)
P:346340; T:0x140079684790592 17:59:27.217 [opensc-pkcs11] pkcs15-lib.c:1363:sc_pkcs15init_init_prkdf: returning with: 0 (Success)
P:346340; T:0x140079684790592 17:59:27.218 [opensc-pkcs11] pkcs15-lib.c:1202:sc_pkcs15init_encode_prvkey_content: called
P:346340; T:0x140079684790592 17:59:27.218 [opensc-pkcs11] pkcs15-lib.c:1214:sc_pkcs15init_encode_prvkey_content: returning with: 0 (Success)
P:346340; T:0x140079684790592 17:59:27.218 [opensc-pkcs11] pkcs15-lib.c:1474:_pkcd15init_set_aux_md_data: called
P:346340; T:0x140079684790592 17:59:27.218 [opensc-pkcs11] pkcs15-lib.c:1477:_pkcd15init_set_aux_md_data: returning with: 0 (Success)
P:346340; T:0x140079684790592 17:59:27.218 [opensc-pkcs11] pkcs15-sc-hsm.c:116:sc_hsm_create_key: called
P:346340; T:0x140079684790592 17:59:27.218 [opensc-pkcs11] pkcs15-sc-hsm.c:117:sc_hsm_create_key: returning with: 0 (Success)
P:346340; T:0x140079684790592 17:59:27.218 [opensc-pkcs11] pkcs15-sc-hsm.c:125:sc_hsm_store_key: called
P:346340; T:0x140079684790592 17:59:27.218 [opensc-pkcs11] pkcs15-sc-hsm.c:126:sc_hsm_store_key: returning with: -1408 (Not supported)
P:346340; T:0x140079684790592 17:59:27.218 [opensc-pkcs11] pkcs15-lib.c:1817:sc_pkcs15init_store_private_key: Card specific 'store key' failed: -1408 (Not supported)
P:346340; T:0x140079684790592 17:59:27.218 [opensc-pkcs11] pkcs15-lib.c:1842:sc_pkcs15init_store_private_key: returning with: -1408 (Not supported)
P:346340; T:0x140079684790592 17:59:27.218 [opensc-pkcs11] misc.c:71:sc_to_cryptoki_error_common: libopensc return value: -1408 (Not supported)

[frankmorgner]

The OpenSC stack, in general, allows storing a private key the way you want it. In the case of SC-HSM, however, this has never been implemented.

Honestly, I doubt that it would be possible to implement this for sc-hsm, because the import procedure is more complex using a Device Key Encryption Key. Please see the Examples from man 1 sc-hsm-tool and https://github.com/OpenSC/OpenSC/wiki/SmartCardHSM if this is what you want.

[CardContact]

The Smart Card Shell has a mechanism to import RSA and EC keys into a SmartCard-HSM from a PKCS#12 container.

[psangst]

Thanks, i was hoping to do import of P12 files from within a script. Anyone tried to use scsh3 (non-GUI) with command line arguments to import a P12 file?