Discussion:
[Opensc-devel] Cannot delete imported private key from SmartCard-HSM
Marek Szuba
2015-10-13 10:33:48 UTC
Permalink
Hello,

A while ago I tried to import several existing X.509 certificates and
their corresponding private keys into my SmartCard-HSM, using OpenSC-0.14.
It turned out that I could do that - which surprised me a bit because
later on I read on-line importing shouldn't work for this card - but
only for one certificate at a time, with each subsequent import
overwriting the previous one. I then decided that I'd rather have no
software-generated certificates on the card than have just one and
proceeded to delete the imported data, using pkcs11-tool. The cert and
the pubkey both went without trouble, however whenever I attempt to
delete the private key I get an error:

$ pkcs11-tool --module /usr/lib/opensc-pkcs11.so -l --delete-object
--type privkey --id 11ac7c18d526f536d80520d4c03b71f4923d4553
Using slot 1 with a present token (0x1)
Logging in to "SmartCard-HSM (UserPIN)".
Please enter User PIN:
error: PKCS11 function C_DestroyObject() failed: rv = CKR_GENERAL_ERROR
(0x5)

The same happens now with OpenSC-0.15.

Is there any way I could get rid of this key from the card without
reinitialising it?

Yours sincerely,
--
MS
Andreas Schwier
2015-10-19 09:30:36 UTC
Permalink
Hi Marek,

What does pkcs15-tool -D show?

In the SmartCard-HSM there is a file identifier for the key (0xCC00 +
keyid) and an EF with the PKCS#15 description of the key (0xC400 +
keyid). For a certificate related to the private key, an EF with 0xCE00
+ keyid is allocated. An unrelated certificate (i.e. a CA certificate)
is placed in 0xCA00 + index with the meta data in 0xC800 + index.

Data objects are placed in either 0xCF00 + index or 0xCD00 + index with
meta data in 0xC800 + index. The range 0xCF00 is used for data objects
that can always be read; 0xCD00 is used for data protected by the user PIN.

The code enumerates file identifiers and creates a key object for each
key in the range 0xCC01 to 0xCCFF with the meta data from the related EF
in the range 0xC401 to 0xC4FF. So if pkcs15-tool still shows the key,
then a key object and the meta data are present.

You can manually erase the key file and/or meta data file after PIN
verification using opensc-tool or a script for the Smart Card Shell.

Andreas
------------------------------------------------------------------------------
_______________________________________________
Opensc-devel mailing list
https://lists.sourceforge.net/lists/listinfo/opensc-devel
--
--------- CardContact Software & System Consulting
|.##> <##.| Andreas Schwier
|# #| Schülerweg 38
|# #| 32429 Minden, Germany
|'##> <##'| Phone +49 571 56149
--------- http://www.cardcontact.de
http://www.tscons.de
http://www.openscdp.org
http://www.smartcard-hsm.com
Marek Szuba
2015-10-20 09:54:57 UTC
Permalink
Post by Andreas Schwier
What does pkcs15-tool -D show?
It shows a private-key object with the label I gave it during the import
attempt, key ref 0 and usage flags 0x4 (the import source had more) but
otherwise identical to the card-generated keys. Yes, including "native"
set to yes.
Post by Andreas Schwier
You can manually erase the key file and/or meta data file after PIN
verification using opensc-tool or a script for the Smart Card Shell.
I've just managed to delete 0xC400 using opensc-explorer (I did not know
how to do it using opensc-tool) and, as expected, the imported key has
disappeared from the pkcs15-tool -D output. Thanks! I couldn't delete
0xCC00 though, even if I verify the SO PIN instead of the user PIN I get
the "not allowed" error. Will the presence of a key object without the
corresponding metadata on the card cause problems in the future?
--
MS
Andreas Schwier
2015-10-20 10:04:00 UTC
Permalink
Post by Marek Szuba
I've just managed to delete 0xC400 using opensc-explorer (I did not know
how to do it using opensc-tool) and, as expected, the imported key has
disappeared from the pkcs15-tool -D output. Thanks! I couldn't delete
0xCC00 though, even if I verify the SO PIN instead of the user PIN I get
the "not allowed" error. Will the presence of a key object without the
corresponding metadata on the card cause problems in the future?
The file identifier CC00 is reserved for the device authentication key
and cannot be removed.

A key object without meta data is not a problem: The key will simply not
show up at the PKCS#11 interface.

The meta data is only required for the PKCS#11 module and is not used
internally in the device.
Marek Szuba
2015-10-20 10:34:33 UTC
Permalink
Post by Andreas Schwier
The file identifier CC00 is reserved for the device authentication key
and cannot be removed.
Would this mean that the attempted import resulted in metadata of the
imported private key getting attached to the device-authentication key?

Either way, thanks for your help.
--
MS
Andreas Schwier
2015-10-20 10:45:51 UTC
Permalink
Yes, that caused the problem.

The code did not reject the key import but returned SC_SUCCESS when
writing the private key, thus the meta data was written for key id 0
(the device authentication key).

Andreas
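The file-identifier layout Andreas described earlier in the thread (key files at 0xCC00 + keyid, key meta data at 0xC400 + keyid, key-bound certificates at 0xCE00 + keyid, unrelated certificates at 0xCA00 + index, data objects at 0xCF00 / 0xCD00 + index, meta data for those at 0xC800 + index) and the failure mode explained in this post (meta data written for key id 0, the reserved device authentication key) can be checked offline against a plain listing of the EFs present on a card. The script below is an added example, not code from OpenSC, CardContact or anyone in the thread: it assumes you have already obtained the list of file identifiers (for instance from an `opensc-explorer` listing), and the function names, the sample listing and the "visible/hidden/dangling" terminology are all mine.

```python
"""
Audit a SmartCard-HSM file-identifier listing against the EF layout
described in the thread and flag the conditions discussed there:
key files without meta data (invisible at PKCS#11), meta data without a
key file, and meta data attached to key id 0 (the device authentication
key, which is what a failed import left behind).
"""
from collections import defaultdict

# EF prefixes as described in the thread; the low byte is the key id / index.
KEY_FILE, KEY_META, KEY_CERT = 0xCC00, 0xC400, 0xCE00
CA_CERT, OBJ_META = 0xCA00, 0xC800
DATA_PUBLIC, DATA_PIN = 0xCF00, 0xCD00
DEVICE_AUTH_KEY_ID = 0  # 0xCC00 is reserved and cannot be deleted

PREFIXES = {
    KEY_FILE: "key", KEY_META: "key-meta", KEY_CERT: "key-cert",
    CA_CERT: "ca-cert", OBJ_META: "obj-meta",
    DATA_PUBLIC: "data-public", DATA_PIN: "data-pin",
}


def classify(fid):
    """Split a 16-bit FID into (kind, id). Unknown prefixes give ("other", fid)."""
    kind = PREFIXES.get(fid & 0xFF00)
    if kind is None:
        return ("other", fid)
    return (kind, fid & 0x00FF)


def audit(fids):
    """Pair key files with their meta data and report the mismatches."""
    present = defaultdict(set)
    for fid in fids:
        kind, idx = classify(fid)
        present[kind].add(idx)
    keys, metas = present["key"], present["key-meta"]
    obj_holders = present["ca-cert"] | present["data-public"] | present["data-pin"]
    return {
        # key file and meta data both present: PKCS#11 will show the key
        "visible_keys": sorted(keys & metas),
        # key file only: usable by the device, but not listed by pkcs15-tool -D
        "hidden_keys": sorted(keys - metas),
        # meta data only: a PKCS#15 description with nothing behind it
        "dangling_meta": sorted(metas - keys),
        # meta data written for key id 0: the failed-import case from the thread
        "meta_on_device_key": DEVICE_AUTH_KEY_ID in metas,
        # 0xC8xx meta data with no certificate or data object at that index
        "dangling_obj_meta": sorted(present["obj-meta"] - obj_holders),
    }


# Constructed sample listing (not a real card dump): the device key with a
# stray meta-data EF (id 0), a card-generated key with meta data and a
# certificate (id 1), a key file without meta data (id 2), a CA certificate
# with meta data (index 1), a public data object (index 2) and one unrelated EF.
SAMPLE_FIDS = [0xCC00, 0xC400, 0xCC01, 0xC401, 0xCE01, 0xCC02,
               0xCA01, 0xC801, 0xCF02, 0x2F02]

if __name__ == "__main__":
    for name, value in audit(SAMPLE_FIDS).items():
        print(f"{name}: {value}")
```

On the sample listing the report marks key id 0 as both "visible" and `meta_on_device_key`, which is exactly the state Marek saw: `pkcs15-tool -D` listed an imported key that was really the device authentication key wearing the import's meta data. Deleting the 0xC400 EF moves id 0 into `hidden_keys`, the harmless state described in the reply above.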