[Opensc-devel] different key usage/access flags pkcs11-tool/pkcs15-init
Peter Popovec
2017-03-20 08:12:04 UTC
Hello,


pkcs11-tool seems to set wrong Access Flags on Private EC keys

pkcs15-init sets Access Flags to 0x1D, pkcs11-tool to 0x0, examples below.


Second question: Is there a switch to set key usage "derive" in pkcs15-init?
$ pkcs15-init --generate-key ec-prime256v1 --auth-id 1 --pin 11111111
--id 14 --label pkcs15_key --key-usage sign,derive
Unknown X.509 key usage derive

pkcs11-tool can generate this usage:
$ pkcs11-tool --login --pin 11111111 --keypairgen --key-type
EC:prime256v1 --id 14 --label pkcs11_key --usage-derive --usage-sign


Examples:

$ pkcs15-init --generate-key ec-prime256v1 --auth-id 1 --pin 11111111
--id 14 --label pkcs15_key --key-usage sign
$ pkcs15-tool --list-keys --list-public-keys

Private EC Key [pkcs15_key]
Object Flags : [0x3], private, modifiable
Usage : [0xC], sign, signRecover
Access Flags : [0x1D], sensitive, alwaysSensitive, neverExtract, local
FieldLength : 256
Key ref : 1 (0x1)
Native : yes
Path : 3f0050154b01
Auth ID : 01
ID : 14
MD:guid : 0dbf2b61-22e1-9b48-d19d-c3ed217d60bc

Public EC Key [pkcs15_key]
Object Flags : [0x2], modifiable
Usage : [0xC0], verify, verifyRecover
Access Flags : [0x0]
FieldLength : 256
Key ref : 0 (0x0)
Native : no
Path : 3f0050155501
ID : 14

pkcs11-tool example:

$ pkcs11-tool --login --pin 11111111 --keypairgen --key-type
EC:prime256v1 --id 14 --label pkcs11_key --usage-sign
Using slot 0 with a present token (0x0)
Key pair generated:
Private Key Object; EC
label: pkcs11_key
ID: 14
Usage: sign
Public Key Object; EC EC_POINT 256 bits
EC_POINT: 044104f804f2b748d3edda96b667e9203feca943076df2aeaf23eb5b6971ffcd06c32cdb46c299e62fb5c05b6df6662d8757333403f2d0ac5d0361810c972ed7941fd3
EC_PARAMS: 06082a8648ce3d030107
label: pkcs11_key
ID: 14
Usage: verify

$ pkcs15-tool --list-keys --list-public-keys
Private EC Key [pkcs11_key]
Object Flags : [0x3], private, modifiable
Usage : [0xC], sign, signRecover
Access Flags : [0x0]
FieldLength : 256
Key ref : 1 (0x1)
Native : yes
Path : 3f0050154b01
Auth ID : 01
ID : 14
MD:guid : 0dbf2b61-22e1-9b48-d19d-c3ed217d60bc

Public EC Key [pkcs11_key]
Object Flags : [0x2], modifiable
Usage : [0xC0], verify, verifyRecover
Access Flags : [0x0]
FieldLength : 256
Key ref : 0 (0x0)
Native : no
Path : 3f0050155501
ID : 14

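A small check for the discrepancy shown above, added here as an example and not part of the original post or of OpenSC: it parses `pkcs15-tool --list-keys --list-public-keys` output (the embedded sample is constructed from the listings in this post), decodes the Usage and Access Flags words with the bit values from OpenSC's pkcs15.h, and reports private keys whose access flags lack sensitive or neverExtract. The parser and the `audit()` function are assumptions of this example, not OpenSC code.

```python
import re
# Bit values as defined in OpenSC's pkcs15.h (SC_PKCS15_PRKEY_USAGE_* / _ACCESS_*)
USAGE_BITS = {0x001: "encrypt", 0x002: "decrypt", 0x004: "sign", 0x008: "signRecover",
              0x010: "wrap", 0x020: "unwrap", 0x040: "verify", 0x080: "verifyRecover",
              0x100: "derive", 0x200: "nonRepudiation"}
ACCESS_BITS = {0x01: "sensitive", 0x02: "extractable", 0x04: "alwaysSensitive",
               0x08: "neverExtract", 0x10: "local"}
# What an on-card private key is expected to carry: sensitive | neverExtract
REQUIRED_PRIVATE_ACCESS = 0x01 | 0x08

def decode_bits(value, table):
    """Expand a flag word into the names pkcs15-tool prints, lowest bit first."""
    return [name for bit, name in sorted(table.items()) if value & bit]

def parse_keys(text):
    """Parse 'pkcs15-tool --list-keys --list-public-keys' output into key records."""
    keys, cur = [], None
    for line in text.splitlines():
        hdr = re.match(r"^(Private|Public) \w+ Key \[(.*)\]", line)
        if hdr:
            cur = {"kind": hdr.group(1), "label": hdr.group(2), "usage": 0, "access": 0}
            keys.append(cur)
            continue
        fld = re.match(r"^(Usage|Access Flags)\s*:\s*\[0x([0-9A-Fa-f]+)\]", line)
        if cur is not None and fld:
            cur["usage" if fld.group(1) == "Usage" else "access"] = int(fld.group(2), 16)
    return keys

def audit(text):
    """Return (label, missing flags) for private keys lacking sensitive/neverExtract."""
    findings = []
    for k in parse_keys(text):
        missing = REQUIRED_PRIVATE_ACCESS & ~k["access"]
        if k["kind"] == "Private" and missing:
            findings.append((k["label"], decode_bits(missing, ACCESS_BITS)))
    return findings

# Constructed sample: the two private keys and one public key from the post, trimmed
SAMPLE = """\
Private EC Key [pkcs15_key]
Usage : [0xC], sign, signRecover
Access Flags : [0x1D], sensitive, alwaysSensitive, neverExtract, local
Private EC Key [pkcs11_key]
Usage : [0xC], sign, signRecover
Access Flags : [0x0]
Public EC Key [pkcs11_key]
Usage : [0xC0], verify, verifyRecover
Access Flags : [0x0]
"""
```

Running `audit(SAMPLE)` reports only the pkcs11-tool generated key, with both sensitive and neverExtract missing; the flags are PKCS#15 metadata, so a clean report says what the directory file claims about the key, not what the card enforces.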