alonbl / gnupg-pkcs11-scd

PKCS#11 GnuPG SCD
http://gnupg-pkcs11.sourceforge.net/

How to generate the same GPG key from the same keypair in an HSM #64

Open vigno88 opened 1 week ago

vigno88 commented 1 week ago

In a "non-HSM" environment, I could derive the same GPG key from a unique RSA key by doing:

PEM2OPENPGP_TIMESTAMP=0 PEM2OPENPGP_USAGE_FLAGS=sign pem2openpgp "signer signer@test.com" < dev-key.pem  | gpg --import

This will always result in the same key in gpg.

Is it possible to replicate this using a key stored in an HSM? Whenever I try to --full-generate-key (while passing --faked-system-time to gpg) I get a different command.

Thanks,

Nathan AV

alonbl commented 1 week ago

I honestly do not know; you can pick the same RSA key, but I am not sure how to create the exact public attributes.

vigno88 commented 1 week ago

What does it even mean to pick the same RSA key? If two keys are generated from the same RSA key, then a blob is signed with each key. Both blob signatures cannot be verified with both public keys even though they are generated from the same RSA key. (At least, that's what is happening to me when I'm trying.)
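As an added illustration (not code from the project or from anyone in this thread) of which "public attributes" fix a GnuPG key's identity: the OpenPGP v4 fingerprint (RFC 4880, section 12.2) is a SHA-1 over the public-key packet, i.e. version, creation time, algorithm id and the public MPIs, so the same RSA modulus and exponent give the same key ID only when the creation timestamp (what PEM2OPENPGP_TIMESTAMP=0 and --faked-system-time control) also matches. The modulus used below is a constructed placeholder, not a real key.

```python
import hashlib

# Constructed placeholder values for demonstration only (not a real RSA key).
SAMPLE_N = (1 << 2047) | 0x2A5B1  # odd 2048-bit integer standing in for a modulus
SAMPLE_E = 65537


def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit length, then big-endian magnitude."""
    bitlen = value.bit_length()
    return bitlen.to_bytes(2, "big") + value.to_bytes((bitlen + 7) // 8, "big")


def public_key_packet_body(n: int, e: int, created: int) -> bytes:
    """Body of a v4 RSA public-key packet: version 4, 4-byte creation time,
    algorithm id 1 (RSA), MPI n, MPI e."""
    return b"\x04" + created.to_bytes(4, "big") + b"\x01" + mpi(n) + mpi(e)


def v4_fingerprint(n: int, e: int, created: int) -> str:
    """v4 fingerprint: SHA-1 over 0x99, the 2-byte body length, and the packet body."""
    body = public_key_packet_body(n, e, created)
    digest = hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body)
    return digest.hexdigest().upper()


def key_id(fingerprint: str) -> str:
    """The 64-bit key ID is the low 8 bytes of the v4 fingerprint."""
    return fingerprint[-16:]


def same_gpg_key(n: int, e: int, created_a: int, created_b: int) -> bool:
    """True only if both creation times yield an identical fingerprint for this key."""
    return v4_fingerprint(n, e, created_a) == v4_fingerprint(n, e, created_b)


if __name__ == "__main__":
    # Same RSA key, timestamp 0 both times: identical fingerprint (the pem2openpgp case).
    print("t=0 :", key_id(v4_fingerprint(SAMPLE_N, SAMPLE_E, 0)))
    # Same RSA key, creation time one second later: a different fingerprint and key ID.
    print("t=1 :", key_id(v4_fingerprint(SAMPLE_N, SAMPLE_E, 1)))
    print("same key?", same_gpg_key(SAMPLE_N, SAMPLE_E, 0, 1))
```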