polhenarejos / pico-hsm

Hardware Security Module (HSM) for Raspberry Pico and ESP32
https://www.picokeys.com
GNU General Public License v3.0
222 stars 30 forks

Error importing dkek in development branch #14

Closed lbradeen closed 1 year ago

lbradeen commented 1 year ago

I'm using the development branch because I hit the hanging issue on Ubuntu 22.04.

I'm following the dkek instructions and cannot get past an error when importing it.

```
********************************
*   PLEASE READ IT CAREFULLY   *
********************************

This tool will erase and reset your device. It will delete all private and secret keys.
Are you sure?
Pico HSM Tool v1.8
Author: Pol Henarejos
Report bugs to https://github.com/polhenarejos/pico-hsm/issues

[Press enter to confirm]
Public Point: 04f7f3ed82312e21654cff1d092cb55d10c6d6f783a9357c3e117e5b358a454643662e1fc557ef614f153b48a77ccc6dabfbbc1e0c03af56fb412f4a3d090d1cd0
Device name: ESPICOHSMTRZVZUV
Certificate uploaded successfully!

Note that the device is initialized with a default PIN and configuration.
Now you can initialize the device as usual with your chosen PIN and configuration options.

$ sc-hsm-tool --initialize --so-pin 1234123412341234 --pin 12341234 --dkek-shares 1
Using reader with a card: Free Software Initiative of Japan Gnuk [Pico HSM Interface] (DF60BCA003425C33) 00 00
$ sc-hsm-tool --import-dkek-share dkek.pbe --pin 12341234

Using reader with a card: Free Software Initiative of Japan Gnuk [Pico HSM Interface] (DF60BCA003425C33) 00 00
Enter password to decrypt DKEK share : 

Deciphering DKEK share, please wait...
sc_card_ctl(*, SC_CARDCTL_SC_HSM_IMPORT_DKEK_SHARE, *) failed with Not allowed
```

polhenarejos commented 1 year ago

Strangely, if you execute both commands sc-hsm-tool again then it works.

polhenarejos commented 1 year ago

I see what is happening. There is nothing wrong with the code. The thing is that `sc-hsm-tool` sends a shutdown command after 5 seconds of inactivity after initialization, pulling you out of credentials. Plus, `sc-hsm-tool --import-dkek-share` ignores the `--pin` argument and it does not perform any login command before the DKEK import. Try to import the key before 5 seconds of inactivity and it will work. Entering the command will be enough to retain the login status, and it will not matter if you take more than 5 seconds to enter the DKEK password. The trick is to call the DKEK import before 5 seconds.

This does not happen with the SCS3 tool and I do not know how to fix it. A possible way is to chain the login command with the DKEK import, but it is really ugly:

```
pkcs11-tool --login --pin 12341234 -I && sc-hsm-tool --import-dkek-share dkek.pbe
```

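A scripted form of the workaround above, added here as an example and not part of the pico-hsm project or this thread: the login and the share import run as one chained statement, so there is no idle shell prompt between them for the 5-second inactivity shutdown to expire in. The script departs from the one-liner in two ways that are assumptions of this example rather than anything the thread states: the user PIN is taken from the `HSM_PIN` environment variable and handed to `pkcs11-tool` with OpenSC's `env:` PIN syntax instead of being typed literally on the command line (where it would land in shell history and `ps` output), and the tool names can be overridden through `PKCS11_TOOL` / `SC_HSM_TOOL` so the sequencing can be exercised without a device attached.

```shell
#!/bin/sh
# Added example (not pico-hsm project code): import a DKEK share inside the
# same authenticated session as the PKCS#11 login, before sc-hsm-tool's
# 5-second inactivity shutdown drops the login state.
#
# Tool names default to the binaries used in the thread; they can be
# overridden (e.g. with stubs) to test the control flow without hardware.
PKCS11_TOOL="${PKCS11_TOOL:-pkcs11-tool}"
SC_HSM_TOOL="${SC_HSM_TOOL:-sc-hsm-tool}"

# import_dkek_share SHARE_FILE
#   Expects the user PIN in the HSM_PIN environment variable (assumption of
#   this example) so the PIN is never passed as a literal argument.
#   Return codes: 0 success, 1 share file missing, 2 HSM_PIN unset,
#                 3 login failed, 4 import failed.
import_dkek_share() {
    share="$1"
    [ -f "$share" ] || { echo "share file not found: $share" >&2; return 1; }
    [ -n "${HSM_PIN:-}" ] || { echo "HSM_PIN is not set" >&2; return 2; }

    # Login and import in one chained statement: the import is issued
    # immediately after a successful login, with no interactive pause in
    # between. 'env:HSM_PIN' makes pkcs11-tool read the PIN from the
    # environment variable (OpenSC syntax) instead of the command line.
    "$PKCS11_TOOL" --login --pin env:HSM_PIN -I >/dev/null || return 3
    "$SC_HSM_TOOL" --import-dkek-share "$share" || return 4
    return 0
}
```

Usage with a real device: `HSM_PIN=12341234 import_dkek_share dkek.pbe` after sourcing the script (the prompt for the share's decryption password is still interactive; as noted above, that delay is fine because the import command has already been issued). The per-step return codes make it clear whether the login or the import is what failed, which the combined one-liner does not distinguish.
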
lbradeen commented 1 year ago

That workaround works, thanks.

Thanks for the project as well.