Closed rrottmann closed 11 months ago
Probably caused by 14c78521
Could this be the length of the response data?
Maybe there are two variants of encoding in the response APDU. First: the raw data and the expected returned length only encoded in the response trailer with SW1=0x61,SW2=0x?? until SW1=0x90, SW2=0x00. This is how I would read the spec. All bytes of the body would be considered as data.
Second: prepending the length of the data in the first byte of the response body. Then the first byte needs to be skipped to retrieve the actual data. I would have assumed that only in the command APDU the length is added.
Not at all. SmartCard HSM returns the shared secret with a 04
prepended, as it can be read at OpenSC
https://github.com/OpenSC/OpenSC/blob/master/src/libopensc/card-sc-hsm.c#L1156
04
usually means the UNCOMPRESSED
encoding point. Since the shared secret comes from the mathematical operation shared=aP=abG
where P=bG
is Bob's public point, I guess what is returned by SC-HSM is the full encoded point trunked to the half+1, since ECDH only requires the x
component. I bet that is an implementation aspect of SC-HSM but, since pkcs11-tool
relies on sc-hsm
driver, it discards the first byte (the 04
).
Some days ago I noticed this 0x04
without an aparent reason until you reported this issue, which reminded me that OpenSC expects that rubbish byte.
Issue
In a hybrid scenario where one symmetric key is derived on the HSM and the partner derives it in software with openssl pkeyutl, there is a single byte at the beginning missing when comparing both derived keys.
General Info
Using Waveshare RP2040 One with latest stable release.
How to reproduce
openssl pkeyutil -derive
key in this example contains an additional1b
. This is different with every fresh ecdh parameter set but always the first byte is missing in the HSM output of the derived key.