polhenarejos / pico-hsm

Hardware Security Module for Raspberry Pico
GNU General Public License v3.0
180 stars 23 forks

How to list pkcs11 url of the private key? #27

Open rrottmann opened 7 months ago

rrottmann commented 7 months ago

For signing an intermediate CA with openssl, I need to state the pkcs11 URL in the config file. I can list the public keys but fail to do so for the private keys:

p11tool --list-all pkcs11:model=PKCS%2315%20emulated;manufacturer=Pol%20Henarejos;serial=ESPICOHSMTR;token=Pico-HSM%20%28UserPIN%29
Object 0:
        URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=Pol%20Henarejos;serial=ESPICOHSMTR;token=Pico-HSM%20%28UserPIN%29;id=%01;object=RSA2K;type=public
        Type: Public key (RSA-2048)
        Label: RSA2K
        Flags: CKA_WRAP/UNWRAP;
        ID: 01

Object 1:
        URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=Pol%20Henarejos;serial=ESPICOHSMTR;token=Pico-HSM%20%28UserPIN%29;id=%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00;object=ESPICOHSMTR;type=public
        Type: Public key (EC/ECDSA-SECP256R1)
        Label: ESPICOHSMTR
        ID: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00

Object 2:
        URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=Pol%20Henarejos;serial=ESPICOHSMTR;token=Pico-HSM%20%28UserPIN%29;id=%11;object=ECDSA;type=public
        Type: Public key (EC/ECDSA-SECP192R1)
        Label: ECDSA
        ID: 11

Object 3:
        URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=Pol%20Henarejos;serial=ESPICOHSMTR;token=Pico-HSM%20%28UserPIN%29;id=%6B%52%23%26%27%0F%20%10%7F%64%A4%31%FB%EE%05%0D%9F%29%F9%77;object=root;type=public
        Type: Public key (EC/ECDSA-SECP384R1)
        Label: root
        ID: 6b:52:23:26:27:0f:20:10:7f:64:a4:31:fb:ee:05:0d:9f:29:f9:77

Object 4:
        URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=Pol%20Henarejos;serial=ESPICOHSMTR;token=Pico-HSM%20%28UserPIN%29;id=%8C%23%52%12%36%77%D5%04%AB%A4%86%89%F7%88%77%C4%A2%97%11%00;object=intermediate;type=public
        Type: Public key (EC/ECDSA-SECP384R1)
        Label: intermediate
        ID: 8c:23:52:12:36:77:d5:04:ab:a4:86:89:f7:88:77:c4:a2:97:11:00

export GNUTLS_PIN=648219
p11tool --login --list-all pkcs11:model=PKCS%2315%20emulated;manufacturer=Pol%20Henarejos;serial=ESPICOHSMTR;token=Pico-HSM%20%28UserPIN%29
Error in crt_list_import (1): Error in provided PIN.

Is this the correct way to get those URLs? Any alternative to get those?

rrottmann commented 7 months ago

I found the following workaround:

  1. List keys with pkcs11-tool -l --pin 648219 -O and identify the serial of the private key
  2. Convert to %-notation: echo 6b522326270f20107f64a431fbee050d9f29f977 | tr '[:lower:]' '[:upper:]' | sed 's/../%&/g'
  3. Use a minimal pkcs11 URL: pkcs11:id=%6B%52%23%26%27%0F%20%10%7F%64%A4%31%FB%EE%05%0D%9F%29%F9%77;type=private
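As an added example (not code from pico-hsm or from the reporter), the following Python generalizes the workaround: it turns the key ID as either pkcs11-tool or p11tool prints it into the minimal private-key URI from step 3, percent-encodes per RFC 7512, can optionally pin the URI to the token and object label shown in the listing above, and parses such URIs back. The sample ID and token name are copied from the listing; nothing else is assumed.

```python
import re
from typing import Optional
from urllib.parse import unquote_to_bytes

# Constructed sample: the "root" key ID exactly as p11tool prints it above.
ROOT_ID_COLON = "6b:52:23:26:27:0f:20:10:7f:64:a4:31:fb:ee:05:0d:9f:29:f9:77"

# RFC 3986 unreserved characters may stay literal inside a path attribute value.
UNRESERVED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")

def encode_attr(value: str) -> str:
    # Text attributes (token=, object=): keep unreserved chars, %XX-encode the rest.
    return "".join(c if c in UNRESERVED else "".join(f"%{b:02X}" for b in c.encode())
                   for c in value)

def encode_id(key_id: bytes) -> str:
    # id= is binary, so every byte is written as %XX (what the tr/sed pipeline does).
    return "".join(f"%{b:02X}" for b in key_id)

def id_from_tool_output(text: str) -> bytes:
    # Accept the ID as pkcs11-tool ('6b52...') or p11tool ('6b:52:...') print it.
    hexstr = re.sub(r"[^0-9A-Fa-f]", "", text)
    if not hexstr or len(hexstr) % 2:
        raise ValueError("ID is not an even-length hex string")
    return bytes.fromhex(hexstr)

def private_key_uri(key_id: bytes, label: Optional[str] = None,
                    token: Optional[str] = None) -> str:
    # Minimal private-key URI from step 3; token=/object= narrow the match so the
    # URI cannot silently select a same-ID key on another token.
    parts = []
    if token is not None:
        parts.append("token=" + encode_attr(token))
    parts.append("id=" + encode_id(key_id))
    if label is not None:
        parts.append("object=" + encode_attr(label))
    parts.append("type=private")
    return "pkcs11:" + ";".join(parts)

def parse_uri(uri: str) -> dict:
    # Inverse: path attributes percent-decoded to bytes; the '?' query part is ignored.
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    attrs = {}
    for component in uri[len("pkcs11:"):].split("?", 1)[0].split(";"):
        name, _, value = component.partition("=")
        if name:
            attrs[name] = unquote_to_bytes(value)
    return attrs
```

When the resulting URI is passed on a command line, quote it: `;` is a shell command separator, so an unquoted URI is split after the first attribute.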