cardcontact / scsh-scripts
Smart Card Shell Script Collection
License: GNU General Public License v2.0
Using a Nitrokey HSM 2 I can import 2048-bit PKCS#12 keys (generated with gpg -> gpgsm) via keymanager, but if I try the exact same procedure with a 4096-bit key I get:
Importing key and certificate...
GPError: Card (CARD_INVALID_SW/27264) - "Unexpected SW1/SW2=6A80 (Checking error: Incorrect parameter in the command data field) received" in /home/myuser/scsh3.15.359/scsh/sc-hsm/SmartCardHSM.js#1238
at /home/myuser/scsh3.15.359/scsh/sc-hsm/SmartCardHSM.js#1238
at /home/myuser/scsh3.15.359/scsh/sc-hsm/HSMKeyStore.js#300
at /home/myuser/scsh3.15.359/keymanager/keymanager.js#1884
at /home/myuser/scsh3.15.359/keymanager/keymanager.js#2038
Generating a 4096-bit key works, so the device at least supports them...
Hi All,
I'm running the latest 3.15.288 scsh with a CardContact 4K token which is labelled as "uTrust Token Standard". The platform is Ubuntu 18.04 and openjdk v11.0.4, which is the default for the platform.
I have existing EC-256 keys that I would like to import and protect in the token so that I can give the token to someone else so that they can use the keys but not see them or copy them elsewhere.
I converted the existing PEM files to a P12 file using OpenSSL and the command:
openssl pkcs12 -export -out keypair.p12 -inkey key_priv.pem -in key_cert.pem
I created a DKEK with single share in scsh3gui, so far, so good.
When I try to import the P12 file, I provide the DKEK then the P12 file and I get an error:
Derive DKEK share encryption key (Step 1 of 3)...
Derive DKEK share encryption key (Step 2 of 3)...
Derive DKEK share encryption key (Step 3 of 3)...
<< Here it prints the certificate information >>
Importing key and certificate...
GPError: Card (CARD_INVALID_SW/27904) - "Unexpected SW1/SW2=6D00 (Checking error: Invalid instruction (0)) received" in /home/labuser/workspace/cardcontact/scsh3.15.388/scsh/sc-hsm/SmartCardHSM.js#1270
at /home/labuser/workspace/cardcontact/scsh3.15.388/scsh/sc-hsm/SmartCardHSM.js#1270
at /home/labuser/workspace/cardcontact/scsh3.15.388/scsh/sc-hsm/HSMKeyStore.js#333
at /home/labuser/workspace/cardcontact/scsh3.15.388/keymanager/keymanager.js#1934
at /home/labuser/workspace/cardcontact/scsh3.15.388/keymanager/keymanager.js#2085
Do you have any suggestions as to what the problem may be and how I can resolve it?
Many thanks.
Hi,
I'm trying to import a private key to a CardContact-based smartcard (namely, Nitrokey HSM). As far as I understand, writing data using just pkcs11-tool was disabled for security reasons, so I did the whole procedure of generating TLS credentials, connecting to the CardContact server and downloading the SDK.
Now when I feed my *.p12 to importP12.js from scsh3gui I get the following error:
org.mozilla.javascript.EcmaError: TypeError: Cannot read property "length" from undefined (/home/oytis/Downloads/sc-hsm-sdk/sc-hsm-workspace/scsh/sc-hsm/DKEK.js#80)
at /home/oytis/Downloads/sc-hsm-sdk/sc-hsm-workspace/scsh/sc-hsm/DKEK.js#80
at /home/oytis/Downloads/sc-hsm-sdk/sc-hsm-workspace/sc-hsm-sdk-scripts/key_import/import_P12.js#115
Any idea why this can happen? I use scsh v3.13.292 and sc-hsm-workspace v20160930.
Thanks!
Smart Card Shell fails to communicate with Identive SCT3522CC token [CCID Interface]
I am trying to initialize freshly delivered Identive SCT3522CC tokens. It seems like PCSC Lite (1.9.5, installed as a package on Rocky Linux 8.9) recognizes the token, but the Smart Card Shell cannot communicate with it:
Running setup script config.js ...
(c) 2005-2021 CardContact Systems GmbH, Minden, Germany (www.cardcontact.de)
Enter 'help' for a command overview or 'quit' to close the shell
_scsh3.setProperty("reader","Identive SCT3522CC token [CCID Interface] (55521904600920) 00 00");
load("keymanager/keymanager.js");
GPError: Card (CARD_INVALID_SW/27270) - "Unexpected SW1/SW2=6A86 (Checking error: Incorrect P1-P2) received" in /home/vesso/CardContact/scsh3/scsh/sc-hsm/SmartCardHSM.js#1436
at /home/vesso/CardContact/scsh3/scsh/sc-hsm/SmartCardHSM.js#1436
at /home/vesso/CardContact/scsh3/scsh/sc-hsm/SmartCardHSM.js#94
at /home/vesso/CardContact/scsh3/keymanager/keymanager.js#198
at /home/vesso/CardContact/scsh3/keymanager/keymanager.js#42
at /home/vesso/CardContact/scsh3/keymanager/keymanager.js#2457
At the same time, the same installation/setup recognizes and works with the Identiv uTrust 3512 SAM slot Token [CCID Interface].
For migration of legacy systems (soft private keys) it is useful to import EC keys.
#2 states that we can already import RSA keys. I would like to RFE
Either
I acknowledge CardContact's position that this defeats the purpose of having an HSM and on-chip key generation. However, this feature is necessary to migrate legacy systems.
I have the following device https://www.elotouch.com/accessories/nfc-rfid.html and I would like to know if it is possible to read Mifare cards via USB HID.
I have tried load('mifare/readmifare.js') but the response is GPError: Card (CARD_CONNECT_FAILED/0) - "No card in reader or mute card." However, if I use the manufacturer's HEX program I can read the data.
P.S: Official ELO device document https://docs.elotouch.com/accessories/accessories/_UIC680TG_Programmer_s_Manual_REV_2.7.pdf
Hi,
I don't know if I'm posting this issue in the right place; I'm sorry if it's not the case.
I'm having a problem importing a PKCS#12-formatted file using SCSH v3.14.268 on macOS using the GUI 'Key Manager' feature (right-click, etc.)
My setup:
Expected:
When setting everything correctly in the GUI (ie. 1 DKEK, path to correct DKEK, passphrase), it should ask and import my PKCS#12 keys and certificates into the HSM
What's happening:
After setting everything correctly in the GUI (ie. 1 DKEK, path to correct DKEK, passphrase), I have this console output:
Derive DKEK share encryption key (Step 1 of 3)...
Derive DKEK share encryption key (Step 2 of 3)...
Derive DKEK share encryption key (Step 3 of 3)...
GPError: Crypto (CRYPTO_FAILED/51) - "Illegal key size" in /Users/fladnag/Downloads/scsh3.14.348/scsh/sc-hsm/DKEK.js#213
at /Users/fladnag/Downloads/scsh3.14.348/scsh/sc-hsm/DKEK.js#213
at /Users/fladnag/Downloads/scsh3.14.348/keymanager/keymanager.js#1821
at /Users/fladnag/Downloads/scsh3.14.348/keymanager/keymanager.js#2028
It seems it can't decipher the DKEK.
Do you have an idea about the problem I have?
Importing key and certificate...
GPError: Card (CARD_INVALID_SW/27264) - "Unexpected SW1/SW2=6A80 (Checking error: Incorrect parameter in the command data field) received" in D:\XXXXX\scsh3.15.388\scsh\sc-hsm\SmartCardHSM.js#1270
at D:\XXXXX\scsh3.15.388\scsh\sc-hsm\SmartCardHSM.js#1270
at D:\XXXXX\scsh3.15.388\scsh\sc-hsm\HSMKeyStore.js#300
at D:\XXXXX\scsh3.15.388\keymanager\keymanager.js#1931
at D:\XXXXX\scsh3.15.388\keymanager\keymanager.js#2085
This bug should have been fixed since v3.15.383 by Issue #5, so I added "dkek.dumpKeyBLOB(blob);" in "KeyManager.prototype.importPKCS12" for debugging (some information hidden below):
Values from key blob:
---------------------
Checking the MAC : Passed
KCV : XXXXXXX [Must match the KCV of the DKEK for import]
Key type : 5 [5=RSA, 6=RSA-CRT, 12=ECC, 15=AES]
Default Algorithm ID : 0.4.0.127.0.7.2.2.2.1.2 (10) [Default algorithm]
Allowed Algorithm IDs : (0)
Access Conditions : (0) [Not used]
Key OID : (0) [Not used]
Randomize : XXXXXXXX [Random data prepended at export]
Key size : 4096 [Key size in bits (ECC/RSA) or bytes (AES)]
Private Exponent : 00A230822B41......A6FE9141 (513)
Modulus : BF00540892CD......A1C90B (512)
Public Exponent : 010001 (3)
and used "openssl rsa -in keyfile -text" to check it:
modulus:
00:bf:00:54:08:92:cd:......:a1:c9:0b
publicExponent: 65537 (0x10001)
privateExponent:
00:a2:30:82:2b:41:......:a6:fe:91:41
The format of the key blob seems to be OK; I don't know what's wrong...
Below actions work:
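The dump in the post above shows a 513-byte Private Exponent beside a 512-byte Modulus for a blob that declares a 4096-bit key, and the openssl text output begins the same value with 00:. That extra byte is the sign byte DER adds to a positive INTEGER whose top bit is set; whether it is what the card rejects with 6A80 is not established in the thread. The following is an added example (my own code, not from scsh-scripts and not from the issue author) that checks the RSA fields of such a dump for length mismatches against the declared key size, for copied sign bytes, and for whether the private exponent actually inverts the public one. The 16-bit toy key and all function names are constructed for the example.

```python
"""Added example: sanity checks for the RSA fields of a DKEK key-blob dump.

Not part of scsh-scripts. The field names follow the dump in the issue
(Modulus, Private Exponent, Public Exponent, Key size); the toy key in
toy_blob_fields() is constructed for this example only.
"""
import secrets


def component_findings(name, hexstr, key_size_bits):
    """Report length problems of one blob field given as a hex string.

    A DER INTEGER is two's complement, so a positive value whose top bit is
    set is encoded with a leading 0x00 sign byte. Copying such a value
    verbatim into a fixed-width field makes it one byte longer than
    key_size_bits / 8.
    """
    findings = []
    expected = key_size_bits // 8
    actual = len(hexstr) // 2
    if actual != expected:
        findings.append(f"{name}: {actual} bytes, blob key size implies {expected}")
    if hexstr.startswith("00") and len(hexstr) > 2:
        findings.append(f"{name}: leading 0x00 byte (DER sign byte, not part of the value)")
    return findings


def normalize_component(hexstr, key_size_bits):
    """Return the field as fixed-width hex of key_size_bits / 8 bytes,
    dropping any sign byte and left-padding short values. Raises
    OverflowError if the value genuinely does not fit the declared size."""
    return int(hexstr, 16).to_bytes(key_size_bits // 8, "big").hex().upper()


def check_rsa_blob(modulus_hex, pub_exp_hex, priv_exp_hex, key_size_bits, trials=8):
    """Return a list of findings for the RSA fields of a key blob.

    An empty list means the fields are consistent with each other and with
    the declared key size.
    """
    n = int(modulus_hex, 16)
    e = int(pub_exp_hex, 16)
    d = int(priv_exp_hex, 16)
    findings = []
    if n.bit_length() != key_size_bits:
        findings.append(f"Modulus: {n.bit_length()} bits, blob says {key_size_bits}")
    findings += component_findings("Modulus", modulus_hex, key_size_bits)
    findings += component_findings("Private Exponent", priv_exp_hex, key_size_bits)
    if n % 2 == 0 or e < 3 or e % 2 == 0 or not 0 < d < n:
        findings.append("Exponents or modulus out of range")
        return findings
    # Without p and q the only available check is that d really inverts e:
    # (m^e)^d == m (mod n) for a handful of random messages.
    for _ in range(trials):
        m = secrets.randbelow(n - 2) + 2
        if pow(pow(m, e, n), d, n) != m:
            findings.append("Private exponent does not invert public exponent")
            break
    return findings


def toy_blob_fields():
    """Constructed 16-bit RSA key (p=251, q=241) rendered the way the dump
    shows its fields: modulus without sign byte, private exponent copied with
    the leading 0x00 that openssl prints, public exponent 65537."""
    p, q, e = 251, 241, 65537
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # modular inverse, Python 3.8+
    priv = format(d, "X")
    if len(priv) % 2:
        priv = "0" + priv
    if int(priv[0], 16) >= 8:  # top bit set -> DER emits a sign byte
        priv = "00" + priv
    return {"modulus_hex": format(n, "X"), "pub_exp_hex": "010001",
            "priv_exp_hex": priv, "key_size_bits": 16}


if __name__ == "__main__":
    fields = toy_blob_fields()
    for line in check_rsa_blob(**fields) or ["no findings"]:
        print(line)
    print("normalized d:", normalize_component(fields["priv_exp_hex"], fields["key_size_bits"]))
```

To use it on a real dump, paste the full hex of the Modulus, Public Exponent and Private Exponent fields (the post redacts them with "......", so they cannot be checked here) together with the Key size line into check_rsa_blob; normalize_component gives the fixed-width form a blob field of that key size would need.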