scsh-scripts's Issues

importing 4096 bit rsa keys from pkcs12 into Nitrokey HSM 2

Using a Nitrokey HSM 2 I can import 2048 bit pkcs12 keys (generated with gpg -> gpgsm) via keymanager, but if I try the exact same procedure with a 4096 bit key I get:

Importing key and certificate...
GPError: Card (CARD_INVALID_SW/27264) - "Unexpected SW1/SW2=6A80 (Checking error: Incorrect parameter in the command data field) received" in /home/myuser/scsh3.15.359/scsh/sc-hsm/SmartCardHSM.js#1238
    at /home/myuser/scsh3.15.359/scsh/sc-hsm/SmartCardHSM.js#1238
    at /home/myuser/scsh3.15.359/scsh/sc-hsm/HSMKeyStore.js#300
    at /home/myuser/scsh3.15.359/keymanager/keymanager.js#1884
    at /home/myuser/scsh3.15.359/keymanager/keymanager.js#2038

Generating a 4096 bit key works, so the device at least supports them...

Cannot import EC-256 key pair in P12 format

Hi All,

I'm running the latest 3.15.288 scsh with a CardContact 4K token which is labelled as "uTrust Token Standard". The platform is Ubuntu 18.04 and openjdk v11.0.4, which is the default for the platform.

I have existing EC-256 keys that I would like to import and protect in the token so that I can give the token to someone else so that they can use the keys but not see them or copy them elsewhere.

I converted the existing PEM files to a P12 file using OpenSSL and the command:

openssl pkcs12 -export -out keypair.p12 -inkey key_priv.pem -in key_cert.pem

I created a DKEK with single share in scsh3gui, so far, so good.

When I try to import the P12 file, I provide the DKEK then the P12 file and I get an error:

Derive DKEK share encryption key (Step 1 of 3)...
Derive DKEK share encryption key (Step 2 of 3)...
Derive DKEK share encryption key (Step 3 of 3)...

<< Here it prints the certificate information >>

Importing key and certificate...
GPError: Card (CARD_INVALID_SW/27904) - "Unexpected SW1/SW2=6D00 (Checking error: Invalid instruction (0)) received" in /home/labuser/workspace/cardcontact/scsh3.15.388/scsh/sc-hsm/SmartCardHSM.js#1270
at /home/labuser/workspace/cardcontact/scsh3.15.388/scsh/sc-hsm/SmartCardHSM.js#1270
at /home/labuser/workspace/cardcontact/scsh3.15.388/scsh/sc-hsm/HSMKeyStore.js#333
at /home/labuser/workspace/cardcontact/scsh3.15.388/keymanager/keymanager.js#1934
at /home/labuser/workspace/cardcontact/scsh3.15.388/keymanager/keymanager.js#2085

Do you have any suggestions what the problem may be and how I can resolve it?

Many thanks.

Importing private keys with scsh

Hi,
I'm trying to import a private key to a CardContact-based smartcard (namely, Nitrokey HSM). As far as I understand, writing data using just pkcs11-tool was disabled for security reasons, so I did the whole procedure of generating TLS credentials, connecting to the CardContact server and downloading the SDK.
Now when I feed my *.p12 to importP12.js from scsh3gui I get the following error:

org.mozilla.javascript.EcmaError: TypeError: Cannot read property "length" from undefined (/home/oytis/Downloads/sc-hsm-sdk/sc-hsm-workspace/scsh/sc-hsm/DKEK.js#80)
    at /home/oytis/Downloads/sc-hsm-sdk/sc-hsm-workspace/scsh/sc-hsm/DKEK.js#80
    at /home/oytis/Downloads/sc-hsm-sdk/sc-hsm-workspace/sc-hsm-sdk-scripts/key_import/import_P12.js#115

Any idea why this can take place? I use scsh v 3.13.292 and sc-hsm-workspace v 20160930.

Thanks!

Smart Card shell fails to communicate with Identive SCT3522CC token [CCID Interface]

Problem Description

Smart Card shell fails to communicate with Identive SCT3522CC token [CCID Interface]

I am trying to initialize freshly delivered Identive SCT3522CC tokens. It seems like PCSC Lite (1.9.5, installed as a package/Rocky Linux 8.9) recognizes the token. But the Smart Card cannot communicate with it:

Running setup script config.js ...

Smart Card Shell Scripting Engine (scdp4j) 3.17.459

(c) 2005-2021 CardContact Systems GmbH, Minden, Germany (www.cardcontact.de)
Enter 'help' for a command overview or 'quit' to close the shell

_scsh3.setProperty("reader","Identive SCT3522CC token [CCID Interface] (55521904600920) 00 00");
load("keymanager/keymanager.js");
GPError: Card (CARD_INVALID_SW/27270) - "Unexpected SW1/SW2=6A86 (Checking error: Incorrect P1-P2) received" in /home/vesso/CardContact/scsh3/scsh/sc-hsm/SmartCardHSM.js#1436
at /home/vesso/CardContact/scsh3/scsh/sc-hsm/SmartCardHSM.js#1436
at /home/vesso/CardContact/scsh3/scsh/sc-hsm/SmartCardHSM.js#94
at /home/vesso/CardContact/scsh3/keymanager/keymanager.js#198
at /home/vesso/CardContact/scsh3/keymanager/keymanager.js#42
at /home/vesso/CardContact/scsh3/keymanager/keymanager.js#2457

At the same time, the same installation/setup recognizes and works with Identiv uTrust 3512 SAM slot Token [CCID Interface].

Proposed Resolution

No solution available yet

Steps to reproduce

  1. Insert the token into USB 2/3 port
  2. Run Smart Card shell
  3. Select the reader (optional)
  4. Try to load the key manager

Logs

GPError: Card (CARD_INVALID_SW/27270) - "Unexpected SW1/SW2=6A86 (Checking error: Incorrect P1-P2) received" in /home/vesso/CardContact/scsh3/scsh/sc-hsm/SmartCardHSM.js#1436
at /home/vesso/CardContact/scsh3/scsh/sc-hsm/SmartCardHSM.js#1436
at /home/vesso/CardContact/scsh3/scsh/sc-hsm/SmartCardHSM.js#94
at /home/vesso/CardContact/scsh3/keymanager/keymanager.js#198
at /home/vesso/CardContact/scsh3/keymanager/keymanager.js#42
at /home/vesso/CardContact/scsh3/keymanager/keymanager.js#2457

[RFE] Document wrapped format/Import EC keys

For migration of legacy systems (soft private keys) it is useful to import EC keys.

#2 states that we can already import RSA keys. I would like to RFE

Either

  1. Document wrap format so we may import EC keys
  2. Enhance DKEK.js to import EC keys

I acknowledge CardContact's position that this defeats the purpose of having an HSM and on-chip key generation. However, this feature is necessary to migrate legacy systems.

(Question) Is it possible to read Mifare cards via USB HID?

I have the following device https://www.elotouch.com/accessories/nfc-rfid.html and I would like to know if it is possible to read Mifare cards via USB HID.

I have tried load('mifare/readmifare.js') but GPError: Card (CARD_CONNECT_FAILED/0) - "No card in reader or mute card." is responding. However, if I use Manufacturer HEX program I can read the data.

@frankthater @CardContact

P.S: Official ELO device document https://docs.elotouch.com/accessories/accessories/_UIC680TG_Programmer_s_Manual_REV_2.7.pdf

Cannot import PKCS#12-formatted file into Nitrokey HSM

Hi,

I don't know if I'm posting this issue in the right place; I'm sorry if it's not the case.

I'm having a problem importing a PKCS#12-formatted file using the SCSH v3.14.268 on macOS using the GUI 'Key Manager' feature (right-click, etc.).

My setup:

  • A Nitrokey HSM, freshly updated (to V2.6 for issuer DEDINK0200001 via http://www.pki-as-a-service.net/cardcontact ) and initialized (and already a few keys on it),
  • Initialized with 1 DKEK Share key and strong random password (32 alphanumeric chars),
  • A macOS KeyStore-generated PKCS#12 file I want to import.

Expected:
When setting everything correctly in the GUI (i.e. 1 DKEK, path to correct DKEK, passphrase), it should ask and import my PKCS#12 keys and certificates into the HSM.

What's happening:
After setting everything correctly in the GUI (i.e. 1 DKEK, path to correct DKEK, passphrase), I have this console output:

Derive DKEK share encryption key (Step 1 of 3)...
Derive DKEK share encryption key (Step 2 of 3)...
Derive DKEK share encryption key (Step 3 of 3)...
GPError: Crypto (CRYPTO_FAILED/51) - "Illegal key size" in /Users/fladnag/Downloads/scsh3.14.348/scsh/sc-hsm/DKEK.js#213
    at /Users/fladnag/Downloads/scsh3.14.348/scsh/sc-hsm/DKEK.js#213
    at /Users/fladnag/Downloads/scsh3.14.348/keymanager/keymanager.js#1821
    at /Users/fladnag/Downloads/scsh3.14.348/keymanager/keymanager.js#2028

It seems it can't decipher the DKEK.

Do you have an idea about the problem I have?

Importing 4096 bit RSA keys from P12 into SmartCard-HSM 4K Mini-SIM Card (3.3) failed with SCSH v3.15.388

Importing key and certificate...
GPError: Card (CARD_INVALID_SW/27264) - "Unexpected SW1/SW2=6A80 (Checking error: Incorrect parameter in the command data field) received" in D:\XXXXX\scsh3.15.388\scsh\sc-hsm\SmartCardHSM.js#1270
    at D:\XXXXX\scsh3.15.388\scsh\sc-hsm\SmartCardHSM.js#1270
    at D:\XXXXX\scsh3.15.388\scsh\sc-hsm\HSMKeyStore.js#300
    at D:\XXXXX\scsh3.15.388\keymanager\keymanager.js#1931
    at D:\XXXXX\scsh3.15.388\keymanager\keymanager.js#2085

This bug should be fixed since v3.15.383 by Issue #5, so I added "dkek.dumpKeyBLOB(blob);" in "KeyManager.prototype.importPKCS12" for debugging (hiding some info below):

Values from key blob:
---------------------
Checking the MAC      : Passed
KCV                   : XXXXXXX    [Must match the KCV of the DKEK for import]
Key type              : 5    [5=RSA, 6=RSA-CRT, 12=ECC, 15=AES]
Default Algorithm ID  : 0.4.0.127.0.7.2.2.2.1.2 (10)     [Default algorithm]
Allowed Algorithm IDs :  (0)
Access Conditions     :  (0)    [Not used]
Key OID               :  (0)    [Not used]
Randomize             : XXXXXXXX    [Random data prepended at export]
Key size              : 4096    [Key size in bits (ECC/RSA) or bytes (AES)]
Private Exponent      : 00A230822B41......A6FE9141 (513)
Modulus               : BF00540892CD......A1C90B (512)
Public Exponent       : 010001 (3)

and used "openssl rsa -in keyfile -text" for checking it:

modulus:
    00:bf:00:54:08:92:cd:......:a1:c9:0b
publicExponent: 65537 (0x10001)
privateExponent:
    00:a2:30:82:2b:41:......:a6:fe:91:41

The format of the key blob seems to be OK; I don't know what's wrong...

The actions below work:

  • Importing 2048 bit RSA keys from P12
  • Generating 4096 bit RSA keys on the card, then exporting them, then deleting them from the card, and then importing them
