pico-hsm
How to list pkcs11 url of the private key?
For signing an intermediate CA with openssl, I need to state the pkcs11 URL in the config file. I can list the public keys but fail to do so for the private keys:
p11tool --list-all pkcs11:model=PKCS%2315%20emulated;manufacturer=Pol%20Henarejos;serial=ESPICOHSMTR;token=Pico-HSM%20%28UserPIN%29
Object 0:
URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=Pol%20Henarejos;serial=ESPICOHSMTR;token=Pico-HSM%20%28UserPIN%29;id=%01;object=RSA2K;type=public
Type: Public key (RSA-2048)
Label: RSA2K
Flags: CKA_WRAP/UNWRAP;
ID: 01
Object 1:
URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=Pol%20Henarejos;serial=ESPICOHSMTR;token=Pico-HSM%20%28UserPIN%29;id=%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00;object=ESPICOHSMTR;type=public
Type: Public key (EC/ECDSA-SECP256R1)
Label: ESPICOHSMTR
ID: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
Object 2:
URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=Pol%20Henarejos;serial=ESPICOHSMTR;token=Pico-HSM%20%28UserPIN%29;id=%11;object=ECDSA;type=public
Type: Public key (EC/ECDSA-SECP192R1)
Label: ECDSA
ID: 11
Object 3:
URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=Pol%20Henarejos;serial=ESPICOHSMTR;token=Pico-HSM%20%28UserPIN%29;id=%6B%52%23%26%27%0F%20%10%7F%64%A4%31%FB%EE%05%0D%9F%29%F9%77;object=root;type=public
Type: Public key (EC/ECDSA-SECP384R1)
Label: root
ID: 6b:52:23:26:27:0f:20:10:7f:64:a4:31:fb:ee:05:0d:9f:29:f9:77
Object 4:
URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=Pol%20Henarejos;serial=ESPICOHSMTR;token=Pico-HSM%20%28UserPIN%29;id=%8C%23%52%12%36%77%D5%04%AB%A4%86%89%F7%88%77%C4%A2%97%11%00;object=intermediate;type=public
Type: Public key (EC/ECDSA-SECP384R1)
Label: intermediate
ID: 8c:23:52:12:36:77:d5:04:ab:a4:86:89:f7:88:77:c4:a2:97:11:00
export GNUTLS_PIN=648219
p11tool --login --list-all pkcs11:model=PKCS%2315%20emulated;manufacturer=Pol%20Henarejos;serial=ESPICOHSMTR;token=Pico-HSM%20%28UserPIN%29
Error in crt_list_import (1): Error in provided PIN.
Is this the correct way to get those URLs? Any alternative to get those?
I found the following workaround:
- List keys with
pkcs11-tool -l --pin 648219 -O
and identify the serial of the private key
- Convert to %-notation:
echo 6b522326270f20107f64a431fbee050d9f29f977 | tr '[:lower:]' '[:upper:]' | sed 's/../%&/g'
- Use a minimal pkcs11 URL:
pkcs11:id=%6B%52%23%26%27%0F%20%10%7F%64%A4%31%FB%EE%05%0D%9F%29%F9%77;type=private
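
The workaround above as one step, in an added example that is not part of the original thread: a shell function that reads `pkcs11-tool -O` style output and prints a minimal `pkcs11:` URL for each private key object. The function names and the sample listing are constructed, and the listing layout (an unindented object header followed by indented `label:` and `ID:` fields) is an assumption about the tool's output.

```shell
#!/bin/sh
# Added example, not from the thread.
# Usage (assumed): pkcs11-tool -l -O | private_key_urls
# Prints "label<TAB>pkcs11-URL" for every private key object on stdin.
private_key_urls() {
    awk '
        # An unindented line starts a new object; remember whether it is private.
        /^[^ \t]/ { priv = ($0 ~ /^Private Key Object/); label = ""; next }
        !priv     { next }
        $1 == "label:" { sub(/^[ \t]*label:[ \t]*/, ""); label = $0; next }
        $1 == "ID:" {
            id = toupper($2)
            gsub(/:/, "", id)                      # accept 6b:52:... as well
            if (id !~ /^([0-9A-F][0-9A-F])+$/) {   # empty, odd-length or non-hex
                printf "skipping %s: bad ID \"%s\"\n", label, $2 > "/dev/stderr"
                next
            }
            gsub(/../, "%&", id)                   # percent-encode every byte
            printf "%s\tpkcs11:id=%s;type=private\n", label, id
        }
    '
}

# Constructed sample listing (abbreviated); labels and IDs reuse values from the page.
sample_listing() {
    cat <<'EOF'
Using slot 0 with a present token (0x0)
Private Key Object; EC
  label:      root
  ID:         6b522326270f20107f64a431fbee050d9f29f977
  Usage:      sign, derive
Public Key Object; EC  EC_POINT 384 bits
  label:      root
  ID:         6b522326270f20107f64a431fbee050d9f29f977
  Usage:      verify
Private Key Object; EC
  label:      intermediate
  ID:         8c:23:52:12:36:77:d5:04:ab:a4:86:89:f7:88:77:c4:a2:97:11:00
  Usage:      sign, derive
EOF
}
```

The URL carries only `id` and `type`, so it matches on any token that holds a key with that ID.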