Issue while Import externally generated Private key file in CardContact SmartCard-HSM #621

Closed
scottthomas007 opened this issue Nov 27, 2015 · 2 comments


@scottthomas007

Bonjour Users,

I created an RSA 2048-bit key to store in the CardContact SmartCard with the command

```
openssl genrsa -out user.key.pem 2048
```

I tried to import the PEM key file into the CardContact SmartCard with pkcs11-tool:

```
pkcs11-tool -l --pin 123456 --write-object user.key.pem --type privkey --id 10
Using slot 1 with a present token (0x1)
2015-11-27 10:21:25.047 cannot lock memory, sensitive data may be paged to disk
error: Cannot read private key

Aborting.
```

So I also converted the PEM file to a DER file with the command

```
openssl rsa -in user.key.pem -out user.key.der -outform DER
```

I tried again to import the DER key file into the CardContact SmartCard with pkcs11-tool:

```
pkcs11-tool -l --pin xxxxxxxx --write-object user.key.der --type privkey --id 10
Using slot 1 with a present token (0x1)
2015-11-27 10:30:10.216 cannot lock memory, sensitive data may be paged to disk
error: PKCS11 function C_CreateObject failed: rv = CKR_FUNCTION_NOT_SUPPORTED (0x54)

Aborting.
```

Please provide me with the command or method to store the externally generated private key in the CardContact SmartCard-HSM.

@CardContact
Member

The SmartCard-HSM does not support importing private keys in plain for security reasons.

Even though this seems to be common practice, we strongly discourage users from importing externally generated keys in plain. The reasons are:

  1. The quality of a private key depends much more strongly on the quality of the random number generator than on the key length. If the random number generator used to create the key has weaknesses or was tampered with, then chances are that you are getting a weak key. Just have a look at what happened with OpenSSL (CVE-2008-0166).
  2. Keys in software key stores like PKCS#12 are typically protected by a password-derived key. Anyone with a copy of the encrypted key file (which usually can't be prevented) just needs to shoulder-surf for the password to get undetected access. This defeats the purpose of using a hardware token, where you want to make sure the key is linked to a physical piece of equipment.
  3. Importing the key into the device requires decryption of the PKCS#12 in memory, after which the plain private key traverses several application layers (application, middleware, PC/SC daemon, USB subsystem, kernel, USB wiring, card reader firmware, card interface). Trying to prevent key leakage is very difficult in a software stack that wasn't designed to protect sensitive information.

However, we acknowledge that there might be situations where generating a fresh key is not a viable option. For those rare cases, the SDK provides a tool to import a private key from a PKCS#12 file. **This should only be done if you really know what you are doing**.

The SDK software [1] is available via the CDN [2] if you have a SmartCard-HSM EA+ token. If not, just write me an e-mail.

[1] https://devnet.cardcontact.de/projects/sc-hsm-sdk/files
[2] https://www.cardcontact.de/cdn/about.html
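
Point 1 of the reply above, as an added example that is not part of the original thread or of any CardContact or OpenSSL code: when a generator's only entropy is a small seed, the number of keys it can ever produce is fixed by the seed size, not the key length, so a defender can enumerate them and reject any that turn up. The 8-bit seed, the toy modulus sizes, the function names and the use of Python's `random` as a stand-in for a flawed RNG are all assumptions made for the demonstration.

```python
import random
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n):
    """Miller-Rabin with fixed bases; adequate for this demonstration."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_modulus(seed, bits):
    """RSA modulus whose only entropy source is `seed` (the flawed design)."""
    rng = random.Random(seed)  # deterministic PRNG, never use for real keys
    primes = []
    while len(primes) < 2:
        c = rng.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
        if is_probable_prime(c) and c not in primes:
            primes.append(c)
    return primes[0] * primes[1]

def weak_moduli(seed_bits, bits):
    """Every modulus the flawed generator can ever output."""
    return {gen_modulus(seed, bits) for seed in range(2 ** seed_bits)}

def is_blacklisted(modulus, blacklist):
    """Defender-side check: reject keys known to come from the weak generator."""
    return modulus in blacklist

if __name__ == "__main__":
    for bits in (128, 256):  # longer keys, same number of possible keys
        print(bits, "bit modulus ->", len(weak_moduli(8, bits)), "possible keys")
    bl = weak_moduli(8, 256)
    print(is_blacklisted(gen_modulus(77, 256), bl))                     # weak seed
    print(is_blacklisted(gen_modulus(secrets.randbits(128), 256), bl))  # CSPRNG seed
```

Doubling the modulus length leaves the set of possible keys at no more than 2^8, which is why a key generated outside the token is only as trustworthy as the generator that produced it.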

@scottthomas007
Author

I have to use this SC to import the CA key and store user public/private keys. Leaving the import tool aside, how can I import the P12 file into the SC-HSM smart card via some API or command?
