Importing 4096 bit RSA keys from P12 into SmartCard-HSM 4K Mini-SIM Card (3.3) failed with SCSH v3.15.388

[danielliang]

Importing key and certificate...
GPError: Card (CARD_INVALID_SW/27264) - "Unexpected SW1/SW2=6A80 (Checking error: Incorrect parameter in the command data field) received" in D:\XXXXX\scsh3.15.388\scsh\sc-hsm\SmartCardHSM.js#1270
    at D:\XXXXX\scsh3.15.388\scsh\sc-hsm\SmartCardHSM.js#1270
    at D:\XXXXX\scsh3.15.388\scsh\sc-hsm\HSMKeyStore.js#300
    at D:\XXXXX\scsh3.15.388\keymanager\keymanager.js#1931
    at D:\XXXXX\scsh3.15.388\keymanager\keymanager.js#2085

This bug should be fixed since v3.15.383 by Issue #5 , so I added "dkek.dumpKeyBLOB(blob);" in "KeyManager.prototype.importPKCS12" for debugging (hiding some infos below):

Values from key blob:
---------------------
Checking the MAC      : Passed
KCV                   : XXXXXXX    [Must match the KCV of the DKEK for import]
Key type              : 5    [5=RSA, 6=RSA-CRT, 12=ECC, 15=AES]
Default Algorithm ID  : 0.4.0.127.0.7.2.2.2.1.2 (10)     [Default algorithm]
Allowed Algorithm IDs :  (0)
Access Conditions     :  (0)    [Not used]
Key OID               :  (0)    [Not used]
Randomize             : XXXXXXXX    [Random data prepended at export]
Key size              : 4096    [Key size in bits (ECC/RSA) or bytes (AES)]
Private Exponent      : 00A230822B41......A6FE9141 (513)
Modulus               : BF00540892CD......A1C90B (512)
Public Exponent       : 010001 (3)

and used "openssl rsa -in keyfile -text" for checking it:

modulus:
    00:bf:00:54:08:92:cd:......:a1:c9:0b
publicExponent: 65537 (0x10001)
privateExponent:
    00:a2:30:82:2b:41:......:a6:fe:91:41

The format of keyblob seems to be OK, I don't know where's wrong...

Below actions work:

• Importing 2048 bit RSA keys from P12
• Generating 4096 bit RSA keys on the card, then exporting them, then deleting them from the card, and then importing them

[Emantor]

We are seeing the same issue on NitroKey HSM.

[CardContact]

Seems like the private exponent is too long.

Can you try to edit scsh/sc-hsm/DKEK.js and add

var d = e.modInverse(r);

if (d.byteAt(0) == 0) {
	d = d.bytes(1);
}

var nk = new Key();

in convertCRT2PEM(). You need the restart command to reload the module before you test.

[jluebbe]

After inserting this code, I've been able to import one key successfully, but after deleting it and trying a second time I get:

Importing key and certificate...
GPError: Card (CARD_INVALID_SW/27268) - "Unexpected SW1/SW2=6A84 (Checking error: Not enough memory space in the file) received" in …/nitrokey-hsm/scsh3.15.388/scsh/sc-hsm/SmartCardHSM.js#1270

The test keys are available here: https://git.pengutronix.de/cgit/ptx-code-signing-dev/tree/
I've used openssl pkcs12 -export -inkey fit-4096-development.key -in fit-4096-development.crt -name fit -out fit-4096-development.p12 -passout pass: to convert them to a .p12 file. I'm using a nitrokey HSM2 updated from 3.1 to 3.4.

[CardContact]

Can you post a trace of the last 5 APDUs in the "trace" tab ?

[CardContact]

Did you try the import directly after initializing the device ?

Try a card reset between initialization and import. There is a known bug in the JVM garbage collector that causes the import of 3K and 4K key directly after INITIALIZE DEVICE to fail. We can not fix this issue, as it lays outside of our code. The workaround is to do a card reset between initialization and import (Enter "r" on the Smart Card Shell console).

[jluebbe]

Did you try the import directly after initializing the device ?

I imported the DKEK via sc-hsm-tool and then generated a devnet cert and replugged the HSM.
I was able to import it once successfully, but after deleting and retrying it failed.

Try a card reset between initialization and import. There is a known bug in the JVM garbage collector that causes the import of 3K and 4K key directly after INITIALIZE DEVICE to fail. We can not fix this issue, as it lays outside of our code. The workaround is to do a card reset between initialization and import (Enter "r" on the Smart Card Shell console).

OK. I'll do some more experiments.

[jluebbe]

Can you post a trace of the last 5 APDUs in the "trace" tab ?

I had do delete the key again, import it successfully and try to import another 4k key to get it to fail again: https://gist.github.com/jluebbe/2f897df679d51d7b6ed89d11ee1c5856

So far, I've only been able to import one of these keys per power-cycle or reset ('r' command). The second try always fails again with:

Importing key and certificate...
GPError: Card (CARD_INVALID_SW/27268) - "Unexpected SW1/SW2=6A84 (Checking error: Not enough memory space in the file) received" in …/nitrokey-hsm/scsh3.15.388/scsh/sc-hsm/SmartCardHSM.js#1270

[CardContact]

I can reproduce the issue with your development key. It fails with out-of-memory during import.

I then disabled secure messaging and after a card reset it worked. You can disable secure messaging by opening keymanager/keymanager.js and disable

//	this.sc.openSecureChannel(this.crypto, this.certchain.publicKey);

in KeyManager.prototype.setCard().

The problem with 4K key is, that all operations are very RAM consuming and the JVM stretches very close to the limit. We generally test with key material generated internally and not so much with externally generated keys (This is not a recommended approach, as it defeats the purpose of having a hardware token to protect keys).

My first guess is, that the key has some specific properties that cause problems in the JCOP OS. I will do some more testing in the emulator to see what makes the key specific.

Generally we recommend to use 2K RSA keys or if you need larger keys switch to ECC. ECC keys up to 521 bit work perfectly. 3K and 4K keys are problematic on JCOP3 devices. Importing 3K and 4K also has the problem, that they can not be imported in CRT format but PE/M. The wrapped CRT components are just to large to fit into the APDU buffer of the card.

In the future we will switch to JCOP4, which has a different implementation for larger RSA keys. Maybe things get better than.

[jluebbe]

I can reproduce the issue with your development key. It fails with out-of-memory during import.

Thanks for looking into this!

I then disabled secure messaging and after a card reset it worked. You can disable secure messaging by opening keymanager/keymanager.js and disable

//	this.sc.openSecureChannel(this.crypto, this.certchain.publicKey);

in KeyManager.prototype.setCard().

This is already commented out in scsh3.15.388. Is it already disabled?

The problem with 4K key is, that all operations are very RAM consuming and the JVM stretches very close to the limit. We generally test with key material generated internally and not so much with externally generated keys (This is not a recommended approach, as it defeats the purpose of having a hardware token to protect keys).

These keys are for software signing/verified boot of embedded devices. To be able to test the signing workflow as completely as possible, three cases:

1. development keys loaded into SoftHSM2 (test PKCS#11 client implementation and normal development)
2. development keys imported into Nitrokey HSM (testing usage of a real token with the same locked devices as in 1.)
3. release keys generated on a separate set of Nitrokey HSMs (and backuped via warped key export/import)

The issue only happens for me with 2. So far I've been able to import the keys one by one, with resets in between. That's time intensive but allows me to test the whole chain with the existing locked devices.

My first guess is, that the key has some specific properties that cause problems in the JCOP OS. I will do some more testing in the emulator to see what makes the key specific.

Thanks.

Generally we recommend to use 2K RSA keys or if you need larger keys switch to ECC. ECC keys up to 521 bit work perfectly. 3K and 4K keys are problematic on JCOP3 devices. Importing 3K and 4K also has the problem, that they can not be imported in CRT format but PE/M. The wrapped CRT components are just to large to fit into the APDU buffer of the card.

I'd agree, but in this case, RSA 4k is the best supported by the Hardware/ROM-Code and ECC is not supported.

In the future we will switch to JCOP4, which has a different implementation for larger RSA keys. Maybe things get better than.

OK. Is JCOP3/4 part of the updateable firmware or would this be a new device?

[jluebbe]

The issue only happens for me with 2. So far I've been able to import the keys one by one, with resets in between. That's time intensive but allows me to test the whole chain with the existing locked devices.

After importing them from p12 one-by-one and exporting them as wrapped keys, I was able to reimport all .wky files in one session. So it seems there is some difference between how SCSH and the HSM wrap the same key material.

[CardContact]

That is well possible. We suspect, that these kind of problems are caused by the way RAM objects in the JVM are garbage collected. Unfortunately NXP does not offer any documentation or support info how that is actually done.

So it depends on the sequence of APDUs, which is different when importing from wky or P12.

[danielliang]

It works now with this patch, and with v3.16.426

Seems like the private exponent is too long.

Can you try to edit scsh/sc-hsm/DKEK.js and add

var d = e.modInverse(r);

if (d.byteAt(0) == 0) {
	d = d.bytes(1);
}

var nk = new Key();

in convertCRT2PEM(). You need the restart command to reload the module before you test.

[Ryetschye]

Thank you for your effort to resolve the issue, but I still have exactly the problem:

Importing key and certificate...
GPError: Card (CARD_INVALID_SW/27268) - "Unexpected SW1/SW2=6A84 (Checking error: Not enough memory space in the file) received" in /home/crypto/CardContact/scsh3/scsh/sc-hsm/SmartCardHSM.js#1348

My trace shows the following:

2B C: 80 58 00 00 - ENUMERATE OBJECTS      Le=0 Extended
   R: SW1/SW2=9000 (Normal processing: No error) Lr=4
      0000  2F 02 CC 00                                      /...
2B C: 80 52 00 00 - MANAGE KEY DOMAIN Lc=32
      *** Sensitive Information Removed ***      Le=0
   R: SW1/SW2=9000 (Normal processing: No error) Lr=10
      0000  01 00 6E 81 2E E3 06 38 4E E3                    ..n....8N.
2B C: 80 74 01 93 - UNWRAP KEY Lc=1099 Extended
      0007  6E 81 2E E3 06 38 4E E3 05 00 0A 04 00 7F 00 07  n....8N.........
      0017  02 02 02 01 02 00 00 00 00 00 00 11 BB ED 32 20  ..............2
......
      0437  07 4D 14 99 B3 00 1B 63 7C 7F 84 CD 6F 20 D0 DF  .M.....c|...o ..
      0447  3D EF 1B 6A AF BA 02 A9 3A B6 AB                 =..j....:..
   R: SW1/SW2=6A84 (Checking error: Not enough memory space in the file) Lr=0

I have the following setup:
SmartCard-HSM Version 3.3 on JCOP 3 - Free memory 86228 byte
Windows 10 and /or Linux (Ubuntu 20.04) with Java 8 and /or Java 11
Smart Card Shell 3.16.426
PKCS12 file with RSA 4k key and self-signed certificate (no password protection)
1 generated and imported DKEK with no password

What I am doing wrong?

By the way: importing a 2k RSA key works fine.

SOLVED: I have updated the HSM to version 3.4 and I used the reset functionality!

[eighthave]

I have a NitroKey HSM 2 that I updated to firmware v2.5. I still have this problem importing a RSA 4096 bit generated by keytool in a JKS then converted using keytool to P12. I'm using Smart Card Shell v3.17.453 and following the directions from https://vessokolev.blogspot.com/2019/06/smartcard-hsm-usb-token-using-smart.html

$ keytool -genkey \
    -keystore keystore.jks -alias foo \
    -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
    -validity 10000 -storepass:env KEY_STORE_PASS -keypass:env KEY_PASS \
    -dname "CN=foo, OU=Test" -J-Duser.language=en
$ keytool -importkeystore \
    -srckeystore keystore.jks -srcalias foo -srcstorepass:env KEY_STORE_PASS -srckeypass:env KEY_PASS \
    -destkeystore keystore.p12 -deststoretype PKCS12 -deststorepass:env KEY_STORE_PASS -destkeypass:env KEY_PASS

Here's the error:

Importing key and certificate...
GPError: Card (CARD_INVALID_SW/27013) - "Unexpected SW1/SW2=6985 (Checking error: Condition of use not satisfied) received" in /home/hans/scsh/sc-hsm/SmartCardHSM.js#1348
    at /home/hans/scsh/sc-hsm/SmartCardHSM.js#1348
    at /home/hans/scsh/sc-hsm/HSMKeyStore.js#300
    at /home/hans/keymanager/keymanager.js#2118
    at /home/hans/keymanager/keymanager.js#2272