topic pkcs11-tool generates 2 private keys for keypairgen in Secure Authentication

pkcs11-tool generates 2 private keys for keypairgen

user4 — Fri, 26 Apr 2024 09:39:46 GMT

I'm expecting to have a public and a private key pair when I execute pkcs11-tool command with --keypairgen option, but the outputs says generated 2 private keys.

Is that an expected behavior of se050? If not, am I missing something important?

platform: Debian (bullseye)

module variant: SE050C1

# pkcs11-tool --module $PKCS11_MODULE --keypairgen --key-type rsa:2048 --label "sss:20202020" Using slot 0 with a present token (0x1) smCom :WARN :Invalid conn_ctx App :INFO :Using PortName='/dev/i2c-1:0x48' (ENV: EX_SSS_BOOT_SSS_PORT=/dev/i2c-1:0x48) sss :INFO :atr (Len=35) 00 A0 00 00 03 96 04 03 E8 00 FE 02 0B 03 E8 08 01 00 00 00 00 64 00 00 0A 4A 43 4F 50 34 20 41 54 50 4F sss :WARN :Communication channel is Plain. sss :WARN :!!!Not recommended for production use.!!! Key pair generated: Private Key Object; RSA label: sss:20202020 ID: 20202020 Usage: decrypt, sign Access: sensitive, always sensitive Allowed mechanisms: RSA-PKCS,SHA1-RSA-PKCS,SHA224-RSA-PKCS,SHA256-RSA-PKCS,SHA384-RSA-PKCS,SHA512-RSA-PKCS,RSA-PKCS-PSS,SHA1-RSA-PKCS-PSS,SHA224-RSA-PKCS-PSS,SHA256-RSA-PKCS-PSS,SHA384-RSA-PKCS-PSS,SHA512-RSA-PKCS-PSS,RSA-PP Private Key Object; RSA label: sss:20202020 ID: 20202020 Usage: decrypt, sign Access: sensitive, always sensitive Allowed mechanisms: RSA-PKCS,SHA1-RSA-PKCS,SHA224-RSA-PKCS,SHA256-RSA-PKCS,SHA384-RSA-PKCS,SHA512-RSA-PKCS,RSA-PKCS-PSS,SHA1-RSA-PKCS-PSS,SHA224-RSA-PKCS-PSS,SHA256-RSA-PKCS-PSS,SHA384-RSA-PKCS-PSS,SHA512-RSA-PKCS-PSS,RSA-PP

Re: pkcs11-tool generates 2 private keys for keypairgen

Kan_Li — Mon, 29 Apr 2024 07:54:59 GMT

Hi @user4 ,

May I have the MW version?

Have a great day,
Kan

-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

Re: pkcs11-tool generates 2 private keys for keypairgen

user4 — Tue, 30 Apr 2024 01:08:47 GMT

Hi Kan,

Thank you for responding.

Unfortunately, I don't know the specific version of MW because this environment was built by another company, but guessing it might be 4.2.0:

# dpkg -L plug-and-trust /. /etc /etc/plug-and-trust /etc/plug-and-trust/openssl11_sss_se050.cnf /usr /usr/lib /usr/lib/arm-linux-gnueabihf /usr/lib/arm-linux-gnueabihf/engines-1.1 /usr/lib/arm-linux-gnueabihf/engines-1.1/e4sss.so /usr/lib/arm-linux-gnueabihf/libsssapisw.so.4.2.0 /usr/lib/arm-linux-gnueabihf/plug-and-trust /usr/lib/arm-linux-gnueabihf/plug-and-trust/libsss_pkcs11.so /usr/share /usr/share/doc /usr/share/doc/plug-and-trust /usr/share/doc/plug-and-trust/changelog.Debian.gz /usr/share/doc/plug-and-trust/copyright /usr/lib/arm-linux-gnueabihf/libsssapisw.so.4

Re: pkcs11-tool generates 2 private keys for keypairgen

Kan_Li — Mon, 06 May 2024 05:21:46 GMT

Hi @user4 ,

Thanks for the information! I have tied the same with MW ver 4.5.1 , it just works as expected. Maybe you have to update the MW to the latest. Please kindly refer to the following for details.

Have a great day,
Kan

Re: pkcs11-tool generates 2 private keys for keypairgen

user4 — Tue, 07 May 2024 00:38:52 GMT

Hi Kan,

Thank you for the inputs. I've also verified that using the libraries in that version does solve the problem, so will consider to ask the package provider to update the MW.