
Id Prime md 840/841 Smart Card - PKCS#11 GenerateKeyPair() errors | Thales IoT Developer Community


April 25, 2018 - 2:24pm, 2132 views


I am testing your IDPrime 840 (Applet ver: Id Prime Java Card 4.1.2 F) and 841 (Applet ver: Id Prime Java Card 4.0.2 K) smart cards. I received the information that in order to generate keys (for example RSA) or use the remaining crypto possibilities of the card, I should use the PKCS#11 libraries. I want to generate a pair of RSA keys.

My application does the following steps:

1. Initializes the Cryptoki library

2. Defines the mechanism CKM_RSA_PKCS_KEY_PAIR_GEN and opens the slot (checking the two flags: 65537 = CKF_HW | CKF_GENERATE_KEY_PAIR)

3. Opens the session for the smart card (in CKF_SERIAL_SESSION ****)

4. Logs in to the card with the PIN (C_Login function)

After correctly completing the above steps, it uses the C_GenerateKeyPair() function, which returns an error depending on the value of the CKA_TOKEN attribute. When the CKA_TOKEN attribute is set to false in the public and private key templates, we get the response CKR_ATTRIBUTE_VALUE_INVALID (0x00000013); if the CKA_TOKEN parameter is set to true, the program returns the error CKR_SESSION_READ_ONLY (0x000000B5).

If the session is started in the CKF_RW_SESSION ****, the GenerateKeyPair() function will return the error CKR_SESSION_PARALLEL_NOT_SUPPORTED (0x000000B4).

Why is it not possible to generate the aforementioned RSA key pair and what are the possibilities to repair these errors?
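
The following is an added example, not part of the original post and not Thales code: it models the session-flag rules of the PKCS#11 specification that govern the sequence described above, so the flag combinations can be compared without a token or middleware. The helper name `preflight_keygen` is hypothetical, the constants are repeated from the standard PKCS#11 headers, and the CKR_ATTRIBUTE_VALUE_INVALID reported for CKA_TOKEN = false is token-specific and not modelled.

```c
#include <stdio.h>

/* Values as defined in the standard PKCS#11 header (pkcs11t.h), repeated
 * here so this file compiles without a vendor SDK. */
#define CKF_HW                             0x00000001UL
#define CKF_RW_SESSION                     0x00000002UL
#define CKF_SERIAL_SESSION                 0x00000004UL
#define CKF_GENERATE_KEY_PAIR              0x00010000UL
#define CKR_OK                             0x00000000UL
#define CKR_MECHANISM_INVALID              0x00000070UL
#define CKR_SESSION_PARALLEL_NOT_SUPPORTED 0x000000B4UL
#define CKR_SESSION_READ_ONLY              0x000000B5UL

/* Hypothetical helper: the return code the specification prescribes for an
 * open-session + generate-key-pair sequence with the given flags. */
unsigned long preflight_keygen(unsigned long mech_flags,
                               unsigned long session_flags,
                               int cka_token)
{
    /* CKF_SERIAL_SESSION must always be set; the specification assigns
     * this failure to C_OpenSession. */
    if (!(session_flags & CKF_SERIAL_SESSION))
        return CKR_SESSION_PARALLEL_NOT_SUPPORTED;
    /* The mechanism must advertise key pair generation. */
    if (!(mech_flags & CKF_GENERATE_KEY_PAIR))
        return CKR_MECHANISM_INVALID;
    /* Token objects (CKA_TOKEN = true) need a read/write session. */
    if (cka_token && !(session_flags & CKF_RW_SESSION))
        return CKR_SESSION_READ_ONLY;
    return CKR_OK;
}

int main(void)
{
    unsigned long mech = CKF_HW | CKF_GENERATE_KEY_PAIR; /* 65537, as in the post */
    struct { const char *name; unsigned long flags; } s[] = {
        { "CKF_SERIAL_SESSION only", CKF_SERIAL_SESSION },
        { "CKF_RW_SESSION only", CKF_RW_SESSION },
        { "CKF_SERIAL_SESSION | CKF_RW_SESSION",
          CKF_SERIAL_SESSION | CKF_RW_SESSION },
    };
    for (size_t i = 0; i < sizeof s / sizeof s[0]; i++)
        printf("%-38s CKA_TOKEN=true -> 0x%08lX\n", s[i].name,
               preflight_keygen(mech, s[i].flags, 1));
    return 0;
}
```

In a real application the combined value `CKF_SERIAL_SESSION | CKF_RW_SESSION` is what gets passed as the flags argument of `C_OpenSession`.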