Approach to download keypair to Nitro HSM


#1

My use case is the migration from an Aladdin eToken to an alternative, using an existing RSA key created with openssl. The application is using pykcs11 to generate XML signatures.

I am using the same arguments for nitrohsm and etoken, except --module:

pkcs11-tool --login --pin 648219 -w /ramdisk/testcert_key.der --type privkey --label sigkey --so-pin="$SOPIN"

While eToken works, I receive CKR_FUNCTION_NOT_SUPPORTED (0x54) with the NitroHSM. For the certificate I get CKR_GENERAL_ERROR.

Do I need to use another approach? Encrypting the key with the DKEK and then using something like sc-hsm-tool --unwrap-key? Is there some documentation available?

I am using CentOS 7.6.1810 in a docker image and OpenSC 0.19.
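The DKEK route asked about above, as an added example that is not part of the original post or of the OpenSC or Nitrokey projects: the on-device side of a DKEK-based key import on a Nitrokey HSM / SmartCard-HSM using OpenSC's sc-hsm-tool. It assumes the wrapped key blob (wrap-key.bin) has already been produced under the same DKEK by the vendor's key tooling, since OpenSC's sc-hsm-tool can only wrap keys that already live on a device (--wrap-key) and cannot wrap an OpenSSL key file; the SO-PIN, key reference and module path are placeholders. Note that --initialize erases every key on the device and that the number of DKEK shares can only be set at that point.

```shell
#!/bin/sh
# Added example, not code from the original post: DKEK lifecycle on a
# SmartCard-HSM / Nitrokey HSM with OpenSC's sc-hsm-tool.
# Assumptions (not stated on the page): wrap-key.bin was produced under the
# same DKEK by the vendor's tooling; key reference, SO-PIN and module path
# are placeholders to adjust.
set -eu

SO_PIN="3537363231383830"      # SmartCard-HSM SO-PIN: exactly 16 hex digits (the documented default)
USER_PIN="648219"              # user PIN from the post (at least 6 characters on this device)
DKEK_SHARE="dkek-share-1.pbe"  # password-protected DKEK share file
WRAPPED_KEY="wrap-key.bin"     # assumed: wrapped under the same DKEK
KEY_REF=1                      # assumed: on-card key slot to unwrap into
MODULE="/usr/lib64/opensc-pkcs11.so"  # assumed path for CentOS; adjust to your install

# Check the SO-PIN format before touching the device: an eToken-style SO-PIN
# passed through "$SOPIN" is not accepted here, the SmartCard-HSM wants 8 bytes
# written as 16 hex digits.
so_pin_is_valid() {
    case "$1" in
        *[!0-9A-Fa-f]*) return 1 ;;   # a non-hex character is present
    esac
    [ "${#1}" -eq 16 ]
}

# Step 1: initialise the device with DKEK support.
# WARNING: this wipes all existing keys on the device.
initialize_with_dkek() {
    so_pin_is_valid "$SO_PIN" || { echo "SO-PIN must be 16 hex digits" >&2; return 1; }
    sc-hsm-tool --initialize --so-pin "$SO_PIN" --pin "$USER_PIN" --dkek-shares 1
}

# Step 2: create a single DKEK share (prompts for a password), then import it;
# with --dkek-shares 1 the DKEK is complete after this one import.
setup_dkek() {
    sc-hsm-tool --create-dkek-share "$DKEK_SHARE"
    sc-hsm-tool --import-dkek-share "$DKEK_SHARE"
}

# Step 3: unwrap the DKEK-wrapped key into key reference KEY_REF.
# The blob must have been wrapped under the DKEK that is now on the device.
unwrap_key() {
    sc-hsm-tool --unwrap-key "$WRAPPED_KEY" --key-reference "$KEY_REF" --pin "$USER_PIN"
}

# Step 4: confirm the key is visible through the same PKCS#11 module the
# application (pykcs11) will load, instead of trusting the tool's exit status.
list_private_keys() {
    pkcs11-tool --module "$MODULE" --login --pin "$USER_PIN" --list-objects --type privkey
}

# Only talk to the device when explicitly asked: sh import-dkek.sh run
if [ "${1:-}" = "run" ]; then
    initialize_with_dkek
    setup_dkek
    unwrap_key
    list_private_keys
fi
```

Run it as `sh import-dkek.sh run` with the device attached and the share password at hand; the DKEK share file is the backup of the key-encryption key and must be kept as carefully as the key itself, because anyone holding it plus the wrapped blob can recover the private key. Sorting out the Docker side first (USB/PC/SC passthrough and pcscd) is sensible, since sc-hsm-tool needs the same reader access as pkcs11-tool.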


#2

Did you initialize the device first? Did you try general connectivity? Maybe it is best to test the setup first with a VM or a proper system and try with Docker afterwards. As far as I know, the usage of system components can be tricky with Docker unless you know exactly what you are doing.