I realize it’s an older HSM but if I list the mechanisms, it does show that it supports RSA keys of up to 4096. However, if I try to generate a key of that size, I get "error: PKCS11 function C_GenerateKeyPair failed: rv = CKR_DATA_INVALID (0x20)".
If I generate one with 2048, it works perfectly fine.
pkcs11-tool --list-token-slots
Available slots:
Slot 0 (0x0): Nitrokey Nitrokey HSM (010000000000000000000000) 00 00
token label :
token manufacturer : www.CardContact.de
token model : PKCS#15 emulated
token flags : login required, rng, token initialized, PIN initialized
hardware version : 24.13
firmware version : 2.5
serial num :
pin min/max : 6/15
pkcs11-tool --list-mechanisms
Using slot 0 with a present token (0x0)
Supported mechanisms:
SHA-1, digest
SHA224, digest
SHA256, digest
SHA384, digest
SHA512, digest
MD5, digest
RIPEMD160, digest
GOSTR3411, digest
ECDSA, keySize={192,521}, hw, sign, other flags=0x1d00000
ECDSA-SHA1, keySize={192,521}, hw, sign, other flags=0x1d00000
ECDH1-COFACTOR-DERIVE, keySize={192,521}, hw, derive, other flags=0x1d00000
ECDH1-DERIVE, keySize={192,521}, hw, derive, other flags=0x1d00000
ECDSA-KEY-PAIR-GEN, keySize={192,521}, hw, generate_key_pair, other flags=0x1d00000
RSA-X-509, keySize={1024,4096}, hw, decrypt, sign, verify
RSA-PKCS, keySize={1024,4096}, hw, decrypt, sign, verify
SHA1-RSA-PKCS, keySize={1024,4096}, sign, verify
SHA224-RSA-PKCS, keySize={1024,4096}, sign, verify
SHA256-RSA-PKCS, keySize={1024,4096}, sign, verify
SHA384-RSA-PKCS, keySize={1024,4096}, sign, verify
SHA512-RSA-PKCS, keySize={1024,4096}, sign, verify
MD5-RSA-PKCS, keySize={1024,4096}, sign, verify
RIPEMD160-RSA-PKCS, keySize={1024,4096}, sign, verify
RSA-PKCS-PSS, keySize={1024,4096}, hw, sign, verify
SHA1-RSA-PKCS-PSS, keySize={1024,4096}, sign, verify
SHA224-RSA-PKCS-PSS, keySize={1024,4096}, sign, verify
SHA256-RSA-PKCS-PSS, keySize={1024,4096}, sign, verify
SHA384-RSA-PKCS-PSS, keySize={1024,4096}, sign, verify
SHA512-RSA-PKCS-PSS, keySize={1024,4096}, sign, verify
RSA-PKCS-KEY-PAIR-GEN, keySize={1024,4096}, generate_key_pair
pkcs11-tool --login --pin 000000 --keypairgen --key-type rsa:4096 --id 1 --label "test" --module /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
Using slot 0 with a present token (0x0)
error: PKCS11 function C_GenerateKeyPair failed: rv = CKR_DATA_INVALID (0x20)
Aborting.
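As an added check (not part of the original post or of OpenSC), this script parses the `--list-mechanisms` output quoted above for the advertised keySize range, then probes C_GenerateKeyPair through pkcs11-tool at each candidate size and decodes the CKR_* result, deleting any key pair a successful probe leaves on the token; the module path, PIN, label "probe" and object id ff are assumptions.

```python
"""Parse `pkcs11-tool --list-mechanisms`, then probe C_GenerateKeyPair per size and decode the CKR_* result."""
import re
import subprocess
import sys

# Constructed samples: two mechanism lines and the failure line quoted in the post.
SAMPLE_MECHANISMS = """  RSA-PKCS, keySize={1024,4096}, hw, decrypt, sign, verify
  RSA-PKCS-KEY-PAIR-GEN, keySize={1024,4096}, generate_key_pair
"""
SAMPLE_ERROR = "error: PKCS11 function C_GenerateKeyPair failed: rv = CKR_DATA_INVALID (0x20)"

MECH_RE = re.compile(r"^\s*(?P<name>[A-Z0-9-]+), keySize=\{(?P<lo>\d+),(?P<hi>\d+)\}(?P<rest>.*)$")
RV_RE = re.compile(r"rv = (?P<rv>CKR_[A-Z_]+) \((?P<code>0x[0-9a-fA-F]+)\)")

def parse_mechanisms(text):
    """Map mechanism name -> (min_bits, max_bits, flags) for entries that advertise a keySize."""
    mechs = {}
    for line in text.splitlines():
        m = MECH_RE.match(line)
        if m:
            flags = [f.strip() for f in m.group("rest").split(",") if f.strip()]
            mechs[m.group("name")] = (int(m.group("lo")), int(m.group("hi")), flags)
    return mechs

def parse_rv(output):
    """(CKR name, numeric code) from a pkcs11-tool failure line, or None if no rv was reported."""
    m = RV_RE.search(output)
    return (m.group("rv"), int(m.group("code"), 16)) if m else None

def probe_keygen(bits, module, pin, obj_id="ff"):
    """Run C_GenerateKeyPair at `bits`: None on success, else (CKR name, code).
    A successful probe leaves a key pair on the token, so it is deleted again."""
    base = ["pkcs11-tool", "--module", module, "--login", "--pin", pin]
    r = subprocess.run(base + ["--keypairgen", "--key-type", f"rsa:{bits}", "--id", obj_id,
                               "--label", "probe"], capture_output=True, text=True)
    if r.returncode != 0:
        return parse_rv(r.stdout + r.stderr) or ("UNKNOWN", r.returncode)
    for t in ("privkey", "pubkey"):  # clean up the probe key pair
        subprocess.run(base + ["--delete-object", "--type", t, "--id", obj_id], capture_output=True)
    return None

if __name__ == "__main__":  # usage: probe.py /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so <PIN>
    module, pin = sys.argv[1], sys.argv[2]
    out = subprocess.run(["pkcs11-tool", "--module", module, "--list-mechanisms"],
                         capture_output=True, text=True).stdout
    lo, hi, _ = parse_mechanisms(out)["RSA-PKCS-KEY-PAIR-GEN"]
    for bits in (2048, 3072, 4096):
        claim = "advertised" if lo <= bits <= hi else "not advertised"
        print(bits, claim, probe_keygen(bits, module, pin) or "generated OK")
```

The advertised range is only the module's claim for the mechanism; the probe loop shows which sizes the token itself accepts, and the decoded rv names the refusal.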