Is RSA signing a pre-computed hash with Nitrokey HSM 2 not possible?

Vampire · November 18, 2024, 8:57pm

We bought a Nitrokey HSM 2.
We put a SignServer instance in front of it.

Now I wanted to get signing with client-side hash computation working to minimize network traffic and work the HSM has to do.

With a PKCS#12 file and according worker this works fine.
But if I try to do the same with the PKCS#11 worker for the HSM and the NONEwithRSA algorithm, I get an error saying “No such algorithm: RSA/ECB/PKCS1Padding”.

Is this not supported using Nitrokey HSM 2?

sc-hsm · November 19, 2024, 7:46am

Signing a client provided hash is the normal mode of operation for the HSM, but it depends on the PKCS#11 module if it does the correct algorithm mapping.

Are you using OpenSC or the native PKCS#11 module ?

Is that the SignServer from EJBCA ? EJBCA works fine with the HSM, so I would assume SignServer uses the same integration.

Maybe you can create a trace with pkcs11-spy to see that calls and parameter are used at the PKCS#11 interface.