Mechanisms in PKCS11 are not working for an RSA key

This may have been raised in another category (HSM2 for example) but that’s not exactly the same.

I'm trying to upload an RSA key using PKCS#11 (pkcs11-tool) because, but that's another topic, the API version is impractical.

Here is the case.

pkcs11-tool --module ${PKCS11_MODULE} --login --write-object "${KEYID}" --type privkey --id $HEXID --label injected \
  --allowed-mechanisms RSA-X-509,RSA-PKCS,SHA1-RSA-PKCS,SHA224-RSA-PKCS,SHA256-RSA-PKCS,SHA384-RSA-PKCS,SHA512-RSA-PKCS,RSA-PKCS-PSS,SHA1-RSA-PKCS-PSS,SHA224-RSA-PKCS-PSS,SHA256-RSA-PKCS-PSS,SHA384-RSA-PKCS-PSS,SHA512-RSA-PKCS-PSS,RSA-PKCS-OAEP,RSA-PKCS-KEY-PAIR-GEN

The list of mechanisms comes from pkcs11-tool --list-mechanisms.

No error whatsoever, the keys are uploaded.
Well. Fine.

But, when trying to list the keys with their mechanisms with pkcs11-tool -t, here is the result:

testing key 2 (${KEYID})
-- mechanism can't be used to decrypt, skipping
RSA-X-509: Mechanism not supported
RSA-PKCS: Mechanism not supported

Weird, isn't it?
And, indeed, using openssl for signing yields an unknown mechanism error.

OpenSSL 3.0.11 19 Sep 2023 (Library: OpenSSL 3.0.11 19 Sep 2023)
libpkcs11: 0.4.13
NetHSM module compiled from git, dated Sunday.

An idea?
Thank you.
db

1 Like

up

Can you please share the output of the GET /keys/{KeyID} endpoint for that key (or the output of nitropy nethsm get-key ${KEYID})?

1 Like
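A way to cross-check the two things this thread puts side by side, the --allowed-mechanisms list handed to pkcs11-tool in the original post and the mechanisms field of the GET /keys/{KeyID} response the reply asks for, as an added example that is neither from this thread nor from the NetHSM project. The mapping in BACKING between PKCS#11 mechanism names (as pkcs11-tool prints them) and NetHSM key mechanism names is an assumption to be verified against the nethsm-pkcs11 module's documentation, and the key JSON is a constructed sample, not a real response.

```python
import json
from typing import Dict, List, Set

# Assumed mapping (not from the thread; check it against the nethsm-pkcs11
# module's documentation): each PKCS#11 mechanism name that pkcs11-tool accepts
# for --allowed-mechanisms, with the NetHSM key mechanisms (the "mechanisms"
# field of GET /keys/{KeyID}) that can back it. A PKCS#11 mechanism counts as
# backed when at least one of its entries is present on the key.
_HASHES = ("MD5", "SHA1", "SHA224", "SHA256", "SHA384", "SHA512")
BACKING: Dict[str, Set[str]] = {
    "RSA-X-509": {"RSA_Decryption_RAW"},
    "RSA-PKCS": {"RSA_Decryption_PKCS1", "RSA_Signature_PKCS1"},
    "RSA-PKCS-OAEP": {f"RSA_Decryption_OAEP_{h}" for h in _HASHES},
    "RSA-PKCS-PSS": {f"RSA_Signature_PSS_{h}" for h in _HASHES},
}
for _h in ("SHA1", "SHA224", "SHA256", "SHA384", "SHA512"):
    # Hash-then-PKCS#1 v1.5 signing is backed by the plain PKCS1 signature
    # mechanism; hash-specific PSS needs the matching PSS mechanism.
    BACKING[f"{_h}-RSA-PKCS"] = {"RSA_Signature_PKCS1"}
    BACKING[f"{_h}-RSA-PKCS-PSS"] = {f"RSA_Signature_PSS_{_h}"}


def parse_allowed(arg: str) -> List[str]:
    """Split the comma-separated value given to --allowed-mechanisms."""
    return [m.strip() for m in arg.split(",") if m.strip()]


def check_key(allowed_arg: str, key_json: str) -> Dict[str, List[str]]:
    """Compare the requested PKCS#11 mechanisms with what the NetHSM key carries.

    Returns three lists, in the order the mechanisms were requested:
    'backed'   - the key has a NetHSM mechanism that can serve it,
    'missing'  - it does not, so the module cannot honour it for this key,
    'unmapped' - names BACKING knows nothing about (e.g. key-pair generation,
                 which is not a per-key operation at all).
    """
    key = json.loads(key_json)
    have = set(key.get("mechanisms", []))
    result: Dict[str, List[str]] = {"backed": [], "missing": [], "unmapped": []}
    for mech in parse_allowed(allowed_arg):
        needs = BACKING.get(mech)
        if needs is None:
            result["unmapped"].append(mech)
        elif needs & have:
            result["backed"].append(mech)
        else:
            result["missing"].append(mech)
    return result


# Constructed sample of a GET /keys/{KeyID} response body: only the fields this
# check reads are included, and the values are made up for the example.
SAMPLE_KEY_JSON = json.dumps({
    "type": "RSA",
    "mechanisms": [
        "RSA_Signature_PKCS1",
        "RSA_Signature_PSS_SHA256",
        "RSA_Decryption_OAEP_SHA256",
    ],
})

# The list from the original post's --allowed-mechanisms argument.
ALLOWED = ("RSA-X-509,RSA-PKCS,SHA1-RSA-PKCS,SHA224-RSA-PKCS,SHA256-RSA-PKCS,"
           "SHA384-RSA-PKCS,SHA512-RSA-PKCS,RSA-PKCS-PSS,SHA1-RSA-PKCS-PSS,"
           "SHA224-RSA-PKCS-PSS,SHA256-RSA-PKCS-PSS,SHA384-RSA-PKCS-PSS,"
           "SHA512-RSA-PKCS-PSS,RSA-PKCS-OAEP,RSA-PKCS-KEY-PAIR-GEN")

if __name__ == "__main__":
    for kind, names in check_key(ALLOWED, SAMPLE_KEY_JSON).items():
        print(f"{kind}: {', '.join(names) or '-'}")
```

Feed it the real response body instead of SAMPLE_KEY_JSON (for instance the output of nitropy nethsm get-key ${KEYID} converted to JSON). If the mapping holds, anything that lands in 'missing' is a mechanism the key itself cannot perform on the HSM side, whatever CKA_ALLOWED_MECHANISMS was set to when the object was written, which is the first thing to rule out before looking at the module or at OpenSSL.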