This may have been raised in another category (HSM2 for example) but that’s not exactly the same.
I’m trying to upload an RSA key using PKCS#11 (pkcs11-tool) because, that’s another topic, the API version is impractical.
Here is the case.
pkcs11-tool --module ${PKCS11_MODULE} --login --write-object "${KEYID}" --type privkey --id $HEXID --label injected \
  --allowed-mechanisms RSA-X-509,RSA-PKCS,SHA1-RSA-PKCS,SHA224-RSA-PKCS,SHA256-RSA-PKCS,SHA384-RSA-PKCS,SHA512-RSA-PKCS,RSA-PKCS-PSS,SHA1-RSA-PKCS-PSS,SHA224-RSA-PKCS-PSS,SHA256-RSA-PKCS-PSS,SHA384-RSA-PKCS-PSS,SHA512-RSA-PKCS-PSS,RSA-PKCS-OAEP,RSA-PKCS-KEY-PAIR-GEN
The list of mechanisms comes from pkcs11-tool --list-mechanisms.
No error whatsoever, the keys are uploaded.
Well. Fine.
But, when trying to list the keys with their mechanisms with pkcs11-tool -t, here is the result:
testing key 2 (${KEYID})
-- mechanism can't be used to decrypt, skipping
RSA-X-509: Mechanism not supported
RSA-PKCS: Mechanism not supported
Weird, isn’t it?
And, indeed, using openssl for signing yields an unknown mechanism error.
OpenSSL 3.0.11 19 Sep 2023 (Library: OpenSSL 3.0.11 19 Sep 2023)
libpkcs11: 0.4.13
NetHSM module compiled from git dated Sunday.
An idea?
Thank you.
db