Hi there,
continuing this thread…
I only recently received my Nitrokey HSM 2:
pkcs11-tool --list-slots
Available slots:
Slot 0 (0x0): Nitrokey Nitrokey HSM (DENK01000000000 ) 00 00
token label : UserPIN (test)
token manufacturer : www.CardContact.de
token model : PKCS#15 emulated
token flags : login required, rng, token initialized, PIN initialized
hardware version : 24.13
firmware version : 3.1
serial num : DENK0100000
pin min/max : 6/15
But when I try to generate RSA4096 keys on the card, I get an error:
pkcs11-tool --module /usr/lib64/opensc-pkcs11.so -l --pin 000000 --keypairgen --key-type rsa:4096 --id 10
Using slot 0 with a present token (0x0)
error: PKCS11 function C_GenerateKeyPair failed: rv = CKR_FUNCTION_NOT_SUPPORTED (0x54)
Aborting.
The same command with RSA2048 works fine:
pkcs11-tool --module /usr/lib64/opensc-pkcs11.so -l --pin 000000 --keypairgen --key-type rsa:2048 --id 10
Using slot 0 with a present token (0x0)
Key pair generated:
Private Key Object; RSA
label: Private Key
ID: 10
Usage: decrypt, sign, unwrap
Public Key Object; RSA 2048 bits
label: Private Key
ID: 10
Usage: encrypt, verify, wrap
Also, keys larger than 2048 bits are not recognized as capabilities by pkcs11-tool:
pkcs11-tool --list-mechanism
Using slot 0 with a present token (0x0)
Supported mechanisms:
SHA-1, digest
SHA256, digest
SHA384, digest
SHA512, digest
MD5, digest
RIPEMD160, digest
GOSTR3411, digest
ECDSA, keySize={192,320}, hw, sign, other flags=0x1d00000
ECDSA-SHA1, keySize={192,320}, hw, sign, other flags=0x1d00000
ECDH1-COFACTOR-DERIVE, keySize={192,320}, hw, derive, other flags=0x1d00000
ECDH1-DERIVE, keySize={192,320}, hw, derive, other flags=0x1d00000
ECDSA-KEY-PAIR-GEN, keySize={192,320}, hw, generate_key_pair, other flags=0x1d00000
RSA-X-509, keySize={1024,2048}, hw, decrypt, sign, verify
RSA-PKCS, keySize={1024,2048}, hw, decrypt, sign, verify
SHA1-RSA-PKCS, keySize={1024,2048}, sign, verify
SHA256-RSA-PKCS, keySize={1024,2048}, sign, verify
SHA384-RSA-PKCS, keySize={1024,2048}, sign, verify
SHA512-RSA-PKCS, keySize={1024,2048}, sign, verify
MD5-RSA-PKCS, keySize={1024,2048}, sign, verify
RIPEMD160-RSA-PKCS, keySize={1024,2048}, sign, verify
RSA-PKCS-KEY-PAIR-GEN, keySize={1024,2048}, generate_key_pair
How can the increased key sizes of HSM 2 be used?
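An added pre-flight check (example code, not part of the post above and not a Nitrokey or OpenSC tool): before asking the token for an RSA key pair, read the keySize range that the RSA-PKCS-KEY-PAIR-GEN mechanism advertises in `pkcs11-tool --list-mechanisms` and refuse sizes outside it, so a too-large request fails with a readable message instead of CKR_FUNCTION_NOT_SUPPORTED. The listing embedded below is a constructed sample taken from the output quoted in the post; the `MODULE` path and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): check the RSA key-pair generation
# range a PKCS#11 token advertises before requesting a key of a given size.

# Constructed sample: a trimmed copy of the mechanism listing shown in the post,
# so the script runs offline. On a real system replace it with:
#   pkcs11-tool --module "$MODULE" --list-mechanisms
MODULE=/usr/lib64/opensc-pkcs11.so   # assumed path, as in the post
SAMPLE_MECHANISMS='Supported mechanisms:
  SHA-1, digest
  ECDSA-KEY-PAIR-GEN, keySize={192,320}, hw, generate_key_pair, other flags=0x1d00000
  RSA-PKCS, keySize={1024,2048}, hw, decrypt, sign, verify
  RSA-PKCS-KEY-PAIR-GEN, keySize={1024,2048}, generate_key_pair'

# rsa_keygen_max_bits: read a mechanism listing on stdin and print the upper
# bound of keySize={min,max} for RSA-PKCS-KEY-PAIR-GEN; print 0 if the
# mechanism or its size range is not advertised at all.
rsa_keygen_max_bits() {
    awk '/^[[:space:]]*RSA-PKCS-KEY-PAIR-GEN,/ {
        if (match($0, /keySize=[{][0-9]+,[0-9]+[}]/)) {
            s = substr($0, RSTART, RLENGTH)   # e.g. keySize={1024,2048}
            sub(/.*,/, "", s)                 # keep text after the last comma
            sub(/[}]/, "", s)                 # drop the closing brace
            print s; found = 1; exit
        }
    } END { if (!found) print 0 }'
}

# rsa_keygen_supported BITS LISTING: succeed only if BITS is at most the
# advertised maximum (and a maximum was advertised).
rsa_keygen_supported() {
    bits=$1
    max=$(printf '%s\n' "$2" | rsa_keygen_max_bits)
    [ "$max" -gt 0 ] && [ "$bits" -le "$max" ]
}

# request_keygen BITS LISTING: print the command that would be safe to run, or
# explain why the request is not attempted. The real --keypairgen call is left
# for the operator, so this example never touches a token.
request_keygen() {
    bits=$1
    listing=$2
    if rsa_keygen_supported "$bits" "$listing"; then
        echo "rsa:$bits is within the advertised range; ok to run:"
        echo "  pkcs11-tool --module $MODULE -l --keypairgen --key-type rsa:$bits --id 10"
        return 0
    fi
    max=$(printf '%s\n' "$listing" | rsa_keygen_max_bits)
    echo "rsa:$bits exceeds the advertised maximum of $max bits; not attempting" >&2
    return 1
}

# Usage with the constructed listing: 2048 passes, 4096 is rejected up front.
request_keygen 2048 "$SAMPLE_MECHANISMS" || :
request_keygen 4096 "$SAMPLE_MECHANISMS" || :
```

The check only reports what the module advertises, which is the same information `pkcs11-tool --list-mechanisms` prints; whether a newer OpenSC build or firmware advertises a wider range for the HSM 2 is exactly the question the post leaves open, and the script will simply reflect whatever range the installed module reports.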