Nitrokey HSM 2 - RSA Keys >2048 / OpenSC 0.18

Hi there,

continuing this thread

I only recently received my Nitrokey HSM 2:

pkcs11-tool --list-slots
Available slots:
Slot 0 (0x0): Nitrokey Nitrokey HSM (DENK01000000000         ) 00 00
  token label        : UserPIN (test)
  token manufacturer : www.CardContact.de
  token model        : PKCS#15 emulated
  token flags        : login required, rng, token initialized, PIN initialized
  hardware version   : 24.13
  firmware version   : 3.1
  serial num         : DENK0100000
  pin min/max        : 6/15

But when I try to generate RSA4096 keys on the card, I get an error:

pkcs11-tool --module /usr/lib64/opensc-pkcs11.so -l --pin 000000 --keypairgen --key-type rsa:4096 --id 10
Using slot 0 with a present token (0x0)
error: PKCS11 function C_GenerateKeyPair failed: rv = CKR_FUNCTION_NOT_SUPPORTED (0x54)
Aborting.

The same command with RSA2048 works fine:

pkcs11-tool --module /usr/lib64/opensc-pkcs11.so -l --pin 000000 --keypairgen --key-type rsa:2048 --id 10
Using slot 0 with a present token (0x0)
Key pair generated:
Private Key Object; RSA 
  label:      Private Key
  ID:         10
  Usage:      decrypt, sign, unwrap
Public Key Object; RSA 2048 bits
  label:      Private Key
  ID:         10
  Usage:      encrypt, verify, wrap

Also, keys larger than 2048 bits are not recognized as capabilities by pkcs11-tool:

pkcs11-tool --list-mechanism
Using slot 0 with a present token (0x0)
Supported mechanisms:
  SHA-1, digest
  SHA256, digest
  SHA384, digest
  SHA512, digest
  MD5, digest
  RIPEMD160, digest
  GOSTR3411, digest
  ECDSA, keySize={192,320}, hw, sign, other flags=0x1d00000
  ECDSA-SHA1, keySize={192,320}, hw, sign, other flags=0x1d00000
  ECDH1-COFACTOR-DERIVE, keySize={192,320}, hw, derive, other flags=0x1d00000
  ECDH1-DERIVE, keySize={192,320}, hw, derive, other flags=0x1d00000
  ECDSA-KEY-PAIR-GEN, keySize={192,320}, hw, generate_key_pair, other flags=0x1d00000
  RSA-X-509, keySize={1024,2048}, hw, decrypt, sign, verify
  RSA-PKCS, keySize={1024,2048}, hw, decrypt, sign, verify
  SHA1-RSA-PKCS, keySize={1024,2048}, sign, verify
  SHA256-RSA-PKCS, keySize={1024,2048}, sign, verify
  SHA384-RSA-PKCS, keySize={1024,2048}, sign, verify
  SHA512-RSA-PKCS, keySize={1024,2048}, sign, verify
  MD5-RSA-PKCS, keySize={1024,2048}, sign, verify
  RIPEMD160-RSA-PKCS, keySize={1024,2048}, sign, verify
  RSA-PKCS-KEY-PAIR-GEN, keySize={1024,2048}, generate_key_pair

How can the increased key sizes of HSM 2 be used?

Which version of OpenSC do you use?

Currently I’m using opensuse’s stock version 0.18.0

Hi!

RSA4096 is listed as supported on my OpenSC 0.19. Using HSM2 with firmware version : 3.1.

Indeed - upgrading to opensc version 0.19.0 did the trick!

2 Likes