Nitrokey HSM2 - Unable to create ECC NIST-384 key on OpenSC 0.19

Hello everybody,
I’ve tried to generate a NIST-384 ECC but an error is returned:

pkcs11-tool --login --keypairgen --key-type EC:secp384r1

> error: PKCS11 function C_GenerateKeyPair failed: rv = CKR_DATA_INVALID (0x20)

ECC key generation is successfully when using other curves, such as prime256v1 and secp521r1.

Any clue how to solve this issue?

Hi @senesef!

  1. Which OpenSC version do you use? Please make sure it is the latest one - v0.20. This command should show it:
pkcs11-tool -I | head
  1. Please run the same command with logging enabled and save it, as in:
env OPENSC_DEBUG=9 pkcs11-tool --login --keypairgen --key-type EC:secp384r1 | tee pkcs11-secp384.log

Please do not attach the log, as the PIN will be shown raw there (unless you are using the default PIN that is). Instead please edit it and leave lines before CKR_DATA_INVALID message.
The OpenSC library version will be placed in the log file as well.

Hi Sz,
many thanks for your prompt reply. I’ve just checked that NIST-384 ECC key creation works fine using OpenSC 0.20. I was able to check this on Windows 10 (using binary) and Raspbian (after re-compiling from source) So, problem solved! :slight_smile:

BTW, is there any special reason why 384 key length (as opposed to 521) doesn’t work with OpenSC 0.19?


1 Like


Looking at the v0.20 changelog (CTRL+F-> SC HSM) it looks like it was just added in this release. These are done only once a year, so differences between versions are quite big.