Nitrokey Pro 2 - PKCS#11 key generation with Java and OpenSC

Hey @Vlasonag

pkcs11-tool uses a keysize of 1024 by default, and the Pro only supports 2048 for generation, as you can see in pkcs11-tool -M: (edit: the Nitrokey Pro actually does, but recent OpenSC versions limit it to keysizes)

...
RSA-PKCS-KEY-PAIR-GEN, keySize={2048,2048}, generate_key_pair
...

so you'll have to pass the proper keysize as --key-type RSA:2048; for me the key generation works with the following command line:

$ pkcs11-tool --login-type so --pin 12345678 --so-pin 12345678 -k --key-type RSA:2048 --slot 0

Key pair generated:
Private Key Object; RSA 
  label:      Private Key
  ID:         e813d1180bb86188682b7969bb32c7b5d12eb4fa
  Usage:      decrypt, sign
  Access:     none
Public Key Object; RSA 16384 bits
  label:      Private Key
  ID:         e813d1180bb86188682b7969bb32c7b5d12eb4fa
  Usage:      encrypt, verify
  Access:     none

depending on how you provide your PIN the command may differ; the essential part is: -k --key-type RSA:2048

disclaimer: never use PINs in command lines :wink:

edit: you can also see the PKCS#11 commands directly used for generation (if you need them to do this in code) by just setting OPENSC_DEBUG=9 as an environment variable; then you should see a lot of debug output, search it for C_GenerateKeyPair and you'll see the PKCS#11 arguments passed to the RSA-PKCS-KEY-PAIR-GEN mechanism.

cheers

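The same generation done from Java through the SunPKCS11 bridge to OpenSC, as an added example that is not from this thread. It assumes the OpenSC module path shown, slot 0 as in the post, a Java 9+ runtime, and that the token accepts the user-PIN login SunPKCS11 performs (the post used the SO PIN with pkcs11-tool; on a token that insists on the SO PIN for generation this step has to be adapted).

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.RSAKeyGenParameterSpec;
import java.util.Arrays;

public class NitrokeyKeyGen {
    // Assumed path to the OpenSC PKCS#11 module; adjust for your distribution.
    static final String OPENSC_LIB = "/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so";

    // Inline SunPKCS11 configuration (the "--" prefix means inline text, not a file).
    // slot = 0 mirrors "--slot 0"; the attributes line requests persistent token
    // objects (CKA_TOKEN) instead of the session objects SunPKCS11 creates by default.
    static final String CONFIG = "--name = OpenSC\n"
        + "library = " + OPENSC_LIB + "\n"
        + "slot = 0\n"
        + "attributes(generate, *, CKK_RSA) = { CKA_TOKEN = true }\n";

    public static void main(String[] args) throws Exception {
        // Read the PIN interactively rather than passing it on the command line.
        char[] pin = System.console().readPassword("PIN: ");
        Provider p = Security.getProvider("SunPKCS11").configure(CONFIG);
        Security.addProvider(p);

        // Loading the PKCS11 KeyStore is what triggers C_Login on the token.
        KeyStore ks = KeyStore.getInstance("PKCS11", p);
        ks.load(null, pin);
        Arrays.fill(pin, '\0');

        // Maps to C_GenerateKeyPair with CKM_RSA_PKCS_KEY_PAIR_GEN. 2048 is the
        // size pkcs11-tool -M reports as supported; the 1024-bit default is rejected.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", p);
        kpg.initialize(new RSAKeyGenParameterSpec(2048, RSAKeyGenParameterSpec.F4));
        KeyPair kp = kpg.generateKeyPair();

        // Round trip on the token: sign with the new private key, verify with the public key.
        byte[] msg = "constructed test message".getBytes(StandardCharsets.UTF_8);
        Signature signer = Signature.getInstance("SHA256withRSA", p);
        signer.initSign(kp.getPrivate());
        signer.update(msg);
        byte[] sig = signer.sign();

        Signature verifier = Signature.getInstance("SHA256withRSA", p);
        verifier.initVerify(kp.getPublic());
        verifier.update(msg);
        System.out.println("generated 2048-bit RSA key, signature verifies: " + verifier.verify(sig));
    }
}
```

Run it with OPENSC_DEBUG=9 set, as the post suggests, and the C_GenerateKeyPair call with its CKA_MODULUS_BITS = 2048 attribute shows up in the OpenSC log.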