OpenSSL create CSR error

Hi,

I am using Nitrokey HSM2. I installed OpenSC 0.19.0, OpenSSL 1.1.1c and libp11 from git. I initialized the Nitrokey HSM2. Result of the pkcs11-tool:

Slot 0 (0x0): Nitrokey Nitrokey HSM (010000000000000000000000) 00 00
  token label        : UserPIN (PES-HSM-test)
  token manufacturer : www.CardContact.de
  token model        : PKCS#15 emulated
  token flags        : login required, rng, token initialized, PIN initialized
  hardware version   : 24.13
  firmware version   : 3.2
  serial num         : DENK0102473
  pin min/max        : 6/15

Now I am trying to create CSR (certificate signing request), with OpenSSL. Command:
OPENSSL_CONF=hsm.conf openssl req -new -keyform engine -engine pkcs11 -x509 -subj "/CN=Test" -out cert.pem -key id_10

hsm.conf:

openssl_conf = openssl_def

[openssl_def]
engines = engine_section

[req]
distinguished_name = req_distinguished_name

[req_distinguished_name]
# empty.

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib/x86_64-linux-gnu/engines-1.1/libpkcs11.so
MODULE_PATH = /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
PIN = 123456
init = 0

Problem is, that I am getting error like this:

139816463811648:error:8207A054:PKCS#11 module:pkcs11_private_encrypt:Function not supported:p11_rsa.c:120:
139816463811648:error:0D0DC006:asn1 encoding routines:ASN1_item_sign_ctx:EVP lib:crypto/asn1/a_sign.c:224:

Thanks for any idea.
Tomas Klein

I found out, that if size of the key is RSA2048 there is no problem, but if key size is RSA3072 or RSA4096, there is the error with PKCS module.

Hi!

RSA 4096 should be supported since OpenSC 0.19, but perhaps not in every place yet. We had similar topic here: Nitrokey HSM 2 - RSA Keys >2048. I think it would be worth to register a ticket there (OpenSC issues page), if all else fails.

Have you tried with sc-hsm-pkcs11.so PKCS#11 module, instead of OpenSC’s one? Here is its documentation, and the project.

You may want as well to update the smart card’s firmware: https://www.smartcard-hsm.com/support.html.

Hi @Tomas_Klein!

Could you share briefly, which one of the proposed solutions has helped you?