OpenSSL create CSR error

Tomas_Klein · August 28, 2019, 1:20pm

Hi,

I am using Nitrokey HSM2. I installed OpenSC 0.19.0, OpenSSL 1.1.1c and libp11 from git. I initialized the Nitrokey HSM2. Result of the pkcs11-tool:

Slot 0 (0x0): Nitrokey Nitrokey HSM (010000000000000000000000) 00 00
  token label        : UserPIN (PES-HSM-test)
  token manufacturer : www.CardContact.de
  token model        : PKCS#15 emulated
  token flags        : login required, rng, token initialized, PIN initialized
  hardware version   : 24.13
  firmware version   : 3.2
  serial num         : DENK0102473
  pin min/max        : 6/15

Now I am trying to create CSR (certificate signing request), with OpenSSL. Command:
OPENSSL_CONF=hsm.conf openssl req -new -keyform engine -engine pkcs11 -x509 -subj "/CN=Test" -out cert.pem -key id_10

hsm.conf:

openssl_conf = openssl_def

[openssl_def]
engines = engine_section

[req]
distinguished_name = req_distinguished_name

[req_distinguished_name]
# empty.

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib/x86_64-linux-gnu/engines-1.1/libpkcs11.so
MODULE_PATH = /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
PIN = 123456
init = 0

Problem is, that I am getting error like this:

139816463811648:error:8207A054:PKCS#11 module:pkcs11_private_encrypt:Function not supported:p11_rsa.c:120:
139816463811648:error:0D0DC006:asn1 encoding routines:ASN1_item_sign_ctx:EVP lib:crypto/asn1/a_sign.c:224:

Thanks for any idea.
Tomas Klein

Tomas_Klein · August 29, 2019, 8:17am

I found out, that if size of the key is RSA2048 there is no problem, but if key size is RSA3072 or RSA4096, there is the error with PKCS module.

szszszsz · August 30, 2019, 8:14am

Hi!

RSA 4096 should be supported since OpenSC 0.19, but perhaps not in every place yet. We had similar topic here: Nitrokey HSM 2 - RSA Keys >2048. I think it would be worth to register a ticket there (OpenSC issues page), if all else fails.

Have you tried with sc-hsm-pkcs11.so PKCS#11 module, instead of OpenSC’s one? Here is its documentation, and the project.

You may want as well to update the smart card’s firmware: https://www.smartcard-hsm.com/support.html.

szszszsz · September 11, 2019, 9:42am

Hi @Tomas_Klein!

Could you share briefly, which one of the proposed solutions has helped you?

Tomas_Klein · October 18, 2019, 8:35am

Hello,

problem was with library from OpenSC. Library from the smartcard-hsm webpage works