Problem importing AES 128 key

The HSM does not allow import of sensitive key material in plain for security reasons. Sensitive key material would traverse several layers in the application and operating system with the risk of unwanted disclosure.

You will need to use a Key Encryption Key for import. The easiest way is to use the importAES.js script from the SmartCard-HSM Workspace. It is contained in the SmartCard-HSM Starterkit:

var aes = new Key();
aes.setComponent(Key.AES, new ByteString("00112233445566778899AABBCCDDEEFF", HEX));

// Use default crypto provider
var crypto = new Crypto();

// Create card access object
var card = new Card(_scsh3.reader);

card.reset(Card.RESET_COLD);

// Create SmartCard-HSM card service
var sc = new SmartCardHSM(card);

// Attach key store
var ks = new HSMKeyStore(sc);

// Initialize with key domain
var sci = new SmartCardHSMInitializer(card);
sci.setKeyDomains(1);
sci.initialize();

// Create DKEK domain with 00.00 DKEK
sc.createDKEKKeyDomain(0, 1);
var share = new ByteString("0000000000000000000000000000000000000000000000000000000000000000", HEX);
sc.importKeyShare(0, share);

// Create DKEK encoder and import share
var dkek = new DKEK(crypto);
dkek.importDKEKShare(share);

// Encode AES key into blob
var blob = dkek.encodeAESKey(aes);
dkek.dumpKeyBLOB(blob);

// Import the encrypted blob into the key store as a 128-bit AES key
var key = ks.importAESKey("ImportedAESKey", blob, 128);

What the script does is create a DKEK key domain on the HSM with a known key share of all ‘00’. It then encrypts the plain key value into a suitable key blob, which is then imported.

Of course you should either choose a secret DKEK share or clear the DKEK share in the HSM to prevent later export under the known DKEK.