Signature with NetHSM

Hello friends

I launched NetHSM and connected to it through pkcs11-tool and nitropy.

I used the following command to sign:

echo "NetHSM rulez!" | openssl dgst -sha256 -binary | pkcs11-tool \
  --module /usr/lib/nitrokey/libnethsm_pkcs11.so \
  --sign --label rsakey --mechanism RSA-PKCS-PSS --hash-algorithm SHA256 \
  --output-file data.sig --signature-format openssl

But I encountered the following error. Where could the problem be?

Using slot 0 with a present token (0x0)
Using signature algorithm RSA-PKCS-PSS
PSS parameters: hashAlg=SHA256, mgf=MGF1-SHA256, salt_len=32 B
error: PKCS11 function C_SignInit failed: rv = CKR_MECHANISM_INVALID (0x70)
Aborting.

Hey hey,

Generally, the interaction between different tools and the “translation” of the various modes/mechanisms often leads to issues. Specifically, in this case it is also important to mention that there is a difference between a mechanism that does the hashing by itself and one that already receives hashed content. NetHSM currently only supports the latter.

Here is a complete example using OpenSC + curl with the SHA256-RSA-PKCS-PSS mechanism, taken from our tests inside the nethsm-pkcs11 repository:

#!/bin/sh -x

set -e
KEYID=rsakey

# pkcs11-tool expects --id as hex; the script passes the key ID's bytes as the CKA_ID
HEXID=$(echo -n ${KEYID} | xxd -ps)

rm -rf _data.sig _public.pem

# Fetch the public key over the REST API (-k skips TLS verification: local test instance only)
curl -s --fail-with-body -k -u operator:opPassphrase -v -X GET \
  https://localhost:8443/api/v1/keys/$KEYID/public.pem -o _public.pem

# SHA256-RSA-PKCS-PSS hashes the piped data itself, so there is no openssl dgst step in front
echo 'NetHSM rulez!' | pkcs11-tool --module ./target/debug/libnethsm_pkcs11.so  -v \
  --sign --mechanism SHA256-RSA-PKCS-PSS --output-file _data.sig --id $HEXID

# Verify over the same bytes; rsa_pss_saltlen:-1 means salt length equal to the digest length
echo 'NetHSM rulez!' | openssl dgst -keyform PEM -verify _public.pem -sha256 \
  -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 -signature _data.sig

best
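As an added example that is not from this thread or from the nethsm-pkcs11 project, the pure-Python model below shows the distinction the reply is pointing at. `sign_prehashed` stands in for RSA-PKCS-PSS (the caller has already hashed, as the first post's `openssl dgst -sha256 -binary |` does) and `sign_message` for SHA256-RSA-PKCS-PSS (the mechanism hashes the piped data itself). Both pad the same SHA-256 digest with EMSA-PSS and a 32-byte salt, so both verify the way `openssl dgst -sha256 -verify ... -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1` does; hashing in the shell and then also picking the hashing mechanism double-hashes the data and fails verification. The key generation, function names and toy 1024-bit key size are this example's own assumptions, not NetHSM behaviour.

```python
"""Pure-Python model of the two PKCS#11 RSA-PSS mechanism families from the thread:
sign_prehashed(digest) ~ RSA-PKCS-PSS (caller hashed already); sign_message(message)
~ SHA256-RSA-PKCS-PSS (mechanism hashes). Toy key, no hardening: not NetHSM code."""
import hashlib
import secrets

HLEN = 32    # SHA-256 digest length
SLEN = HLEN  # salt length == digest length, i.e. openssl's rsa_pss_saltlen:-1

def sha256(data):
    return hashlib.sha256(data).digest()

def _is_probable_prime(n, rounds=32):  # Miller-Rabin; fine for a throwaway demo key
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_key(bits=1024, e=65537):
    """Return (private=(n, d), public=(n, e)); 1024 bits is a toy size."""
    def prime(k):  # top two bits set so p*q has exactly 2k bits; low bit set so odd
        while True:
            c = secrets.randbits(k) | (1 << (k - 1)) | (1 << (k - 2)) | 1
            if _is_probable_prime(c):
                return c
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is gcd(e, phi) == 1
            return (p * q, pow(e, -1, phi)), (p * q, e)

def _mgf1(seed, mask_len):
    blocks = range((mask_len + HLEN - 1) // HLEN)
    return b"".join(sha256(seed + c.to_bytes(4, "big")) for c in blocks)[:mask_len]

def _pss_encode(mhash, em_bits):
    """EMSA-PSS-ENCODE (RFC 8017, 9.1.1) over an already-computed digest."""
    em_len = (em_bits + 7) // 8
    if em_len < HLEN + SLEN + 2:
        raise ValueError("modulus too small for this hash/salt length")
    salt = secrets.token_bytes(SLEN)
    h = sha256(b"\x00" * 8 + mhash + salt)
    db = b"\x00" * (em_len - SLEN - HLEN - 2) + b"\x01" + salt
    masked = bytes(a ^ b for a, b in zip(db, _mgf1(h, em_len - HLEN - 1)))
    top_mask = 0xFF >> (8 * em_len - em_bits)  # clear the excess leading bits
    return bytes([masked[0] & top_mask]) + masked[1:] + h + b"\xbc"

def _pss_verify(mhash, em, em_bits):
    """EMSA-PSS-VERIFY (RFC 8017, 9.1.2)."""
    em_len = (em_bits + 7) // 8
    top_mask = 0xFF >> (8 * em_len - em_bits)
    if len(em) != em_len or em[-1] != 0xBC or em[0] & (0xFF ^ top_mask):
        return False
    masked, h = em[:em_len - HLEN - 1], em[em_len - HLEN - 1:-1]
    db = bytes(a ^ b for a, b in zip(masked, _mgf1(h, em_len - HLEN - 1)))
    db = bytes([db[0] & top_mask]) + db[1:]
    ps_len = em_len - HLEN - SLEN - 2
    if db[:ps_len] != b"\x00" * ps_len or db[ps_len] != 0x01:
        return False
    return secrets.compare_digest(h, sha256(b"\x00" * 8 + mhash + db[-SLEN:]))

def sign_prehashed(priv, digest):
    """RSA-PKCS-PSS: the input is already the digest; only pad and exponentiate."""
    n, d = priv
    if len(digest) != HLEN:
        raise ValueError("RSA-PKCS-PSS with SHA-256 parameters expects a 32-byte digest")
    em = _pss_encode(digest, n.bit_length() - 1)
    return pow(int.from_bytes(em, "big"), d, n).to_bytes((n.bit_length() + 7) // 8, "big")

def sign_message(priv, message):
    """SHA256-RSA-PKCS-PSS: the mechanism hashes the data itself, then signs the digest."""
    return sign_prehashed(priv, sha256(message))

def verify(pub, message, sig):
    """What `openssl dgst -sha256 -verify -sigopt rsa_padding_mode:pss` computes."""
    n, e = pub
    s = int.from_bytes(sig, "big")
    if len(sig) != (n.bit_length() + 7) // 8 or s >= n:
        return False
    em_len, m = (n.bit_length() + 6) // 8, pow(s, e, n)  # em_len = ceil((modBits-1)/8)
    return m >> (8 * em_len) == 0 and _pss_verify(sha256(message), m.to_bytes(em_len, "big"), n.bit_length() - 1)

def demo(msg=b"NetHSM rulez!\n"):  # constructed input: the bytes `echo 'NetHSM rulez!'` pipes
    """Both mechanisms verify; hashing in the shell AND in the mechanism does not."""
    priv, pub = generate_key()
    return {"SHA256-RSA-PKCS-PSS(msg)": verify(pub, msg, sign_message(priv, msg)),
            "RSA-PKCS-PSS(sha256(msg))": verify(pub, msg, sign_prehashed(priv, sha256(msg))),
            "SHA256-RSA-PKCS-PSS(sha256(msg))": verify(pub, msg, sign_message(priv, sha256(msg)))}
```

`demo()` returns the three outcomes for the constructed message (newline included, exactly as `echo` pipes it): the two single-hash paths verify, the double-hash path does not. `sign_prehashed` also rejects anything that is not a 32-byte digest, which is the length check a module translating RSA-PKCS-PSS with SHA-256 parameters has to make before padding.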

Hello dear,
thank you for your attention.
I used your comment and fixed my problem.
Now I have a new question:
I have a public and private key and a certificate,
and I want to import them into NetHSM.
I have 2 ways: pkcs11-tool with the driver, and nitropy.
When using pkcs11-tool with the driver, I can’t specify the mechanism, and after importing the keys and certificate, as shown in red in the figure, no mechanism is visible and I get an error when signing. Please guide me: if I want to import the object, how can I make it work? (I have no problem with generating objects and signatures, but I need to be able to import.)

Make sure you have a recent nitropy version. To import key pairs (provide them as .pem), you might simply use nitropy and import-key:

❯ nitropy nethsm -h 127.0.0.1 import-key -h
Command line tool to interact with Nitrokey devices 0.4.50
Usage: nitropy nethsm import-key [OPTIONS] FILENAME

  Import a key pair from a PEM file into the NetHSM.

  If the key ID is not set, it is generated by the NetHSM.

  This command requires authentication as a user with the Administrator role.

Options:
  -m, --mechanism [RSA_Decryption_RAW|RSA_Decryption_PKCS1|RSA_Decryption_OAEP_MD5|RSA_Decryption_OAEP_SHA1|RSA_Decryption_OAEP_SHA224|RSA_Decryption_OAEP_SHA256|RSA_Decryption_OAEP_SHA384|RSA_Decryption_OAEP_SHA512|RSA_Signature_PKCS1|RSA_Signature_PSS_MD5|RSA_Signature_PSS_SHA1|RSA_Signature_PSS_SHA224|RSA_Signature_PSS_SHA256|RSA_Signature_PSS_SHA384|RSA_Signature_PSS_SHA512|EdDSA_Signature|ECDSA_Signature|AES_Encryption_CBC|AES_Decryption_CBC]
                                  The mechanisms for the new key
  --tags TEXT                     The tags for the new key
  -k, --key-id TEXT               The ID of the new key
  -h, --help                      Show this message and exit.

best

Thanks very much dear