Signtool usage with Nitrokey HSM


#1

I am trying to use the Nitrokey HSM to sign an .exe using signtool.
The initialization and key generation work fine. I installed the sc-hsm-middleware to get the minidriver necessary for the operation.
I generated:
- A root certificate on ID 01
- A signing certificate on ID 02

The pkcs15-tool -D command shows them as intended.

I want to use signtool to sign an executable:

signtool sign /n "SigningCert" /csp "Microsoft Base Smart Card Crypto Provider" /kc "15e353a3-b80b-07c0-4e70-aa07aaff8e05" /fd SHA256 /v calc.exe

The following certificate was selected:
Issued to: SigningCert
Issued by: RootAuthenticode
Expires: Wed Dec 26 16:24:31 2018
SHA1 hash: 7991ABE78760FEE9102D8F1F480707215B743CD5

The certificate is correctly chosen, but then Windows Security, while detecting the Nitrokey, fails with:

The smart card cannot perform the requested operation or the operation requires a different smart card

It seems that either the Nitrokey does not support this operation (which I don't think is the case), or that I am missing a step.

Does anyone know what I could be missing?

Alternatively, is there an alternative to signtool (Mono / line-by-line openssl)?

Thanks a lot
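A check worth running before retrying the command, added here as an example and not taken from the thread: it lists the certificates in the current user's personal store whose subject matches SigningCert (the name assumed from the post; adjust as needed) and shows the CSP provider name and key container each private key is bound to, so they can be compared with the /csp and /kc values passed to signtool.

```powershell
# Added diagnostic (not from the thread): show which CSP and key container each
# matching certificate's private key is bound to. Run in Windows PowerShell 5.1,
# where X509Certificate2.PrivateKey exposes CspKeyContainerInfo for legacy CAPI keys.
param(
    [string]$SubjectFilter = "SigningCert"   # subject CN assumed from the post
)

Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.Subject -like "*CN=$SubjectFilter*" } |
    ForEach-Object {
        $cert      = $_
        $provider  = $null
        $container = $null
        $hardware  = $null

        if ($cert.HasPrivateKey) {
            try {
                # CAPI (CSP) keys carry provider and container names here;
                # keys held by a CNG key storage provider throw instead.
                $info      = $cert.PrivateKey.CspKeyContainerInfo
                $provider  = $info.ProviderName
                $container = $info.KeyContainerName
                $hardware  = $info.HardwareDevice
            } catch {
                $provider = "(CNG key or provider not accessible: $($_.Exception.Message))"
            }
        }

        # Compare Provider with signtool /csp and KeyContainer with signtool /kc.
        [pscustomobject]@{
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey
            Provider      = $provider
            KeyContainer  = $container
            HardwareKey   = $hardware
        }
    } | Format-List
```

If HasPrivateKey is false or the provider differs from the one given to /csp, the certificate in the store is not bound to the key on the token, which is a separate problem from the token refusing the operation.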


#2

Which cryptographic algorithm and key length are you using?


#3

Doesn't the CSP need to be something like the OpenSC minidriver to actually be able to use the HSM? @jan?


#4

I understand the Minidriver is already installed.


#5

If so, it isn't used in the command, is it? I thought it might work when choosing the CSP driver name in the command instead of “Microsoft Base Smart Card Crypto Provider”. But this is just guessing here.


#6

Hello,

@jan I am using RSA 2048 keys

I have indeed installed the minidriver distributed alongside the sc-hsm-middleware.

@nitroalex I tried to use another CSP (for instance the OpenSC CSP), but then the certificate itself is not found. The system finds the certificate only with “Microsoft Base Smart Card Crypto Provider”.

Also, I did not find any option to specify the driver name. My understanding is that Windows selects the appropriate driver automatically.


#7

I don’t know what the problem is here, being honest.

Is there a more verbose (debug) output available for the signtool?