[Opendnssec-develop] Problem importing keys to SCA6K

Rickard Bellgrim rickard.bellgrim at iis.se
Fri Mar 12 16:49:38 UTC 2010


I managed to link the softhsm tool with SCA6K library, with some modifications. I did this because I wanted to import a key pair using the CreateObject functionality in PKCS#11. And I did not want to spend time on writing a separate program.

I was able to import the key pair, but there are some problems with the SCA6K card. It does not set the CKA_MODULUS_BITS, which is used by ods-hsmutil. It thus shows RSA/0 and not RSA/1024. According to PKCS#11, this attribute must not be used when creating an object, but should be added by the HSM itself. It does work if the user does provide this attribute in the template.

But when I start to sign with this key I get "WARNING: HSM returned BOGUS signature! Abort signing, retry on next resign".

The import functionality does work on SoftHSM. So something is seriously broken in the SCA6000 card.

// Rickard
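
An added example, not part of the original message and not OpenDNSSEC code: a display-side fallback that derives the RSA key size from CKA_MODULUS when a token reports CKA_MODULUS_BITS as missing or zero, which is the RSA/0 symptom described above. The `attr_t` struct is a stand-in for CK_ATTRIBUTE, and `rsa_key_bits`, `bits_from_modulus` and `demo` are hypothetical names; the sample modulus is constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
/* Attribute type values from the PKCS#11 specification. */
#define CKA_MODULUS      0x00000120UL
#define CKA_MODULUS_BITS 0x00000121UL
/* Minimal stand-in for CK_ATTRIBUTE so this builds without pkcs11.h. */
typedef struct { unsigned long type; const void *pValue; unsigned long ulValueLen; } attr_t;

/* Bit length of a big-endian unsigned integer, ignoring leading zero bytes. */
static unsigned long bits_from_modulus(const unsigned char *m, size_t len)
{
    size_t i = 0;
    while (i < len && m[i] == 0) i++;
    if (i == len) return 0;
    unsigned long bits = (unsigned long)(len - i) * 8;
    for (unsigned char top = m[i]; !(top & 0x80); top <<= 1) bits--;
    return bits;
}

/* Use CKA_MODULUS_BITS only when present and non-zero, else derive from CKA_MODULUS. */
unsigned long rsa_key_bits(const attr_t *attrs, size_t n)
{
    const attr_t *mod = NULL;
    for (size_t i = 0; i < n; i++) {
        const attr_t *a = &attrs[i];
        if (a->type == CKA_MODULUS_BITS && a->pValue && a->ulValueLen == sizeof(unsigned long)) {
            unsigned long v;
            memcpy(&v, a->pValue, sizeof v);
            if (v != 0) return v;
        } else if (a->type == CKA_MODULUS && a->pValue) {
            mod = a;
        }
    }
    return mod ? bits_from_modulus(mod->pValue, mod->ulValueLen) : 0;
}

/* Constructed sample: 1024-bit modulus, CKA_MODULUS_BITS reported as 0 or omitted. */
unsigned long demo(int with_zero_bits_attr, int leading_zero)
{
    static unsigned char buf[129];   /* buf[0] stays 0x00: optional padding byte */
    unsigned long zero = 0;
    memset(buf + 1, 0xAB, 128);
    attr_t attrs[2] = {
        { CKA_MODULUS, leading_zero ? buf : buf + 1, leading_zero ? 129u : 128u },
        { CKA_MODULUS_BITS, &zero, sizeof zero } };
    return rsa_key_bits(attrs, with_zero_bits_attr ? 2 : 1);
}
int main(void) { printf("RSA/%lu\n", demo(1, 0)); return 0; }
```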
