[gnutls-help] certtool - generate CSR without CKM_RSA_PKCS

Sébastien HAVAS sebastien.havas at ise.fr
Thu Aug 3 17:52:59 CEST 2017 

Hello,

I'm trying to generate a CSR via a RSA key pair on a HSM (ATOS BULL 
Proteccio).
Due to a law, multiple constraints have been applied to the HSM, 
including the deactivation of the CKM_RSA_PKCS signature algorithm.
As such, when I invoke the following command with certtool (version 
3.5.8), it fails at the end because it wanted to sign the CSR with the 
private key with the CKM_RSA_PKCS algorithm.

C:\Program Files\GnuTLS\bin>certtool.exe 
--provider=C:\windows\System32\nethsm.dll --generate-request 
--load-privkey "%PRIVKEY%" --load-pubkey "%PUBKEY%" --outfile 
C:\Users\shavas\Desktop\extractCSR.csr
Bull TrustWay Proteccio NetHSM 2.11
Configuration case 3 read from 
C:\Users\shavas\AppData\Roaming\Bull\Proteccio\proteccio.ini
Generating a PKCS #10 certificate request...
Token 'NUMERIA' with URL 
'pkcs11:model=Proteccio%23EL-S1;manufacturer=BULL%20S.A.S%2c%20Les%20Clayes%2c%20France;serial=81604-0050000381;token=NUMERIA' 
requires user PIN
Enter PIN:
Common name: TEST NUMERIA
Organizational unit name: NUMERIA
Organization name:
Locality name:
State or province name:
Country name (2 chars): FR
Enter the subject's domain component (DC):
UID:
Enter a dnsName of the subject of the certificate:
Enter a URI of the subject of the certificate:
Enter the IP address of the subject of the certificate:
Enter the e-mail of the subject of the certificate:
Enter a challenge password:
Does the certificate belong to an authority? (y/N):
Will the certificate be used for signing (DHE ciphersuites)? (Y/n):
Will the certificate be used for encryption (RSA ciphersuites)? (Y/n):
Will the certificate be used to sign code? (y/N):
Will the certificate be used for time stamping? (y/N):
Will the certificate be used for IPsec IKE operations? (y/N):
Will the certificate be used to sign OCSP requests? (y/N):
Is this a TLS web client certificate? (y/N):
Is this a TLS web server certificate? (y/N):
sign: PKCS #11 unsupported feature

And the logs of the HSM are clear:
>>> TW_CK [Thu Aug 03 16:59:58:127] [pid:5856 thid:4116]
     C_SignInit(0x01000002, {CKM_RSA_PKCS, NULL_PTR, 0x00000000}, 3) 
...starting
>>> TW_CK [Thu Aug 03 16:59:58:131] [pid:5856 thid:4116]
     C_SignInit hSession=0x01000002 hKey=3 ... completed(OK 0X0);
>>> TW_CK [Thu Aug 03 16:59:58:133] [pid:5856 thid:4116]
     C_Sign(0x01000002 51 bytes data) ...starting
>>> TW_CK [Thu Aug 03 16:59:58:136] [pid:5856 thid:4116]
     C_Sign hSession=0x01000002 ulDataLen=51 ulSignatureLen=256 ... 
completed(OK 0X0);
>>> TW_CK [Thu Aug 03 16:59:58:138] [pid:5856 thid:4116]
     C_Sign(0x01000002 51 bytes data) ...starting
>>> TW_CK [Thu Aug 03 16:59:58:141] [pid:5856 thid:4116]
     C_Sign ... failed (MECHANISM INVALID 0X70);

Is there a parameter to tell certtool to instead use the 
CKM_RSA_PKCS_PSS (authorized) algorithm for signing the CSR, either via 
the command line or via a template file ?

Regards,
Sébastien HAVAS

More information about the Gnutls-help mailing list