Signing with Certificates and pkcs#11


Wolfram Wadepohl

Nov 19, 2025, 5:26:29 AM
to swup...@googlegroups.com
We are using signing with openssl cms command. But openssl cms does not
support the certificate fetched over pkcs#11 from a Nitrokey HSM.

Does anyone have the same problem, or, even better, a suggestion for a solution?

--
Wolfram Wadepohl
Storopack Hans Reichenecker GmbH

ayoub...@googlemail.com

Nov 19, 2025, 5:42:14 AM
to swupdate

That should work out of the box,

something like:

$ openssl cms -sign -engine pkcs11 -keyform engine -passin pass:"pa33w0rd" -inkey /path/to/key.pem -signer /path/to/cert.pem -binary -in /path/to/sw-description -outform der -out /path/to/sw-description.sig

best
Ayoub

ayoub...@googlemail.com

Nov 19, 2025, 5:48:28 AM
to swupdate
Correction:

should of course specify the key/cert as pkcs11 URIs and not files!

Kakao Yong

Nov 19, 2025, 7:50:54 AM
to swupdate
Hello,

This is how I do it with swupdate + Nitrokey HSM 2.

1. First we need to extract the public key from the Nitrokey to include it in the rootfs (this is what swupdate uses to check the signature of the .swu, or more specifically of sw-description):

export PKCS11_MODULE_PATH="/usr/local/lib/libsc-hsm-pkcs11.so"
pkcs11-tool --module "${PKCS11_MODULE_PATH}" --read-object --type pubkey --label "OTA" > /tmp/swu_public.der
# Convert DER → PEM
openssl rsa -pubin -inform DER -in /tmp/swu_public.der -outform PEM -out /tmp/swu_public.pem

Note: In our HSM, the key label is "OTA"

2. Generate the sw-description.sig file:

export SWUPDATE_PKCS11_SIGN_KEY="pkcs11:token=SmartCard-HSM;object=OTA;type=private"
openssl dgst -sha256 -engine pkcs11 -keyform engine -sign "${SWUPDATE_PKCS11_SIGN_KEY}" -out "sw-description.sig" "sw-description"

The pkcs11: URI identifies the correct key to use:
- You can adapt it depending on your HSM configuration (name of the key, token, ...)
- Make sure it is not ambiguous (if you have multiple keys with the same label, etc.), so add more parameters if needed

ayoub...@googlemail.com

Nov 19, 2025, 9:52:36 AM
to swupdate

Yes, you are right: the openssl cms command does not accept a pkcs11 URI for the -signer parameter, so it will not work! However, the certificate is not a secret (it is a signed public key) and can be exported as a PEM file and used with openssl cms -sign.

If you absolutely need to sign using the cert directly out of the HSM, you need to write your own C/C++ code using the libcrypto API; that should definitely work in this case.

Tobias Deiminger

Nov 21, 2025, 9:58:49 AM
to swupdate
Hi,

just two remarks.

ayoub...@googlemail.com wrote on Wednesday, November 19, 2025 at 3:52:36 PM UTC+1:
...
On Wednesday, November 19, 2025 at 1:50:54 PM UTC+1 Kakao Yong wrote:
...
openssl dgst -sha256 -engine pkcs11 -keyform engine -sign "${SWUPDATE_PKCS11_SIGN_KEY}" -out "sw-description.sig" "sw-description"

Since 'openssl ... -engine pkcs11 -keyform engine ...' was mentioned a few times: This uses the legacy OpenSSL "engine API". The new way to do it is to use providers, e.g.

  openssl dgst -sha256 -provider pkcs11 -provider default -sign "${SWUPDATE_PKCS11_SIGN_KEY}" -out "sw-description.sig" "sw-description"

should work. It needs pkcs11-provider [1] in the backend (instead of libp11 engine).

And, instead of signing with openssl, you could use the swugenerator tool to conveniently create and sign your update images. It supports PKCS#11 and HSMs. We have a test in Debian for exactly that. You can look at the test script [2] to see how it works.

Cheers
Tobias

ayoub...@googlemail.com

Nov 24, 2025, 5:49:28 AM
to swupdate
His question was more about CMS sign in OpenSSL not offering to select a PKCS11 URI for the certificate parameter (independent of engine/provider); the same applies to swugenerator (based on the OpenSSL command line).
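Putting the thread's two routes together, as an added example that is not code from the thread, from any of the posters or from the swupdate project: the CMS route (key on the token via a pkcs11: URI, signer certificate exported once to a PEM file because openssl cms only takes -signer as a file) and the raw RSA/SHA-256 route from Kakao Yong's dgst command (needs only the public key on the device). The module path, the object label "OTA" and the token name are taken from the thread as assumptions, not tool defaults; the pkcs11: branch uses the OpenSSL 3 provider options Tobias mentioned and is not exercised without a token, while the PEM branch runs offline. The sw-description content is a constructed sample.

```sh
#!/bin/sh
# Added example (not from the thread or swupdate): sign sw-description for
# swupdate either as a detached CMS signature or as a raw RSA/SHA-256
# signature, with the private key in a PEM file or behind a pkcs11: URI.
set -eu

# Assumptions taken from the thread, not defaults of any tool.
PKCS11_MODULE="${PKCS11_MODULE:-/usr/local/lib/libsc-hsm-pkcs11.so}"
PKCS11_KEY_URI="${PKCS11_KEY_URI:-pkcs11:token=SmartCard-HSM;object=OTA;type=private}"

# Export the signer certificate from the token as PEM. It is public, so
# openssl cms does not need to read it through PKCS#11 at all.
export_hsm_cert() {            # export_hsm_cert LABEL OUT.pem
    pkcs11-tool --module "$PKCS11_MODULE" --read-object --type cert \
        --label "$1" > "$2.der"
    openssl x509 -inform DER -in "$2.der" -out "$2"
    rm -f "$2.der"
}

# Extra OpenSSL 3 options when KEY is a pkcs11: URI (pkcs11-provider must
# be installed); a plain PEM path needs nothing extra. The token PIN is
# supplied separately (-passin, or pin-value in the URI).
key_opts() {                   # key_opts KEY
    case "$1" in
        pkcs11:*) printf '%s' '-provider pkcs11 -provider default' ;;
        *)        printf '%s' '' ;;
    esac
}

# Detached CMS signature in DER, the form swupdate's CMS mode verifies.
# -nosmimecap keeps the S/MIME capabilities attribute out of the signature.
sign_cms() {                   # sign_cms KEY CERT.pem sw-description OUT.sig
    # word splitting of key_opts output is intended
    openssl cms -sign -binary -nosmimecap -outform DER $(key_opts "$1") \
        -inkey "$1" -signer "$2" -in "$3" -out "$4"
}

# Pre-flight check of what the device will do: exit 0 only if SIG is a valid
# detached signature over IN whose signer chains to CACERT.
verify_cms() {                 # verify_cms CACERT.pem sw-description SIG
    openssl cms -verify -binary -inform DER -in "$3" -content "$2" \
        -CAfile "$1" -out /dev/null
}

# Raw RSA PKCS#1 v1.5 over SHA-256, as in the dgst command from the thread;
# the device then only needs the exported public key.
sign_rawrsa() {                # sign_rawrsa KEY sw-description OUT.sig
    openssl dgst -sha256 $(key_opts "$1") -sign "$1" -out "$3" "$2"
}

verify_rawrsa() {              # verify_rawrsa PUB.pem sw-description SIG
    openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null
}
```

Typical use with the HSM is `export_hsm_cert OTA ota-cert.pem` once, then `sign_cms "$PKCS11_KEY_URI" ota-cert.pem sw-description sw-description.sig` per release; with a PEM key the same call takes the key path instead of the URI. Run verify_cms (or verify_rawrsa against the public key extracted as in Kakao Yong's step 1) against a deliberately altered copy of sw-description as well, so the pipeline proves that a tampered file is rejected and not only that a good one passes.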