Closed koi8 closed 1 year ago
Thanks for using our PKCS #11 library!
Based on the error message you are seeing, this looks like something that might be caused by generating a self-signed certificate with the `-sha256` option, but trying to verify it with a KMS `_SHA384` key. In the certificate generation step, did you make sure to pass `-sha384` instead of `-sha256`?
If this is not the root cause of your issue, it would be useful to know the platform and PKCS #11 library version (1.0 or 1.1) you are using, to try to reproduce. I just went through the guide and performed a successful handshake with an `EC_SIGN_P384_SHA384` key using the latest version of our library on a Debian 11 Compute Engine VM.
I initially ran into an issue with nginx not serving on port 443 because of missing symlinks, but I believe that is unrelated to the current issue you are facing.
Closing for inactivity, feel free to reopen if needed.
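The mismatch described above (certificate signed with one digest, KMS key expecting another) can be caught before nginx ever loads the certificate. The script below is an added example, not part of this thread or of the KMS PKCS #11 library; it uses a plain software P-384 key with `openssl` as a stand-in for the HSM key, and the function names (`cert_sig_alg`, `kms_digest`, `check_cert_matches_key`) are made up here.

```shell
#!/bin/sh
# Added example (not from the issue thread or the KMS PKCS #11 library):
# verifies that the digest in a certificate's signatureAlgorithm matches the
# digest named in a Cloud KMS algorithm such as EC_SIGN_P384_SHA384.
# A software key stands in for the HSM key so this runs offline; the same
# check applies to a certificate produced through the PKCS #11 engine.
set -eu

# Print the X.509 signature algorithm, e.g. "ecdsa-with-SHA384".
cert_sig_alg() {
  openssl x509 -in "$1" -noout -text |
    awk '/Signature Algorithm:/ { print $3; exit }'
}

# Digest implied by a KMS algorithm name: EC_SIGN_P384_SHA384 -> SHA384.
kms_digest() {
  printf '%s\n' "$1" | sed 's/.*_\(SHA[0-9]*\)$/\1/'
}

# Exit status 0 when the certificate was signed with the digest the key uses.
check_cert_matches_key() {  # $1 = cert path, $2 = KMS algorithm name
  cert_digest=$(cert_sig_alg "$1" | sed 's/.*SHA/SHA/')
  [ "$cert_digest" = "$(kms_digest "$2")" ]
}

# Constructed demo material: a P-384 software key, self-signed with $1.
make_demo_cert() {  # $1 = digest flag (sha256|sha384), $2 = output cert path
  key=$(mktemp)
  openssl ecparam -name secp384r1 -genkey -noout -out "$key"
  openssl req -new -x509 -key "$key" -"$1" -days 1 -subj /CN=demo \
    -out "$2" 2>/dev/null
  rm -f "$key"
}

if [ "${1:-}" = "demo" ]; then
  good=$(mktemp); bad=$(mktemp)
  make_demo_cert sha384 "$good"   # what the guide needs for a _SHA384 key
  make_demo_cert sha256 "$bad"    # the -sha256 cert that fails the handshake
  check_cert_matches_key "$good" EC_SIGN_P384_SHA384 &&
    echo "ok: -sha384 certificate matches EC_SIGN_P384_SHA384"
  check_cert_matches_key "$bad" EC_SIGN_P384_SHA384 ||
    echo "mismatch: -sha256 certificate vs EC_SIGN_P384_SHA384"
  rm -f "$good" "$bad"
fi
```

Run with `sh check.sh demo` to see both outcomes; in a deployment pipeline call `check_cert_matches_key` on the real certificate with the key's KMS algorithm name.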
To comply with internal security requirements I need to use `EC_SIGN_P384_SHA384`; the `EC_SIGN_P256_SHA256` does not fit them. When trying to use `EC_SIGN_P384_SHA384` I am getting an error in the nginx log: or similar. To reproduce the error, follow the guide https://cloud.google.com/kms/docs/reference/pkcs11-nginx and use `EC_SIGN_P384_SHA384` instead of `EC_SIGN_P256_SHA256`.

Actually, all of the available ciphers for the HSM key are not working; only `EC_SIGN_P256_SHA256` works. It will be good to extend the list of ciphers available to use with nginx, especially with more secure ones.