pyauth / python-pkcs11

PKCS#11/Cryptoki support for Python
MIT License

No sign method created on imported private key object #31

Closed conscott closed 5 years ago

conscott commented 5 years ago

Playing with signing using an imported DER private key, and the object returned from create_object() contains no sign method.

    import os
    from pkcs11 import Attribute          # python-pkcs11
    from pkcs11.util import ec

    # `token`, `data` (DER-encoded EC private key) and `label` are set up earlier
    # in the reporter's script and are not shown here.
    with token.open(rw=True, user_pin=os.environ['PIN']) as session:
        pk = ec.decode_ec_private_key(data)   # template: CLASS, KEY_TYPE, VALUE, ...
        pk[Attribute.LABEL] = label
        pk[Attribute.TOKEN] = True
        pk[Attribute.SIGN] = True
        obj = session.create_object(pk)
        der_sig = obj.sign(data)  # Fails here

Fails with AttributeError: 'PrivateKey' object has no attribute '_sign'

It looks like for some reason the SignMixin does not get added to the object type on construction and I am not really sure why.

The incoming pk also has attributes ObjectClass, Value, KEY_TYPE

I know I should just generate keypairs on the HSM instead, but I am trying to compare HSM signing R/S values to another signing.

Any ideas here?

danni commented 5 years ago

The template is passed to C_CreateObject and then read back to create the Python object, so there can be some changes based on what the HSM wants. If you check obj[Attribute.SIGN] it's probably false. Annoyingly it's a bit inconsistent, some HSMs will raise TemplateInconsistent if they don't like your arguments. Some will just change the arguments.

The question is why. Assuming your HSM supports signing... are you passing it a key type it supports signing for? I know of at least one commercial HSM where you require a separate license to use EC. Possibly for EC it could depend on the curve you're using. Most HSM libraries have a debugging mode environment variable that will print more information out to the console, and can help you understand why it's not functioning.
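The read-back check suggested above, written out as an added example (not code from this thread or from python-pkcs11): after create_object() returns, compare the attributes the token actually stored against the template that was requested, and fail with a clear error naming the altered attribute instead of discovering later that the object has no sign method. It assumes python-pkcs11's Session.create_object(template) and obj[Attribute.X] lookups; the FakeSession/FakeKeyObject stand-ins and the environment variable names in the commented real-token usage are constructed for the demo.

```python
"""Verify that a PKCS#11 token actually applied the attribute template.

Added example, not code from the issue or from python-pkcs11. It assumes
python-pkcs11's API: Session.create_object(template) returns an object that
supports obj[Attribute.X] lookups. The offline demo at the bottom uses a
constructed stand-in session that mimics a token quietly clearing SIGN.
"""


def template_mismatches(requested, obj, keys):
    """Compare what we asked for against what the token stored.

    requested: the template dict handed to create_object()
    obj:       the object create_object() returned (anything supporting obj[attr])
    keys:      the attributes worth checking (e.g. Attribute.SIGN, Attribute.TOKEN);
               sensitive ones such as VALUE are deliberately not read back.
    Returns {attr: (requested_value, stored_value)} for every silently changed attr.
    """
    mismatches = {}
    for attr in keys:
        stored = obj[attr]
        if stored != requested[attr]:
            mismatches[attr] = (requested[attr], stored)
    return mismatches


def create_checked(session, template, must_match):
    """create_object() followed by a read-back check.

    Raises ValueError naming the changed attributes instead of letting the
    caller discover later (via a missing .sign() method) that SIGN was dropped.
    """
    obj = session.create_object(template)
    bad = template_mismatches(template, obj, must_match)
    if bad:
        detail = ", ".join(f"{attr}: asked {want!r}, got {got!r}"
                           for attr, (want, got) in bad.items())
        raise ValueError(f"token altered template: {detail}")
    return obj


# --- constructed stand-ins so the check can be exercised offline -----------

class FakeKeyObject:
    """Mimics a created object whose attributes are read back from the token."""
    def __init__(self, attrs):
        self._attrs = attrs

    def __getitem__(self, attr):
        return self._attrs[attr]


class FakeSession:
    """Mimics a token that accepts the template but forces SIGN to False
    (the behaviour described in the comment above) instead of raising
    TemplateInconsistent."""
    def create_object(self, template):
        stored = dict(template)
        stored["SIGN"] = False
        return FakeKeyObject(stored)


def demo():
    """Run the check against the constructed session; returns the mismatch dict."""
    template = {"CLASS": "PRIVATE_KEY", "KEY_TYPE": "EC", "TOKEN": True,
                "SIGN": True, "VALUE": b"<constructed DER bytes>"}
    obj = FakeSession().create_object(template)
    return template_mismatches(template, obj, keys=("TOKEN", "SIGN"))


if __name__ == "__main__":
    print(demo())   # {'SIGN': (True, False)}
    # Against a real token (environment variable names are assumptions):
    #   import os, pkcs11
    #   from pkcs11 import Attribute
    #   from pkcs11.util import ec
    #   lib = pkcs11.lib(os.environ["PKCS11_MODULE"])
    #   token = lib.get_token(token_label=os.environ["TOKEN_LABEL"])
    #   with token.open(rw=True, user_pin=os.environ["PIN"]) as session:
    #       template = ec.decode_ec_private_key(der_bytes)
    #       template[Attribute.TOKEN] = True
    #       template[Attribute.SIGN] = True
    #       key = create_checked(session, template,
    #                            must_match=(Attribute.SIGN, Attribute.TOKEN))
```

Only the attributes passed in must_match are read back, so a private key's VALUE (which python-pkcs11 refuses to return for sensitive objects) is never touched; the check costs one C_GetAttributeValue per listed attribute and turns a silent template change into an immediate, explained failure.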

danni commented 5 years ago

Did we ever conclude what was going on here?

conscott commented 5 years ago

Not exactly, but I found another satisfactory path for what I was trying to test. Thank you for the feedback, I will close the ticket.