Hi, I'm hoping that someone with knowledge of evmctl is on this list and can help. I want to modify evmctl to use a HSM to perform the signature generation side of things. My first attempt, which is the easiest option, was to just replace len = RSA_private_encrypt(sizeof(sighash), sighash, sig + sizeof(*hdr) + 2, key, RSA_PKCS1_PADDING); in sign_hash_v2 with a call to C_Encrypt from the Cryptoki API but sadly this failed as I think the private key has been marked as not being able to encrypt. The call returns CKR_KEY_FUNCTION_NOT_PERMITTED. If I try the public key it's encrypts happily. I tried setting CKA_ENCRYPT on the private key but, and quite rightly, it wouldn't let me. So the next option is to try and perform the signature generation in the HSM which is a bit more involved. Before attempting, I was wondering whether this is possible or there is something in the way the signatures are generated that means that this just isn't going to work? I ask as I see that it prepends the ASN1 encoded message of what hash function was used to the actual hash. Would the HSM sign function do exactly the same if I use RSA_PKCS1_PADDING? Many Thanks in advance, Martin.
