How to use SHA512 hashing algorithm with elliptic curve to sign, in PKCS11Interop?


I am using PKCS11Interop in C#, and I got a CKR_MECHANISM_INVALID error while trying to use the Sign method. The key object I am using is of mechanism type CKM_EC_KEY_PAIR_GEN, but at signing time I use mechanism CKM_ECDSA_SHA512.

I tried to define the key mechanism as CKM_ECDSA_SHA512 at key-pair generation time, but it seems that this key type needs some attributes that I don't know. The attributes I am using are similar to the correct version of this question, but it seems using hash algorithms needs something more.

Please guide me on how I should use the SHA512 hash algorithm with an ECDSA elliptic key.

jariq On BEST ANSWER

Your unmanaged PKCS#11 library most likely does not support CKM_ECDSA_SHA512.

By returning the CKR_MECHANISM_INVALID error, your unmanaged PKCS#11 library is telling you that "An invalid mechanism was specified to the cryptographic operation". You can use the GetMechanismInfo() method to check whether the mechanism is supported:

if (!slot.GetMechanismList().Contains(CKM.CKM_ECDSA_SHA512))
    throw new Exception("Unmanaged PKCS#11 library does not support CKM_ECDSA_SHA512 mechanism");

However, the CKM_ECDSA_SHA512 (hashing and signing) mechanism is used rather rarely. It's much more common and efficient to compute the SHA512 hash in your application and then sign it with the CKM_ECDSA (just signing) mechanism.
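The hash-then-sign approach from the answer above, as an added example that is not part of the original answer or of the Pkcs11Interop project. It assumes the Pkcs11Interop 5.x HighLevelAPI interfaces, an already opened and logged-in session, and a private key handle found by the caller; the class and method names are hypothetical.

```csharp
// Added example. Assumes Pkcs11Interop 5.x (ISlot / ISession / IObjectHandle).
using System;
using System.Security.Cryptography;
using Net.Pkcs11Interop.Common;
using Net.Pkcs11Interop.HighLevelAPI;

public static class EcdsaSha512Signer // hypothetical helper name
{
    // session: opened on slot and logged in by the caller.
    // privateKey: handle of an EC private key that allows signing (CKA_SIGN).
    public static byte[] Sign(ISlot slot, ISession session, IObjectHandle privateKey, byte[] data)
    {
        // This path only needs plain CKM_ECDSA from the token, so check for
        // that mechanism instead of CKM_ECDSA_SHA512.
        if (!slot.GetMechanismList().Contains(CKM.CKM_ECDSA))
            throw new NotSupportedException("Unmanaged PKCS#11 library does not support CKM_ECDSA mechanism");

        // Step 1: compute the SHA512 hash in the application.
        byte[] digest;
        using (SHA512 sha512 = SHA512.Create())
            digest = sha512.ComputeHash(data);

        // Step 2: let the token sign the 64-byte digest with CKM_ECDSA.
        using (IMechanism mechanism = session.Factories.MechanismFactory.Create(CKM.CKM_ECDSA))
            return session.Sign(mechanism, privateKey, digest);
    }

    // CKM_ECDSA returns r || s as two fixed-length big-endian integers (not DER).
    // ECDsa.VerifyHash expects the same layout, so the token's output can be
    // checked in software against the matching public key without conversion.
    public static bool Verify(ECDsa publicKey, byte[] data, byte[] signature)
    {
        using (SHA512 sha512 = SHA512.Create())
            return publicKey.VerifyHash(sha512.ComputeHash(data), signature);
    }
}
```

On a curve whose order is shorter than 512 bits, the PKCS#11 specification expects the full digest as input to CKM_ECDSA and has the token truncate it internally.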