Crypto.sign with an engine stored private key

Hi All,

I am trying to sign a string with a an engine stored private key.
my engine loads fine, but I am getting an argument error on :crypto.sign.


def digital_signature(string) do
refrenceKey = load_engine()
privKey = %{:engine => refrenceKey, :key_id => "3"}
signature = :crypto.sign(:rsa, :sha256, string, privKey)

def load_engine() do
{:ok, engine} = :crypto.engine_load(<<"dynamic">>,[{<<"SO_PATH">>,<<"/some/path/">>},{<<"ID">>, <<"cloudhsm">>},<<"LOAD">>],[])


** (exit) an exception was raised:
** (ArgumentError) argument error
(crypto) :crypto.pkey_sign_nif(:rsa, :sha256, "{\"Username\":\"simon\",\"Timestamp\":\"2019-01-04T20:58:48.7840832Z\",\"MachineName\":\"DESKTOP-04VG111\"}", [%{:engine => #Reference<0.1907491504.29753345.12345>, :key_id => "3"}], [])
(crypto) crypto.erl:829: :crypto.sign/5
1 Like

I think the password attribute is mandatory in the map describing the private key.

When I tried to use the :crypto engine API with a YubiKey in the past I got stuck on the OpenSC PKCS#11 driver asking for a PIN using stdin/stdout. The BEAM has its own I/O handling and doesn’t let me enter the PIN. It seems weird to have a library try and perform interactive I/O like that, and I guess it must be possible to pass the PIN through the API instead, but I haven’t found a way.


I tried with the password attribute but still fails, will let know if I do find a solution to it.

I hate to jump on an old post but I kept running into this post when trying to solve how to perform digital signatures with a YubiKey. I was not able to solve how to perform the signature using a certificate in slot 9c (cert #02) because it requires user input for every signature event but slot 9e (cert #04) allowed me to login using pin once and perform a signature.

Here is the related code for posterity’s sake:

  def digital_signature(string, %{pin: _pin, slot: _slot} = opts) do
    {:ok, engine} = load_engine()
    privKey = private_key(engine, opts)
    signature = :crypto.sign(:ecdsa, :sha256, string, privKey)

  def load_engine() do
      [{"SO_PATH", libpkcs}, {"ID", "pkcs11"}, {"LOAD", ""}],
      [{"MODULE_PATH", "/usr/lib/"}]

  def private_key(engine, %{pin: pin, slot: slot}) do
      engine: engine,