
Utimaco HSM offers multiple connection APIs - JCE/PKCS11/CSP. I am running a simulator setup on Windows and imported 2 keys to internal storage with the Utimaco CSP tool, but when I connect with the JCE provider to the same device - the keystore is empty. If I import keys through JCE to internal storage, they are retrievable.

In the Utimaco documentation it is said that both CSP and JCE use the Utimaco CXI module, but it appears they are not interchangeable? Or is it something I am missing?

$ cngtool ListKeys
------------------------------------------------------------
Provider          : Utimaco CryptoServer Key Storage Provider
Device            : 3001@127.0.0.1
Group             : TEST_HSM
Mode              : Internal Key Storage
------------------------------------------------------------
Index  AlgId        Size   Group            Name                             Spec
---------------------------------------------------------------------------------
1      RSA          2048   TEST_HSM         TEST_HSM_1                       2
2      RSA          2048   TEST_HSM         TEST_HSM_2                       2
Ulterior

1 Answer


The tools provided (cxitool, cngtool, p11tool2) are aware of what keys are "theirs". For the most part, each key has metadata that is relevant to the provider that created them, and does not have the necessary metadata needed by any other provider, so -- again "for the most part" -- the keys are not interchangeable.

This is not so much a 'limitation' as a 'let's keep the user from shooting themselves in the foot'.

Yes, there are ways around this, but you have to write code using the base CXI interface.

Also, this is heavily version-dependent; the above comments might not be correct for earlier or later versions of the SecurityServer providers.

(disclaimer: I work for Utimaco)

rip...
  • But this limits us from reusing current CSP infrastructure when we try to migrate some code to Java. This will require us to duplicate keys in the storage. Thank you for your explanation – Ulterior Jun 28 '20 at 08:09
  • If you limit yourself to one of the standards-based APIs. With CXI (C++ or Java) or the SDK you have much more control over what keys are visible. – rip... Jul 01 '20 at 03:29
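The question compares the CSP view (`cngtool ListKeys`) with an empty JCE keystore, and the answer explains that each provider only shows keys carrying its own metadata. The following is an added example, not code from the question, the answer, or Utimaco, that produces the JCE-side inventory so the two views can be compared key by key. It uses only the standard `java.security` API (not the CXI interface the answer mentions); the provider name, KeyStore type and PIN are assumptions passed on the command line, and the provider is assumed to be already registered (via `java.security` or `Security.addProvider`).

```java
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.util.Enumeration;

/**
 * Lists the entries a given JCE provider exposes through its KeyStore
 * service, to compare with what "cngtool ListKeys" shows on the CSP side.
 *
 * Assumptions (not from the page): the provider is already installed, and
 * the provider name, KeyStore type and optional PIN are given as arguments.
 */
public class JceKeyInventory {

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: JceKeyInventory <providerName> <keyStoreType> [pin]");
            System.exit(2);
        }
        String providerName = args[0];
        String keyStoreType = args[1];
        char[] pin = args.length > 2 ? args[2].toCharArray() : null;

        // First show every installed provider that offers a KeyStore service,
        // which helps when the HSM provider is registered under another name.
        for (Provider p : Security.getProviders()) {
            for (Provider.Service s : p.getServices()) {
                if ("KeyStore".equals(s.getType())) {
                    System.out.printf("provider %-24s KeyStore type %s%n",
                            p.getName(), s.getAlgorithm());
                }
            }
        }

        // Open the HSM-backed store. Hardware providers are typically opened
        // with a null stream and authenticate with the PIN; this detail is
        // provider-specific and assumed here.
        KeyStore ks = KeyStore.getInstance(keyStoreType, providerName);
        ks.load(null, pin);

        // Enumerate what this provider is willing to show. Keys created by a
        // different provider (e.g. the CSP tool) are expected to be absent.
        int count = 0;
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            String kind = ks.isKeyEntry(alias) ? "key"
                    : ks.isCertificateEntry(alias) ? "certificate" : "other";
            System.out.printf("%-32s %s%n", alias, kind);
            count++;
        }
        System.out.printf("%d entries visible via provider %s (type %s)%n",
                count, providerName, keyStoreType);
    }
}
```

Run it once per provider and diff the alias lists against the `Name` column of `cngtool ListKeys`; an alias present on one side and missing on the other is exactly the metadata-scoped visibility the answer describes, which matters when planning key duplication or a migration between providers.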