Description
I’m using the pymdoccbor library to sign mDocs with a keystore, and that workflow works correctly.
However, I’m now trying to secure the process by using an HSM to sign the CBOR data, and I encounter an error during signing. Below is a simplified snippet showing only the library-related implementation.
```python
# Import path assumed from the pymdoccbor package layout; data, validity
# and cert_path are prepared elsewhere in the issuer class.
from pymdoccbor.mdoc.issuer import MdocCborIssuer

self.mdoci: MdocCborIssuer = MdocCborIssuer(
    alg="ES256", kid="kid-test",
    hsm=True,
    key_label="alias-test",
    user_pin="1234",
    lib_path="/usr/lib/softhsm/libsofthsm2.so",
    slot_id=0,
)
self.mdoci.new(
    doctype="eu.europa.ec.av.1", data=data, validity=validity, cert_path=cert_path
)
```
I’m using a local HSM (SoftHSM), which I’ve successfully used in other projects (for example, signing JWTs), so the HSM itself appears to be working properly.
After debugging, the issue seems to originate in the MsoIssuer class. Specifically:
- When calling msoi.sign(...) (inside self.mdoci.new(...)) with self.hsm = True, no value is assigned to the key field of the Sign1Message.
- When self.hsm = False, the key is assigned correctly (as it uses the private key directly).
However, the error does not occur at this stage.
The actual error happens later, when mso.encode(...) is called. At that point, the compute_signature(...) method from the SignCommon class (in the pycose library) is executed and fails with the error: "Exception: Key cannot be None".
So my questions are:
- Is HSM-based signing currently supported in this flow?
- If not, is support planned for a future release?
- Or could this be due to a configuration issue on my side?
Thanks in advance for any clarification.
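As an added illustration (not code from the issue, pymdoccbor or pycose): the "Key cannot be None" path exists because pycose signs the COSE Sig_structure with a local key object at encode time, so an HSM integration has to hand exactly those bytes to the token and attach the returned signature itself. The block below builds the Sig_structure and the final COSE_Sign1 with a minimal CBOR encoder; the `signer` callable stands in for the HSM operation and the algorithm/kid values are assumptions.

```python
import struct
from typing import Callable

# Minimal deterministic CBOR encoder (RFC 8949) for the types COSE_Sign1 needs.
def _head(major: int, n: int) -> bytes:
    """Encode the initial byte(s) for a major type with argument n."""
    if n < 24:
        return bytes([(major << 5) | n])
    for ai, fmt in ((24, ">B"), (25, ">H"), (26, ">I"), (27, ">Q")):
        if n < 1 << (8 * struct.calcsize(fmt)):
            return bytes([(major << 5) | ai]) + struct.pack(fmt, n)
    raise ValueError("integer too large for CBOR")

def cbor(v) -> bytes:
    """Encode int, bytes, str, list or dict (keys in insertion order)."""
    if isinstance(v, int):
        return _head(0, v) if v >= 0 else _head(1, -1 - v)
    if isinstance(v, bytes):
        return _head(2, len(v)) + v
    if isinstance(v, str):
        b = v.encode("utf-8")
        return _head(3, len(b)) + b
    if isinstance(v, list):
        return _head(4, len(v)) + b"".join(cbor(x) for x in v)
    if isinstance(v, dict):
        return _head(5, len(v)) + b"".join(cbor(k) + cbor(x) for k, x in v.items())
    raise TypeError(f"unsupported type {type(v).__name__}")

ALG, KID, ES256 = 1, 4, -7  # COSE header labels and algorithm id (RFC 9053)

def protected_header(kid: bytes) -> bytes:
    """Serialized protected header {1: ES256, 4: kid}; it is bstr-wrapped later."""
    return cbor({ALG: ES256, KID: kid})

def sig_structure(protected: bytes, payload: bytes, external_aad: bytes = b"") -> bytes:
    """RFC 9052 Sig_structure for COSE_Sign1: the bytes the HSM must actually sign."""
    return cbor(["Signature1", protected, external_aad, payload])

def sign1_with_external_signer(kid: bytes, payload: bytes,
                               signer: Callable[[bytes], bytes]) -> bytes:
    """Build a tagged COSE_Sign1 whose signature comes from an external signer
    (assumed HSM callback) instead of a key object held in the message."""
    protected = protected_header(kid)
    signature = signer(sig_structure(protected, payload))
    # COSE_Sign1 = [protected, unprotected, payload, signature], CBOR tag 18 (0xd2)
    return b"\xd2" + cbor([protected, {}, payload, signature])
```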