[openssl-users] openssl ca pkcs11 UI_set_result_ex:result too large:crypto/ui/ui_lib.c:910:You must type in 4 to 32 characters

Peter Magnusson blaufish.public.email at gmail.com
Tue Oct 16 07:54:08 UTC 2018


The error can be worked around by entering PIN = "..." into [pkcs11_section].
The pkcs11 engine version is libp11-0.4.9.
Does anyone know if this is 1) a libp11 issue, 2) an openssl issue, or 3) me
doing something wrong?

On Mon, Oct 15, 2018 at 5:40 PM Peter Magnusson
<blaufish.public.email at gmail.com> wrote:
>
> Hi,
>
> I'm trying to understand how to make "openssl ca" prompt for a PKCS#11
> login pin. Version is openssl-1.1.1.
>
> openssl req works as I would expect, prompting for PIN:
>
> YUBIHSM_PKCS11_CONF=yubihsm2-pkcs11.conf \
> local-build/bin/openssl \
>  req -config yubihsm2-openssl.conf -new \
>  -engine pkcs11 -keyform engine -key slot_0-label_ca_key -out
> certs.dir/ca.csr.pem
> engine "pkcs11" set.
> Enter PKCS#11 token PIN for YubiHSM:
>
> openssl ca I fail to get working, no prompt presented, tried adding
> -passin stdin but that has no effect.
>
> YUBIHSM_PKCS11_CONF=yubihsm2-pkcs11.conf \
>  local-build/bin/openssl ca -passin stdin -engine pkcs11 -keyform
> engine -key "pkcs11:token=YubiHSM;object=ca_key;type=private" \
>  -config yubihsm2-openssl.conf \
>  -days 3650 -extensions vpn_server_cert \
>  -out server.cert.pem \
>  -infiles ../server/certs.dir/server.csr.pem
> engine "pkcs11" set.
> Using configuration from yubihsm2-openssl.conf
> Login failed
> Login to token failed, returning NULL...
> PKCS11_get_private_key returned NULL
> cannot load CA private key from engine
> 140735853761408:error:28078064:UI routines:UI_set_result_ex:result too
> large:crypto/ui/ui_lib.c:910:You must type in 4 to 32 characters
> 140735853761408:error:82074007:PKCS#11 module:pkcs11_login:Invalid
> arguments:p11_slot.c:240:
> 140735853761408:error:26096080:engine
> routines:ENGINE_load_private_key:failed loading private
> key:crypto/engine/eng_pkey.c:78:
> unable to load CA private key
>
> Best Regards
> //P
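
The workaround in this thread puts the token PIN into [pkcs11_section] of the OpenSSL configuration file, so that file's permissions now guard the PIN. The script below is an added example, not part of the original message or of OpenSSL/libp11: it reports whether a config section sets a PIN and whether the file is readable only by its owner. The function names, the sample config, the module path and the PIN value are constructed placeholders.

```shell
#!/bin/sh
# Added example: audit an OpenSSL config that carries a PKCS#11 engine PIN.
# Function names and all sample values are hypothetical.

# Constructed sample config; MODULE_PATH and PIN are placeholders.
write_sample_conf() {
    cat > "$1" <<'EOF'
[engine_section]
pkcs11 = pkcs11_section

[ pkcs11_section ]
engine_id = pkcs11
MODULE_PATH = /path/to/pkcs11-module.so
# PIN = commented-out lines are ignored
PIN = "constructed-example-pin"
EOF
}

# Succeeds if section $2 of config file $1 sets an uncommented PIN key.
pin_in_section() {
    awk -v want="[$2]" '
        /^[ \t]*\[/ { gsub(/[ \t]/, ""); cur = $0; next }
        cur == want && /^[ \t]*PIN[ \t]*=/ { found = 1 }
        END { exit !found }
    ' "$1"
}

# Succeeds only if group and other have no permission bits on file $1.
private_to_owner() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Prints no-pin, pin-owner-only or pin-exposed for config $1, section $2.
audit_engine_conf() {
    if ! pin_in_section "$1" "$2"; then
        echo "no-pin"
    elif private_to_owner "$1"; then
        echo "pin-owner-only"
    else
        echo "pin-exposed"
    fi
}

# Demo on the constructed sample, created with mode 0644.
conf=$(mktemp) && write_sample_conf "$conf" && chmod 644 "$conf"
audit_engine_conf "$conf" pkcs11_section
rm -f "$conf"
```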
