[openssl-users] Softhsm + engine_pkcs11 + openssl with EC keys fail.
Paras Shah (parashah)
parashah at cisco.com
Mon Sep 17 20:59:59 UTC 2018
I have softhsm-v2.5.0-rc1 which has ec keys imported in it. Now, when I try to use these keys from openssl CLI using the pkcs11 engine, it fails.
1. SoftHSM version
[]:~$ softhsm2-util --version
2.5.0rc1
2. SoftHSM token init
[]:~$ softhsm2-util --init-token --slot 0 --label "token 2.5.0-rc1"
=== SO PIN (4-255 characters) ===
Please enter SO PIN: ****
Please reenter SO PIN: ****
=== User PIN (4-255 characters) ===
Please enter user PIN: ****
Please reenter user PIN: ****
The token has been initialized and is reassigned to slot 928024111
3. ECC key in pkcs8 format
[]:~$ openssl pkey -in ~/tmp/secp256k1-key.pem.pkcs8 -text
-----BEGIN PRIVATE KEY-----
MIGEAgEAMBAGByqGSM49AgEGBSuBBAAKBG0wawIBAQQgYCXpIJyEAexhkvrCMGlF
A4sQItcIp6wm83WVoeOFzEyhRANCAATMfAkLtsynHRmRyYLn+uRpJUm6bOZJBQhK
N81nJv06fN6MY0nEzWG9jJsvSNlf5jW7yecbje2wWQL/JYqviFwr
-----END PRIVATE KEY-----
Private-Key: (256 bit)
priv:
60:25:e9:20:9c:84:01:ec:61:92:fa:c2:30:69:45:
03:8b:10:22:d7:08:a7:ac:26:f3:75:95:a1:e3:85:
cc:4c
pub:
04:cc:7c:09:0b:b6:cc:a7:1d:19:91:c9:82:e7:fa:
e4:69:25:49:ba:6c:e6:49:05:08:4a:37:cd:67:26:
fd:3a:7c:de:8c:63:49:c4:cd:61:bd:8c:9b:2f:48:
d9:5f:e6:35:bb:c9:e7:1b:8d:ed:b0:59:02:ff:25:
8a:af:88:5c:2b
ASN1 OID: secp256k1
4. Import the key into softhsm
[]:~$ softhsm2-util --import ~/tmp/secp256k1-key.pem.pkcs8 --label "ec key" --id 1111 --token "token 2.5.0-rc1"
Found slot 928024111 with matching token label.
=== User PIN (4-255 characters) ===
Please enter user PIN: ****
Please reenter user PIN: ****
The key pair has been imported.
5. Get the pkcs11 url for the private key
[]:~$ p11tool --login --provider=/usr/local/lib/softhsm/libsofthsm2.so --set-pin=1111 --list-all
Object 0:
URL: pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=6a160d52b750862f;token=token%202.5.0-rc1;id=%11%11;object=ec%20key;type=private
Type: Private key
Label: ec key
Flags: CKA_PRIVATE; CKA_SENSITIVE;
ID: 11:11
Object 1:
URL: pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=6a160d52b750862f;token=token%202.5.0-rc1;id=%11%11;object=ec%20key;type=public
Type: Public key
Label: ec key
ID: 11:11
6. Try to access key with openssl engine.
[]:~$ openssl version
OpenSSL 1.1.1 11 Sep 2018
[]:~$ more ~/tmp/openssl.cnf
openssl_conf = openssl_init
[openssl_init]
engines=engine_section
[engine_section]
pkcs11 = pkcs11_section
[pkcs11_section]
engine_id = pkcs11
dynamic_path = /Users/parashah/Downloads/libp11-0.4.9/src/.libs/pkcs11.dylib
MODULE_PATH = /usr/local/lib/softhsm/libsofthsm2.so
init = 0
[]:~$ openssl pkey -in "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=6a160d52b750862f;token=token%202.5.0-rc1;id=%11%11;object=ec%20key;type=private" -inform ENGINE -engine pkcs11 -text
engine "pkcs11" set.
Enter PKCS#11 token PIN for token 2.5.0-rc1:
140736065815424:error:100C0010:elliptic curve routines:i2d_ECPrivateKey:EC lib:crypto/ec/ec_asn1.c:995:
140736065815424:error:100D6010:elliptic curve routines:eckey_priv_encode:EC lib:crypto/ec/ec_ameth.c:242:
140736065815424:error:06071092:digital envelope routines:EVP_PKEY2PKCS8:private key encode error:crypto/evp/evp_pkey.c:72:
140736065815424:error:0907E073:PEM routines:do_pk8pkey:error converting private key:crypto/pem/pem_pk8.c:73:
====
Please let me know if I am missing anything. Note that the same operations work fine on a RSA key.
--
Paras
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20180917/576e3050/attachment-0001.html>
More information about the openssl-users
mailing list