[openssl-users] Softhsm + engine_pkcs11 + openssl with EC keys fail.
Paras Shah (parashah)
parashah at cisco.com
Sat Sep 22 23:42:08 UTC 2018
To update this thread: please follow the commentary on https://github.com/OpenSC/libp11/issues/249
From: "Blumenthal, Uri - 0553 - MITLL" <uri at ll.mit.edu>
Date: Friday, September 21, 2018 at 5:07 AM
To: "Paras Shah (parashah)" <parashah at cisco.com>, "openssl-users at openssl.org" <openssl-users at openssl.org>
Cc: Nicola <nic.tuv at gmail.com>
Subject: Re: [openssl-users] Softhsm + engine_pkcs11 + openssl with EC keys fail.
Note that the key to reproducing this issue is compiling SoftHSMv2 with 1.1.1. When compiled with 1.0.2p, everything else can be compiled against 1.1.1 and it works ok.
Regards,
Uri
Sent from my iPhone
On Sep 21, 2018, at 02:09, Paras Shah (parashah) via openssl-users <openssl-users at openssl.org> wrote:
I opened the issue https://github.com/openssl/openssl/issues/7258
Also, opened issue https://github.com/OpenSC/libp11/issues/249
and https://github.com/opendnssec/SoftHSMv2/issues/417
Found the root cause to be the openssl version 1.1.1 that was used to compile the engine_pkcs11 and SoftHSM.
When I recompiled with openssl-1.0.2p, it worked fine. See https://github.com/OpenSC/libp11/issues/249 for details.
From: "Paras Shah (parashah)" <parashah at cisco.com>
Date: Tuesday, September 18, 2018 at 10:06 AM
To: Nicola <nic.tuv at gmail.com>, "openssl-users at openssl.org" <openssl-users at openssl.org>
Subject: Re: [openssl-users] Softhsm + engine_pkcs11 + openssl with EC keys fail.
Sure. I will open the issue.
From: Nicola <nic.tuv at gmail.com>
Date: Monday, September 17, 2018 at 10:05 PM
To: "Paras Shah (parashah)" <parashah at cisco.com>, "openssl-users at openssl.org" <openssl-users at openssl.org>
Subject: Re: [openssl-users] Softhsm + engine_pkcs11 + openssl with EC keys fail.
Would it be possible for you to open this as an issue on Github and include there your first email and the full logs?
Thanks,
Nicola Tuveri
On Tue, 18 Sep 2018 at 01:15, Paras Shah (parashah) via openssl-users <openssl-users at openssl.org> wrote:
That is not it. It results in the same error for the EC key.
It is not the URL or the ID, because for an RSA key in the SoftHSM with id = 3333 it works fine with a URL containing id=%33%33:
$ openssl pkey -in "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=6a160d52b750862f;token=token%202.5.0-rc1;id=%33%33;object=rsa%20key;type=private" -engine pkcs11 -inform ENGINE
engine "pkcs11" set.
Enter PKCS#11 token PIN for token 2.5.0-rc1:
-----BEGIN PRIVATE KEY-----
MIIBJwIBADANBgkqhkiG9w0BAQEFAASCAREwggENAgEAAoIBAQDD3378F1XbXJvP
WP2GtZry0u6sL3eNYktQwJfhDMz5evDG+PahVjCMszV5CZvG+Kvap40xPBJoonqi
oMAQsoLu7/fTx82aEL3TbdjXNLFnQ2KKYmfG9ymx80sLHMmdmDXpNNE+bEKJz1dp
t1Q0cVduwmqSfB8JyIE6Udz7JX7HCXaVmxoK7z4Njh3dyHsqhdqKIx0dBuK0hCaq
4zPzGP/sORA3G9ZPxxpEvF3gvE/zsXj7ifihqbqr2eIFOpB/lQqAehsgQT5/6Iq+
9pAX2LCxNkaUHYYZpMkM8Oi37jzg8PX/FnHdm9HQU2IBqYhoqo7/VsNdUDln2QHN
dGAUprcbAgMBAAE=
-----END PRIVATE KEY-----
Coming back to EC key, looking at the error logs emitted, it does seem to recognize it to be EC (the logs contain EC_routines) somehow but then fails.
On 9/17/18, 2:22 PM, "openssl-users on behalf of Richard Levitte" <openssl-users-bounces at openssl.org on behalf of levitte at openssl.org> wrote:
In message <4AC69FC3-BEC7-46F6-882A-671196FC0156 at contoso.com> on Mon, 17 Sep 2018 20:59:59 +0000, "Paras Shah (parashah)" <parashah at cisco.com> said:
> 4. Import the key into softhsm
>
> []:~$ softhsm2-util --import ~/tmp/secp256k1-key.pem.pkcs8 --label "ec key" --id 1111 --token
> "token 2.5.0-rc1"
Ok, so here, the ID is "1111"
> 5. Get the pkcs11 url for the private key
>
> []:~$ p11tool --login --provider=/usr/local/lib/softhsm/libsofthsm2.so --set-pin=1111 --list-all
>
> Object 0:
>
> URL:
> pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=6a160d52b750862f;token=token%202.5.0-rc1;id=%11%11;object=ec%20key;type=private
But here, the ID is "%11%11", and since those get percent decoded,
that's actually two vertical tabs, or with C vector syntax,
{ 0x0b, 0x0b }
I'm not sure what engine-pkcs11 asks of you otherwise, but one guess
could be to change 'id=%11%11' to 'id=1111' in that URL and try again.
Cheers,
Richard
--
Richard Levitte levitte at openssl.org
OpenSSL Project http://www.openssl.org/~levitte/
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
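Added example, not code from the thread or from OpenSSL, libp11 or SoftHSMv2: a small RFC 7512 percent-decoder for the id attribute of a pkcs11: URI, run against the two URIs p11tool printed above. softhsm2-util's --id option takes hexadecimal characters, so --id 1111 stores the CKA_ID bytes 11 11 and --id 3333 stores 33 33; the example checks which bytes each URI form names (the percent-encoded form from p11tool, and the bare id=1111 form, which decodes to four ASCII digits). The URIs and IDs are copied from the thread; the module path in the query-part check is a constructed placeholder.

```python
import re
from urllib.parse import unquote_to_bytes

# Inputs copied from the thread: the URIs p11tool printed, and the hex IDs
# given to softhsm2-util --id when the keys were imported.
EC_URI = ("pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;"
          "serial=6a160d52b750862f;token=token%202.5.0-rc1;id=%11%11;"
          "object=ec%20key;type=private")
RSA_URI = ("pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;"
           "serial=6a160d52b750862f;token=token%202.5.0-rc1;id=%33%33;"
           "object=rsa%20key;type=private")
EC_SOFTHSM_ID = "1111"
RSA_SOFTHSM_ID = "3333"


def parse_pkcs11_uri(uri: str) -> dict:
    """Return the path attributes of a pkcs11: URI (RFC 7512) as {name: bytes}.

    Every value is percent-decoded to raw bytes; 'id' in particular is the
    binary CKA_ID, not a string. The optional '?query' part (module-path,
    pin-value, ...) is split off and ignored here.
    """
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path, _, _query = uri[len("pkcs11:"):].partition("?")
    attrs = {}
    for part in path.split(";"):
        if not part:
            continue
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed attribute {part!r}")
        if name in attrs:
            raise ValueError(f"duplicate attribute {name!r}")
        attrs[name] = unquote_to_bytes(value)
    return attrs


def cka_id_from_softhsm_hex(hex_id: str) -> bytes:
    """softhsm2-util --id takes hexadecimal characters: '1111' is bytes 11 11."""
    if not re.fullmatch(r"(?:[0-9a-fA-F]{2})+", hex_id):
        raise ValueError("CKA_ID must be an even-length hex string")
    return bytes.fromhex(hex_id)


def uri_id_attribute(cka_id: bytes) -> str:
    """Percent-encode every byte of a CKA_ID for the 'id' attribute of a URI.

    RFC 7512 permits leaving unreserved ASCII bytes bare, but encoding each
    byte removes any doubt about which bytes the attribute names.
    """
    return "".join(f"%{b:02x}" for b in cka_id)


def uri_names_object(uri: str, softhsm_hex_id: str) -> bool:
    """True when the URI's id attribute decodes to the CKA_ID softhsm2-util stored."""
    return parse_pkcs11_uri(uri).get("id") == cka_id_from_softhsm_hex(softhsm_hex_id)


if __name__ == "__main__":
    for label, uri, hex_id in (("EC", EC_URI, EC_SOFTHSM_ID),
                               ("RSA", RSA_URI, RSA_SOFTHSM_ID)):
        print(label, parse_pkcs11_uri(uri)["id"].hex(), uri_names_object(uri, hex_id))
    # Writing the hex ID into the URI unencoded names a different CKA_ID
    # (four ASCII digits, bytes 31 31 31 31):
    print("id=1111 ->", parse_pkcs11_uri("pkcs11:id=1111")["id"].hex())
```

The check is useful whenever an engine or provider reports "object not found": decode the URI yourself and compare the bytes with what the token actually stores (p11tool --list-all or pkcs11-tool --list-objects show the CKA_ID in hex) before suspecting the key type or the library build.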