CSR creation using pkcs11 dynamic engine

Selva Nair selva.nair at gmail.com
Fri May 28 18:47:35 UTC 2021


Hi,

On Fri, May 28, 2021 at 1:44 PM Piotr Lobacz <piotr.lobacz at softgent.com> wrote:
>
> Ok, I have found out that the dotnet OpenSsl library has its own code for verifying whether a key is private. For this it needs the whole data of the private key, which this method:
>
> static int HasNoPrivateKey(RSA* rsa)
>
> which is in ./src/Native/Unix/System.Security.Cryptography.Native/pal_rsa.c of dotnet verifies the occurrence of all private parameters. Unfortunately, from what I know, private keys are not extractable from tokens because of the CKA_EXTRACTABLE=false parameter.
>
> Correct me if I'm wrong, but from what I know about openssl, when I'm switching to a closed engine the whole cryptography is being done by the engine module. I think that there should be some other method verifying whether the key is private. Maybe somebody could give me a hint?

It's not the verification but the signing operation that is failing. This sounds
like something wrong in the way you are using the dotnet interface or
possibly a bug in (or limitation of) that implementation itself. Like
it's not meant to be used when keys are "external". I have no idea,
having never used C#.

But you are right, when the private key is loaded through the pkcs11
engine the key is external (can stay non-extractable), and the signing
operation gets delegated to the engine. Are you sure that the pkey
returned by ENGINE_get_private_key() and the RSA handle generated from
that pkey are valid? I see no error checks in your code, unless dotnet
will automatically trigger exceptions on error.

You may get more relevant help in the dotnet community.


Selva
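The distinction Selva draws, that an engine-loaded key is external and only the signing operation is delegated to it, is easiest to see with a small model. The following is an added example, not code from this thread, from OpenSSL or from dotnet. It uses textbook RSA in pure Python as a stand-in for a token: `TokenKey` models a key with CKA_EXTRACTABLE=false (it signs but never exports its private exponent), `SoftwareKey` models an ordinary in-memory key, and `has_private_components` is a hypothetical parameter-inspection check in the spirit of the one the original poster describes, not the dotnet function itself. The comparison with `can_sign` shows why inspecting parameters misclassifies an external key while probing the signing capability does not.

```python
"""Model of an external (token-resident) key versus an in-memory key.

Constructed example, not from the openssl-users thread, OpenSSL or dotnet.
Textbook RSA without PKCS#1 padding is used only to keep the demo short;
it is not suitable for real signatures.
"""
import hashlib
import random


def _is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test (assumed adequate for a demo key)."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def generate_keypair(bits=256):
    """Return (n, e, d) for a small demo modulus."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return p * q, e, pow(e, -1, phi)


def _digest(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


class SoftwareKey:
    """In-memory key: every parameter, including d, is readable."""
    def __init__(self, n, e, d):
        self.n, self.e, self.d = n, e, d

    def sign(self, msg):
        return pow(_digest(msg, self.n), self.d, self.n)


class TokenKey:
    """Key resident in a 'token': it signs, but d is never exported.

    A parameter dump of this object sees d == None, exactly like an
    OpenSSL pkey backed by the pkcs11 engine has no private components.
    """
    def __init__(self, n, e, d):
        self.n, self.e = n, e
        self.d = None          # what parameter inspection sees
        self.__d = d           # stays inside the 'token' (non-extractable)

    def sign(self, msg):
        return pow(_digest(msg, self.n), self.__d, self.n)


class PublicKey:
    """Public half only; cannot sign at all."""
    def __init__(self, n, e):
        self.n, self.e, self.d = n, e, None

    def sign(self, msg):
        raise PermissionError("no private key available")


def verify(key, msg, sig):
    return pow(sig, key.e, key.n) == _digest(msg, key.n)


def has_private_components(key):
    """Hypothetical parameter-inspection check: 'private' means d is present.

    This is the approach that fails for engine-backed keys.
    """
    return getattr(key, "d", None) is not None


def can_sign(key, probe=b"signing-capability probe (constructed input)"):
    """Capability check: have the key holder sign, then verify with the public part."""
    try:
        sig = key.sign(probe)
    except Exception:
        return False
    return verify(key, probe, sig)


def classify(n, e, d):
    """Apply both checks to all three key kinds; returns {name: (inspect, probe)}."""
    keys = {"software": SoftwareKey(n, e, d),
            "token": TokenKey(n, e, d),
            "public": PublicKey(n, e)}
    return {name: (has_private_components(k), can_sign(k)) for name, k in keys.items()}


if __name__ == "__main__":
    for name, (inspect, probe) in classify(*generate_keypair()).items():
        print(f"{name:8s} has_private_components={inspect!s:5s} can_sign={probe}")
```

The token-backed key is reported as "not private" by parameter inspection yet signs correctly, which is the situation the poster hit: a check that requires d, p and q in memory cannot be satisfied by a non-extractable key, while an actual signing attempt (with its return value checked, as Selva suggests) can.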

