[openssl-dev] openssl pkeyutl unable to use keys on a PKCS11 token?

Blumenthal, Uri - 0553 - MITLL uri at ll.mit.edu
Wed Dec 9 21:24:41 UTC 2015


I’m having a problem, and am not sure whether it’s due to my
ignorance/misuse of the tool (i.e. it should be done differently), or a bug
in the tool, or it’s just not capable of doing what I want it to.

What I’m trying to accomplish: use engine_pkcs11
<https://github.com/OpenSC/engine_pkcs11> with OpenSSL to sign and decrypt
with private keys on a smart card, accessed as a PKCS#11 token. To support
this engine, I’ve also installed libp11 <https://github.com/OpenSC/libp11>,
and of course OpenSC <https://github.com/OpenSC/OpenSC> itself.

This shows that OpenSC works and accesses the smart card successfully:

$ p11tool --provider /Library/OpenSC/lib/opensc-pkcs11.dylib --list-privkeys --login

Token 'PIV_II (PIV Card Holder pin)' with URL 'pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=……..;token=PIV_II%20%28PIV%20Card%20Holder%20pin%29' requires user PIN
Enter PIN:

Object 0:
URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=……..;token=PIV_II%20%28PIV%20Card%20Holder%20pin%29;id=%01;object=PIV%20AUTH%20key;object-type=private
Type: Private key
Label: PIV AUTH key
Flags: CKA_WRAP/UNWRAP; CKA_PRIVATE; CKA_SENSITIVE;
ID: 01

Object 1:
URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=……..;token=PIV_II%20%28PIV%20Card%20Holder%20pin%29;id=%02;object=SIGN%20key;object-type=private
Type: Private key
Label: SIGN key
Flags: CKA_PRIVATE; CKA_SENSITIVE;
ID: 02

Object 2:
URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=……..;token=PIV_II%20%28PIV%20Card%20Holder%20pin%29;id=%03;object=KEY%20MAN%20key;object-type=private
Type: Private key
Label: KEY MAN key
Flags: CKA_WRAP/UNWRAP; CKA_PRIVATE; CKA_SENSITIVE;
ID: 03

Object 3:
URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=……..;token=PIV_II%20%28PIV%20Card%20Holder%20pin%29;id=%04;object=CARD%20AUTH%20key;object-type=private
Type: Private key
Label: CARD AUTH key
Flags: CKA_SENSITIVE;
ID: 04



This shows that OpenSSL does seem to load the engine, but fails to access
the key on the smart card:

$ openssl engine pkcs11 -t
(pkcs11) pkcs11 engine
     [ available ]

$ openssl req -engine pkcs11 -new -key "pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=……..;token=PIV_II%20%28PIV%20Card%20Holder%20pin%29;id=%02;object=SIGN%20key;object-type=private;pin-value=123456" -keyform engine -out req.pem -text -x509 -subj "/CN=Tester"
engine "pkcs11" set.
specified object not found
PKCS11_get_private_key returned NULL
cannot load Private Key from engine
140735296230224:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:eng_pkey.c:124:
unable to load Private Key

$ LOAD_CERT_CTRL=true VERBOSE=7 openssl pkeyutl -engine pkcs11 -sign -inkey "pkcs11:object=SIGN%20key;object-type=private;pin-value=123456" -keyform engine -out config.status.sig -in config.status.hash
engine "pkcs11" set.
Error opening Private Key pkcs11:object=SIGN%20key;object-type=private;pin-value=123456
140735296230224:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('pkcs11:object=SIGN%20key;object-type=private;pin-value=123456','r')
140735296230224:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
unable to load Private Key
Error initializing context
Usage: pkeyutl [options]
-in file        input file
-out file       output file
-sigfile file signature file (verify operation only)
-inkey file     input key
-keyform arg    private key format - default PEM
-pubin          input is a public key
-certin         input is a certificate carrying a public key
-pkeyopt X:Y    public key options
-sign           sign with private key
-verify         verify with public key
-verifyrecover  verify with public key, recover original data
-encrypt        encrypt with public key
-decrypt        decrypt with private key
-derive         derive shared secret
-hexdump        hex dump output
-engine e       use engine e, possibly a hardware device.
-passin arg     pass phrase source
$


I would appreciate guidance regarding how to accomplish what I’m trying to
do, and whether it is possible to do so staying within the OpenSSL CLI.

Thanks!

P.S. I followed the README from https://github.com/OpenSC/engine_pkcs11 as
an example of how to use OpenSSL with engine_pkcs11 and the token.
-- 
Regards,
Uri Blumenthal
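An added example, not part of Uri's post and not code from engine_pkcs11, libp11 or OpenSC: a small Python parser for the pkcs11: URIs shown in the p11tool listing above. It checks whether the short selector passed to pkeyutl (object + object-type only) would match the SIGN key object the token reports, and flags URIs that embed the PIN via pin-value, since that value ends up in the process argument list and shell history. The serial is a constructed placeholder; the `object-type` attribute name is the one the post's tools use (RFC 7512 later standardized it as `type`, so both are accepted).

```python
"""Parse and match PKCS#11 URIs of the form used by p11tool/engine_pkcs11 in the post."""
from urllib.parse import unquote, unquote_to_bytes

# Constructed sample: the SIGN key URL from the p11tool listing, with the
# elided serial replaced by the placeholder SERIAL.
TOKEN_URL = ("pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=SERIAL;"
             "token=PIV_II%20%28PIV%20Card%20Holder%20pin%29;id=%02;"
             "object=SIGN%20key;object-type=private")


def parse_pkcs11_uri(uri):
    """Split a pkcs11: URI into (path_attrs, query_attrs), percent-decoded.

    Path attributes are ';'-separated, query attributes (after '?') are
    '&'-separated.  'id' is a CKA_ID and is kept as raw bytes; all other
    values are decoded to str.
    """
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path, _, query = uri[len("pkcs11:"):].partition("?")

    def split(part, sep):
        attrs = {}
        for item in filter(None, part.split(sep)):
            key, _, value = item.partition("=")
            attrs[key] = unquote_to_bytes(value) if key == "id" else unquote(value)
        return attrs

    return split(path, ";"), split(query, "&")


def _normalize(attrs):
    # Older tooling wrote 'object-type'; RFC 7512 calls the attribute 'type'.
    return {("type" if k == "object-type" else k): v for k, v in attrs.items()}


def selector_matches(selector, object_url):
    """True if every path attribute in `selector` equals the token object's."""
    sel = _normalize(parse_pkcs11_uri(selector)[0])
    obj = _normalize(parse_pkcs11_uri(object_url)[0])
    return all(obj.get(k) == v for k, v in sel.items())


def pin_in_uri(uri):
    """True if the URI carries the PIN inline (pin-value), in either component."""
    path, query = parse_pkcs11_uri(uri)
    return "pin-value" in path or "pin-value" in query


if __name__ == "__main__":
    short = "pkcs11:object=SIGN%20key;object-type=private;pin-value=123456"
    print("matches SIGN key:", selector_matches(short, TOKEN_URL))
    print("PIN embedded in URI:", pin_in_uri(short))
```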

