[openssl-dev] openssl pkeyutl unable to use keys on a PKCS11 token?
Blumenthal, Uri - 0553 - MITLL
uri at ll.mit.edu
Wed Dec 9 21:24:41 UTC 2015
I’m having a problem, and am not sure whether it’s due to my
ignorance/misuse of the tool (i.e. it should be done differently), or a bug
in the tool, or it’s just not capable of doing what I want it to.
What I’m trying to accomplish: use engine_pkcs11
<https://github.com/OpenSC/engine_pkcs11> with OpenSSL to sign and decrypt
with private keys on a smart card, accessed as a PKCS#11 token. To support
this engine, I’ve also installed libp11 <https://github.com/OpenSC/libp11>,
and of course OpenSC <https://github.com/OpenSC/OpenSC> itself.
This shows that OpenSC works and accesses the smart card successfully:
$ p11tool --provider /Library/OpenSC/lib/opensc-pkcs11.dylib --list-privkeys --login
Token 'PIV_II (PIV Card Holder pin)' with URL 'pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=……..;token=PIV_II%20%28PIV%20Card%20Holder%20pin%29' requires user PIN
Enter PIN:
Object 0:
    URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=……..;token=PIV_II%20%28PIV%20Card%20Holder%20pin%29;id=%01;object=PIV%20AUTH%20key;object-type=private
    Type: Private key
    Label: PIV AUTH key
    Flags: CKA_WRAP/UNWRAP; CKA_PRIVATE; CKA_SENSITIVE;
    ID: 01
Object 1:
    URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=……..;token=PIV_II%20%28PIV%20Card%20Holder%20pin%29;id=%02;object=SIGN%20key;object-type=private
    Type: Private key
    Label: SIGN key
    Flags: CKA_PRIVATE; CKA_SENSITIVE;
    ID: 02
Object 2:
    URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=……..;token=PIV_II%20%28PIV%20Card%20Holder%20pin%29;id=%03;object=KEY%20MAN%20key;object-type=private
    Type: Private key
    Label: KEY MAN key
    Flags: CKA_WRAP/UNWRAP; CKA_PRIVATE; CKA_SENSITIVE;
    ID: 03
Object 3:
    URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=……..;token=PIV_II%20%28PIV%20Card%20Holder%20pin%29;id=%04;object=CARD%20AUTH%20key;object-type=private
    Type: Private key
    Label: CARD AUTH key
    Flags: CKA_SENSITIVE;
    ID: 04
This shows that OpenSSL does seem to load the engine, but fails to access
the key on the smart card:
$ openssl engine pkcs11 -t
(pkcs11) pkcs11 engine
     [ available ]
$ openssl req -engine pkcs11 -new -key "pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=……..;token=PIV_II%20%28PIV%20Card%20Holder%20pin%29;id=%02;object=SIGN%20key;object-type=private;pin-value=123456" -keyform engine -out req.pem -text -x509 -subj "/CN=Tester"
engine "pkcs11" set.
specified object not found
PKCS11_get_private_key returned NULL
cannot load Private Key from engine
140735296230224:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:eng_pkey.c:124:
unable to load Private Key
$ LOAD_CERT_CTRL=true VERBOSE=7 openssl pkeyutl -engine pkcs11 -sign -inkey "pkcs11:object=SIGN%20key;object-type=private;pin-value=123456" -keyform engine -out config.status.sig -in config.status.hash
engine "pkcs11" set.
Error opening Private Key pkcs11:object=SIGN%20key;object-type=private;pin-value=123456
140735296230224:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('pkcs11:object=SIGN%20key;object-type=private;pin-value=123456','r')
140735296230224:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
unable to load Private Key
Error initializing context
Usage: pkeyutl [options]
-in file input file
-out file output file
-sigfile file signature file (verify operation only)
-inkey file input key
-keyform arg private key format - default PEM
-pubin input is a public key
-certin input is a certificate carrying a public key
-pkeyopt X:Y public key options
-sign sign with private key
-verify verify with public key
-verifyrecover verify with public key, recover original data
-encrypt encrypt with public key
-decrypt decrypt with private key
-derive derive shared secret
-hexdump hex dump output
-engine e use engine e, possibly a hardware device.
-passin arg pass phrase source
$
I would appreciate guidance regarding how to accomplish what I’m trying to
do, and whether it is possible to do so staying within the OpenSSL CLI.
Thanks!
P.S. I followed the README from https://github.com/OpenSC/engine_pkcs11 as
an example of how to use OpenSSL with engine_pkcs11 and the token.
--
Regards,
Uri Blumenthal
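An added example, not part of the post above and not code from OpenSC, libp11 or engine_pkcs11: a small RFC 7512 PKCS#11 URI parser that percent-decodes the attributes the URIs in the post carry (id, object, object-type/type, token) and checks them against a constructed copy of the p11tool listing, so one can see which object a URI selects before handing it to the engine. The matching rule used here (every selecting attribute the URI names must equal the object's value) is the obvious one; the post does not establish that engine_pkcs11 applies exactly this rule. It also flags a pin-value attribute embedded in the URI, since a PIN passed on the command line is visible in the process list and shell history. The function names parse_pkcs11_uri, matches_object, find_objects and has_literal_pin, the serial placeholder EXAMPLE, and the sample records are all mine.

```python
"""Added example: RFC 7512 PKCS#11 URI parsing and object matching (not from the post)."""
from urllib.parse import unquote, unquote_to_bytes

# Constructed copy of the p11tool listing in the post (token serial replaced by
# a placeholder; ids and labels as listed there).
TOKEN = "PIV_II (PIV Card Holder pin)"
SAMPLE_OBJECTS = [
    {"token": TOKEN, "id": b"\x01", "label": "PIV AUTH key", "type": "private"},
    {"token": TOKEN, "id": b"\x02", "label": "SIGN key", "type": "private"},
    {"token": TOKEN, "id": b"\x03", "label": "KEY MAN key", "type": "private"},
    {"token": TOKEN, "id": b"\x04", "label": "CARD AUTH key", "type": "private"},
]

# Constructed URI in the shape of the one passed to "openssl req" in the post.
SAMPLE_URI = ("pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=EXAMPLE;"
              "token=PIV_II%20%28PIV%20Card%20Holder%20pin%29;id=%02;"
              "object=SIGN%20key;object-type=private;pin-value=123456")


def parse_pkcs11_uri(uri):
    """Split a pkcs11: URI into path attributes (';'-separated) and query
    attributes ('&'-separated after '?'), percent-decoding every value.
    'id' is binary per RFC 7512, so it is decoded to bytes; the rest to str."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path_part, _, query_part = uri[len("pkcs11:"):].partition("?")

    def decode(pairs, sep):
        out = {}
        for item in filter(None, pairs.split(sep)):
            name, eq, value = item.partition("=")
            if not eq:
                raise ValueError("attribute without '=': %r" % item)
            out[name] = unquote_to_bytes(value) if name == "id" else unquote(value)
        return out

    return {"path": decode(path_part, ";"), "query": decode(query_part, "&")}


# URI attribute -> field of the object record it is compared with.  'type' is the
# RFC 7512 spelling, 'object-type' the older one used in the post's URIs.
_ATTR_TO_FIELD = {"id": "id", "object": "label", "type": "type",
                  "object-type": "type", "token": "token"}


def matches_object(parsed, obj):
    """True when every selecting attribute present in the URI equals the object's value."""
    for attr, field in _ATTR_TO_FIELD.items():
        if attr in parsed["path"] and parsed["path"][attr] != obj.get(field):
            return False
    return True


def find_objects(uri, objects):
    """Labels of the objects a URI would select from a listing (hypothetical helper)."""
    parsed = parse_pkcs11_uri(uri)
    return [o["label"] for o in objects if matches_object(parsed, o)]


def has_literal_pin(parsed):
    """pin-value embeds the PIN in the URI itself; on a command line that text is
    visible to other local users through the process list and lands in shell
    history.  RFC 7512 puts it in the query component; accept either position."""
    return "pin-value" in parsed["path"] or "pin-value" in parsed["query"]


if __name__ == "__main__":
    p = parse_pkcs11_uri(SAMPLE_URI)
    print("decoded path attributes:", p["path"])
    print("selected objects:", find_objects(SAMPLE_URI, SAMPLE_OBJECTS))
    print("literal PIN in URI:", has_literal_pin(p))
```

Running the script prints the decoded attributes (id=%02 becomes the single byte 0x02, object=SIGN%20key becomes "SIGN key"), reports that only the SIGN key record matches, and flags the embedded PIN. The same function run on the shorter pkeyutl URI from the post selects the same single object, which makes the two invocations easy to compare.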