[openssl-dev] openssl pkeyutl unable to use keys on a PKCS11 token?

Richard Levitte levitte at openssl.org
Thu Dec 10 08:39:31 UTC 2015


This is an oddity with 'openssl pkeyutl'.  Try this option order:

LOAD_CERT_CTRL=true VERBOSE=7 openssl pkeyutl -engine pkcs11 -sign -keyform engine -inkey "pkcs11:object=SIGN%20key;object-type=private;pin-value=123456" -out config.status.sig -in config.status.hash

The reason for this is that pkeyutl (as opposed to most other openssl
subcommands) tries to load the key while parsing the options, so if
'-keyform engine' comes after '-inkey ...', it will try to load the
key before having seen that it should be loaded from engine.

I think a bugfix for this is in order...

Cheers,
Richard
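To make the parsing difference concrete, here is an added Python model (not Richard's code and not OpenSSL's source): `parse_eager` mimics the behaviour Richard describes, where the key is loaded the moment `-inkey` is parsed using whatever `-keyform` has been seen so far; `parse_deferred` models the fix he calls for, loading once after all options are collected; and `order_warning` is a pre-flight check a wrapper script can run over its own argument list. The two argv lists are constructed to mirror the failing and working command lines in the thread; nothing here talks to a token.

```python
"""
Model of how `openssl pkeyutl` resolves -inkey relative to -keyform.

Constructed example: the two parsers below stand in for the real
pkeyutl option loop; the argv lists mirror the command lines quoted
in the thread.  No engine or token is touched.
"""
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple


@dataclass
class KeyLoad:
    source: str            # "file" (would be handed to fopen) or "engine"
    ref: str               # the -inkey argument as given
    engine: Optional[str]  # the -engine argument, if any


# Options that consume a following value (subset sufficient for the model).
_TAKES_VALUE = {"-engine", "-keyform", "-inkey", "-in", "-out",
                "-sigfile", "-pkeyopt", "-passin"}


def _pairs(argv: List[str]) -> Iterator[Tuple[str, Optional[str]]]:
    """Yield (option, value) for valued options and (option, None) for flags."""
    i = 0
    while i < len(argv):
        opt = argv[i]
        if opt in _TAKES_VALUE:
            if i + 1 >= len(argv):
                raise ValueError(f"{opt} requires an argument")
            yield opt, argv[i + 1]
            i += 2
        else:
            yield opt, None
            i += 1


def parse_eager(argv: List[str]) -> Optional[KeyLoad]:
    """Behaviour described in the thread: the key is loaded while options are
    still being parsed, so -keyform only counts if it came *before* -inkey.
    The default format is PEM, i.e. the -inkey string is treated as a path."""
    keyform, engine, load = "PEM", None, None
    for opt, val in _pairs(argv):
        if opt == "-engine":
            engine = val
        elif opt == "-keyform":
            keyform = val
        elif opt == "-inkey":
            source = "engine" if keyform.lower() == "engine" else "file"
            load = KeyLoad(source, val, engine)
    return load


def parse_deferred(argv: List[str]) -> Optional[KeyLoad]:
    """The fix: collect every option first, then load the key exactly once,
    so the relative order of -keyform and -inkey no longer matters."""
    keyform, engine, inkey = "PEM", None, None
    for opt, val in _pairs(argv):
        if opt == "-engine":
            engine = val
        elif opt == "-keyform":
            keyform = val
        elif opt == "-inkey":
            inkey = val
    if inkey is None:
        return None
    source = "engine" if keyform.lower() == "engine" else "file"
    return KeyLoad(source, inkey, engine)


def order_warning(argv: List[str]) -> Optional[str]:
    """Pre-flight check for scripts driving an eager pkeyutl: flag an argv in
    which -inkey appears before '-keyform engine', because the PKCS#11 URI
    would then be opened as a file (the fopen error seen in the thread)."""
    inkey_at = engine_form_at = None
    for idx, (opt, val) in enumerate(_pairs(argv)):
        if opt == "-inkey" and inkey_at is None:
            inkey_at = idx
        if opt == "-keyform" and val is not None and val.lower() == "engine":
            engine_form_at = idx
    if inkey_at is not None and engine_form_at is not None and inkey_at < engine_form_at:
        return "-inkey precedes '-keyform engine': an eager parser would fopen() the key reference"
    return None


# Constructed argv lists mirroring the two command lines in the thread.
URI = "pkcs11:object=SIGN%20key;object-type=private;pin-value=123456"
FAILING = ["-engine", "pkcs11", "-sign", "-inkey", URI, "-keyform", "engine",
           "-out", "config.status.sig", "-in", "config.status.hash"]
WORKING = ["-engine", "pkcs11", "-sign", "-keyform", "engine", "-inkey", URI,
           "-out", "config.status.sig", "-in", "config.status.hash"]

if __name__ == "__main__":
    for name, argv in (("failing order", FAILING), ("working order", WORKING)):
        print(f"{name}: eager -> {parse_eager(argv).source}, "
              f"deferred -> {parse_deferred(argv).source}, "
              f"warning -> {order_warning(argv)}")
```

Running the block shows the eager parser choosing `file` for the failing order and `engine` for the working one, while the deferred parser picks `engine` in both cases; the warning fires only for the failing order.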

In message <D28E0643.23C27%uri at ll.mit.edu> on Wed, 9 Dec 2015 21:24:41 +0000, "Blumenthal, Uri - 0553 - MITLL" <uri at ll.mit.edu> said:

uri> I’m having a problem, and am not sure whether it’s due to my
uri> ignorance/misuse of the tool (i.e. it should be done differently), or
uri> a bug in the tool, or it’s just not capable of doing what I want it
uri> to.
uri> 
uri> What I’m trying to accomplish: use engine_pkcs11 with OpenSSL to sign
uri> and decrypt with private keys on a smart card, accessed as a PKCS#11
uri> token. To support this engine, I’ve also installed libp11, and of
uri> course OpenSC itself.
uri> 
uri> This shows that OpenSC works and accesses the smart card successfully:
uri> 
uri> $ p11tool --provider /Library/OpenSC/lib/opensc-pkcs11.dylib --list-privkeys --login
uri> 
uri> Token 'PIV_II (PIV Card Holder pin)' with URL
uri> 'pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=……..;token=PIV_II%20%28PIV%20Card%20Holder%20pin%29'
uri> requires user PIN
uri> 
uri> Enter PIN:
uri> 
uri> Object 0:
uri> 
uri> URL:
uri> pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=……..;token=PIV_II%20%28PIV%20Card%20Holder%20pin%29;id=%01;object=PIV%20AUTH%20key;object-type=private
uri> 
uri> Type: Private key
uri> 
uri> Label: PIV AUTH key
uri> 
uri> Flags: CKA_WRAP/UNWRAP; CKA_PRIVATE; CKA_SENSITIVE;
uri> 
uri> ID: 01
uri> 
uri> Object 1:
uri> 
uri> URL:
uri> pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=……..;token=PIV_II%20%28PIV%20Card%20Holder%20pin%29;id=%02;object=SIGN%20key;object-type=private
uri> 
uri> Type: Private key
uri> 
uri> Label: SIGN key
uri> 
uri> Flags: CKA_PRIVATE; CKA_SENSITIVE;
uri> 
uri> ID: 02
uri> 
uri> Object 2:
uri> 
uri> URL:
uri> pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=……..;token=PIV_II%20%28PIV%20Card%20Holder%20pin%29;id=%03;object=KEY%20MAN%20key;object-type=private
uri> 
uri> Type: Private key
uri> 
uri> Label: KEY MAN key
uri> 
uri> Flags: CKA_WRAP/UNWRAP; CKA_PRIVATE; CKA_SENSITIVE;
uri> 
uri> ID: 03
uri> 
uri> Object 3:
uri> 
uri> URL:
uri> pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=……..;token=PIV_II%20%28PIV%20Card%20Holder%20pin%29;id=%04;object=CARD%20AUTH%20key;object-type=private
uri> 
uri> Type: Private key
uri> 
uri> Label: CARD AUTH key
uri> 
uri> Flags: CKA_SENSITIVE;
uri> 
uri> ID: 04
uri> 
uri> This shows that OpenSSL does seem to load the engine, but fails to
uri> access the key on the smart card:
uri> 
uri> $ openssl engine pkcs11 -t
uri> 
uri> (pkcs11) pkcs11 engine
uri> 
uri> [ available ]
uri> 
uri> $ openssl req -engine pkcs11 -new -key
uri> "pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=……..;token=PIV_II%20%28PIV%20Card%20Holder%20pin%29;id=%02;object=SIGN%20key;object-type=private;pin-value=123456"
uri> -keyform engine -out req.pem -text -x509 -subj "/CN=Tester"
uri> 
uri> engine "pkcs11" set.
uri> 
uri> specified object not found
uri> 
uri> PKCS11_get_private_key returned NULL
uri> 
uri> cannot load Private Key from engine
uri> 
uri> 140735296230224:error:26096080:engine
uri> routines:ENGINE_load_private_key:failed loading private
uri> key:eng_pkey.c:124:
uri> 
uri> unable to load Private Key
uri> 
uri> $ LOAD_CERT_CTRL=true VERBOSE=7 openssl pkeyutl -engine pkcs11 -sign -inkey "pkcs11:object=SIGN%20key;object-type=private;pin-value=123456" -keyform engine -out config.status.sig -in config.status.hash
uri> 
uri> engine "pkcs11" set.
uri> 
uri> Error opening Private Key
uri> pkcs11:object=SIGN%20key;object-type=private;pin-value=123456
uri> 
uri> 140735296230224:error:02001002:system library:fopen:No such file or
uri> directory:bss_file.c:398:fopen
uri> ('pkcs11:object=SIGN%20key;object-type=private;pin-value=123456','r')
uri> 
uri> 140735296230224:error:20074002:BIO routines:FILE_CTRL:system
uri> lib:bss_file.c:400:
uri> 
uri> unable to load Private Key
uri> 
uri> Error initializing context
uri> 
uri> Usage: pkeyutl [options]
uri> 
uri> -in file input file
uri> 
uri> -out file output file
uri> 
uri> -sigfile file signature file (verify operation only)
uri> 
uri> -inkey file input key
uri> 
uri> -keyform arg private key format - default PEM
uri> 
uri> -pubin input is a public key
uri> 
uri> -certin input is a certificate carrying a public key
uri> 
uri> -pkeyopt X:Y public key options
uri> 
uri> -sign sign with private key
uri> 
uri> -verify verify with public key
uri> 
uri> -verifyrecover verify with public key, recover original data
uri> 
uri> -encrypt encrypt with public key
uri> 
uri> -decrypt decrypt with private key
uri> 
uri> -derive derive shared secret
uri> 
uri> -hexdump hex dump output
uri> 
uri> -engine e use engine e, possibly a hardware device.
uri> 
uri> -passin arg pass phrase source
uri> 
uri> $
uri> 
uri> I would appreciate guidance regarding how to accomplish what I’m
uri> trying to do, and whether it is possible to do so staying within the
uri> OpenSSL CLI.
uri> 
uri> Thanks!
uri> 
uri> P.S. I followed the README from
uri> https://github.com/OpenSC/engine_pkcs11 as an example of how to use
uri> OpenSSL with engine_pkcs11 and the token.
uri> --
uri> Regards,
uri> Uri Blumenthal