[openssl-dev] openssl pkeyutl unable to use keys on a PKCS11 token?
Blumenthal, Uri - 0553 - MITLL
uri at ll.mit.edu
Thu Dec 10 17:16:17 UTC 2015
> From previous private conversations, can you comments on if this is a PIV or
> NEO with a PIV applet?
I certainly can – this is NEO with a PIV applet. But side-stepping – note
that openssl dgst appeared to work fine. See my other posting to this list,
and duplicated here:
$ pkcs15-tool --read-public-key 02 -o pub.key
Using reader with a card: Yubico Yubikey NEO OTP+U2F+CCID
Please enter PIN [PIV Card Holder pin]:
$ openssl dgst -engine pkcs11 -keyform engine -sign
"pkcs11:object=SIGN%20key;object-type=private;pin-value=123456" -sha256 -out
t.sig < config.h
engine "pkcs11" set.
$ openssl dgst -verify pub.key -keyform PEM -signature t.sig -sha256 <
config.h
Verified OK
> Did you generate a key on the card using the piv-tool or NEO tool?
At this moment (test setting) the keys were generated off-card, and loaded
on the token using NEO tools.
For production, of course they’ll be generated on the card (except for the
KEY MAN key) and certified elsewhere.
> Did you create a certificate and load it on the card? I assume not.
For production this assumption would be correct. But not for this case
(testing, "feeling the water", so to say).
But in any case, fully-configured certificates with all the necessary
attributes (Key Usage, Extended Key Usage, etc.) have been loaded.
> There is a chicken and egg problem with the PIV. To determine if a key is on
> the card, and its attributes,
> the public key that was saved during key generate step is needed. In normal
> use the public key is in the certificate,
> on the card. But if there is NO certificate on the card, as when you are
> trying to generate the certificate, the OpenSC
> low level routines will look for the public key from a file off the card.
Got it. This will be very useful once I move to “real” from “testing”.
> https://github.com/OpenSC/OpenSC/wiki/PivTool#generate-a-certificate-request
>
> shows setting of the PIV_9A_KEY = environment variable.
> In your case because you are using the "SIGN key" you would need to set
> PIV_9C_KEY=path.to.pubkey.file.der
> This should work with other programs like openssl pkeyutl too.
>
> Once the certificate is then loaded, the PIV_9X_KEY environment variable will
> not be used.
Got it. Thanks!
On 12/10/2015 9:38 AM, Blumenthal, Uri - 0553 - MITLL wrote:
> On 12/10/15, 3:39 , "openssl-dev on behalf of Richard Levitte"
> <openssl-dev-bounces at openssl.org on behalf of levitte at openssl.org>
> <mailto:openssl-dev-bounces at openssl.orgonbehalfoflevitte@openssl.org> wrote:
>
>> This is an odity with 'openssl pkeyutl'. Try this option order:
> I see!
>
>> LOAD_CERT_CTRL=true VERBOSE=7 openssl pkeyutl -engine pkcs11 -sign
>> -keyform engine -inkey
>> "pkcs11:object=SIGN%20key;object-type=private;pin-value=123456" -out
>> config.status.sig -in config.status.hash
> Much better now - but at this time I hit “unsupported algorithm”. The key
> in question is RSA-2048, with SHA256.
>
> $ LOAD_CERT_CTRL=true VERBOSE=7 openssl pkeyutl -engine pkcs11 -sign
> -keyform engine -inkey
> "pkcs11:object=SIGN%20key;object-type=private;pin-value=123456" -out
> config.status.sig -in config.status.hash
> engine "pkcs11" set.
> Error initializing context
> 140735296230224:error:260C0065:engine
> routines:ENGINE_get_pkey_meth:unimplemented public key
> method:tb_pkmeth.c:128:
> 140735296230224:error:0609D09C:digital envelope
> routines:INT_CTX_NEW:unsupported algorithm:pmeth_lib.c:164:
> Usage: pkeyutl [options]
> -in file input file
> -out file output file
> -sigfile file signature file (verify operation only)
> -inkey file input key
> -keyform arg private key format - default PEM
> -pubin input is a public key
> -certin input is a certificate carrying a public key
> -pkeyopt X:Y public key options
> -sign sign with private key
> -verify verify with public key
> -verifyrecover verify with public key, recover original data
> -encrypt encrypt with public key
> -decrypt decrypt with private key
> -derive derive shared secret
> -hexdump hex dump output
> -engine e use engine e, possibly a hardware device.
> -passin arg pass phrase source
> $
>
>
> I observed exactly the same happening with the decryption key.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20151210/eaec1211/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4308 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20151210/eaec1211/attachment.bin>
More information about the openssl-dev
mailing list