[openssl-dev] openssl pkeyutl unable to use keys on a PKCS11 token?
Dr. Stephen Henson
steve at openssl.org
Thu Dec 10 17:32:44 UTC 2015
On Thu, Dec 10, 2015, Blumenthal, Uri - 0553 - MITLL wrote:
> Much better now - but at this time I hit "unsupported algorithm". The key
> in question is RSA-2048, with SHA256.
>
> $ LOAD_CERT_CTRL=true VERBOSE=7 openssl pkeyutl -engine pkcs11 -sign
> -keyform engine -inkey
> "pkcs11:object=SIGN%20key;object-type=private;pin-value=123456" -out
> config.status.sig -in config.status.hash
> engine "pkcs11" set.
> Error initializing context
> 140735296230224:error:260C0065:engine
> routines:ENGINE_get_pkey_meth:unimplemented public key
> method:tb_pkmeth.c:128:
> 140735296230224:error:0609D09C:digital envelope
> routines:INT_CTX_NEW:unsupported algorithm:pmeth_lib.c:164:
The reason for that is because the -engine option sets the ENGINE to use for
everything and the PKCS#11 ENGINE doesn't support that public key method.
What we need is a way to load the private key from an ENGINE but not attempt
to use that for the actual operations. Temporary fix is to set the second
argument in EVP_PKEY_CTX_new to NULL in pkeyutl.c
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org