[openssl-dev] openssl pkeyutl unable to use keys on a PKCS11 token?

Blumenthal, Uri - 0553 - MITLL uri at ll.mit.edu
Thu Dec 10 19:00:23 UTC 2015


On 12/10/15, 12:32 , "openssl-dev on behalf of Dr. Stephen Henson"
<openssl-dev-bounces at openssl.org on behalf of steve at openssl.org> wrote:

>The reason for that is because the -engine option sets the ENGINE to use
>for
>everything and the PKCS#11 ENGINE doesn't support that public key method.

I’m afraid I don’t understand. What good is a PKCS#11 engine if it doesn’t
support at least “sign” and “decrypt” methods?

>What we need is a way to load the private key from an ENGINE but not
>attempt
>to use that for the actual operations.

Could you please clarify what you mean by “load the private key”?

>Temporary fix is to set the second argument in EVP_PKEY_CTX_new to NULL
>in pkeyutl.c

With your proposed (temporary) fix, the signature both generated and
verified successfully (see below). Could I ask to push this fix to the
master, and maybe/hopefully to 1_0_2 branch?

$ apps/openssl version
OpenSSL 1.0.2f-dev xx XXX xxxx (Library: OpenSSL 1.0.2e 3 Dec 2015)
$ LOAD_CERT_CTRL=true VERBOSE=7 apps/openssl pkeyutl -engine pkcs11 -sign
-keyform engine -inkey
"pkcs11:object=SIGN%20key;object-type=private;pin-value=123456" -out
~/src/OpenSC/engine_pkcs11/config.status.sig -in
~/src/OpenSC/engine_pkcs11/config.status.hash
engine "pkcs11" set.
$ apps/openssl pkeyutl -verify -pubin -inkey
~/src/OpenSC/engine_pkcs11/pub.key -sigfile
~/src/OpenSC/engine_pkcs11/config.status.sig -in
~/src/OpenSC/engine_pkcs11/config.status.hash
Signature Verified Successfully
$


Thanks!