[openssl-dev] openssl pkeyutl unable to use keys on a PKCS11 token?

Paweł Witas pw178860 at gmail.com
Fri Dec 11 11:57:44 UTC 2015


Hello again.
I implemented this "temporary fix" in OpenSSL dynamically linked library
and engine_pkcs11.dll (with statically linked OpenSSL) and libp11-2.dll
(with statically linked OpenSSL), all compiled by mingw.
Unfortunately OpenSSL started crashing during my test key operations:

openssl req -engine pkcs11 -new -key slot_0-id_d7f4b99792cc4dd708e408d3eb91b566e0a06c02 -keyform engine -x509 -out req.pem -text -days 365 -subj "/C=PL/ST=woj./L=miejscowosc/O=firma/OU=dzial/CN=nazwisko/emailAddress=ktos at domena.pl"

openssl x509 -engine pkcs11 -signkey slot_0-id_d7f4b99792cc4dd708e408d3eb91b566e0a06c02 -keyform engine -in req.pem -out test.pem

When I reverted this fix, OpenSSL stopped crashing and the above operations
succeeded.
So this fix is unacceptable for me.

Regards
Pawel

On Thu, Dec 10, 2015 at 6:32 PM, Dr. Stephen Henson <steve at openssl.org>
wrote:

> On Thu, Dec 10, 2015, Blumenthal, Uri - 0553 - MITLL wrote:
>
> > Much better now - but at this time I hit "unsupported algorithm". The key
> > in question is RSA-2048, with SHA256.
> >
> > $ LOAD_CERT_CTRL=true VERBOSE=7 openssl pkeyutl -engine pkcs11 -sign -keyform engine -inkey "pkcs11:object=SIGN%20key;object-type=private;pin-value=123456" -out config.status.sig -in config.status.hash
> > engine "pkcs11" set.
> > Error initializing context
> > 140735296230224:error:260C0065:engine routines:ENGINE_get_pkey_meth:unimplemented public key method:tb_pkmeth.c:128:
> > 140735296230224:error:0609D09C:digital envelope routines:INT_CTX_NEW:unsupported algorithm:pmeth_lib.c:164:
>
> The reason for that is because the -engine option sets the ENGINE to use for
> everything and the PKCS#11 ENGINE doesn't support that public key method.
>
> What we need is a way to load the private key from an ENGINE but not attempt
> to use that for the actual operations. Temporary fix is to set the second
> argument in EVP_PKEY_CTX_new to NULL in pkeyutl.c
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org