[openssl-dev] openssl pkeyutl unable to use keys on a PKCS11 token?

Paweł Witas pw178860 at gmail.com
Fri Dec 11 13:49:18 UTC 2015


Hmm, please ignore my previous post. I did this test again and it works; it
was interference from an OpenSSL compiled by VS2012, which installed itself
in my test directory.

On Fri, Dec 11, 2015 at 12:57 PM, Paweł Witas <pw178860 at gmail.com> wrote:

> Hello again.
> I implemented this "temporary fix" in OpenSSL dynamically linked library
> and engine_pkcs11.dll (with statically linked OpenSSL) and libp11-2.dll
> (with statically linked OpenSSL), all compiled by mingw.
> Unfortunately OpenSSL started crashing during my test key operations:
>
> openssl req -engine pkcs11 -new -key
> slot_0-id_d7f4b99792cc4dd708e408d3eb91b566e0a06c02 -keyform engine -x509
> -out req.pem -text -days 365 -subj
> "/C=PL/ST=woj./L=miejscowosc/O=firma/OU=dzial/CN=nazwisko/emailAddress=
> ktos at domena.pl"
>
> openssl x509 -engine pkcs11 -signkey
> slot_0-id_d7f4b99792cc4dd708e408d3eb91b566e0a06c02 -keyform engine -in
> req.pem -out test.pem
>
> When I reverted this fix, OpenSSL stopped crashing and above operations
> succeeded.
> So this fix is unacceptable for me.
>
> Regards
> Pawel
>
> On Thu, Dec 10, 2015 at 6:32 PM, Dr. Stephen Henson <steve at openssl.org>
> wrote:
>
>> On Thu, Dec 10, 2015, Blumenthal, Uri - 0553 - MITLL wrote:
>>
>> > Much better now - but at this time I hit "unsupported algorithm". The key
>> > in question is RSA-2048, with SHA256.
>> >
>> > $ LOAD_CERT_CTRL=true VERBOSE=7 openssl pkeyutl -engine pkcs11 -sign
>> > -keyform engine -inkey
>> > "pkcs11:object=SIGN%20key;object-type=private;pin-value=123456" -out
>> > config.status.sig -in config.status.hash
>> > engine "pkcs11" set.
>> > Error initializing context
>> > 140735296230224:error:260C0065:engine
>> > routines:ENGINE_get_pkey_meth:unimplemented public key
>> > method:tb_pkmeth.c:128:
>> > 140735296230224:error:0609D09C:digital envelope
>> > routines:INT_CTX_NEW:unsupported algorithm:pmeth_lib.c:164:
>>
>> The reason for that is that the -engine option sets the ENGINE to use for
>> everything, and the PKCS#11 ENGINE doesn't support that public key method.
>>
>> What we need is a way to load the private key from an ENGINE but not
>> attempt to use that for the actual operations. A temporary fix is to set
>> the second argument in EVP_PKEY_CTX_new to NULL in pkeyutl.c
>>
>> Steve.
>> --
>> Dr Stephen N. Henson. OpenSSL project core developer.
>> Commercial tech support now available see: http://www.openssl.org
>
>