[openssl-dev] openssl pkeyutl unable to use keys on a PKCS11 token?

Blumenthal, Uri - 0553 - MITLL uri at ll.mit.edu
Thu Dec 17 22:06:20 UTC 2015


I’m playing with RSA-PSS and PKCS11 engine (in OpenSSL, of course :).

This works:

$ openssl dgst -engine pkcs11 -keyform engine \
    -sign "pkcs11:object=SIGN%20key;object-type=private;pin-value=123456" \
    -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 \
    -out sig1.out ~/src/wtls-verifier
engine "pkcs11" set.
$ pkcs15-tool --read-public-key 02 -o 02.pem
Using reader with a card: Yubico Yubikey NEO OTP+U2F+CCID
Please enter PIN [PIV Card Holder pin]:
$ openssl dgst -keyform PEM -verify 02.pem -sha256 \
    -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 \
    -signature sig1.out ~/src/wtls-verifier
Verified OK
$


But this doesn’t:

$ openssl dgst -engine pkcs11 -keyform engine \
    -verify "pkcs11:object=SIGN%20pubkey;object-type=public" \
    -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 \
    -signature sig1.out ~/src/wtls-verifier
engine "pkcs11" set.
The key ID is not a valid PKCS#11 URI as defined by
RFC7512.
PKCS11_load_public_key returned NULL
unable to load key file
$



And this one doesn’t either:

$ openssl dgst -engine pkcs11 -keyform engine \
    -verify "pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=6d87283aaed2e6a5;token=PIV_II%20%28PIV%20Card%20Holder%20pin%29;id=%02;object=SIGN%20pubkey;object-type=public" \
    -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 \
    -signature sig1.out ~/src/wtls-verifier
engine "pkcs11" set.
The key ID is not a valid PKCS#11 URI as defined by
RFC7512.
PKCS11_load_public_key returned NULL
unable to load key file


$ openssl dgst -engine pkcs11 -keyform engine \
    -verify "pkcs11:object=SIGN%20pubkey;type=public" \
    -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 \
    -signature sig1.out ~/src/wtls-verifier
engine "pkcs11" set.
The key ID is not a valid PKCS#11 URI as defined by
RFC7512.
PKCS11_load_public_key returned NULL
unable to load key file


Is it a bug, or what am I doing wrong?

Thanks!
-- 
Regards,
Uri Blumenthal



On 12/10/15, 17:17 , "openssl-dev on behalf of Blumenthal, Uri - 0553 -
MITLL" <openssl-dev-bounces at openssl.org on behalf of uri at ll.mit.edu> wrote:
>On 12/10/15, 16:56 , "openssl-dev on behalf of Dr. Stephen Henson"
><openssl-dev-bounces at openssl.org on behalf of steve at openssl.org> wrote:
>
>>>>Temporary fix is to set the second argument in EVP_PKEY_CTX_new to NULL
>>>>in pkeyutl.c
>>> 
>>> With your proposed (temporary) fix, the signature both generated and
>>> verified successfully (see below). Could I ask to push this fix to the
>>> master, and maybe/hopefully to 1_0_2 branch?
>>> 
>>
>>As I indicated, the fix I suggested is temporary. Sometimes a user will
>>want that behaviour, so we'd need a new command line option indicating the
>>private key engine only.
>
>Ideally engine_pkcs11 should do it automatically, but I see your point.
>Perhaps the code in pkeyutl.c could check if (a) engine is set, and (b)
>the engine is PKCS11? And if so - automatically do the right thing? Do you
>envision other engines with similar needs? My assumption was that the only
>engine that talks to smart cards is pkcs11...
>
>In the meanwhile, in your opinion should rsautl need a similar patch, or
>would it work out of box, like dgst did?
>
>Thank you!
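Editor's note (added example, not part of the thread and not libp11 or
engine_pkcs11 code): the error message above says the key ID is not an
RFC 7512 URI, so it helps to have an offline check of what the RFC actually
accepts. RFC 7512 spells the object-class attribute "type" (values public,
private, cert, secret-key, data); "object-type" is the spelling from the
pre-RFC drafts. It also puts pin-value, pin-source, module-name and
module-path in the query component (after "?"), not in the ";"-separated
path, and treats "id" as an opaque byte string after percent-decoding. The
parser below flags those points and can re-serialise a URI in RFC form. It
is stricter than the RFC grammar in one respect: it reports attribute names
outside the standard set, which the RFC permits as vendor-specific. Note
that the last failing URI in the post already uses "type=public", so this
check alone does not explain that failure. All URIs in the test are copies
of the ones in this mail, and the helper names are my own.

```python
"""Parse and validate PKCS#11 URIs against RFC 7512 (standalone example)."""
import re
from urllib.parse import quote, unquote, unquote_to_bytes

# Attribute names defined by RFC 7512 (section 2.3 path, section 2.4 query).
PATH_ATTRS = {
    "token", "manufacturer", "serial", "model", "library-manufacturer",
    "library-description", "library-version", "object", "type", "id",
    "slot-manufacturer", "slot-description", "slot-id",
}
QUERY_ATTRS = {"pin-source", "pin-value", "module-name", "module-path"}
TYPE_VALUES = {"public", "private", "cert", "secret-key", "data"}
# Spelling used by the pre-RFC drafts -> name adopted in RFC 7512.
DRAFT_NAMES = {"object-type": "type"}
# Every '%' must be followed by exactly two hex digits.
_PCT_OK = re.compile(r"(?:[^%]|%[0-9A-Fa-f]{2})*")


class Pkcs11UriError(ValueError):
    """Raised only when the string is not a pkcs11: URI at all."""


def _parse_component(component, sep, where, problems):
    """Split one URI component into {name: decoded value}; deviations from
    RFC 7512 are appended to `problems` rather than raised."""
    if where == "path":
        allowed, other_allowed, other = PATH_ATTRS, QUERY_ATTRS, "query"
    else:
        allowed, other_allowed, other = QUERY_ATTRS, PATH_ATTRS, "path"
    attrs = {}
    if component == "":
        return attrs
    for part in component.split(sep):
        name, eq, raw = part.partition("=")
        if not eq or not name:
            problems.append(f"{where}: malformed attribute {part!r}")
            continue
        if name in DRAFT_NAMES:
            problems.append(f"{where}: '{name}' is the draft spelling; "
                            f"RFC 7512 uses '{DRAFT_NAMES[name]}'")
        elif name in other_allowed:
            problems.append(f"{where}: '{name}' belongs in the {other} component")
        elif name not in allowed:
            # Stricter than the RFC grammar, which allows vendor attributes.
            problems.append(f"{where}: '{name}' is not an RFC 7512 standard attribute")
        if name in attrs:
            problems.append(f"{where}: attribute '{name}' repeated")
        if not _PCT_OK.fullmatch(raw):
            problems.append(f"{where}: '{name}' has a bad percent-escape")
        # 'id' is CKA_ID, an opaque byte string; other values are UTF-8 text.
        attrs[name] = unquote_to_bytes(raw) if name == "id" else unquote(raw)
    return attrs


def parse_pkcs11_uri(uri):
    """Return (path_attrs, query_attrs, problems); empty problems == RFC-clean."""
    if not uri.startswith("pkcs11:"):
        raise Pkcs11UriError("not a pkcs11: URI")
    path, _, query = uri[len("pkcs11:"):].partition("?")
    problems = []
    path_attrs = _parse_component(path, ";", "path", problems)
    query_attrs = _parse_component(query, "&", "query", problems)
    obj_type = path_attrs.get("type")
    if obj_type is not None and obj_type not in TYPE_VALUES:
        problems.append(f"path: type={obj_type!r} not in {sorted(TYPE_VALUES)}")
    return path_attrs, query_attrs, problems


def to_rfc7512(uri):
    """Re-serialise a (possibly draft-style) URI in RFC 7512 form: draft names
    renamed, pin/module attributes moved behind '?', values percent-encoded."""
    path_attrs, query_attrs, _ = parse_pkcs11_uri(uri)
    path, query = [], []
    for name, value in list(path_attrs.items()) + list(query_attrs.items()):
        name = DRAFT_NAMES.get(name, name)
        (query if name in QUERY_ATTRS else path).append((name, value))

    def enc(value):  # quote() accepts both str and bytes (for 'id')
        return quote(value, safe="")

    out = "pkcs11:" + ";".join(f"{n}={enc(v)}" for n, v in path)
    if query:
        out += "?" + "&".join(f"{n}={enc(v)}" for n, v in query)
    return out


if __name__ == "__main__":
    # The URIs from this mail, as they were typed (constructed test input).
    for u in (
        "pkcs11:object=SIGN%20key;object-type=private;pin-value=123456",
        "pkcs11:object=SIGN%20pubkey;object-type=public",
        "pkcs11:object=SIGN%20pubkey;type=public",
    ):
        _, _, probs = parse_pkcs11_uri(u)
        print(u, "->", probs or "RFC 7512 clean", "|", to_rfc7512(u))
```

Running it reports the draft "object-type" and the misplaced pin-value for
the first URI and rewrites it as
pkcs11:object=SIGN%20key;type=private?pin-value=123456, while the
"type=public" form passes clean; whatever engine_pkcs11 dislikes about that
one is therefore not a URI-syntax issue this check can see.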