[openssl-dev] openssl pkeyutl unable to use keys on a PKCS11 token?

Blumenthal, Uri - 0553 - MITLL uri at ll.mit.edu
Fri Dec 18 16:40:30 UTC 2015


> "The key ID is not a valid PKCS#11 URI as defined by"
> comes from the OpenSC engine code in ./engine_pkcs11.c

Got it, thanks!

> looks like type or object-type= will be ignored, but must be cert or private,
> but if it's not, rv may not be set correctly: …
> 
> Try removing the "object-type=public" in your tests.

Replacing the URL to point at a certificate instead of the pub key, and/or
omitting the "object-type=" altogether did not change the error message.
It is still "Unable to load key file".

I suspect (Doug and Nikos, please correct me if I'm wrong!) that since many
tokens (mine certainly) do not perform operations with the public keys, when
a public key on the token is referred to, it needs to be retrieved and
processed entirely in software. So the key needs to be retrieved from the
card, and passed to the other components of pkeyutl, rsautl, or dgst...

What would be a good location in the code for that addition?

Thanks!

> On 12/17/2015 4:06 PM, Blumenthal, Uri - 0553 - MITLL wrote:
>> I’m playing with RSA-PSS and PKCS11 engine (in OpenSSL, of course :).
>> 
>> This works:
>> 
>> $ openssl dgst -engine pkcs11 -keyform engine -sign
>> "pkcs11:object=SIGN%20key;object-type=private;pin-value=123456" -sha256
>> -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 -out sig1.out
>> ~/src/wtls-verifier
>> engine "pkcs11" set.
>> $ pkcs15-tool --read-public-key 02 -o 02.pem
>> Using reader with a card: Yubico Yubikey NEO OTP+U2F+CCID
>> Please enter PIN [PIV Card Holder pin]:
>> $ openssl dgst -keyform PEM -verify 02.pem -sha256 -sigopt
>> rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 -signature sig1.out
>> ~/src/wtls-verifier
>> Verified OK
>> $
>> 
>> 
>> But this doesn’t:
>> 
>> $ openssl dgst -engine pkcs11 -keyform engine -verify
>> "pkcs11:object=SIGN%20pubkey;object-type=public" -sha256 -sigopt
>> rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 -signature sig1.out
>> ~/src/wtls-verifier
>> engine "pkcs11" set.
>> The key ID is not a valid PKCS#11 URI as defined by
>> RFC7512.
>> PKCS11_load_public_key returned NULL
>> unable to load key file
>> $ 
>> 
>> 
>> 
>> And this one doesn’t either:
>> 
>> $ openssl dgst -engine pkcs11 -keyform engine -verify
>> "pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=6d87283aaed2e
>> 6a5;token=PIV_II%20%28PIV%20Card%20Holder%20pin%29;id=%02;object=SIGN%20pub
>> key;object-type=public" -sha256 -sigopt rsa_padding_mode:pss -sigopt
>> rsa_pss_saltlen:-1 -signature sig1.out ~/src/wtls-verifier
>> engine "pkcs11" set.
>> The key ID is not a valid PKCS#11 URI as defined by
>> RFC7512.
>> PKCS11_load_public_key returned NULL
>> unable to load key file
>> 
>> 
>> $ openssl dgst -engine pkcs11 -keyform engine -verify
>> "pkcs11:object=SIGN%20pubkey;type=public" -sha256 -sigopt
>> rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 -signature sig1.out
>> ~/src/wtls-verifier
>> engine "pkcs11" set.
>> The key ID is not a valid PKCS#11 URI as defined by
>> RFC7512.
>> PKCS11_load_public_key returned NULL
>> unable to load key file
>> 
>> 
>> Is it a bug, or what am I doing wrong?
>> 
>> Thanks!
>> 
>>  
>> _______________________________________________
>> openssl-dev mailing list
>> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
> 
> -- 
> 
>  Douglas E. Engert  <DEEngert at gmail.com> <mailto:DEEngert at gmail.com>
>  
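As an added illustration (my own Python, not the libp11/engine_pkcs11 parser and not code posted by anyone in this thread): a strict RFC 7512 parser that percent-decodes attribute values, keeps `id` as raw CKA_ID bytes, checks the permitted values of `type`, and reports attribute names that are not among the standard ones, such as the `object-type` name used in the commands above. The attribute lists follow RFC 7512 section 2.3; the function names, the `Pkcs11UriError` class and the wording of the notes are my own, and a clean parse here says nothing about what the engine in question will accept.

```python
"""Strict RFC 7512 PKCS#11 URI parser (added illustration, not libp11's code)."""
import re
from urllib.parse import unquote, unquote_to_bytes

# Attribute names defined by RFC 7512, section 2.3, split by URI section.
PATH_ATTRS = frozenset({
    "token", "manufacturer", "serial", "model", "library-manufacturer",
    "library-version", "library-description", "object", "type", "id",
    "slot-manufacturer", "slot-description", "slot-id",
})
QUERY_ATTRS = frozenset({"pin-source", "pin-value", "module-name", "module-path"})
# Permitted values of the "type" attribute (RFC 7512, section 2.3).
TYPE_VALUES = frozenset({"public", "private", "cert", "secret-key", "data"})

# A '%' must always introduce exactly two hex digits.
_BAD_PCT = re.compile(r"%(?![0-9A-Fa-f]{2})")


class Pkcs11UriError(ValueError):
    """Raised when the string is not a syntactically valid PKCS#11 URI."""


def _parse_section(segment, separator, known, section):
    """Split one section into {name: value}; return (attrs, non_standard_names)."""
    attrs, non_standard = {}, []
    if not segment:
        return attrs, non_standard
    for pair in segment.split(separator):
        if "=" not in pair:
            raise Pkcs11UriError(f"{section} attribute {pair!r} has no '='")
        name, raw = pair.split("=", 1)
        if _BAD_PCT.search(raw):
            raise Pkcs11UriError(f"bad percent-encoding in {name!r}: {raw!r}")
        if name in attrs:
            raise Pkcs11UriError(f"duplicate {section} attribute {name!r}")
        # "id" is binary (CKA_ID); every other value is UTF-8 text after decoding.
        attrs[name] = unquote_to_bytes(raw) if name == "id" else unquote(raw)
        if name not in known:
            # Vendor attribute, or a standard name placed in the wrong section.
            non_standard.append(name)
    return attrs, non_standard


def parse_pkcs11_uri(uri):
    """Parse uri into {"path": {...}, "query": {...}, "non_standard": [...]}."""
    scheme, sep, rest = uri.partition(":")
    if not sep or scheme.lower() != "pkcs11":
        raise Pkcs11UriError("URI must start with the 'pkcs11:' scheme")
    path, _, query = rest.partition("?")
    path_attrs, ns_path = _parse_section(path, ";", PATH_ATTRS, "path")
    query_attrs, ns_query = _parse_section(query, "&", QUERY_ATTRS, "query")
    if "type" in path_attrs and path_attrs["type"] not in TYPE_VALUES:
        raise Pkcs11UriError(
            f"type={path_attrs['type']!r} is not one of {sorted(TYPE_VALUES)}")
    return {"path": path_attrs, "query": query_attrs,
            "non_standard": ns_path + ns_query}


def key_lookup_warnings(uri):
    """Notes on things a strict object lookup would trip over (my wording)."""
    path = parse_pkcs11_uri(uri)["path"]
    notes = []
    if "object-type" in path:
        notes.append("'object-type' is not an RFC 7512 attribute; the name is 'type'")
    if "type" not in path:
        notes.append("no 'type' attribute: object class is unspecified")
    if "object" not in path and "id" not in path:
        notes.append("neither 'object' (label) nor 'id' (CKA_ID) given")
    if "pin-value" in path:
        notes.append("'pin-value' belongs in the query section (after '?')")
    return notes


if __name__ == "__main__":
    # Constructed inputs: the URIs quoted in this thread, plus one malformed one.
    for u in ("pkcs11:object=SIGN%20key;object-type=private;pin-value=123456",
              "pkcs11:object=SIGN%20pubkey;type=public",
              "pkcs11:object=SIGN%2Gkey"):
        try:
            print(u, "->", parse_pkcs11_uri(u), key_lookup_warnings(u))
        except Pkcs11UriError as exc:
            print(u, "-> invalid:", exc)
```

Run over the first URI in the thread, `key_lookup_warnings` reports `object-type` as non-standard and `pin-value` as a query-section attribute placed in the path; the `...;type=public` URI parses cleanly under this strict grammar, which matches the observation above that removing `object-type` alone did not change the engine's error.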



