[openssl-dev] openssl cms unable to access keys on token?

Blumenthal, Uri - 0553 - MITLL uri at ll.mit.edu
Mon Mar 14 21:28:45 UTC 2016


You are right - the command line was wrong. Here’s the correct line, which
should work, but doesn’t:

$ openssl cms -engine pkcs11 -aes256 -encrypt -in data.txt -binary
-outform PEM -out data.txt.enc
"pkcs11:object=Certificate%20for%20Key%20Management;object-type=cert"
engine "pkcs11" set.
Error opening recipient certificate file
pkcs11:object=Certificate%20for%20Key%20Management;object-type=cert
140735201178448:error:02001002:system library:fopen:No such file or
directory:bss_file.c:398:fopen('pkcs11:object=Certificate%20for%20Key%20Man
agement;object-type=cert','r')
140735201178448:error:20074002:BIO routines:FILE_CTRL:system
lib:bss_file.c:400:
unable to load certificate
$ openssl cms -engine pkcs11 -aes256 -encrypt -in data.txt -binary
-outform PEM -out data.txt.enc token.cert.pem
engine "pkcs11" set.
$
And yes, it’s about time for OpenSSL to incorporate proper support for
PKCS#11.
--
Regards,
Uri Blumenthal
On 3/14/16, 17:08, "David Woodhouse" <dwmw2 at infradead.org> wrote:

>On Mon, 2016-03-14 at 19:27 +0000, Blumenthal, Uri - 0553 - MITLL
>wrote:
>> $ openssl cms -engine pkcs11 -aes256 -encrypt -binary -in data.txt
>> -outform engine "pkcs11:object=KEY%20MAN%20pubkey;object-type=public"
>
>That isn't what -outform does. It controls the output format of the
>encrypted result:
>
>$ openssl cms -aes256 -encrypt -binary -in data.txt -outform PEM cert.pem
>-----BEGIN CMS-----
>MIICIgYJKoZIhvcNAQcDoIICEzCCAg8CAQAxggHKMIIBxgIBADCBrTCBpzELMAkG
>...
>
>There is no option which makes it obtain the *certificate* (to which it
>is encrypting the CMS message) from an engine. There isn't even a
>standard way for an engine to provide such functionality — the PKCS#11
>engine currently exposes it only with a custom "LOAD_CERT_CTRL"
>command.
>
>This is just one of many reasons why libp11/engine_pkcs11 needs to die
>as a separate project, and we need to incorporate proper PKCS#11
>support into OpenSSL natively.
>
>-- 
>David Woodhouse                            Open Source Technology Centre
>David.Woodhouse at intel.com                              Intel Corporation
>
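As the reply above explains, `openssl cms -encrypt` takes its recipient certificate from a file, while the pkcs11 engine can supply only the private key (or a certificate through its custom "LOAD_CERT_CTRL" command). The script below is an added example, not code from either poster: it exports the certificate from the token once (assuming OpenSC's pkcs11-tool and engine_pkcs11; the object label and PKCS#11 URI are placeholders), encrypts to that file, keeps the private key on the token for decryption, and includes a software-only round trip that needs no token.

```shell
#!/bin/sh
# Added example (not from the thread). Recipient certificates for
# `openssl cms -encrypt` are read from files, so the workaround is to
# export the certificate from the token once, encrypt to that file, and
# use the engine only for the private key when decrypting.
# Assumes OpenSC's pkcs11-tool and engine_pkcs11 are installed.

# Export a certificate object from the token to a PEM file.
# pkcs11-tool writes DER; openssl x509 converts it to PEM.
export_token_cert() {   # export_token_cert "<object label>" out.pem
    tmp=$(mktemp)
    pkcs11-tool --read-object --type cert --label "$1" --output-file "$tmp"
    openssl x509 -inform DER -in "$tmp" -out "$2"
    rm -f "$tmp"
}

# Encrypt a file to a recipient certificate given as a PEM file.
cms_encrypt_to_cert() {   # cms_encrypt_to_cert recip.pem plain.txt out.pem
    openssl cms -encrypt -aes256 -binary -in "$2" -outform PEM -out "$3" "$1"
}

# Decrypt with the private key still on the token: the key comes via the
# engine, but the matching recipient certificate is a plain file.
cms_decrypt_with_token() {  # cms_decrypt_with_token "pkcs11:..." recip.pem in.pem out.txt
    openssl cms -decrypt -engine pkcs11 -keyform engine -inkey "$1" \
        -recip "$2" -inform PEM -in "$3" -out "$4"
}

# Software round trip (no token needed): generate a throwaway key/cert,
# encrypt, decrypt with the file-based key, compare. Returns 0 on success.
cms_roundtrip_selftest() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=cms test" \
        -keyout "$d/key.pem" -out "$d/cert.pem" -days 1 2>/dev/null
    printf 'constructed sample plaintext\n' > "$d/plain.txt"
    cms_encrypt_to_cert "$d/cert.pem" "$d/plain.txt" "$d/enc.pem"
    openssl cms -decrypt -inkey "$d/key.pem" -recip "$d/cert.pem" \
        -inform PEM -in "$d/enc.pem" -out "$d/dec.txt"
    if cmp -s "$d/plain.txt" "$d/dec.txt"; then rc=0; else rc=1; fi
    rm -rf "$d"
    return $rc
}

# Token workflow (placeholder label/URI; adjust to your token):
#   export_token_cert "Certificate for Key Management" token.cert.pem
#   cms_encrypt_to_cert token.cert.pem data.txt data.txt.enc
#   cms_decrypt_with_token "pkcs11:object=KEY%20MAN;object-type=private" \
#       token.cert.pem data.txt.enc data.txt.dec
```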