[openssl-users] openssl ca pkcs11 UI_set_result_ex:result too large:crypto/ui/ui_lib.c:910:You must type in 4 to 32 characters

Richard Levitte levitte at openssl.org
Tue Oct 16 08:23:06 UTC 2018


I'm curious about this error line from the 'openssl ca' output:

> 140735853761408:error:28078064:UI routines:UI_set_result_ex:result too large:crypto/ui/ui_lib.c:910:You must type in 4 to 32 characters

It should be interesting to try and figure out what pass phrase was
passed and where it came from.  I'm afraid that's a debugging session.

Cheers,
Richard

In message <CANtcRX50e0bEwbG=U7L5bKif1StaEEny-01Bq7OfoO0xFvFC9Q at mail.gmail.com> on Tue, 16 Oct 2018 09:54:08 +0200, Peter Magnusson <blaufish.public.email at gmail.com> said:

> The error can be worked around by entering PIN = "..." into [pkcs11_section].
> pkcs11 engine version is libp11-0.4.9.
> Anyone know if this is a 1) libp11 issue or 2) openssl issue or 3) me
> doing something wrong?
> On Mon, Oct 15, 2018 at 5:40 PM Peter Magnusson
> <blaufish.public.email at gmail.com> wrote:
> >
> > Hi,
> >
> > I'm trying to understand how to make "openssl ca" prompt for a PKCS#11
> > login pin. Version is openssl-1.1.1.
> >
> > openssl req works as I would expect, prompting for PIN:
> >
> > YUBIHSM_PKCS11_CONF=yubihsm2-pkcs11.conf \
> > local-build/bin/openssl \
> >  req -config yubihsm2-openssl.conf -new \
> >  -engine pkcs11 -keyform engine -key slot_0-label_ca_key -out certs.dir/ca.csr.pem
> > engine "pkcs11" set.
> > Enter PKCS#11 token PIN for YubiHSM:
> >
> > openssl ca I fail to get working, no prompt presented, tried adding
> > -passin stdin but that has no effect.
> >
> > YUBIHSM_PKCS11_CONF=yubihsm2-pkcs11.conf \
> >  local-build/bin/openssl ca -passin stdin -engine pkcs11 -keyform engine -key "pkcs11:token=YubiHSM;object=ca_key;type=private" \
> >  -config yubihsm2-openssl.conf \
> >  -days 3650 -extensions vpn_server_cert \
> >  -out server.cert.pem \
> >  -infiles ../server/certs.dir/server.csr.pem
> > engine "pkcs11" set.
> > Using configuration from yubihsm2-openssl.conf
> > Login failed
> > Login to token failed, returning NULL...
> > PKCS11_get_private_key returned NULL
> > cannot load CA private key from engine
> > 140735853761408:error:28078064:UI routines:UI_set_result_ex:result too large:crypto/ui/ui_lib.c:910:You must type in 4 to 32 characters
> > 140735853761408:error:82074007:PKCS#11 module:pkcs11_login:Invalid arguments:p11_slot.c:240:
> > 140735853761408:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:crypto/engine/eng_pkey.c:78:
> > unable to load CA private key
> >
> > Best Regards
> > //P
> 
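
For triage of the error queue quoted in this thread, here is an added example (not code from either poster, OpenSSL or libp11) that parses the three error lines and splits each packed code into its library, function and reason numbers. It assumes the OpenSSL 1.1.x code layout (8 bits library, 12 bits function, 12 bits reason), matching the openssl-1.1.1 version named in the thread; the function names `unpack`, `parse_queue` and `root_cause` are chosen for this example.

```python
import re

# Error-queue lines from the 'openssl ca' output quoted in the thread,
# with the e-mail line wrapping undone.
SAMPLE = """\
Login failed
140735853761408:error:28078064:UI routines:UI_set_result_ex:result too large:crypto/ui/ui_lib.c:910:You must type in 4 to 32 characters
140735853761408:error:82074007:PKCS#11 module:pkcs11_login:Invalid arguments:p11_slot.c:240:
140735853761408:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:crypto/engine/eng_pkey.c:78:
unable to load CA private key
"""

# thread-id:error:code:library:function:reason:file:line:optional-data
LINE_RE = re.compile(
    r"^(?P<tid>\w+):error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):"
    r"(?P<func>[^:]*):(?P<reason>[^:]*):(?P<file>[^:]*):(?P<line>\d+):(?P<data>.*)$"
)

def unpack(code_hex):
    """Split a 1.1.x packed error code into (library, function, reason)."""
    code = int(code_hex, 16)
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def parse_queue(text):
    """Return one dict per error line, in printed order (earliest error first)."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # plain tool output such as 'Login failed'
        e = m.groupdict()
        e["lib_no"], e["func_no"], e["reason_no"] = unpack(e["code"])
        e["line"] = int(e["line"])
        entries.append(e)
    return entries

def root_cause(text):
    """The first queued error is the one raised first; later ones are fallout."""
    entries = parse_queue(text)
    return entries[0] if entries else None

if __name__ == "__main__":
    for e in parse_queue(SAMPLE):
        print(f'lib={e["lib_no"]:<4} func={e["func_no"]:<4} reason={e["reason_no"]:<4}'
              f' {e["lib"]} / {e["func"]}: {e["reason"]} {e["data"]}')
```

For codes raised by OpenSSL's built-in libraries, `openssl errstr 28078064` prints the same decoded strings.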

