[openssl-users] openssl ca pkcs11 UI_set_result_ex:result too large:crypto/ui/ui_lib.c:910:You must type in 4 to 32 characters

Peter Magnusson blaufish.public.email at gmail.com
Tue Oct 16 08:34:31 UTC 2018 

Sorry, I am an idiot =)

Problem resolved, user error.  -key was the problem and should not be
used as I showed.

-key has a different meaning for openssl ca than for openssl req, so
my PIN was my -key argument. It got my keyfile from the openssl conf
file.
On Tue, Oct 16, 2018 at 10:23 AM Richard Levitte <levitte at openssl.org> wrote:
>
> I'm curious about this error line from the 'openssl ca' output:
>
> > 140735853761408:error:28078064:UI routines:UI_set_result_ex:result too large:crypto/ui/ui_lib.c:910:You must type in 4 to 32 characters
>
> It should be interesting to try and figure out what pass phrased was
> passed and where it came from.  I'm afraid that's a debugging session.
>
> Cheers,
> Richard
>
> In message <CANtcRX50e0bEwbG=U7L5bKif1StaEEny-01Bq7OfoO0xFvFC9Q at mail.gmail.com> on Tue, 16 Oct 2018 09:54:08 +0200, Peter Magnusson <blaufish.public.email at gmail.com> said:
>
> > The error can be workaround by entering PIN = "..." into [pkcs11_section].
> > pkcs11 engine version is libp11-0.4.9.
> > Anyone know if this a 1) libp11 issue or 2) openssl issue or 3) me
> > doing something wrong?
> > On Mon, Oct 15, 2018 at 5:40 PM Peter Magnusson
> > <blaufish.public.email at gmail.com> wrote:
> > >
> > > Hi,
> > >
> > > I'm trying to understand how to make "openssl ca" prompt for a PKCS#11
> > > login pin. Version is openssl-1.1.1.
> > >
> > > openssl req works as I would expect, prompting for PIN:
> > >
> > > YUBIHSM_PKCS11_CONF=yubihsm2-pkcs11.conf \
> > > local-build/bin/openssl \
> > >  req -config yubihsm2-openssl.conf -new \
> > >  -engine pkcs11 -keyform engine -key slot_0-label_ca_key -out
> > > certs.dir/ca.csr.pem
> > > engine "pkcs11" set.
> > > Enter PKCS#11 token PIN for YubiHSM:
> > >
> > > openssl ca I fail to get working, no prompt presented, tried adding
> > > -passin stdin but that has no effect.
> > >
> > > YUBIHSM_PKCS11_CONF=yubihsm2-pkcs11.conf \
> > >  local-build/bin/openssl ca -passin stdin -engine pkcs11 -keyform
> > > engine -key "pkcs11:token=YubiHSM;object=ca_key;type=private" \
> > >  -config yubihsm2-openssl.conf \
> > >  -days 3650 -extensions vpn_server_cert \
> > >  -out server.cert.pem \
> > >  -infiles ../server/certs.dir/server.csr.pem
> > > engine "pkcs11" set.
> > > Using configuration from yubihsm2-openssl.conf
> > > Login failed
> > > Login to token failed, returning NULL...
> > > PKCS11_get_private_key returned NULL
> > > cannot load CA private key from engine
> > > 140735853761408:error:28078064:UI routines:UI_set_result_ex:result too
> > > large:crypto/ui/ui_lib.c:910:You must type in 4 to 32 characters
> > > 140735853761408:error:82074007:PKCS#11 module:pkcs11_login:Invalid
> > > arguments:p11_slot.c:240:
> > > 140735853761408:error:26096080:engine
> > > routines:ENGINE_load_private_key:failed loading private
> > > key:crypto/engine/eng_pkey.c:78:
> > > unable to load CA private key
> > >
> > > Best Regards
> > > //P
> >
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

More information about the openssl-users mailing list