[openssl-users] Softhsm + engine_pkcs11 + openssl with EC keys fail.

Paras Shah (parashah) parashah at cisco.com
Mon Sep 17 22:15:08 UTC 2018


That is not it. It results in the same error for the EC key.



It is not the URL or the ID, because for an RSA key in the softhsm with id = 3333, it works fine with a URL containing id=%33%33.



$ openssl pkey -in "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=6a160d52b750862f;token=token%202.5.0-rc1;id=%33%33;object=rsa%20key;type=private" -engine pkcs11 -inform ENGINE
engine "pkcs11" set.
Enter PKCS#11 token PIN for token 2.5.0-rc1:
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----



Coming back to the EC key, looking at the error logs emitted, it does seem to recognize it as EC (the logs contain EC_routines) somehow, but then fails.



On 9/17/18, 2:22 PM, "openssl-users on behalf of Richard Levitte" <openssl-users-bounces at openssl.org on behalf of levitte at openssl.org> wrote:



    In message <4AC69FC3-BEC7-46F6-882A-671196FC0156 at contoso.com> on Mon, 17 Sep 2018 20:59:59 +0000, "Paras Shah (parashah)" <parashah at cisco.com> said:



    > 4. Import the key into softhsm

    >

    > []:~$ softhsm2-util --import ~/tmp/secp256k1-key.pem.pkcs8 --label "ec key" --id 1111 --token

    > "token 2.5.0-rc1"



    Ok, so here, the ID is "1111"



    > 5. Get the pkcs11 url for the private key

    >

    > []:~$ p11tool --login --provider=/usr/local/lib/softhsm/libsofthsm2.so --set-pin=1111 --list-all

    >

    > Object 0:

    >

    > URL:

    > pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=6a160d52b750862f;token=token%202.5.0-rc1;id=%11%11;object=ec%20key;type=private



    But here, the ID is "%11%11", and since those get percent decoded,

    that's actually two vertical tabs, or with C vector syntax,

    { 0x0b, 0x0b }



    I'm not sure what engine-pkcs11 asks of you otherwise, but one guess

    could be to change 'id=%11%11' to 'id=1111' in that URL and try again.



    Cheers,

    Richard



    --

    Richard Levitte         levitte at openssl.org

    OpenSSL Project         http://www.openssl.org/~levitte/

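As an added illustration, not code from the thread or from any of the projects named in it, the Python below decodes the id attribute of the PKCS#11 URIs quoted above the way RFC 7512 specifies (percent-encoded bytes) and compares it with the CKA_ID bytes that softhsm2-util derives from its --id argument, which it documents as hexadecimal. The helper names and the one-attribute-per-semicolon parser are mine.

```python
from urllib.parse import unquote_to_bytes

# URIs copied from the thread above (EC object from p11tool, RSA object from the openssl command).
EC_URI = ("pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=6a160d52b750862f;"
          "token=token%202.5.0-rc1;id=%11%11;object=ec%20key;type=private")
RSA_URI = ("pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=6a160d52b750862f;"
           "token=token%202.5.0-rc1;id=%33%33;object=rsa%20key;type=private")


def pkcs11_uri_attrs(uri: str) -> dict:
    """Parse the path component of a pkcs11: URI into {attribute: raw bytes}.

    RFC 7512 path attributes are ';'-separated name=value pairs whose values are
    percent-encoded; decoding yields the exact bytes the token stores (e.g. CKA_ID).
    The query part (pin-value, module-path, ...) is not needed here and is dropped.
    """
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path = uri[len("pkcs11:"):].split("?", 1)[0]
    attrs = {}
    for part in path.split(";"):
        if part:
            name, _, value = part.partition("=")
            attrs[name] = unquote_to_bytes(value)
    return attrs


def cka_id_from_softhsm_arg(hex_id: str) -> bytes:
    """softhsm2-util --id takes hex digits, so '--id 1111' stores CKA_ID = 0x11 0x11."""
    return bytes.fromhex(hex_id)


def id_uri_component(cka_id: bytes) -> str:
    """Percent-encode every byte of a CKA_ID for the id= attribute (what p11tool prints)."""
    return "".join(f"%{b:02X}" for b in cka_id)


def id_matches(uri: str, softhsm_hex_id: str) -> bool:
    """True if the URI's id= bytes equal the CKA_ID softhsm2-util created from --id."""
    return pkcs11_uri_attrs(uri).get("id") == cka_id_from_softhsm_arg(softhsm_hex_id)


if __name__ == "__main__":
    for label, uri, hex_id in (("EC", EC_URI, "1111"), ("RSA", RSA_URI, "3333")):
        print(label, pkcs11_uri_attrs(uri)["id"].hex(), "matches --id", hex_id, id_matches(uri, hex_id))
    # Rewriting id=%11%11 as id=1111 selects the ASCII bytes 31 31 31 31, a different object.
    print("id=1111 matches --id 1111:", id_matches(EC_URI.replace("id=%11%11", "id=1111"), "1111"))
```

Run as-is it reports that both quoted URIs carry the same id bytes softhsm2-util stored, and that the literal id=1111 spelling would not.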

