[openssl CMP with pkcs11 engine]
David von Oheimb
dev at ddvo.net
Mon Jul 12 19:53:42 UTC 2021
Hi Marc,
I just came across your message below from March, which arrived in a bit of a
weird form (I removed duplicate text sections in the quote below) and
appears unanswered - sorry for that.
It has been a while since I last used engines, but the following variant
-newkey org.openssl.engine:pkcs11:<keyid>
should work, rather than
-engine pkcs11 -keyform engine
because the latter pertains to all key options used, including -key,
which is not what you want.
HTH,
David
On 25.03.21 18:56, mbalembo wrote:
>
> Hello all,
>
>
> I'm trying to do a CMP request using openssl with a private key inside
> a pkcs11 device (on linux).
> So I'm using openssl 3.0.0 alpha 13.
>
> I did compile fine (./config --prefix=/opt/openssl enable-deprecated
> --openssldir=/usr/local/ssl -Wl,-rpath=/opt/openssl/lib),
> but I ran into trouble when compiling libp11 to get my pkcs11 engine.
> (I had a similar issue while trying to use tpm2-tss-engine.)
> I can't find a way to build openssl with the ERR_put_error() symbol.
> I know it's deprecated, so I changed the code in libp11 to use
> ERR_raise() instead, but again the symbol is also missing.
> I ended up removing the function call in the engine as a dirty fix,
> but I'd like to have a better solution.
>
>
> So, with everything compiled, I tried to use the engine only and
> create a CSR first.
>
> # /opt/openssl/bin/openssl req -new -engine pkcs11 -keyform engine \
>   -key "pkcs11:model=SLB9670;manufacturer=Infineon;serial=0000000000000000;token=tpm2-token;id=%c1%b2%36%b2%eb%53%f0%4f%ea%24%1a%4d%01%ac%d1%9e%fe%11%19%6d;object=test;type=private;pin-value=000000" \
>   -subj "<my subject>" -out testpkcs11.csr
>
>
> and everything works so far!
>
> but I get errors when trying to do a CMP request with the engine;
> thing is, I'm not so sure of the command.
>
> # /opt/openssl/bin/openssl cmp -cmd ir -engine pkcs11 -server <my server>:8080 \
>   -path ejbca/publicweb/cmp/WKS-RA-Bootstrap_auth \
>   -cert <path to my cert> -key file:<path to key file> -keypass file:<password for the file> \
>   -keyform engine \
>   -newkey "pkcs11:model=SLB9670;manufacturer=Infineon;serial=0000000000000000;token=tpm2-token;id=%c1%b2%36%b2%eb%53%f0%4f%ea%24%1a%4d%01%ac%d1%9e%fe%11%19%6d;object=test;type=private;pin-value=000000" \
>   -subject '<my subject>' -certout testcmppkcs11.pem -trusted <my root CA> \
>   -reqexts san -config /opt/conf/openssl_reqext.cnf
>
>
> I get the following error:
>
> cmp_main:apps/cmp.c:2728:CMP info: using section(s) 'cmp' of OpenSSL configuration file '/opt/conf/openssl_reqext.cnf'
> cmp_main:apps/cmp.c:2737:CMP info: no [cmp] section found in config file '/opt/conf/openssl_reqext.cnf'; will thus use just [default] and unnamed section if present
>
> Engine "pkcs11" set.
> Format not recognized!
> The key ID is not a valid PKCS#11 URI
> The PKCS#11 URI format is defined by RFC7512
> The legacy ENGINE_pkcs11 ID format is also still accepted for now
> Format not recognized!
> The key ID is not a valid PKCS#11 URI
> The PKCS#11 URI format is defined by RFC7512
> The legacy ENGINE_pkcs11 ID format is also still accepted for now
> PKCS11_get_private_key returned NULL
> Could not read private key for CMP client certificate from org.openssl.engine:pkcs11:file:/foo/usine.boot.key.pem
> 00E01783A47F0000:error:13000080:engine routines:ENGINE_load_private_key:failed loading private key:crypto/engine/eng_pkey.c:78:
> cmp_main:apps/cmp.c:2879:CMP error: cannot set up CMP context
>
>
> I'm quite confused about the PKCS11 error, since I know from the req
> command that my URI is good, and openssl rsa shows that the passphrase
> for the CMP client certificate is good.
>
> I've tried various modifications of the command, mostly removing the
> "-keyform engine" and using just '-newkey "pkcs11:(...)"', with no success.
>
> Maybe openssl is mixing the engine format in for everything and not just for
> the newkey?
>
>
> Thanks,
> Marc
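To make the failure in this thread concrete, here is a small parser, added as an example and not code from OpenSSL, libp11 or either poster, that takes the key specs from the commands above in the `org.openssl.engine:<engine>:<keyid>` form David recommends and checks whether what reaches the pkcs11 engine is an RFC 7512 URI. It percent-decodes the binary `id` attribute and flags a `pin-value` carried in the URI; the `check_key_spec` helper and its result dictionary are this example's own invention.

```python
from urllib.parse import unquote_to_bytes

ENGINE_PREFIX = "org.openssl.engine:"  # prefix form David recommends for -newkey

def split_engine_key(spec):
    """Split 'org.openssl.engine:<engine>:<keyid>' into (engine, keyid).
    A spec without that prefix is a plain file spec: returns (None, spec)."""
    if not spec.startswith(ENGINE_PREFIX):
        return None, spec
    engine, sep, key_id = spec[len(ENGINE_PREFIX):].partition(":")
    if not sep or not engine:
        raise ValueError("malformed engine key spec: %r" % spec)
    return engine, key_id

def parse_pkcs11_uri(uri):
    """Parse an RFC 7512 PKCS#11 URI into (path_attrs, query_attrs).
    Values are percent-decoded to bytes, since 'id' is binary per the RFC."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a PKCS#11 URI (RFC 7512): %r" % uri)
    path, _, query = uri[len("pkcs11:"):].partition("?")
    def parse(part, delim):
        attrs = {}
        for item in filter(None, part.split(delim)):
            name, sep, value = item.partition("=")
            if not sep:
                raise ValueError("attribute without '=': %r" % item)
            attrs[name] = unquote_to_bytes(value)
        return attrs

    return parse(path, ";"), parse(query, "&")

def check_key_spec(spec):
    """Classify a -key/-newkey value (hypothetical helper): 'file' for a plain
    file spec, 'pkcs11' for a URI the engine can load, 'invalid' when a pkcs11
    engine spec wraps a non-URI, as '-keyform engine' did to 'file:...' above."""
    engine, key_id = split_engine_key(spec)
    if engine is None:
        return {"kind": "file", "path": key_id, "warnings": []}
    if engine != "pkcs11":
        return {"kind": engine, "key_id": key_id, "warnings": []}
    try:
        path_attrs, query_attrs = parse_pkcs11_uri(key_id)
    except ValueError as err:  # the "Format not recognized!" case in the log
        return {"kind": "invalid", "key_id": key_id, "warnings": [str(err)]}
    warnings = []
    if "pin-value" in path_attrs or "pin-value" in query_attrs:
        # a PIN embedded in the URI shows up in the process list and shell history
        warnings.append("pin-value embedded in URI; prefer pin-source or a prompt")
    return {"kind": "pkcs11", "attrs": {**path_attrs, **query_attrs}, "warnings": warnings}
```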