[openssl CMP with pkcs11 engine]

mbalembo marc.balemboy at csgroup.eu
Thu Mar 25 17:56:53 UTC 2021


Hello all,


I'm trying to do a CMP request using openssl with a private key inside a 
pkcs11 device (on linux).
So I'm using openssl 3.0.0 alpha 13.

I did compile fine (./config --prefix=/opt/openssl enable-deprecated 
--openssldir=/usr/local/ssl -Wl,-rpath=/opt/openssl/lib),
but I ran into trouble when compiling libp11 to get my pkcs11 engine.
(I had a similar issue while trying to use tpm2-tss-engine.)
I can't find a way to build openssl with the ERR_put_error() symbol.
I know it's deprecated, so I changed the code in libp11 to use 
ERR_raise() instead, but again the symbol is also missing.
I ended up removing the function call in the engine as a dirty fix, but 
I'd like to have a better solution.


So, with everything compiled, I tried to use the engine only and create 
a CSR first.

    # /opt/openssl/bin/openssl req -new -engine pkcs11 -keyform engine
    -key
    "pkcs11:model=SLB9670;manufacturer=Infineon;serial=0000000000000000;token=tpm2-token;id=%c1%b2%36%b2%eb%53%f0%4f%ea%24%1a%4d%01%ac%d1%9e%fe%11%19%6d;object=test;type=private;pin-value=000000"
    -subj "<my subject>" -out testpkcs11.csr


and everything works so far!

But I get errors when trying to do a CMP request with the engine; thing 
is, I'm not so sure of the command.

    # /opt/openssl/bin/openssl cmp -cmd ir -engine pkcs11 -server <my
    server>:8080 -path ejbca/publicweb/cmp/WKS-RA-Bootstrap_auth -cert
    <path to my cert> -key file:<path to key file> -keypass
    file:<password for the file> -keyform engine -newkey
    "pkcs11:model=SLB9670;manufacturer=Infineon;serial=0000000000000000;token=tpm2-token;id=%c1%b2%36%b2%eb%53%f0%4f%ea%24%1a%4d%01%ac%d1%9e%fe%11%19%6d;object=test;type=private;pin-value=000000"
    -subject '<my subject>' -certout testcmppkcs11.pem -trusted <my
    root CA> -reqexts san -config /opt/conf/openssl_reqext.cnf



I get the following error:

    cmp_main:apps/cmp.c:2728:CMP info: using section(s) 'cmp' of OpenSSL
    configuration file '/opt/conf/openssl_reqext.cnf'
    cmp_main:apps/cmp.c:2737:CMP info: no [cmp] section found in config
    file '/opt/conf/openssl_reqext.cnf'; will thus use just
    [default] and unnamed section if present
    Engine "pkcs11" set.
    Format not recognized!
    The key ID is not a valid PKCS#11 URI
    The PKCS#11 URI format is defined by RFC7512
    The legacy ENGINE_pkcs11 ID format is also still accepted for now
    Format not recognized!
    The key ID is not a valid PKCS#11 URI
    The PKCS#11 URI format is defined by RFC7512
    The legacy ENGINE_pkcs11 ID format is also still accepted for now
    PKCS11_get_private_key returned NULL
    Could not read private key for CMP client certificate from
    org.openssl.engine:pkcs11:file:/foo/usine.boot.key.pem
    00E01783A47F0000:error:13000080:engine
    routines:ENGINE_load_private_key:failed loading private
    key:crypto/engine/eng_pkey.c:78:
    cmp_main:apps/cmp.c:2879:CMP error: cannot set up CMP context


I'm quite confused about the PKCS11 error, since I know from the req 
command that my URI is good, and openssl rsa shows that the passphrase 
for the CMP client certificate is good.

I've tried various modifications of the command, mostly removing the 
"keyform engine" and using just 'newkey "pkcs11:(...)" ' with no success.

Maybe openssl is mixing the engine format for everything and not just for 
the newkey?



Thanks,
Marc
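The log in the message above shows the `-key` argument reaching the pkcs11 engine as `org.openssl.engine:pkcs11:file:/foo/usine.boot.key.pem`, which the engine then rejects as "not a valid PKCS#11 URI". As an added example for this thread (not code from OpenSSL, libp11 or the poster), the following Python parser checks a key locator against the RFC 7512 PKCS#11 URI grammar and models that `org.openssl.engine:<engine>:<id>` wrapping so both `-key` and `-newkey` values can be checked the same way. The wrapping helpers and the leniency about pin attributes in the path part are assumptions drawn from the log and the working `req` command; `POSTER_URI` is copied from the thread.

```python
# Added example for this thread; not OpenSSL or libp11 code. The engine
# store-URI wrapping below is an ASSUMPTION modelled on the log line
# "org.openssl.engine:pkcs11:file:/foo/usine.boot.key.pem", not on source.
from urllib.parse import unquote_to_bytes

# Attribute names from RFC 7512: path part (2.3) and query part (2.4).
PATH_ATTRS = {"token", "manufacturer", "serial", "model", "library-manufacturer",
              "library-version", "library-description", "object", "type", "id",
              "slot-manufacturer", "slot-description", "slot-id"}
QUERY_ATTRS = {"pin-source", "pin-value", "module-name", "module-path"}
OBJECT_TYPES = {"public", "private", "cert", "secret-key", "data"}

# The poster's URI, copied from the thread (pin-value is the value used there).
POSTER_URI = ("pkcs11:model=SLB9670;manufacturer=Infineon;serial=0000000000000000;"
              "token=tpm2-token;id=%c1%b2%36%b2%eb%53%f0%4f%ea%24%1a%4d%01%ac%d1%9e%fe%11%19%6d;"
              "object=test;type=private;pin-value=000000")


class Pkcs11UriError(ValueError):
    """Raised when a string is not a well-formed PKCS#11 URI."""


def _split_attrs(part, sep):
    """Split 'a=1;b=2' (or '&'-separated) into a dict, rejecting duplicates."""
    out = {}
    for item in filter(None, part.split(sep)):
        if "=" not in item:
            raise Pkcs11UriError(f"attribute without '=': {item!r}")
        name, value = item.split("=", 1)
        if name in out:
            raise Pkcs11UriError(f"duplicate attribute {name!r}")
        out[name] = value
    return out


def parse_pkcs11_uri(uri):
    """Return (attrs, warnings); 'id' is decoded to bytes, other values to str.

    Lenient in one respect (assumption): pin attributes in the path part are
    accepted with a warning, since the poster's working 'req' used that form.
    """
    if not uri.startswith("pkcs11:"):
        raise Pkcs11UriError("not a PKCS#11 URI: scheme is not 'pkcs11'")
    path, _, query = uri[len("pkcs11:"):].partition("?")
    warnings, attrs = [], {}
    for name, raw in _split_attrs(path, ";").items():
        if name in QUERY_ATTRS:
            warnings.append(f"{name} given in the path part; RFC 7512 places it after '?'")
        elif name not in PATH_ATTRS:
            warnings.append(f"unknown path attribute {name!r} (RFC 7512 allows vendor attributes)")
        attrs[name] = raw
    for name, raw in _split_attrs(query, "&").items():
        if name not in QUERY_ATTRS:
            warnings.append(f"unknown query attribute {name!r}")
        attrs[name] = raw
    for name, raw in list(attrs.items()):
        decoded = unquote_to_bytes(raw)  # %xx escapes -> raw bytes
        attrs[name] = decoded if name == "id" else decoded.decode("utf-8")
    if "type" in attrs and attrs["type"] not in OBJECT_TYPES:
        raise Pkcs11UriError(f"unknown object type {attrs['type']!r}")
    if "pin-value" in attrs:
        warnings.append("pin-value puts the PIN in the URI (argv, shell history, logs); "
                        "prefer pin-source or an interactive prompt")
    return attrs, warnings


def is_pkcs11_uri(s):
    """True if s parses as a PKCS#11 URI (warnings do not count as failure)."""
    try:
        parse_pkcs11_uri(s)
        return True
    except Pkcs11UriError:
        return False


def engine_store_uri(engine_id, key_arg):
    """Model of what '-keyform engine' does to a key argument (assumption from the log)."""
    return f"org.openssl.engine:{engine_id}:{key_arg}"


def engine_key_id(store_uri):
    """Inverse: the part after the engine id, i.e. what the engine is asked to load."""
    prefix = "org.openssl.engine:"
    if not store_uri.startswith(prefix):
        raise ValueError("not an engine store URI")
    _engine, _, key_id = store_uri[len(prefix):].partition(":")
    return key_id


def check_key_args(engine_id, key_args):
    """For each -key/-newkey value, report whether the engine would get a PKCS#11 URI."""
    report = {}
    for arg in key_args:
        key_id = engine_key_id(engine_store_uri(engine_id, arg))
        report[arg] = "pkcs11-uri" if is_pkcs11_uri(key_id) else "not a PKCS#11 URI"
    return report


if __name__ == "__main__":
    attrs, warns = parse_pkcs11_uri(POSTER_URI)
    print("id:", attrs["id"].hex(), "type:", attrs["type"], "warnings:", warns)
    print(check_key_args("pkcs11", ["file:/foo/usine.boot.key.pem", POSTER_URI]))
```

Run against the two values from the command above, the file path is reported as "not a PKCS#11 URI" and the token URI as "pkcs11-uri", which matches the order of messages in the log: one `-keyform engine` flag makes both key arguments go through the engine, so the file-backed client key never reaches the file loader.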
