<html>
  <head>

    <meta http-equiv="content-type" content="text/html; charset=UTF-8">
  </head>
  <body>
    Hello all,<br>
    <br>
    <br>
    I'm trying to do a CMP request using openssl with a private key
    inside a pkcs11 device (on Linux).<br>
    So I'm using openssl 3.0.0 alpha 13.<br>
    <br>
    I did compile fine (./config --prefix=/opt/openssl enable-deprecated
    --openssldir=/usr/local/ssl -Wl,-rpath=/opt/openssl/lib),<br>
    but I ran into trouble when compiling libp11 to get my pkcs11
    engine.<br>
    (I had a similar issue while trying to use tpm2-tss-engine.)<br>
    I can't find a way to build openssl with the ERR_put_error() symbol.<br>
    I know it's deprecated, so I changed the code in libp11 to use
    ERR_raise() instead, but again the symbol is also missing.<br>
    I ended up removing the function call in the engine as a dirty fix,
    but I'd like to have a better solution.<br>
    <br>
    <br>
    So, with everything compiled, I tried to use the engine only and
    create a CSR first.<br>
    <blockquote># /opt/openssl/bin/openssl req -new -engine pkcs11
      -keyform engine -key
"pkcs11:model=SLB9670;manufacturer=Infineon;serial=0000000000000000;token=tpm2-token;id=%c1%b2%36%b2%eb%53%f0%4f%ea%24%1a%4d%01%ac%d1%9e%fe%11%19%6d;object=test;type=private;pin-value=000000"
      -subj "<my subject>" -out testpkcs11.csr<br>
    </blockquote>
    <br>
    and everything works so far!<br>
    <br>
    But I get errors when trying to do a CMP request with the engine;
    thing is, I'm not so sure of the command.<br>
    <br>
    <blockquote># /opt/openssl/bin/openssl cmp -cmd ir -engine pkcs11
      -server <my server>:8080 -path
      ejbca/publicweb/cmp/WKS-RA-Bootstrap_auth -cert <path to my
      cert> -key file:<path to key file> -keypass
      file:<password for the file> -keyform engine -newkey
"pkcs11:model=SLB9670;manufacturer=Infineon;serial=0000000000000000;token=tpm2-token;id=%c1%b2%36%b2%eb%53%f0%4f%ea%24%1a%4d%01%ac%d1%9e%fe%11%19%6d;object=test;type=private;pin-value=000000"
      -subject '<my subject>' -certout testcmppkcs11.pem -trusted
      <> my root CA> -reqexts san -config
      /opt/conf/openssl_reqext.cnf<br>
    </blockquote>
    <br>
    <br>
    I get the following error:<br>
    <blockquote>cmp_main:apps/cmp.c:2728:CMP info: using section(s) 'cmp' of OpenSSL configuration file '/opt/conf/openssl_reqext.cnf'<br>
      cmp_main:apps/cmp.c:2737:CMP info: no [cmp] section found in config file '/opt/conf/openssl_reqext.cnf'; will thus use just<br>
      [default] and unnamed section if present<br>
      Engine "pkcs11" set.<br>
      Format not recognized!<br>
      The key ID is not a valid PKCS#11 URI<br>
      The PKCS#11 URI format is defined by RFC7512<br>
      The legacy ENGINE_pkcs11 ID format is also still accepted for now<br>
      Format not recognized!<br>
      The key ID is not a valid PKCS#11 URI<br>
      The PKCS#11 URI format is defined by RFC7512<br>
      The legacy ENGINE_pkcs11 ID format is also still accepted for now<br>
      PKCS11_get_private_key returned NULL<br>
      Could not read private key for CMP client certificate from org.openssl.engine:pkcs11:file:/foo/usine.boot.key.pem<br>
      00E01783A47F0000:error:13000080:engine routines:ENGINE_load_private_key:failed loading private key:crypto/engine/eng_pkey.c:78:<br>
      cmp_main:apps/cmp.c:2879:CMP error: cannot set up CMP context<br>
    </blockquote>
    <br>
    I'm quite confused about the PKCS11 error, since I know from the req
    command that my URI is good, and openssl rsa shows that the passphrase
    for the CMP client certificate is good.<br>
    <br>
    I've tried various modifications of the command, mostly removing the
    "keyform engine" and using just 'newkey "pkcs11:(...)"' with no
    success.<br>
    <br>
    Maybe openssl is mixing engine format for everything and not just
    for the newkey?<br>
    <br>
    <br>
    <br>
    Thanks,<br>
    Marc <br>
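    <br>
    The engine's "not a valid PKCS#11 URI" lines in the output above line up with the later error naming org.openssl.engine:pkcs11:file:/foo/usine.boot.key.pem: with -keyform engine in effect, the file: path given to -key was handed to the pkcs11 engine, which only understands RFC 7512 URIs. The checker below is an added example, not OpenSSL or libp11 code; it ignores the legacy ENGINE_pkcs11 ID format the engine also mentions, and the TPM URI and file path are the constructed inputs taken from the post.<br>

```python
"""RFC 7512 PKCS#11 URI checker (added example, not OpenSSL or libp11 code)."""
from urllib.parse import unquote_to_bytes

# Attributes RFC 7512 registers for the path part (';'-separated) and the
# query part ('&'-separated); any other name is a vendor-specific attribute.
PATH_ATTRS = {"token", "manufacturer", "serial", "model", "library-manufacturer",
              "library-description", "library-version", "object", "type", "id",
              "slot-description", "slot-manufacturer", "slot-id"}
QUERY_ATTRS = {"pin-source", "pin-value", "module-name", "module-path"}

def parse_pkcs11_uri(uri):
    """Return {'path': {...}, 'query': {...}, 'warnings': [...]} or raise ValueError."""
    if not uri.startswith("pkcs11:"):
        # this is the check behind "The key ID is not a valid PKCS#11 URI"
        raise ValueError("not a PKCS#11 URI: %r" % uri)
    path_part, _, query_part = uri[len("pkcs11:"):].partition("?")
    path, query, warnings = {}, {}, []
    for comp in filter(None, path_part.split(";")):
        name, sep, value = comp.partition("=")
        if not sep or name in path:           # path attributes must be unique
            raise ValueError("malformed path attribute: %r" % comp)
        if name in QUERY_ATTRS:
            warnings.append("%s belongs in the query part (after '?')" % name)
        # 'id' is the raw CKA_ID byte string; other values are UTF-8 text
        raw = unquote_to_bytes(value)
        path[name] = raw if name == "id" else raw.decode("utf-8")
    for comp in filter(None, query_part.split("&")):
        name, sep, value = comp.partition("=")
        if not sep:
            raise ValueError("malformed query attribute: %r" % comp)
        if name in PATH_ATTRS:
            warnings.append("%s belongs in the path part (before '?')" % name)
        query.setdefault(name, []).append(unquote_to_bytes(value).decode("utf-8"))
    return {"path": path, "query": query, "warnings": warnings}

def check_engine_key_id(key_id):
    """Classify a key ID the way the pkcs11 engine sees it: (accepted, detail)."""
    try:
        parsed = parse_pkcs11_uri(key_id)
    except ValueError as exc:
        return False, str(exc)
    return True, parsed

# Constructed inputs: the TPM key URI from the post, and the -key value that
# reached the engine once -keyform engine applied to -key as well as -newkey.
TPM_URI = ("pkcs11:model=SLB9670;manufacturer=Infineon;serial=0000000000000000;"
           "token=tpm2-token;id=%c1%b2%36%b2%eb%53%f0%4f%ea%24%1a%4d%01%ac%d1%9e"
           "%fe%11%19%6d;object=test;type=private;pin-value=000000")
FILE_KEY = "file:/foo/usine.boot.key.pem"
```

Running check_engine_key_id on both inputs accepts the TPM URI (decoding the 20-byte CKA_ID) and rejects the file: path, and the warnings list notes that pin-value sits in the path part, where RFC 7512 puts it in the query part after '?'.<br>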
  </body>
</html>