I've found where the problem is coming from. It is from OpenSSL's function *
o2i_ECPublicKey*, that is used to convert the asn1 octet string from
PKCS#11 *CKA_EC_POINT* attribute to internal OpenSSL stuff. This function is
called, like you said, at the file src/p11_ec.c from function *
pkcs11_get_ec_private*().
I've used *pkcs11-spy*, and it ouputs the following when calling *
C_GetAttributeValue* with *CKA_EC_POINT* parameter from the public key
object:
84: C_GetAttributeValue
[in] hSession = 0x10002
[in] hObject = 0x3
[in] pTemplate[1]:
CKA_EC_POINT requested with 136 buffer
[out] pTemplate[1]:
CKA_EC_POINT [size : 0x88 (136)]
04818504 017C713A 5A1ECAB3 0F7B0C54 35099B53 9AC9740A ED157D70 577D9AA3
3BB11767 95F02C07 9683AEA0 2C32422D DC9C7C9E 3BB9952B 7D692047 2F8B75D0
A23BB5EF CC3E01BE 240FFAFD 64A2F090 D2E8556F C108D251 4C9AD53C 270BE2AD
CA829853 57D26AF3 A65806FD 82CE2011 58C02629 B8E90961 4C00887E DD4184C7
37CE192C 2AB5ED47
Returned: 0 CKR_OK
*ec_pointlen* variable is, therefore, set to 136 bytes. After calling *
o2i_ECPublicKey* OpenSSL puts the following error in its stack:
*error:10067066:elliptic curve routines:ec_GFp_simple_oct2point:invalid
encoding*
So we have some encoding problem. By the way, why we should increment the
pointer by 2 before calling *o2i_ECPublicKey**? *Like you did in the
following:
...
/* PKCS#11 returns ASN1 octstring*/
const unsigned char * a;
/* TODO we have asn1 octet string, need to strip off 04 len */
a = ec_point + 2;
o2i_ECPublicKey(&ec, &a, ec_pointlen-2);
...
2011/9/7 Douglas E. Engert <deeng...@anl.gov>
>
>
> On 9/6/2011 4:53 PM, Felipe Blauth wrote:
>
>> I've tested your mods and they work well =). I can sign and verify with
>> most EC keys (I've tested with p-192, p-224, p-384 and p-521). However I
>> cannot load public keys when using p-521 curves. It
>> seems that I can load the private key and sign, but the public key is not
>> loaded.
>>
>> I confess that I didn't look much at engine_pkcs11 source code, but if you
>> could give me some appointments I can try to fix that.
>>
>
> It is not clear where the error could be, it could be in the actual
> encoding of the public key, or the ASN1 decoding or in in some size limit.
> All the other keys are a multiple of 8 bits. The 521 is not,
> and thus the asn1 octet would need an extra byte. Look at the
> libp11 src/p11_ec.c and pkcs11_get_ec_private() and the ec_pointlen
> variable.
>
> Do you have a dump of the public key?
>
> If you are using OpenSC's PKCS#11, you could turn on the OpenSC debug,
> by adding to the opensc.conf someting like:
> debug = 7;
> debug_file = /tmp/opensc-debug.log;
>
> You could use the OpenSC pkcs11-spy.so to trace the PKCS#11 calls,
> that should show the public key being transfered. This can
> work with any PKCS#11 module including the opensc-pkcs11.so
>
> Set the environment variables:
>
> export PKCS11SPY=/path/to/your/pkcs11**.module.so<http://pkcs11.module.so>
> export PKCS11SPY_OUTPUT=/tmp/tb.spy.**txt
>
>
>> OpenSSL error is the following, after loading the key:
>> error:10067066:elliptic curve routines:ec_GFp_simple_**oct2point:invalid
>> encoding
>>
>> Regards,
>>
>> 2011/8/13 Felipe Blauth <f...@inf.ufsc.br <mailto:f...@inf.ufsc.br>>
>>
>>
>> Thank you, I'll check it out.
>>
>> 2011/8/12 Douglas E. Engert <deeng...@anl.gov <mailto:deeng...@anl.gov
>> >>
>>
>>
>> No it has not been incorporated because it requires an OpenSSL
>> internal header file ecs_locl.h, thus making it impractical to
>> compile in to any package.
>>
>> This is a known bug:
>>
>> http://rt.openssl.org/Ticket/**Display.html?id=2459&user=**
>> guest&pass=guest<http://rt.openssl.org/Ticket/Display.html?id=2459&user=guest&pass=guest><
>> http://rt.openssl.org/Ticket/**Display.html?id=2459&user=**
>> guest&pass=guest<http://rt.openssl.org/Ticket/Display.html?id=2459&user=guest&pass=guest>
>> >
>>
>>
>> It also appeared on the OpenSSL mailing list.
>>
>> The patch should still work. Please try it, and you can
>> also add comments to the OpenSSL bug report.
>>
>>
>> On 8/12/2011 2:12 PM, Felipe Blauth wrote:
>> > Hello.
>> >
>> > I've started using engine_pkcs11 to access PKCS #11 tokens from
>> OpenSSL EVP_PKEY's trough "ENGINE_load_<key_type>_key" methods. It works
>> very well with RSA keys, but it doesn't recognize
>> ECDSA keys.
>> >
>> > Searching trough the web, I've found that Douglas had a patch
>> for it at http://www.mail-archive.com/**opensc-devel@lists.opensc-**
>> project.org/msg07785.html<http://www.mail-archive.com/opensc-devel@lists.opensc-project.org/msg07785.html>
>> .
>> >
>> > Was that ever incorporated? I couldn't find in the latest
>> snapshots.
>> >
>> > Thank you very much.
>> >
>> > --
>> > Felipe Menegola Blauth
>> >
>> >
>> >
>> > ______________________________**_________________
>> > opensc-devel mailing list
>> >
>> opensc-devel@lists.opensc-**project.org<opensc-devel@lists.opensc-project.org><mailto:
>> opensc-devel@lists.**opensc-project.org<opensc-devel@lists.opensc-project.org>
>> >
>>
>> >
>> http://www.opensc-project.org/**mailman/listinfo/opensc-devel<http://www.opensc-project.org/mailman/listinfo/opensc-devel>
>>
>> --
>>
>> Douglas E. Engert <deeng...@anl.gov <mailto:deeng...@anl.gov>>
>>
>> Argonne National Laboratory
>> 9700 South Cass Avenue
>> Argonne, Illinois 60439
>> (630) 252-5444 <tel:%28630%29%20252-5444>
>> ______________________________**_________________
>> opensc-devel mailing list
>>
>> opensc-devel@lists.opensc-**project.org<opensc-devel@lists.opensc-project.org><mailto:
>> opensc-devel@lists.**opensc-project.org<opensc-devel@lists.opensc-project.org>
>> >
>>
>>
>> http://www.opensc-project.org/**mailman/listinfo/opensc-devel<http://www.opensc-project.org/mailman/listinfo/opensc-devel>
>>
>>
>>
>>
>> --
>> Felipe Menegola Blauth
>>
>>
>>
>>
>> --
>> Felipe Menegola Blauth
>>
>
> --
>
> Douglas E. Engert <deeng...@anl.gov>
> Argonne National Laboratory
> 9700 South Cass Avenue
> Argonne, Illinois 60439
> (630) 252-5444
>
--
Felipe Menegola Blauth
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
