Yes the problem is 128 /* TODO we have asn1 octet string, need to strip off 04 len */ 129 130 a = ec_point + 2; 131 o2i_ECPublicKey(&ec, &a, ec_pointlen-2);
It is assuming the ASN1 is an octet string, with a single length byte But with a p - 521 the length is 2 bytes. 04 Octet string 81 the length is more then 127, and there is one more length byte 85 the length of the octet string. I can get you a possible patch later today. On 9/8/2011 11:48 AM, Felipe Blauth wrote: > I've found where the problem is coming from. It is from OpenSSL's function > *o2i_ECPublicKey*, that is used to convert the asn1 octet string from > PKCS#11 *CKA_EC_POINT* attribute to internal OpenSSL > stuff. This function is called, like you said, at the file src/p11_ec.c from > function *pkcs11_get_ec_private*(). > > I've used *pkcs11-spy*, and it ouputs the following when calling > *C_GetAttributeValue* with *CKA_EC_POINT* parameter from the public key > object: > > 84: C_GetAttributeValue > [in] hSession = 0x10002 > [in] hObject = 0x3 > [in] pTemplate[1]: > CKA_EC_POINT requested with 136 buffer > [out] pTemplate[1]: > CKA_EC_POINT [size : 0x88 (136)] > 04818504 017C713A 5A1ECAB3 0F7B0C54 35099B53 9AC9740A ED157D70 577D9AA3 > 3BB11767 95F02C07 9683AEA0 2C32422D DC9C7C9E 3BB9952B 7D692047 2F8B75D0 > A23BB5EF CC3E01BE 240FFAFD 64A2F090 D2E8556F C108D251 4C9AD53C 270BE2AD > CA829853 57D26AF3 A65806FD 82CE2011 58C02629 B8E90961 4C00887E DD4184C7 > 37CE192C 2AB5ED47 > Returned: 0 CKR_OK > > *ec_pointlen* variable is, therefore, set to 136 bytes. After calling > *o2i_ECPublicKey* OpenSSL puts the following error in its stack: > *error:10067066:elliptic curve routines:ec_GFp_simple_oct2point:invalid > encoding* > > So we have some encoding problem. By the way, why we should increment the > pointer by 2 before calling *o2i_ECPublicKey**? *Like you did in the > following: > ... > /* PKCS#11 returns ASN1 octstring*/ > const unsigned char * a; > /* TODO we have asn1 octet string, need to strip off 04 len */ > a = ec_point + 2; > o2i_ECPublicKey(&ec, &a, ec_pointlen-2); > ... > > 2011/9/7 Douglas E. Engert <deeng...@anl.gov <mailto:deeng...@anl.gov>> > > > > On 9/6/2011 4:53 PM, Felipe Blauth wrote: > > I've tested your mods and they work well =). I can sign and verify > with most EC keys (I've tested with p-192, p-224, p-384 and p-521). However I > cannot load public keys when using p-521 curves. It > seems that I can load the private key and sign, but the public key is > not loaded. > > I confess that I didn't look much at engine_pkcs11 source code, but > if you could give me some appointments I can try to fix that. > > > It is not clear where the error could be, it could be in the actual > encoding of the public key, or the ASN1 decoding or in in some size limit. > All the other keys are a multiple of 8 bits. The 521 is not, > and thus the asn1 octet would need an extra byte. Look at the > libp11 src/p11_ec.c and pkcs11_get_ec_private() and the ec_pointlen > variable. > > Do you have a dump of the public key? > > If you are using OpenSC's PKCS#11, you could turn on the OpenSC debug, > by adding to the opensc.conf someting like: > debug = 7; > debug_file = /tmp/opensc-debug.log; > > You could use the OpenSC pkcs11-spy.so to trace the PKCS#11 calls, > that should show the public key being transfered. This can > work with any PKCS#11 module including the opensc-pkcs11.so > > Set the environment variables: > > export PKCS11SPY=/path/to/your/pkcs11__.module.so > <http://pkcs11.module.so> > export PKCS11SPY_OUTPUT=/tmp/tb.spy.__txt > > > OpenSSL error is the following, after loading the key: > error:10067066:elliptic curve > routines:ec_GFp_simple___oct2point:invalid encoding > > Regards, > > 2011/8/13 Felipe Blauth <f...@inf.ufsc.br <mailto:f...@inf.ufsc.br> > <mailto:f...@inf.ufsc.br <mailto:f...@inf.ufsc.br>>> > > > Thank you, I'll check it out. > > 2011/8/12 Douglas E. Engert <deeng...@anl.gov > <mailto:deeng...@anl.gov> <mailto:deeng...@anl.gov <mailto:deeng...@anl.gov>>> > > > No it has not been incorporated because it requires an OpenSSL > internal header file ecs_locl.h, thus making it impractical to > compile in to any package. > > This is a known bug: > > > http://rt.openssl.org/Ticket/__Display.html?id=2459&user=__guest&pass=guest > <http://rt.openssl.org/Ticket/Display.html?id=2459&user=guest&pass=guest> > > <http://rt.openssl.org/Ticket/__Display.html?id=2459&user=__guest&pass=guest > <http://rt.openssl.org/Ticket/Display.html?id=2459&user=guest&pass=guest>> > > > It also appeared on the OpenSSL mailing list. > > The patch should still work. Please try it, and you can > also add comments to the OpenSSL bug report. > > > On 8/12/2011 2:12 PM, Felipe Blauth wrote: > > Hello. > > > > I've started using engine_pkcs11 to access PKCS #11 tokens from > OpenSSL EVP_PKEY's trough "ENGINE_load_<key_type>_key" methods. It works very > well with RSA keys, but it doesn't recognize > ECDSA keys. > > > > Searching trough the web, I've found that Douglas had a patch for > it at > http://www.mail-archive.com/__opensc-devel@lists.opensc-__project.org/msg07785.html > > <http://www.mail-archive.com/opensc-devel@lists.opensc-project.org/msg07785.html>. > > > > Was that ever incorporated? I couldn't find in the latest > snapshots. > > > > Thank you very much. > > > > -- > > Felipe Menegola Blauth > > > > > > > > _________________________________________________ > > opensc-devel mailing list > > opensc-devel@lists.opensc-__project.org > <mailto:opensc-devel@lists.opensc-project.org> > <mailto:opensc-devel@lists.__opensc-project.org > <mailto:opensc-devel@lists.opensc-project.org>> > > > http://www.opensc-project.org/__mailman/listinfo/opensc-devel > <http://www.opensc-project.org/mailman/listinfo/opensc-devel> > > -- > > Douglas E. Engert <deeng...@anl.gov > <mailto:deeng...@anl.gov> <mailto:deeng...@anl.gov <mailto:deeng...@anl.gov>>> > > Argonne National Laboratory > 9700 South Cass Avenue > Argonne, Illinois 60439 > (630) 252-5444 <tel:%28630%29%20252-5444> <tel:%28630%29%20252-5444> > _________________________________________________ > opensc-devel mailing list > opensc-devel@lists.opensc-__project.org > <mailto:opensc-devel@lists.opensc-project.org> > <mailto:opensc-devel@lists.__opensc-project.org > <mailto:opensc-devel@lists.opensc-project.org>> > > http://www.opensc-project.org/__mailman/listinfo/opensc-devel > <http://www.opensc-project.org/mailman/listinfo/opensc-devel> > > > > > -- > Felipe Menegola Blauth > > > > > -- > Felipe Menegola Blauth > > > -- > > Douglas E. Engert <deeng...@anl.gov <mailto:deeng...@anl.gov>> > Argonne National Laboratory > 9700 South Cass Avenue > Argonne, Illinois 60439 > (630) 252-5444 <tel:%28630%29%20252-5444> > > > > > -- > Felipe Menegola Blauth -- Douglas E. Engert <deeng...@anl.gov> Argonne National Laboratory 9700 South Cass Avenue Argonne, Illinois 60439 (630) 252-5444 _______________________________________________ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
