On 9/16/2011 2:48 PM, Mike Tancsa wrote:
>
> Not sure if it's related to the fact that I cannot use the openssl
> pkcs11_engine ?
>
> OpenSSL> req -engine pkcs11 -new -key id_45 -keyform engine -out req.pem
> -subj "/C=CA/ST=ON/L=Hespeler/O=Sentex
> Communications/OU=support/CN=mdtancsa-cage64/emailAddress=mdtancsa-cag...@sentex.ca"
> engine "pkcs11" set.
> Invalid slot number: 0
> PKCS11_get_private_key returned NULL
> cannot load Private Key from engine
> 80187:error:26096080:engine routines:ENGINE_load_private_key:failed
> loading private
> key:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/engine/eng_pkey.c:126:
> unable to load Private Key
> error in req
> OpenSSL>
A little closer. At least it's prompting me for the PIN now. With the verbose flag set in the engine, I get

0(cage2)# openssl
OpenSSL> engine -t dynamic -pre SO_PATH:/usr/local/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/local/lib/opensc-pkcs11.so
(dynamic) Dynamic engine loading support
[Success]: SO_PATH:/usr/local/lib/engines/engine_pkcs11.so
[Success]: ID:pkcs11
[Success]: LIST_ADD:1
[Success]: LOAD
[Success]: MODULE_PATH:/usr/local/lib/opensc-pkcs11.so
Loaded: (pkcs11) pkcs11 engine
initializing engine
     [ available ]
OpenSSL> req -engine pkcs11 -new -key slot_1-id_45 -keyform engine -out req.pem -subj "/CN=mdtancsa-cage64"
initializing engine
engine "pkcs11" set.
Looking in slot 1 for key: 45
Found 3 slots
[18446744073709551615] Virtual hotplug slot  no tok
[1] Aladdin eToken PRO 64k  login (mdtancsa-cage64 (mdtancsa-cage64)
[5] OpenCT reader (detached)  no tok
Found slot:  Aladdin eToken PRO 64k
Found token: mdtancsa-cage64 (mdtancsa-cage64
Found 0 certificate:
PKCS#11 token PIN:
Found 1 key:
   1 P  Private Key
88558:error:8000A005:PKCS11 library:PKCS11_rsa_sign:General Error:p11_ops.c:131:
88558:error:0D0C3006:asn1 encoding routines:ASN1_item_sign:EVP lib:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/asn1/a_sign.c:281:
error in req
OpenSSL>

The key generated with 12.2 looks like

Private RSA Key [Private Key]
        Object Flags   : [0x3], private, modifiable
        Usage          : [0x2E], decrypt, sign, signRecover, unwrap
        Access Flags   : [0x1D], sensitive, alwaysSensitive, neverExtract, local
        ModLength      : 2048
        Key ref        : 16 (0x10)
        Native         : yes
        Path           : 3f005015ffff
        Auth ID        : 01
        ID             : 45

Public RSA Key [Private Key]
        Object Flags   : [0x2], modifiable
        Usage          : [0xD1], encrypt, wrap, verify, verifyRecover
        Access Flags   : [0x0]
        ModLength      : 2048
        Key ref        : 0
        Native         : no
        Path           : 3f0050153003
        ID             : 45

PIN [Security Officer PIN]
        Object Flags   : [0x3], private, modifiable
        ID             : ff
        Flags          : [0xB2], local, initialized, needs-padding, soPin
        Length         : min_len:6, max_len:8, stored_len:8
        Pad char       : 0x00
        Reference      : 1
        Type           : ascii-numeric
        Path           : 3f005015

PIN [mdtancsa-cage64]
        Object Flags   : [0x3], private, modifiable
        ID             : 01
        Flags          : [0x32], local, initialized, needs-padding
        Length         : min_len:4, max_len:8, stored_len:8
        Pad char       : 0x00
        Reference      : 3
        Type           : ascii-numeric
        Path           : 3f005015

whereas generated with 11.8,

Using reader with a card: Aladdin eToken PRO 64k
Private RSA Key [Private Key]
        Com. Flags  : 3
        Usage       : [0x22], decrypt, unwrap
        Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local
        ModLength   : 2048
        Key ref     : 16
        Native      : yes
        Path        : 3f005015
        Auth ID     : 01
        ID          : 45

Private RSA Key [Private Key]
        Com. Flags  : 3
        Usage       : [0x20C], sign, signRecover, nonRepudiation
        Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local
        ModLength   : 2048
        Key ref     : 17
        Native      : yes
        Path        : 3f005015
        Auth ID     : 01
        ID          : 45

Public RSA Key [Public Key]
        Com. Flags  : 2
        Usage       : [0x4], sign
        Access Flags: [0x0]
        ModLength   : 2048
        Key ref     : 0
        Native      : no
        Path        : 3f0050153048
        Auth ID     :
        ID          : 45

PIN [Security Officer PIN]
        Com. Flags: 0x3
        ID        : ff
        Flags     : [0xB2], local, initialized, needs-padding, soPin
        Length    : min_len:6, max_len:8, stored_len:8
        Pad char  : 0x00
        Reference : 1
        Type      : ascii-numeric
        Path      : 3f005015

PIN [mdtancsa-cage64]
        Com. Flags: 0x3
        ID        : 01
        Flags     : [0x32], local, initialized, needs-padding
        Length    : min_len:4, max_len:8, stored_len:8
        Pad char  : 0x00
        Reference : 3
        Type      : ascii-numeric
        Path      : 3f005015

        ---Mike

--
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, m...@sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
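The two object listings in the message differ in how key usage is spread over objects: the 12.2 listing has one private key (ref 16) carrying decrypt, sign, signRecover and unwrap together, while the 11.8 listing has two private keys with the same ID 45, ref 16 for decrypt/unwrap and ref 17 for sign/signRecover/nonRepudiation. When comparing dumps like these it helps to parse them rather than eyeball them. The following is an added example, not code from Mike's message or from OpenSC: a small Python parser for the pkcs15-tool style "Name : value" dump format shown above that decodes the PKCS#15 usage and access bitmasks, checks that the names printed after each mask agree with its bits, and lists which private keys with a given ID are allowed to sign. The bit-to-name table is an assumption based on OpenSC's PKCS#15 key-usage and access-flag definitions; the two sample dumps are trimmed copies of the listings in the message (key objects only, fewer fields).

```python
"""Added example (not from the message or OpenSC): parse a pkcs15-tool style
object dump, decode PKCS#15 usage / access bitmasks and report which private
keys with a given ID may sign.  Bit values assumed from OpenSC's PKCS#15
definitions; sample dumps are trimmed from the 12.2 and 11.8 listings above."""
import re

# Assumed PKCS#15 key usage bits, in the order pkcs15-tool prints the names.
USAGE_BITS = [
    (0x001, "encrypt"), (0x002, "decrypt"), (0x004, "sign"),
    (0x008, "signRecover"), (0x010, "wrap"), (0x020, "unwrap"),
    (0x040, "verify"), (0x080, "verifyRecover"), (0x100, "derive"),
    (0x200, "nonRepudiation"),
]
# Assumed PKCS#15 key access flags.
ACCESS_BITS = [(0x01, "sensitive"), (0x02, "extractable"),
               (0x04, "alwaysSensitive"), (0x08, "neverExtract"), (0x10, "local")]

HEADER_RE = re.compile(r"^(Private RSA Key|Public RSA Key|PIN)\s*\[(.*)\]\s*$")
FIELD_RE = re.compile(r"^\s+([A-Za-z. ]+?)\s*:\s*(.*)$")   # indented "Name : value"

def parse_dump(text):
    """One dict per object: 'kind', 'label' plus every indented 'Name : value' field."""
    objects, current = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"kind": m.group(1), "label": m.group(2)}
            objects.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group(1).strip()] = m.group(2).strip()
    return objects

def bitmask(obj, field):
    """Leading number of a field such as '[0x2E], decrypt, sign' -> 0x2E (None if absent)."""
    m = re.match(r"\[?(0x[0-9A-Fa-f]+|\d+)\]?", obj.get(field, ""))
    if not m:
        return None
    tok = m.group(1)
    return int(tok, 16) if tok.lower().startswith("0x") else int(tok)

def decode_bits(value, table):
    """Names of the bits set in value, in table order; empty for a missing mask."""
    if value is None:
        return []
    return [name for bit, name in table if value & bit]

def key_usage(obj):
    return decode_bits(bitmask(obj, "Usage"), USAGE_BITS)

def labels_consistent(obj, field, table):
    """True when the names printed after the mask are exactly what its bits decode to."""
    printed = [s.strip() for s in obj.get(field, "").split(",")[1:] if s.strip()]
    return printed == decode_bits(bitmask(obj, field), table)

def signing_keys(objects, key_id):
    """Private key objects carrying this ID whose usage includes 'sign'."""
    return [o for o in objects if o["kind"] == "Private RSA Key"
            and o.get("ID") == key_id and "sign" in key_usage(o)]

# Trimmed from the 12.2 listing in the message (key objects only).
DUMP_12_2 = """\
Private RSA Key [Private Key]
        Usage          : [0x2E], decrypt, sign, signRecover, unwrap
        Access Flags   : [0x1D], sensitive, alwaysSensitive, neverExtract, local
        Key ref        : 16 (0x10)
        ID             : 45
Public RSA Key [Private Key]
        Usage          : [0xD1], encrypt, wrap, verify, verifyRecover
        Access Flags   : [0x0]
        Key ref        : 0
        ID             : 45
"""

# Trimmed from the 11.8 listing in the message (key objects only).
DUMP_11_8 = """\
Private RSA Key [Private Key]
        Com. Flags  : 3
        Usage       : [0x22], decrypt, unwrap
        Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local
        Key ref     : 16
        ID          : 45
Private RSA Key [Private Key]
        Usage       : [0x20C], sign, signRecover, nonRepudiation
        Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local
        Key ref     : 17
        ID          : 45
Public RSA Key [Public Key]
        Usage       : [0x4], sign
        Key ref     : 0
        ID          : 45
"""

if __name__ == "__main__":
    for name, dump in (("12.2", DUMP_12_2), ("11.8", DUMP_11_8)):
        objs = parse_dump(dump)
        for o in objs:
            print(name, o["kind"], "ref", o.get("Key ref"), key_usage(o))
        print(name, "private keys with ID 45 that may sign:",
              [o["Key ref"] for o in signing_keys(objs, "45")])
```

Run on the two trimmed dumps, `signing_keys(..., "45")` returns the single ref 16 key for the 12.2 listing and only ref 17 for the 11.8 listing, and `labels_consistent` confirms that every printed name list matches its bitmask under the assumed bit table. Feeding it the full output of a real pkcs15-tool run is the intended use; the parser ignores lines it does not recognise, such as the "Using reader with a card:" header.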