Greetings. I'm working with a CardContact HSM, and would like to generate a keypair on the token, then get a certificate based on that key.
I'm using CardContact's branch of OpenSC (https://github.com/CardContact/OpenSC rev a4c3d4ec2436) and openssl 1.0.1c; I'm currently experimenting on an up-to-date Fedora 17 x86-64 box, but am hoping to deploy portions of this toolchain onto an embedded platform (linux ppc32). Just in case, I updated to the latest releases of libp11 (0.2.8) and engine_pkcs11 (0.1.8).

I can successfully generate the keypair and extract the public key at the same time:

  $ d=/usr/local/opensc
  $ tool="$d/bin/pkcs11-tool --module $d/lib/opensc-pkcs11.so"
  $ $tool --login --pin 648219 \
      --keypairgen --key-type rsa:2048 --id 10 \
      --read-object --id 10 --type pubkey --output-file pub.spki
  Using slot 1 with a present token (0x1)
  Key pair generated:
  Private Key Object; RSA
    label:      Private Key
    ID:         10
    Usage:      decrypt, sign, unwrap
  Public Key Object; RSA 2048 bits
    label:      Private Key
    ID:         10
    Usage:      encrypt, verify, wrap

  $ ls -al pub.spki
  -rw-rw-r--. 1 tony tony 270 Nov  9 22:20 pub.spki

  $ hexdump -C pub.spki
  00000000  30 82 01 0a 02 82 01 01  00 95 42 87 7a 04 82 ab  |0.........B.z...|
  00000010  89 7f b2 07 9f 25 e3 c2  47 e7 0a 53 2e 8c a9 0b  |.....%..G..S....|
  ...
  000000f0  71 a7 17 18 f6 69 99 eb  5d d1 cb 18 33 60 29 c0  |q....i..]...3`).|
  00000100  c5 22 28 5b 31 7d 3e 6d  99 02 03 01 00 01        |."([1}>m......|

However, I haven't managed to find the right incantation to force openssl to use the (available) public key, but to sign with the private key on the token.
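Added example (not part of Anthony's post, and not OpenSC or engine_pkcs11 code): a small DER reader that tells a bare PKCS#1 RSAPublicKey apart from an X.509 SubjectPublicKeyInfo and wraps the former into the latter. The hexdump above opens with 30 82 01 0a 02 82 01 01 00 and the file is 270 bytes, which is the shape of RSAPublicKey (SEQUENCE of two INTEGERs: a 2048-bit modulus with a leading zero byte, then the exponent). A SubjectPublicKeyInfo for the same key opens with 30 82 01 22 30 0d 06 09 (AlgorithmIdentifier rsaEncryption first) and is 294 bytes. openssl reads the two with different options (`-pubin` for SPKI, `-RSAPublicKey_in` for PKCS#1), so knowing which one a tool actually wrote, whatever its file extension says, avoids a round of "cannot load public key" confusion. The 2048-bit modulus in the sample is constructed, not a real key.

```python
"""Tell a PKCS#1 RSAPublicKey DER blob from a SubjectPublicKeyInfo one, and convert.

Added example; the 2048-bit modulus below is constructed, not a real key.
"""

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption


def _encode_len(n):
    """DER length: short form below 0x80, else 0x80|count followed by big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _encode_len(len(body)) + body


def _read_tlv(buf, pos):
    """Return (tag, body, position after the element) for the TLV starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        count = first & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def _encode_int(value):
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:          # leading zero keeps the INTEGER positive
        body = b"\x00" + body
    return _tlv(0x02, body)


def encode_pkcs1(n, e):
    """RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }"""
    return _tlv(0x30, _encode_int(n) + _encode_int(e))


def pkcs1_to_spki(pkcs1):
    """Wrap an RSAPublicKey in SubjectPublicKeyInfo (AlgorithmIdentifier rsaEncryption, NULL)."""
    algorithm = _tlv(0x30, _tlv(0x06, RSA_OID) + b"\x05\x00")
    return _tlv(0x30, algorithm + _tlv(0x03, b"\x00" + pkcs1))


def parse_rsa_public(der):
    """Return ("pkcs1" | "spki", modulus, exponent), or raise ValueError."""
    tag, outer, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE")
    tag, first, after = _read_tlv(outer, 0)
    if tag == 0x02:
        # bare RSAPublicKey: the sequence opens directly with the modulus INTEGER
        tag2, second, _ = _read_tlv(outer, after)
        if tag2 != 0x02:
            raise ValueError("publicExponent is not an INTEGER")
        return "pkcs1", int.from_bytes(first, "big"), int.from_bytes(second, "big")
    if tag == 0x30:
        # SubjectPublicKeyInfo: AlgorithmIdentifier SEQUENCE, then a BIT STRING holding RSAPublicKey
        oid_tag, oid, _ = _read_tlv(first, 0)
        if oid_tag != 0x06 or oid != RSA_OID:
            raise ValueError("algorithm is not rsaEncryption")
        bs_tag, bitstring, _ = _read_tlv(outer, after)
        if bs_tag != 0x03 or not bitstring or bitstring[0] != 0:
            raise ValueError("subjectPublicKey is not a byte-aligned BIT STRING")
        _, n, e = parse_rsa_public(bitstring[1:])
        return "spki", n, e
    raise ValueError("neither RSAPublicKey nor SubjectPublicKeyInfo")


# Constructed sample: a 2048-bit odd modulus and e = 65537. Its DER header comes out as
# 30 82 01 0a 02 82 01 01 00 ..., 270 bytes, the same shape as the hexdump in the post.
SAMPLE_N = (1 << 2047) | 0x10001
SAMPLE_PKCS1 = encode_pkcs1(SAMPLE_N, 65537)

if __name__ == "__main__":
    for label, blob in (("pkcs1", SAMPLE_PKCS1), ("spki", pkcs1_to_spki(SAMPLE_PKCS1))):
        kind, n, e = parse_rsa_public(blob)
        print(f"{label}: {len(blob)} bytes, header {blob[:9].hex()}, parsed as {kind}, "
              f"{n.bit_length()}-bit modulus, e={e}")
```

To check a real file, read it in binary and pass the bytes to `parse_rsa_public`; if it reports "pkcs1", `pkcs1_to_spki` produces the form that `openssl rsa -pubin -inform DER` expects.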
I think I finally got the engine configured correctly:

  openssl_conf = openssl_def

  [openssl_def]
  engines = engine_section

  [engine_section]
  pkcs11 = pkcs11_section

  [pkcs11_section]
  engine_id = pkcs11
  dynamic_path = /usr/local/lib/engines/engine_pkcs11.so
  MODULE_PATH = /usr/local/lib/opensc-pkcs11.so
  init = 0

But when I try to do the signing operation, it looks like openssl is trying to read the private key off the token, instead of asking the token to sign on the token:

  LD_LIBRARY_PATH=/usr/local/lib:/usr/local/lib/engines \
    /usr/local/bin/openssl req -verbose \
      -config ./token.conf -engine pkcs11 \
      -key slot_1-id_10 -keyform engine -out foo.req
  Using configuration from ./token.conf
  engine "pkcs11" set.
  PKCS#11 token PIN: 648219
  PKCS11_get_private_key returned NULL
  cannot load Private Key from engine
  140416681797312:error:80028012:PKCS11 library:PKCS11_get_attribute:Attribute type invalid:p11_attr.c:53:
  140416681797312:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:eng_pkey.c:126:
  unable to load Private Key

On the wiki for the HSM (http://www.opensc-project.org/opensc/wiki/SmartCardHsm#Generatekeypair), there is a curious phrase:

  The SmartCard-HSM does not permanently store public keys, but generates
  the required PKCS#11 public key object from certificates stored on the
  device. As newly generated key pairs don't have a certificate initially,
  the public key is extracted from the card generated certificate signing
  request instead and made available for the duration of the session. To
  save the generated public key in Subject Public Key Information format
  as per RFC3280 use the following command

If I'm reading that correctly, then it seems that the HSM is creating a CSR internally -- but I don't see any way to retrieve that CSR (let alone specify the typical certificate properties like email address, DN, CN, etc.)
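Added example (not from the post, and not OpenSC or engine_pkcs11 code): a checker for the engine configuration shown above. Before reading engine error strings it is worth confirming that the `openssl_conf -> engines -> pkcs11` chain actually resolves to the section with the settings, that `dynamic_path` and `MODULE_PATH` point at files that exist, and that the engine is loading the same PKCS#11 module the working pkcs11-tool run used. The two invocations on this page name the OpenSC module under different prefixes (`/usr/local/opensc/lib/...` for pkcs11-tool, `/usr/local/lib/...` for the engine), which is exactly the kind of mismatch such a check surfaces. The config text is copied from the post; the `exists` hook is an assumption made so the checker can run without those files present.

```python
"""Sanity-check an openssl.cnf engine_pkcs11 section: chain, paths, and module consistency."""
import os

# Config text copied from the mailing-list post (used here as constructed sample input)
SAMPLE_CONF = """\
openssl_conf = openssl_def

[openssl_def]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/local/lib/engines/engine_pkcs11.so
MODULE_PATH = /usr/local/lib/opensc-pkcs11.so
init = 0
"""

# Module path the pkcs11-tool run in the post used ($d/lib/opensc-pkcs11.so with d=/usr/local/opensc)
TOOL_MODULE = "/usr/local/opensc/lib/opensc-pkcs11.so"


def parse_openssl_conf(text):
    """Minimal parser for the '[section]' / 'key = value' layout of openssl.cnf.

    Returns {section: {key: value}}; keys before any section header go under ''.
    """
    sections = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip()] = value.strip()
    return sections


def find_engine_section(sections):
    """Follow openssl_conf -> engines -> pkcs11 to the section holding the engine settings."""
    top = sections[""].get("openssl_conf")
    engines = sections.get(top, {}).get("engines")
    name = sections.get(engines, {}).get("pkcs11")
    return sections.get(name)


def check_engine_conf(text, tool_module=None, exists=os.path.isfile):
    """Return a list of findings; an empty list means nothing obviously wrong.

    `exists` is injectable (assumption for this example) so the check can be
    exercised on a machine that does not have the libraries installed.
    """
    findings = []
    engine = find_engine_section(parse_openssl_conf(text))
    if engine is None:
        return ["openssl_conf -> engines -> pkcs11 chain does not resolve to a section"]
    if engine.get("engine_id") != "pkcs11":
        findings.append("engine_id is not 'pkcs11'")
    for key in ("dynamic_path", "MODULE_PATH"):
        path = engine.get(key)
        if not path:
            findings.append(f"{key} is missing")
        elif not exists(path):
            findings.append(f"{key} does not exist: {path}")
    module = engine.get("MODULE_PATH")
    if tool_module and module and os.path.normpath(module) != os.path.normpath(tool_module):
        findings.append(f"MODULE_PATH ({module}) differs from the module pkcs11-tool used ({tool_module})")
    return findings


if __name__ == "__main__":
    for finding in check_engine_conf(SAMPLE_CONF, tool_module=TOOL_MODULE) or ["no findings"]:
        print(finding)
```

Run against a real `token.conf` with the default `exists`, passing the `--module` path from the pkcs11-tool command line as `tool_module`, and fix every finding before looking at the engine's own errors.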
There's the "moz-test" flag to the pkcs11-tool, which invokes test_kpgen_certwrite; this seems very close to what I'm trying to do -- but it's not exposed very clearly through the options (if at all).

For the moment, I guess I'll just generate keys, CSRs, and certs in software, and use the HSM just for storage. I would love to figure out what I'm doing wrong, though.

Best regards,
Anthony Foiani

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel