I’m having a problem, and am not sure whether it’s due to my ignorance/misuse of the tool (i.e. it should be done differently), or a bug in the tool, or it’s just not capable of doing what I want it to.
What I’m trying to accomplish: use engine_pkcs11 <https://github.com/OpenSC/engine_pkcs11> with OpenSSL to sign and decrypt with private keys on a smart card, accessed as a PKCS#11 token. To support this engine, I’ve also installed libp11 <https://github.com/OpenSC/libp11>, and of course OpenSC <https://github.com/OpenSC/OpenSC> itself.

This shows that OpenSC works and accesses the smart card successfully:

  $ p11tool --provider /Library/OpenSC/lib/opensc-pkcs11.dylib --list-privkeys --login
  Token 'PIV_II (PIV Card Holder pin)' with URL 'pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=……..;token=PIV_II%20%28PIV%20Card%20Holder%20pin%29' requires user PIN
  Enter PIN:
  Object 0:
          URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=……..;token=PIV_II%20%28PIV%20Card%20Holder%20pin%29;id=%01;object=PIV%20AUTH%20key;object-type=private
          Type: Private key
          Label: PIV AUTH key
          Flags: CKA_WRAP/UNWRAP; CKA_PRIVATE; CKA_SENSITIVE;
          ID: 01
  Object 1:
          URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=……..;token=PIV_II%20%28PIV%20Card%20Holder%20pin%29;id=%02;object=SIGN%20key;object-type=private
          Type: Private key
          Label: SIGN key
          Flags: CKA_PRIVATE; CKA_SENSITIVE;
          ID: 02
  Object 2:
          URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=……..;token=PIV_II%20%28PIV%20Card%20Holder%20pin%29;id=%03;object=KEY%20MAN%20key;object-type=private
          Type: Private key
          Label: KEY MAN key
          Flags: CKA_WRAP/UNWRAP; CKA_PRIVATE; CKA_SENSITIVE;
          ID: 03
  Object 3:
          URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=……..;token=PIV_II%20%28PIV%20Card%20Holder%20pin%29;id=%04;object=CARD%20AUTH%20key;object-type=private
          Type: Private key
          Label: CARD AUTH key
          Flags: CKA_SENSITIVE;
          ID: 04

This shows that OpenSSL does seem to load the engine, but fails to access the key on the smart card:

  $ openssl engine pkcs11 -t
  (pkcs11) pkcs11 engine
       [ available ]
  $ openssl req -engine pkcs11 -new -key "pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=……..;token=PIV_II%20%28PIV%20Card%20Holder%20pin%29;id=%02;object=SIGN%20key;object-type=private;pin-value=123456" -keyform engine -out req.pem -text -x509 -subj "/CN=Tester"
  engine "pkcs11" set.
  specified object not found
  PKCS11_get_private_key returned NULL
  cannot load Private Key from engine
  140735296230224:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:eng_pkey.c:124:
  unable to load Private Key
  $ LOAD_CERT_CTRL=true VERBOSE=7 openssl pkeyutl -engine pkcs11 -sign -inkey "pkcs11:object=SIGN%20key;object-type=private;pin-value=123456" -keyform engine -out config.status.sig -in config.status.hash
  engine "pkcs11" set.
  Error opening Private Key pkcs11:object=SIGN%20key;object-type=private;pin-value=123456
  140735296230224:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('pkcs11:object=SIGN%20key;object-type=private;pin-value=123456','r')
  140735296230224:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
  unable to load Private Key
  Error initializing context
  Usage: pkeyutl [options]
  -in file        input file
  -out file       output file
  -sigfile file   signature file (verify operation only)
  -inkey file     input key
  -keyform arg    private key format - default PEM
  -pubin          input is a public key
  -certin         input is a certificate carrying a public key
  -pkeyopt X:Y    public key options
  -sign           sign with private key
  -verify         verify with public key
  -verifyrecover  verify with public key, recover original data
  -encrypt        encrypt with public key
  -decrypt        decrypt with private key
  -derive         derive shared secret
  -hexdump        hex dump output
  -engine e       use engine e, possibly a hardware device.
  -passin arg     pass phrase source
  $

I would appreciate guidance regarding how to accomplish what I’m trying to do, and whether it is possible to do so staying within the OpenSSL CLI.

Thanks!

P.S. I followed the README from https://github.com/OpenSC/engine_pkcs11 as an example of how to use OpenSSL with engine_pkcs11 and the token.

--
Regards,
Uri Blumenthal
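An added worked example, not part of Uri's message and not code from engine_pkcs11 or libp11: the engine is driven by an RFC 7512 PKCS#11 URI, so the script below builds such URIs with correct percent-encoding, parses them, and runs them against a constructed inventory copied from the p11tool listing above (the elided serial is left out). RFC 7512 puts token, object, id and type in the path component, separated by ';', and pin-value, pin-source, module-name and module-path in the query component after '?', separated by '&'. A URI selects an object only when every attribute it names equals the object's attribute byte for byte after percent-decoding; attributes it omits are wildcards, so the shortest URI that still picks exactly one object is the least fragile. 'object-type' is the pre-RFC spelling of 'type' that the OpenSC tooling in the post prints and is treated as an alias. The lenient option, which also tolerates pin-value in the path component, is an assumption about what a given engine version accepts and should be checked against that version's README.

```python
"""Added example (not from the original post, engine_pkcs11 or libp11):
build, parse and match RFC 7512 PKCS#11 URIs against a constructed inventory."""
from urllib.parse import quote, unquote_to_bytes

# RFC 7512: path attributes (section 2.3) and query attributes (section 2.4).
PATH_ATTRS = {"token", "manufacturer", "serial", "model", "library-manufacturer",
              "library-description", "library-version", "object", "type", "id",
              "slot-manufacturer", "slot-description", "slot-id"}
QUERY_ATTRS = {"pin-source", "pin-value", "module-name", "module-path"}
# Pre-RFC spelling used by the OpenSC tooling in the post; treated as an alias.
ALIASES = {"object-type": "type"}


def _parse_component(text, delim, allowed):
    """Split one URI component on its delimiter and percent-decode each value.
    Values are returned as bytes because "id" is arbitrary binary (e.g. %02)."""
    attrs = {}
    if text == "":
        return attrs
    for item in text.split(delim):
        name, eq, value = item.partition("=")
        name = ALIASES.get(name, name)
        if not eq or name not in allowed:
            raise ValueError(f"bad attribute in PKCS#11 URI: {item!r}")
        if name in attrs:
            raise ValueError(f"duplicate attribute {name!r}")
        attrs[name] = unquote_to_bytes(value)
    return attrs


def parse_pkcs11_uri(uri, lenient=False):
    """Return (path_attrs, query_attrs). Per the RFC, pin-value and the other
    query attributes live after '?'. lenient=True additionally tolerates them
    in the path component (assumption: some pre-RFC engines did; verify against
    the README of the engine version you run)."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path_text, has_query, query_text = uri[len("pkcs11:"):].partition("?")
    path_allowed = PATH_ATTRS | QUERY_ATTRS if lenient else PATH_ATTRS
    path = _parse_component(path_text, ";", path_allowed)
    # Move any tolerated query attributes out of the path dict.
    query = {k: path.pop(k) for k in list(path) if k in QUERY_ATTRS}
    if has_query:
        query.update(_parse_component(query_text, "&", QUERY_ATTRS))
    return path, query


def build_pkcs11_uri(path_attrs, query_attrs=None):
    """Assemble a URI, percent-encoding everything outside RFC 3986 unreserved.
    Values may be str or bytes (bytes for "id")."""
    def enc(v):
        return quote(v, safe="")
    uri = "pkcs11:" + ";".join(f"{k}={enc(v)}" for k, v in path_attrs.items())
    if query_attrs:
        uri += "?" + "&".join(f"{k}={enc(v)}" for k, v in query_attrs.items())
    return uri


def find_objects(uri, inventory, lenient=False):
    """RFC 7512 matching: each attribute named in the URI must equal the object's
    value byte for byte; attributes the URI omits act as wildcards."""
    path, _query = parse_pkcs11_uri(uri, lenient)
    return [o for o in inventory if all(o.get(k) == v for k, v in path.items())]


# Constructed inventory mirroring the p11tool listing in the post (serial omitted).
_TOKEN = {"model": b"PKCS#15 emulated", "manufacturer": b"piv_II",
          "token": b"PIV_II (PIV Card Holder pin)"}
INVENTORY = [dict(_TOKEN, object=label.encode(), type=b"private", id=obj_id)
             for label, obj_id in [("PIV AUTH key", b"\x01"), ("SIGN key", b"\x02"),
                                   ("KEY MAN key", b"\x03"), ("CARD AUTH key", b"\x04")]]

# A URI for the SIGN key written the RFC way: pin-value in the query component.
SIGN_KEY_URI = build_pkcs11_uri(
    {"token": "PIV_II (PIV Card Holder pin)", "id": b"\x02", "type": "private"},
    {"pin-value": "123456"})


if __name__ == "__main__":
    print(SIGN_KEY_URI)
    print([o["object"] for o in find_objects(SIGN_KEY_URI, INVENTORY)])
    # The pre-RFC spelling and a minimal URI both select exactly the SIGN key.
    print([o["id"] for o in find_objects("pkcs11:object=SIGN%20key;object-type=private", INVENTORY)])
    # One attribute that does not match byte for byte selects nothing:
    # "token=PIV_II" is a prefix of the label, not the label itself.
    print(find_objects("pkcs11:token=PIV_II;object=SIGN%20key", INVENTORY))
```

Run as a script it prints the built URI, the single match for it, the single match for the minimal pre-RFC URI, and an empty list for the URI with the truncated token label. The empty list is the situation behind an "object not found" style answer from any RFC 7512 matcher: one attribute that is present but does not match is enough, which is why checking the URI attribute by attribute against the p11tool listing is the first thing to do.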
_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev