This is an oddity with 'openssl pkeyutl'. Try this option order:

    LOAD_CERT_CTRL=true VERBOSE=7 openssl pkeyutl -engine pkcs11 -sign -keyform engine -inkey "pkcs11:object=SIGN%20key;object-type=private;pin-value=123456" -out config.status.sig -in config.status.hash
The reason for this is that pkeyutl (as opposed to most other openssl subcommands) tries to load the key while parsing the options, so if '-keyform engine' comes after '-inkey ...', it will try to load the key before having seen that it should be loaded from engine. I think a bugfix for this is in order...

Cheers,
Richard

In message <d28e0643.23c27%...@ll.mit.edu> on Wed, 9 Dec 2015 21:24:41 +0000, "Blumenthal, Uri - 0553 - MITLL" <u...@ll.mit.edu> said:

uri> I’m having a problem, and am not sure whether it’s due to my
uri> ignorance/misuse of the tool (i.e. it should be done differently), or
uri> a bug in the tool, or it’s just not capable of doing what I want it
uri> to.
uri>
uri> What I’m trying to accomplish: use engine_pkcs11 with OpenSSL to sign
uri> and decrypt with private keys on a smart card, accessed as a PKCS#11
uri> token. To support this engine, I’ve also installed libp11, and of
uri> course OpenSC itself.
uri>
uri> This shows that OpenSC works and accesses the smart card successfully:
uri>
uri> $ p11tool --provider /Library/OpenSC/lib/opensc-pkcs11.dylib --list-privkeys --login
uri>
uri> Token 'PIV_II (PIV Card Holder pin)' with URL
uri> 'pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=……..;token=PIV_II%20%28PIV%20Card%20Holder%20pin%29'
uri> requires user PIN
uri>
uri> Enter PIN:
uri>
uri> Object 0:
uri>   URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=……..;token=PIV_II%20%28PIV%20Card%20Holder%20pin%29;id=%01;object=PIV%20AUTH%20key;object-type=private
uri>   Type: Private key
uri>   Label: PIV AUTH key
uri>   Flags: CKA_WRAP/UNWRAP; CKA_PRIVATE; CKA_SENSITIVE;
uri>   ID: 01
uri>
uri> Object 1:
uri>   URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=……..;token=PIV_II%20%28PIV%20Card%20Holder%20pin%29;id=%02;object=SIGN%20key;object-type=private
uri>   Type: Private key
uri>   Label: SIGN key
uri>   Flags: CKA_PRIVATE; CKA_SENSITIVE;
uri>   ID: 02
uri>
uri> Object 2:
uri>   URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=……..;token=PIV_II%20%28PIV%20Card%20Holder%20pin%29;id=%03;object=KEY%20MAN%20key;object-type=private
uri>   Type: Private key
uri>   Label: KEY MAN key
uri>   Flags: CKA_WRAP/UNWRAP; CKA_PRIVATE; CKA_SENSITIVE;
uri>   ID: 03
uri>
uri> Object 3:
uri>   URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=……..;token=PIV_II%20%28PIV%20Card%20Holder%20pin%29;id=%04;object=CARD%20AUTH%20key;object-type=private
uri>   Type: Private key
uri>   Label: CARD AUTH key
uri>   Flags: CKA_SENSITIVE;
uri>   ID: 04
uri>
uri> This shows that OpenSSL does seem to load the engine, but fails to
uri> access the key on the smart card:
uri>
uri> $ openssl engine pkcs11 -t
uri> (pkcs11) pkcs11 engine
uri>      [ available ]
uri>
uri> $ openssl req -engine pkcs11 -new -key "pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=……..;token=PIV_II%20%28PIV%20Card%20Holder%20pin%29;id=%02;object=SIGN%20key;object-type=private;pin-value=123456" -keyform engine -out req.pem -text -x509 -subj "/CN=Tester"
uri> engine "pkcs11" set.
uri> specified object not found
uri> PKCS11_get_private_key returned NULL
uri> cannot load Private Key from engine
uri> 140735296230224:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:eng_pkey.c:124:
uri> unable to load Private Key
uri>
uri> $ LOAD_CERT_CTRL=true VERBOSE=7 openssl pkeyutl -engine pkcs11 -sign -inkey "pkcs11:object=SIGN%20key;object-type=private;pin-value=123456" -keyform engine -out config.status.sig -in config.status.hash
uri> engine "pkcs11" set.
uri>
uri> Error opening Private Key pkcs11:object=SIGN%20key;object-type=private;pin-value=123456
uri> 140735296230224:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('pkcs11:object=SIGN%20key;object-type=private;pin-value=123456','r')
uri> 140735296230224:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
uri> unable to load Private Key
uri> Error initializing context
uri>
uri> Usage: pkeyutl [options]
uri> -in file        input file
uri> -out file       output file
uri> -sigfile file   signature file (verify operation only)
uri> -inkey file     input key
uri> -keyform arg    private key format - default PEM
uri> -pubin          input is a public key
uri> -certin         input is a certificate carrying a public key
uri> -pkeyopt X:Y    public key options
uri> -sign           sign with private key
uri> -verify         verify with public key
uri> -verifyrecover  verify with public key, recover original data
uri> -encrypt        encrypt with public key
uri> -decrypt        decrypt with private key
uri> -derive         derive shared secret
uri> -hexdump        hex dump output
uri> -engine e       use engine e, possibly a hardware device.
uri> -passin arg     pass phrase source
uri>
uri> $
uri>
uri> I would appreciate guidance regarding how to accomplish what I’m
uri> trying to do, and whether it is possible to do so staying within the
uri> OpenSSL CLI.
uri>
uri> Thanks!
uri>
uri> P.S. I followed the README from
uri> https://github.com/OpenSC/engine_pkcs11 as an example of how to use
uri> OpenSSL with engine_pkcs11 and the token.
uri> --
uri> Regards,
uri> Uri Blumenthal

_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
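As an added illustration of the ordering problem Richard describes (a toy model written for this page, not OpenSSL's source), the following Python contrasts loading the key eagerly while options are still being parsed with the deferred loading he proposes as the fix; the key stores and the "key.pem" name are constructed stand-ins for files on disk and objects behind the engine.

```python
# Added example (not OpenSSL's code): toy model of the pkeyutl option-ordering
# quirk from the thread. The key stores below are constructed stand-ins.
SIGN_KEY_URI = "pkcs11:object=SIGN%20key;object-type=private;pin-value=123456"
PEM_FILES = {"key.pem": "RSA key from file"}          # files on disk
TOKEN_OBJECTS = {SIGN_KEY_URI: "RSA key on token"}    # objects behind the engine

def load_key(name, keyform):
    """Look name up in the store selected by keyform ('PEM' or 'engine')."""
    store = TOKEN_OBJECTS if keyform == "engine" else PEM_FILES
    if name not in store:
        # A PKCS#11 URI handed to the file loader is just a missing file, which
        # is the "fopen ... No such file or directory" error in the thread.
        raise FileNotFoundError(f"{keyform}: cannot open {name!r}")
    return store[name]

def run_pkeyutl(argv, eager=True):
    """Walk pkeyutl-style options and return the loaded key.

    eager=True loads the key as soon as -inkey is parsed, using whatever
    -keyform has been seen so far (the behaviour Richard describes);
    eager=False records the options and loads after parsing (the fix).
    """
    keyform, inkey, key = "PEM", None, None   # PEM is pkeyutl's default
    it = iter(argv)
    for opt in it:
        if opt == "-inkey":
            inkey = next(it)
            if eager:
                key = load_key(inkey, keyform)
        elif opt == "-keyform":
            keyform = next(it)
        elif opt in ("-engine", "-in", "-out"):
            next(it)  # option takes an argument; irrelevant to the model
    if not eager:
        key = load_key(inkey, keyform)
    return key

def attempt(argv, eager=True):
    """Return the loaded key, or None when loading fails (what the user saw)."""
    try:
        return run_pkeyutl(argv, eager)
    except FileNotFoundError:
        return None

if __name__ == "__main__":
    inkey_first = ["-engine", "pkcs11", "-sign", "-inkey", SIGN_KEY_URI, "-keyform", "engine"]
    keyform_first = ["-engine", "pkcs11", "-sign", "-keyform", "engine", "-inkey", SIGN_KEY_URI]
    print(attempt(inkey_first))                # None: loaded as PEM before -keyform was seen
    print(attempt(keyform_first))              # RSA key on token
    print(attempt(inkey_first, eager=False))   # RSA key on token: deferred loading fixes order
```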