On 12/10/15, 3:39, "openssl-dev on behalf of Richard Levitte" <openssl-dev-boun...@openssl.org on behalf of levi...@openssl.org> wrote:
>This is an oddity with 'openssl pkeyutl'. Try this option order:

I see!

>LOAD_CERT_CTRL=true VERBOSE=7 openssl pkeyutl -engine pkcs11 -sign
>-keyform engine -inkey
>"pkcs11:object=SIGN%20key;object-type=private;pin-value=123456" -out
>config.status.sig -in config.status.hash

Much better now - but at this time I hit “unsupported algorithm”. The key in question is RSA-2048, with SHA256.

$ LOAD_CERT_CTRL=true VERBOSE=7 openssl pkeyutl -engine pkcs11 -sign -keyform engine -inkey "pkcs11:object=SIGN%20key;object-type=private;pin-value=123456" -out config.status.sig -in config.status.hash
engine "pkcs11" set.
Error initializing context
140735296230224:error:260C0065:engine routines:ENGINE_get_pkey_meth:unimplemented public key method:tb_pkmeth.c:128:
140735296230224:error:0609D09C:digital envelope routines:INT_CTX_NEW:unsupported algorithm:pmeth_lib.c:164:
Usage: pkeyutl [options]
-in file        input file
-out file       output file
-sigfile file   signature file (verify operation only)
-inkey file     input key
-keyform arg    private key format - default PEM
-pubin          input is a public key
-certin         input is a certificate carrying a public key
-pkeyopt X:Y    public key options
-sign           sign with private key
-verify         verify with public key
-verifyrecover  verify with public key, recover original data
-encrypt        encrypt with public key
-decrypt        decrypt with private key
-derive         derive shared secret
-hexdump        hex dump output
-engine e       use engine e, possibly a hardware device.
-passin arg     pass phrase source
$

I observed exactly the same happening with the decryption key.
In case it helps:

$ pkcs15-tool -k
Using reader with a card: Yubico Yubikey NEO OTP+U2F+CCID
Private RSA Key [PIV AUTH key]
	Object Flags   : [0x1], private
	Usage          : [0x2E], decrypt, sign, signRecover, unwrap
	Access Flags   : [0x1D], sensitive, alwaysSensitive, neverExtract, local
	ModLength      : 2048
	Key ref        : 154 (0x9A)
	Native         : yes
	Auth ID        : 01
	ID             : 01
	MD:guid        : 0x'303165623538356130633436626635356438343233643936396232336465623700000000 00000000'
Private RSA Key [SIGN key]
	Object Flags   : [0x1], private
	Usage          : [0x20E], decrypt, sign, signRecover, nonRepudiation
	Access Flags   : [0x1D], sensitive, alwaysSensitive, neverExtract, local
	ModLength      : 2048
	Key ref        : 156 (0x9C)
	Native         : yes
	Auth ID        : 01
	ID             : 02
	MD:guid        : 0x'303265623538356130633436626635356438343233643936396232336465623700000000 00000000'
Private RSA Key [KEY MAN key]
	Object Flags   : [0x1], private
	Usage          : [0x22], decrypt, unwrap
	Access Flags   : [0x1D], sensitive, alwaysSensitive, neverExtract, local
	ModLength      : 2048
	Key ref        : 157 (0x9D)
	Native         : yes
	Auth ID        : 01
	ID             : 03
	MD:guid        : 0x'303365623538356130633436626635356438343233643936396232336465623700000000 00000000'
Private RSA Key [CARD AUTH key]
	Object Flags   : [0x0]
	Usage          : [0xC], sign, signRecover
	Access Flags   : [0x1D], sensitive, alwaysSensitive, neverExtract, local
	ModLength      : 2048
	Key ref        : 158 (0x9E)
	Native         : yes
	ID             : 04
	MD:guid        : 0x'303465623538356130633436626635356438343233643936396232336465623700000000 00000000'

>The reason for this is that pkeyutl (as opposed to most other openssl
>subcommands) tries to load the key while parsing the options, so if
>'-keyform engine' comes after '-inkey ...', it will try to load the
>key before having seen that it should be loaded from engine.
>
>I think a bugfix for this is in order...

I appreciate your willingness to help - and your willingness to fix this even more.

By the way, there appears to be another order-related issue also: -pkeyopt must follow -inkey.
But in this case pkeyutl at least reports the problem correctly.

Thanks!

>In message <d28e0643.23c27%...@ll.mit.edu> on Wed, 9 Dec 2015 21:24:41
>+0000, "Blumenthal, Uri - 0553 - MITLL" <u...@ll.mit.edu> said:
>
>uri> I’m having a problem, and am not sure whether it’s due to my
>uri> ignorance/misuse of the tool (i.e. it should be done differently), or
>uri> a bug in the tool, or it’s just not capable of doing what I want it
>uri> to.
>uri>
>uri> What I’m trying to accomplish: use engine_pkcs11 with OpenSSL to sign
>uri> and decrypt with private keys on a smart card, accessed as a PKCS#11
>uri> token. To support this engine, I’ve also installed libp11, and of
>uri> course OpenSC itself.
>uri>
>uri> This shows that OpenSC works and accesses the smart card successfully:
>uri>
>uri> $ p11tool --provider /Library/OpenSC/lib/opensc-pkcs11.dylib --list-privkeys --login
>uri>
>uri> Token 'PIV_II (PIV Card Holder pin)' with URL
>uri> 'pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=……..;token=PIV_II%20%28PIV%20Card%20Holder%20pin%29'
>uri> requires user PIN
>uri>
>uri> Enter PIN:
>uri>
>uri> Object 0:
>uri> URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=……..;token=PIV_II%20%28PIV%20Card%20Holder%20pin%29;id=%01;object=PIV%20AUTH%20key;object-type=private
>uri> Type: Private key
>uri> Label: PIV AUTH key
>uri> Flags: CKA_WRAP/UNWRAP; CKA_PRIVATE; CKA_SENSITIVE;
>uri> ID: 01
>uri>
>uri> Object 1:
>uri> URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=……..;token=PIV_II%20%28PIV%20Card%20Holder%20pin%29;id=%02;object=SIGN%20key;object-type=private
>uri> Type: Private key
>uri> Label: SIGN key
>uri> Flags: CKA_PRIVATE; CKA_SENSITIVE;
>uri> ID: 02
>uri>
>uri> Object 2:
>uri> URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=……..;token=PIV_II%20%28PIV%20Card%20Holder%20pin%29;id=%03;object=KEY%20MAN%20key;object-type=private
>uri> Type: Private key
>uri> Label: KEY MAN key
>uri> Flags: CKA_WRAP/UNWRAP; CKA_PRIVATE; CKA_SENSITIVE;
>uri> ID: 03
>uri>
>uri> Object 3:
>uri> URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=……..;token=PIV_II%20%28PIV%20Card%20Holder%20pin%29;id=%04;object=CARD%20AUTH%20key;object-type=private
>uri> Type: Private key
>uri> Label: CARD AUTH key
>uri> Flags: CKA_SENSITIVE;
>uri> ID: 04
>uri>
>uri> This shows that OpenSSL does seem to load the engine, but fails to
>uri> access the key on the smart card:
>uri>
>uri> $ openssl engine pkcs11 -t
>uri> (pkcs11) pkcs11 engine
>uri>      [ available ]
>uri>
>uri> $ openssl req -engine pkcs11 -new -key "pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=……..;token=PIV_II%20%28PIV%20Card%20Holder%20pin%29;id=%02;object=SIGN%20key;object-type=private;pin-value=123456" -keyform engine -out req.pem -text -x509 -subj "/CN=Tester"
>uri> engine "pkcs11" set.
>uri> specified object not found
>uri> PKCS11_get_private_key returned NULL
>uri> cannot load Private Key from engine
>uri> 140735296230224:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:eng_pkey.c:124:
>uri> unable to load Private Key
>uri>
>uri> $ LOAD_CERT_CTRL=true VERBOSE=7 openssl pkeyutl -engine pkcs11 -sign -inkey "pkcs11:object=SIGN%20key;object-type=private;pin-value=123456" -keyform engine -out config.status.sig -in config.status.hash
>uri> engine "pkcs11" set.
>uri> Error opening Private Key
>uri> pkcs11:object=SIGN%20key;object-type=private;pin-value=123456
>uri> 140735296230224:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('pkcs11:object=SIGN%20key;object-type=private;pin-value=123456','r')
>uri> 140735296230224:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
>uri> unable to load Private Key
>uri> Error initializing context
>uri> Usage: pkeyutl [options]
>uri> -in file        input file
>uri> -out file       output file
>uri> -sigfile file   signature file (verify operation only)
>uri> -inkey file     input key
>uri> -keyform arg    private key format - default PEM
>uri> -pubin          input is a public key
>uri> -certin         input is a certificate carrying a public key
>uri> -pkeyopt X:Y    public key options
>uri> -sign           sign with private key
>uri> -verify         verify with public key
>uri> -verifyrecover  verify with public key, recover original data
>uri> -encrypt        encrypt with public key
>uri> -decrypt        decrypt with private key
>uri> -derive         derive shared secret
>uri> -hexdump        hex dump output
>uri> -engine e       use engine e, possibly a hardware device.
>uri> -passin arg     pass phrase source
>uri> $
>uri>
>uri> I would appreciate guidance regarding how to accomplish what I’m
>uri> trying to do, and whether it is possible to do so staying within the
>uri> OpenSSL CLI.
>uri>
>uri> Thanks!
>uri>
>uri> P.S. I followed the README from
>uri> https://github.com/OpenSC/engine_pkcs11 as an example of how to use
>uri> OpenSSL with engine_pkcs11 and the token.
>uri> --
>uri> Regards,
>uri> Uri Blumenthal
>_______________________________________________
>openssl-dev mailing list
>To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
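The two option-ordering rules the thread arrives at (-keyform engine before -inkey, because pkeyutl loads the key while it parses options; -pkeyopt after -inkey) and the percent-encoded PKCS#11 URIs it passes around are easy to get wrong by hand. The following is an added example, not code from this thread, from OpenSSL, libp11 or engine_pkcs11: it builds and parses PKCS#11 URIs with RFC 7512 percent-encoding (so a label such as "SIGN key" becomes object=SIGN%20key and a CKA_ID becomes id=%02), assembles a pkeyutl argv in the order the thread reports as working, and checks an arbitrary argv for the two ordering mistakes. All function names are my own; the sample URI values are constructed to match the labels and ids shown in the p11tool output above.

```python
"""PKCS#11 URI helpers and a pkeyutl option-order check.

Added example, not code from the thread, OpenSSL, libp11 or engine_pkcs11.
Function names are my own. Percent-encoding follows RFC 7512; the option
ordering rules are the ones the thread reports: '-keyform engine' must
come before '-inkey', and '-pkeyopt' must come after '-inkey'.
"""
import shlex
from urllib.parse import quote, unquote_to_bytes

# Path-attribute characters RFC 7512 leaves unescaped (besides letters,
# digits and the unreserved set "-._~"); everything else becomes %XX.
_SAFE = "-._~:[]@!$'()*+,="


def encode_value(value):
    """Percent-encode one attribute value.

    bytes (a CKA_ID such as b'\\x02') are encoded byte-wise, giving 'id=%02'
    as in the p11tool output; str labels such as 'SIGN key' become
    'SIGN%20key'.
    """
    if isinstance(value, bytes):
        return "".join("%%%02X" % b for b in value)
    return quote(value, safe=_SAFE)


def build_pkcs11_uri(attrs):
    """Assemble 'pkcs11:k=v;k=v' from an ordered mapping of path attributes."""
    return "pkcs11:" + ";".join(
        "%s=%s" % (k, encode_value(v)) for k, v in attrs.items())


def parse_pkcs11_uri(uri):
    """Parse a PKCS#11 URI into a dict; 'id' is returned as raw bytes.

    Query attributes (after '?', e.g. pin-source) go into the same dict;
    every value other than 'id' is percent-decoded as UTF-8 text.
    """
    scheme, sep, rest = uri.partition(":")
    if scheme != "pkcs11" or not sep:
        raise ValueError("not a pkcs11 URI: %r" % uri)
    path, _, query = rest.partition("?")
    attrs = {}
    for part in path.split(";") + query.split("&"):
        if not part:
            continue
        key, eq, raw = part.partition("=")
        if not eq:
            raise ValueError("attribute without value: %r" % part)
        data = unquote_to_bytes(raw)
        attrs[key] = data if key == "id" else data.decode("utf-8")
    return attrs


def pkeyutl_sign_args(key_uri, infile, outfile, pkeyopts=()):
    """Return a pkeyutl argv in the order the thread found to work.

    pkeyutl loads the key while it parses options, so '-keyform engine'
    is placed before '-inkey'; '-pkeyopt' values follow '-inkey' because
    they apply to the context of the already-loaded key.
    """
    args = ["openssl", "pkeyutl", "-engine", "pkcs11", "-sign",
            "-keyform", "engine", "-inkey", key_uri]
    for opt in pkeyopts:
        args += ["-pkeyopt", opt]
    args += ["-in", infile, "-out", outfile]
    return args


def check_option_order(args):
    """Return the ordering problems in a pkeyutl argv (empty list when OK)."""
    problems = []
    if "-inkey" not in args:
        return problems
    inkey = args.index("-inkey")
    if "-keyform" in args and args.index("-keyform") > inkey:
        problems.append("-keyform must come before -inkey")
    if any(a == "-pkeyopt" and i < inkey for i, a in enumerate(args)):
        problems.append("-pkeyopt must come after -inkey")
    return problems


if __name__ == "__main__":
    # Constructed sample: the SIGN key from the thread, addressed by label and id.
    uri = build_pkcs11_uri({"object": "SIGN key", "object-type": "private",
                            "id": b"\x02"})
    print(uri)
    print(parse_pkcs11_uri(uri))
    argv = pkeyutl_sign_args(uri, "config.status.hash", "config.status.sig",
                             ["digest:sha256"])
    print(" ".join(shlex.quote(a) for a in argv))
    print(check_option_order(argv))
```

The parser also accepts the RFC 7512 query form, so a URI such as pkcs11:object=SIGN%20key?pin-source=file:/path/to/pin round-trips; where the engine build in use supports pin-source, that keeps the PIN out of the command line, shell history and process listings, which pin-value in the URI does not.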
_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev