On 12/10/15, 12:32 , "openssl-dev on behalf of Dr. Stephen Henson" <openssl-dev-boun...@openssl.org on behalf of st...@openssl.org> wrote:
> The reason for that is because the -engine option sets the ENGINE to use for
> everything and the PKCS#11 ENGINE doesn't support that public key method.

I’m afraid I don’t understand. What good is a PKCS#11 engine if it doesn’t support at least “sign” and “decrypt” methods?

> What we need is a way to load the private key from an ENGINE but not attempt
> to use that for the actual operations.

Could you please clarify what you mean by “load the private key”?

> Temporary fix is to set the second argument in EVP_PKEY_CTX_new to NULL
> in pkeyutl.c

With your proposed (temporary) fix, the signature both generated and verified successfully (see below). Could I ask to push this fix to the master, and maybe/hopefully to the 1_0_2 branch?

$ apps/openssl version
OpenSSL 1.0.2f-dev xx XXX xxxx (Library: OpenSSL 1.0.2e 3 Dec 2015)

$ LOAD_CERT_CTRL=true VERBOSE=7 apps/openssl pkeyutl -engine pkcs11 -sign -keyform engine -inkey "pkcs11:object=SIGN%20key;object-type=private;pin-value=123456" -out ~/src/OpenSC/engine_pkcs11/config.status.sig -in ~/src/OpenSC/engine_pkcs11/config.status.hash
engine "pkcs11" set.

$ apps/openssl pkeyutl -verify -pubin -inkey ~/src/OpenSC/engine_pkcs11/pub.key -sigfile ~/src/OpenSC/engine_pkcs11/config.status.sig -in ~/src/OpenSC/engine_pkcs11/config.status.hash
Signature Verified Successfully
$

Thanks!
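An added example, not part of this thread and not OpenSSL's own code: the same pkeyutl sign/verify round trip the message runs against a PKCS#11 token, with a throwaway software RSA key standing in for the token-held "SIGN key" so it runs anywhere the openssl CLI (1.0.2 or later) and mktemp are on PATH. The payload is constructed, the key is generated on the fly, and the "-pkeyopt digest:sha256" option is an addition not present in the message's commands. It also adds the check the message does not show: that the signature is rejected for a different digest.

```shell
#!/bin/sh
# Added example, not from the openssl-dev thread or from OpenSSL's sources.
# Assumes an openssl CLI (1.0.2 or later) and mktemp on PATH.
# Software-key stand-in for the token-backed round trip in the message:
#   sign a precomputed hash with pkeyutl, verify it with the public key only,
#   then confirm a different hash is rejected by the same signature.
# Returns 0 only when both the positive and the negative check behave.

roundtrip_in() {
    d=$1

    # Throwaway RSA key pair; in the message the private half lives on the
    # PKCS#11 token and is selected with "-engine pkcs11 -keyform engine -inkey pkcs11:...".
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$d/priv.key" 2>/dev/null || return 1
    openssl pkey -in "$d/priv.key" -pubout -out "$d/pub.key" 2>/dev/null || return 1

    # Constructed sample payload, reduced to a raw SHA-256 digest the way
    # config.status.hash is a precomputed hash in the message.
    printf 'constructed sample payload\n' > "$d/payload"
    openssl dgst -sha256 -binary -out "$d/payload.hash" "$d/payload" || return 1

    # Sign the digest. "-pkeyopt digest:sha256" (not used in the message) wraps
    # the hash in a PKCS#1 v1.5 DigestInfo, so the verifier also checks which
    # hash algorithm the signature commits to.
    openssl pkeyutl -sign -inkey "$d/priv.key" -pkeyopt digest:sha256 \
        -in "$d/payload.hash" -out "$d/payload.sig" || return 1

    # Verify with the public key only, as the message does with pub.key.
    good=$(openssl pkeyutl -verify -pubin -inkey "$d/pub.key" -pkeyopt digest:sha256 \
        -sigfile "$d/payload.sig" -in "$d/payload.hash" 2>/dev/null) || return 1
    case "$good" in
        *"Signature Verified Successfully"*) ;;
        *) return 1 ;;
    esac

    # Negative check: the same signature must not verify a different digest.
    printf 'constructed sample payload (tampered)\n' > "$d/tampered"
    openssl dgst -sha256 -binary -out "$d/tampered.hash" "$d/tampered" || return 1
    bad=$(openssl pkeyutl -verify -pubin -inkey "$d/pub.key" -pkeyopt digest:sha256 \
        -sigfile "$d/payload.sig" -in "$d/tampered.hash" 2>/dev/null || true)
    case "$bad" in
        *"Signature Verified Successfully"*) return 1 ;;
    esac
    return 0
}

# Wrapper that owns the temp directory so no key material is left behind.
pkeyutl_roundtrip() {
    dir=$(mktemp -d) || return 1
    rc=1
    if roundtrip_in "$dir"; then rc=0; fi
    rm -rf "$dir"
    return $rc
}

pkeyutl_roundtrip && echo "sign/verify round trip OK"
```

To run the token-backed variant from the message, replace the "-inkey priv.key" on the sign step with "-engine pkcs11 -keyform engine -inkey pkcs11:..."; the verify step is unchanged, since it only ever needs the public key.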