From previous private conversations, can you comment on whether this is a PIV or a NEO with a PIV applet?
I certainly can – this is a NEO with a PIV applet. But side-stepping – note that openssl dgst appeared to work fine. See my other posting to this list, duplicated here:
$ pkcs15-tool --read-public-key 02 -o pub.key
Using reader with a card: Yubico Yubikey NEO OTP+U2F+CCID
Please enter PIN [PIV Card Holder pin]:

$ openssl dgst -engine pkcs11 -keyform engine -sign \
    "pkcs11:object=SIGN%20key;object-type=private;pin-value=123456" \
    -sha256 -out t.sig < config.h
engine "pkcs11" set.

$ openssl dgst -verify pub.key -keyform PEM -signature t.sig -sha256 < config.h
Verified OK
Did you generate a key on the card using the piv-tool or NEO tool?

At this moment (test setting) the keys were generated off-card, and loaded on the token using NEO tools.

For production, of course they’ll be generated on the card (except for the KEY MAN key) and certified elsewhere.

Did you create a certificate and load it on the card? I assume not.

For production this assumption would be correct. But not for this case (testing, "feeling the water", so to say).

But in any case, fully-configured certificates with all the necessary attributes (Key Usage, Extended Key Usage, etc.) have been loaded.
There is a chicken-and-egg problem with the PIV. To determine if a key is on the card, and its attributes, the public key that was saved during the key generation step is needed. In normal use the public key is in the certificate on the card. But if there is NO certificate on the card, as when you are trying to generate the certificate, the OpenSC low-level routines will look for the public key in a file off the card.
Got it. This will be very useful once I move to “real” from “testing”.

https://github.com/OpenSC/OpenSC/wiki/PivTool#generate-a-certificate-request shows setting the PIV_9A_KEY= environment variable. In your case, because you are using the "SIGN key", you would need to set

PIV_9C_KEY=path.to.pubkey.file.der

This should work with other programs like openssl pkeyutl too. Once the certificate is then loaded, the PIV_9X_KEY environment variable will not be used.

Got it. Thanks!
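The sign-then-verify flow above (openssl dgst signing through the token, verifying against the public key read off the card with pkcs15-tool) and the pkeyutl variant from the quoted message below can be exercised without a NEO, which makes it easy to check that the two commands produce the same PKCS#1 v1.5 signature before involving the token. The script below is an added example, not code from this thread, OpenSC or OpenSSL; it assumes a PEM file stands in for the pkcs11: URI and that `openssl rsa -pubout` stands in for the public key that pkcs15-tool --read-public-key exported, so it needs only openssl installed. The input file is constructed.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread or from OpenSC/OpenSSL.
# It reproduces the sign-and-verify flow discussed in the thread with a
# software RSA-2048 key standing in for the NEO/PIV token (assumption: a PEM
# file replaces the pkcs11: URI, and `openssl rsa -pubout` replaces the public
# key that pkcs15-tool read off the card), so it runs with only openssl installed.
set -eu

# Sign a constructed input two ways and verify both against the extracted
# public key:
#   1. openssl dgst -sign     hashes and signs in one step (what worked in the thread)
#   2. openssl pkeyutl -sign  signs a hash computed beforehand (the thread's
#      config.status.hash); -pkeyopt digest:sha256 makes it wrap the hash in the
#      SHA-256 DigestInfo so the result is a standard PKCS#1 v1.5 signature
# Returns 0 and prints "ok" when both verify and the two signatures are identical.
demo_sign_verify() {
    work=$(mktemp -d) || return 1
    trap 'rm -rf "$work"' EXIT

    # Constructed stand-in for the config.h / config.status files in the thread
    printf '#define HAVE_PKCS11 1\n#define PIV_SLOT 0x9C\n' > "$work/input.txt"

    # Off-card key generation (the thread's "test setting"), then the public
    # key export that pkcs15-tool --read-public-key performed against the token
    openssl genrsa -out "$work/key.pem" 2048 2>/dev/null || return 1
    openssl rsa -in "$work/key.pem" -pubout -out "$work/pub.key" 2>/dev/null || return 1

    # 1. dgst path: hash + sign, then verify with the exported public key
    openssl dgst -sha256 -sign "$work/key.pem" -out "$work/t.sig" \
        < "$work/input.txt" || return 1
    openssl dgst -sha256 -verify "$work/pub.key" -keyform PEM \
        -signature "$work/t.sig" < "$work/input.txt" >/dev/null || return 1

    # 2. pkeyutl path: compute the raw 32-byte SHA-256 first, then sign it.
    #    -pkeyopt must follow -inkey (older pkeyutl applies options to the
    #    context created when the key is loaded).
    openssl dgst -sha256 -binary -out "$work/input.hash" < "$work/input.txt" || return 1
    openssl pkeyutl -sign -inkey "$work/key.pem" -in "$work/input.hash" \
        -pkeyopt digest:sha256 -out "$work/t2.sig" || return 1
    openssl pkeyutl -verify -pubin -inkey "$work/pub.key" -in "$work/input.hash" \
        -sigfile "$work/t2.sig" -pkeyopt digest:sha256 >/dev/null || return 1

    # PKCS#1 v1.5 RSA signing is deterministic, so the two paths must agree
    # byte for byte; a mismatch would mean one of them padded differently
    cmp -s "$work/t.sig" "$work/t2.sig" || return 1
    echo ok
}

# Run the demonstration when executed directly; skip cleanly if openssl is absent
if command -v openssl >/dev/null 2>&1; then
    demo_sign_verify
else
    echo "openssl not installed; nothing to demonstrate" >&2
fi
```

Once this passes with a software key, swapping `-inkey "$work/key.pem"` for the `-engine pkcs11 -keyform engine -inkey "pkcs11:..."` form used in the thread isolates any remaining failure to the engine path rather than to the hashing or padding.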
On 12/10/2015 9:38 AM, Blumenthal, Uri - 0553 - MITLL wrote:

On 12/10/15, 3:39 , "openssl-dev on behalf of Richard Levitte" <openssl-dev-boun...@openssl.org on behalf of levi...@openssl.org> wrote:
This is an oddity with 'openssl pkeyutl'. Try this option order:

I see!

LOAD_CERT_CTRL=true VERBOSE=7 openssl pkeyutl -engine pkcs11 -sign -keyform engine -inkey \
    "pkcs11:object=SIGN%20key;object-type=private;pin-value=123456" \
    -out config.status.sig -in config.status.hash
Much better now - but at this time I hit “unsupported algorithm”. The key in question is RSA-2048, with SHA256.
$ LOAD_CERT_CTRL=true VERBOSE=7 openssl pkeyutl -engine pkcs11 -sign -keyform engine -inkey \
    "pkcs11:object=SIGN%20key;object-type=private;pin-value=123456" \
    -out config.status.sig -in config.status.hash
engine "pkcs11" set.
Error initializing context
140735296230224:error:260C0065:engine routines:ENGINE_get_pkey_meth:unimplemented public key method:tb_pkmeth.c:128:
140735296230224:error:0609D09C:digital envelope routines:INT_CTX_NEW:unsupported algorithm:pmeth_lib.c:164:
Usage: pkeyutl [options]
-in file        input file
-out file       output file
-sigfile file   signature file (verify operation only)
-inkey file     input key
-keyform arg    private key format - default PEM
-pubin          input is a public key
-certin         input is a certificate carrying a public key
-pkeyopt X:Y    public key options
-sign           sign with private key
-verify         verify with public key
-verifyrecover  verify with public key, recover original data
-encrypt        encrypt with public key
-decrypt        decrypt with private key
-derive         derive shared secret
-hexdump        hex dump output
-engine e       use engine e, possibly a hardware device.
-passin arg     pass phrase source
$
I observed exactly the same happening with the decryption key.
_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev