"The key ID is not a valid PKCS#11 URI as defined by" comes from the OpenSC engine code in ./engine_pkcs11.c. It looks like type= or object-type= will be ignored, but must be cert or private; if it's not, rv may not be set correctly:

    } else if (!strncmp(p, "type=", 5) || !strncmp(p, "object-type=", 12)) {
        p = strchr(p, '=') + 1;

        if ((end - p == 4 && !strncmp(p, "cert", 4)) ||
            (end - p == 7 && !strncmp(p, "private", 7))) {
            /* Actually, just ignore it */
        } else
            rv = 0;

Try removing the "object-type=public" in your tests.

On 12/17/2015 4:06 PM, Blumenthal, Uri - 0553 - MITLL wrote:
> I'm playing with RSA-PSS and PKCS11 engine (in OpenSSL, of course :).
>
> This works:
>
> $ openssl dgst -engine pkcs11 -keyform engine -sign "pkcs11:object=SIGN%20key;object-type=private;pin-value=123456" -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 -out sig1.out ~/src/wtls-verifier
> engine "pkcs11" set.
> $ pkcs15-tool --read-public-key 02 -o 02.pem
> Using reader with a card: Yubico Yubikey NEO OTP+U2F+CCID
> Please enter PIN [PIV Card Holder pin]:
> $ openssl dgst -keyform PEM -verify 02.pem -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 -signature sig1.out ~/src/wtls-verifier
> Verified OK
> $
>
> But this doesn't:
>
> $ openssl dgst -engine pkcs11 -keyform engine -verify "pkcs11:object=SIGN%20pubkey;object-type=public" -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 -signature sig1.out ~/src/wtls-verifier
> engine "pkcs11" set.
> The key ID is not a valid PKCS#11 URI as defined by RFC7512.
> PKCS11_load_public_key returned NULL
> unable to load key file
> $
>
> And this one doesn't either:
>
> $ openssl dgst -engine pkcs11 -keyform engine -verify "pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=6d87283aaed2e6a5;token=PIV_II%20%28PIV%20Card%20Holder%20pin%29;id=%02;object=SIGN%20pubkey;object-type=public" -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 -signature sig1.out ~/src/wtls-verifier
> engine "pkcs11" set.
> The key ID is not a valid PKCS#11 URI as defined by RFC7512.
> PKCS11_load_public_key returned NULL
> unable to load key file
> $ openssl dgst -engine pkcs11 -keyform engine -verify "pkcs11:object=SIGN%20pubkey;type=public" -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 -signature sig1.out ~/src/wtls-verifier
> engine "pkcs11" set.
> The key ID is not a valid PKCS#11 URI as defined by RFC7512.
> PKCS11_load_public_key returned NULL
> unable to load key file
>
> Is it a bug, or what am I doing wrong?
>
> Thanks!

-- 
Douglas E. Engert <deeng...@gmail.com>
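As an added illustration of the check Douglas quotes (this is example code written for this page, not engine_pkcs11's own code and not part of the thread): a small parser for the path part of a PKCS#11 URI (RFC 7512) that applies the same type=/object-type= rule to the URIs from the question. Only the cert/private comparison is taken from the excerpt; the set of attributes handled (object=, id=, pin-value=), the buffer sizes, the percent-decoding helper and the silent skipping of other attributes such as model= or token= are assumptions of this example.

```c
/* Added example, not engine_pkcs11's own code: a minimal parser for the
 * path part of a PKCS#11 URI (RFC 7512) that copies only the
 * type=/object-type= rule from the excerpt above.  The attribute set,
 * buffer sizes and the skipping of unknown attributes are assumptions. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define PKCS11_MAXLEN 256

struct pkcs11_id {
    char object[PKCS11_MAXLEN];      /* CKA_LABEL, percent-decoded */
    unsigned char id[PKCS11_MAXLEN]; /* CKA_ID bytes, percent-decoded */
    size_t id_len;
    char pin[PKCS11_MAXLEN];         /* pin-value, if present */
};

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Percent-decode src[0..len) into dst; decoded length, or -1 on error. */
static int pct_decode(const char *src, size_t len, unsigned char *dst, size_t cap)
{
    size_t i, n = 0;
    for (i = 0; i < len; i++) {
        int c = (unsigned char)src[i];
        if (n >= cap) return -1;
        if (c == '%') {
            int hi, lo;
            if (i + 2 >= len) return -1;               /* truncated %XX */
            hi = hexval((unsigned char)src[i + 1]);
            lo = hexval((unsigned char)src[i + 2]);
            if (hi < 0 || lo < 0) return -1;           /* non-hex digit */
            c = (hi << 4) | lo;
            i += 2;
        }
        dst[n++] = (unsigned char)c;
    }
    return (int)n;
}

/* Decode into a NUL-terminated string field; 1 on success, 0 on error. */
static int decode_str(const char *v, size_t vlen, char *dst, size_t cap)
{
    int n = pct_decode(v, vlen, (unsigned char *)dst, cap - 1);
    if (n < 0) return 0;
    dst[n] = '\0';
    return 1;
}

/* Returns 1 if the URI is accepted, 0 if rejected (the engine's rv). */
int parse_pkcs11_uri(const char *uri, struct pkcs11_id *out)
{
    const char *p;
    int rv = 1;

    memset(out, 0, sizeof(*out));
    if (strncmp(uri, "pkcs11:", 7) != 0)
        return 0;
    p = uri + 7;
    while (rv && *p != '\0') {
        const char *end = strchr(p, ';');
        const char *eq, *v;
        size_t vlen;

        if (end == NULL) end = p + strlen(p);
        eq = memchr(p, '=', (size_t)(end - p));
        if (eq == NULL) return 0;                      /* attribute without '=' */
        v = eq + 1;
        vlen = (size_t)(end - v);

        if (!strncmp(p, "object=", 7)) {
            rv = decode_str(v, vlen, out->object, sizeof out->object);
        } else if (!strncmp(p, "id=", 3)) {
            int n = pct_decode(v, vlen, out->id, sizeof out->id);
            if (n < 0) rv = 0; else out->id_len = (size_t)n;
        } else if (!strncmp(p, "pin-value=", 10)) {
            rv = decode_str(v, vlen, out->pin, sizeof out->pin);
        } else if (!strncmp(p, "type=", 5) || !strncmp(p, "object-type=", 12)) {
            /* The rule quoted from engine_pkcs11.c: only "cert" and "private"
             * pass (and are then ignored); "public" rejects the whole URI. */
            if (!((vlen == 4 && !strncmp(v, "cert", 4)) ||
                  (vlen == 7 && !strncmp(v, "private", 7))))
                rv = 0;
        }
        /* model=, manufacturer=, token=, serial=, ... are skipped here
         * (this example's simplification, not the engine's behaviour). */
        p = (*end == ';') ? end + 1 : end;
    }
    return rv;
}

int main(void)
{
    static const char *const uris[] = {
        "pkcs11:object=SIGN%20key;object-type=private;pin-value=123456",
        "pkcs11:object=SIGN%20pubkey;object-type=public",
        "pkcs11:object=SIGN%20pubkey;type=public",
        "pkcs11:object=SIGN%20pubkey", /* object-type removed, as suggested */
    };
    size_t i;
    for (i = 0; i < sizeof uris / sizeof uris[0]; i++) {
        struct pkcs11_id id;
        printf("%s -> %s\n", uris[i],
               parse_pkcs11_uri(uris[i], &id) ? "accepted" : "rejected");
    }
    return 0;
}
```

Running it shows the signing URI accepted, both `object-type=public` and `type=public` URIs rejected, and the same public-key URI accepted once the object-type attribute is dropped, which is the behaviour the suggested workaround relies on. A malformed escape such as `%2` at the end of a value or `%zz` is also rejected rather than passed through as literal text.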
_______________________________________________ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev