You are right - the command line was wrong. Here’s the correct line, which should work, but doesn’t:
$ openssl cms -engine pkcs11 -aes256 -encrypt -in data.txt -binary -outform PEM -out data.txt.enc "pkcs11:object=Certificate%20for%20Key%20Management;object-type=cert"
engine "pkcs11" set.
Error opening recipient certificate file pkcs11:object=Certificate%20for%20Key%20Management;object-type=cert
140735201178448:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('pkcs11:object=Certificate%20for%20Key%20Management;object-type=cert','r')
140735201178448:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
unable to load certificate
$ openssl cms -engine pkcs11 -aes256 -encrypt -in data.txt -binary -outform PEM -out data.txt.enc token.cert.pem
engine "pkcs11" set.
$

And yes, it’s about time for OpenSSL to incorporate proper support for PKCS#11.
--
Regards,
Uri Blumenthal

On 3/14/16, 17:08, "David Woodhouse" <dw...@infradead.org> wrote:

>On Mon, 2016-03-14 at 19:27 +0000, Blumenthal, Uri - 0553 - MITLL
>wrote:
>> $ openssl cms -engine pkcs11 -aes256 -encrypt -binary -in data.txt
>> -outform engine "pkcs11:object=KEY%20MAN%20pubkey;object-type=public"
>
>That isn't what -outform does. It controls the output format of the
>encrypted result:
>
>$ openssl cms -aes256 -encrypt -binary -in data.txt -outform PEM cert.pem
>-----BEGIN CMS-----
>MIICIgYJKoZIhvcNAQcDoIICEzCCAg8CAQAxggHKMIIBxgIBADCBrTCBpzELMAkG
>...
>
>There is no option which makes it obtain the *certificate* (to which it
>is encrypting the CMS message) from an engine. There isn't even a
>standard way for an engine to provide such functionality — the PKCS#11
>engine currently exposes it only with a custom "LOAD_CERT_CTRL"
>command.
>
>This is just one of many reasons why libp11/engine_pkcs11 needs to die
>as a separate project, and we need to incorporate proper PKCS#11
>support into OpenSSL natively.
>
>--
>David Woodhouse                            Open Source Technology Centre
>david.woodho...@intel.com                              Intel Corporation
>
--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
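The behaviour discussed in this thread, as an added example (not code from either poster or from OpenSSL): `openssl cms -encrypt` opens its recipient argument as a plain file, so a wrapper can reject a `pkcs11:` URI up front and encrypt only to a certificate already exported to PEM. The function names, return codes and the throwaway software key that stands in for the token's certificate are assumptions.

```shell
#!/bin/sh
# Added example: guard around `openssl cms -encrypt` for PKCS#11 users.

# cms_encrypt_to_cert <infile> <outfile> <recipient-cert.pem>
# Returns 0 on success, 2 if the recipient is a PKCS#11 URI, 3 if it is not
# a parseable certificate file, 4 if openssl cms itself fails.
cms_encrypt_to_cert() {
    _in=$1; _out=$2; _cert=$3
    case "$_cert" in
        pkcs11:*)
            # The recipient is passed to fopen(); a URI never reaches the engine.
            echo "recipient '$_cert' is a PKCS#11 URI;" \
                 "export the certificate from the token to a PEM file first" >&2
            return 2 ;;
    esac
    # Confirm the file parses as an X.509 certificate before encrypting to it.
    if ! openssl x509 -in "$_cert" -noout 2>/dev/null; then
        echo "recipient '$_cert' is not a readable PEM certificate" >&2
        return 3
    fi
    openssl cms -encrypt -aes256 -binary -in "$_in" \
        -outform PEM -out "$_out" "$_cert" || return 4
}

# Constructed demo: a throwaway software key and self-signed certificate stand
# in for the certificate exported from the token (token.cert.pem on the page).
# Returns 0 when the decrypted output matches the constructed plaintext.
demo_roundtrip() {
    _d=$(mktemp -d) || return 1
    printf 'constructed sample plaintext\n' > "$_d/data.txt"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed-recipient" \
        -keyout "$_d/key.pem" -out "$_d/cert.pem" 2>/dev/null || return 1
    cms_encrypt_to_cert "$_d/data.txt" "$_d/data.txt.enc" "$_d/cert.pem" \
        || return 1
    openssl cms -decrypt -inform PEM -in "$_d/data.txt.enc" \
        -recip "$_d/cert.pem" -inkey "$_d/key.pem" \
        -out "$_d/data.out" || return 1
    cmp -s "$_d/data.txt" "$_d/data.out"; _rc=$?
    rm -rf "$_d"
    return $_rc
}
```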