Hello,
I'm trying to put the signer key in a secure token/HSM. I succeeded using SmartCard-HSM and Nitrokey, but not YubiHSM2 (Unable to load module yubihsm_pkcs11.so).
Following is the configuration I did, for the one that worked with SmartCard-HSM and Nitrokey (same config), and the failing one with YubiHSM2, with the error log I have in OpenXPKI.
Any help / idea would be appreciated.
Thanks
=====
Debian: 10
openxpki: 3.24.1
openssl: OpenSSL 1.1.1n
### Smartcard-hsm / Nitrokey ### worked perfectly
#################################################
ca-signer:
    backend: OpenXPKI::Crypto::Backend::OpenSSL
    key: "10"
    engine: PKCS11
    engine_section: |
        engine_id = pkcs11
        dynamic_path = /usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so
        MODULE_PATH = /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
        PIN = __PIN__
        init = 0
    engine_usage: 'ALWAYS'
    key_store: ENGINE
    shell: /usr/bin/openssl
    randfile: /dev/random
    wrapper: ''
    secret: signer
secret:
    signer:
        label: SmartCard Pin
        method: literal
        value: 12345678
        cache: daemon
### YubiHSM2 ###
################
ca-signer:
    backend: OpenXPKI::Crypto::Backend::OpenSSL
    # key: slot_0-label_rsakey
    key: 0:0005
    engine: PKCS11
    engine_section: |
        engine_id = pkcs11
        # dynamic_path = /usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so
        MODULE_PATH = /usr/lib/x86_64-linux-gnu/pkcs11/yubihsm_pkcs11.so
        PIN = __PIN__
        init = 0
    engine_usage: 'ALWAYS'
    key_store: ENGINE
    shell: /usr/bin/openssl
    randfile: /dev/random
    wrapper: ''
    secret: signer
secret:
    signer:
        label: YubiHSM2 Pin
        method: literal
        value: 0001password
        cache: daemon
### environment variables ###
#############################
export YUBIHSM_PKCS11_CONF='/etc/yubihsm2/yubihsm_pkcs11.conf'
export YUBIHSM_PKCS11_MODULE='/usr/lib/x86_64-linux-gnu/pkcs11/yubihsm_pkcs11.so'
### yubihsm_pkcs11.conf ###
###########################
connector = http://127.0.0.1:12345
### /usr/lib/ssl/openssl.cnf ###
################################
...
openssl_conf = default_conf
[default_conf]
engines = engine_section
[engine_section]
pkcs11 = pkcs11_section
[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so
MODULE_PATH = /usr/lib/x86_64-linux-gnu/pkcs11/yubihsm_pkcs11.so
INIT_ARGS = connector=http://127.0.0.1:12345 debug
init = 0
...
### test dealing with YubiHSM2 ###
##################################
pkcs11-tool --module /usr/lib/x86_64-linux-gnu/pkcs11/yubihsm_pkcs11.so --login --pin 0001password --keypairgen --key-type rsa:2048 --label "my_key" --usage-sign
openssl req -new -x509 -days 365 -subj '/CN=my key/' -sha256 -engine pkcs11 -keyform engine -key slot_0-label_rsakey -out cert.pem
pkcs11-tool --module /usr/lib/x86_64-linux-gnu/pkcs11/yubihsm_pkcs11.so --login -O
All executed successfully.
### openxpki error log ###
##########################
Unable to load module /usr/lib/x86_64-linux-gnu/pkcs11/yubihsm_pkcs11.so
PKCS11_get_private_key returned NULL
cannot load signing key file from engine
139887530206400:error:82065007:PKCS#11 module:pkcs11_check_token:Invalid arguments:p11_load.c:92:
139887530206400:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:../crypto/engine/eng_pkey.c:78:
unable to load signing key file [pid=783|sid=wnxs]
2023/09/28 11:41:19 openxpki.system.ERROR I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __COMMAND__ => cms -sign -binary -nosmimecap -outform PEM -nodetach -engine pkcs11 -keyform engine -in /var/tmp/openxpki783zdpPQU49 -inkey 0:0005 -signer /var/tmp/openxpki783Nf839thW -out /var/tmp/openxpki783DXlzdsaV -passin env:pwd, __EXIT_STATUS__ => 512 [pid=783|sid=wnxs]
2023/09/28 11:41:19 openxpki.system.ERROR I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ => OpenXPKI::Crypto::Backend::OpenSSL::Command::pkcs7_sign, __ERRVAL__ => I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __COMMAND__ => cms -sign -binary -nosmimecap -outform PEM -nodetach -engine pkcs11 -keyform engine -in /var/tmp/openxpki783zdpPQU49 -inkey 0:0005 -signer /var/tmp/openxpki783Nf839thW -out /var/tmp/openxpki783DXlzdsaV -passin env:pwd, __EXIT_STATUS__ => 512 [pid=783|sid=wnxs]
--
*Regards*
*Montajab Saleh*
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
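A diagnostic script that is not part of the post above or of OpenXPKI: it replays the exact `openssl cms -sign` call from the error log twice, once with the interactive shell's environment (where `pkcs11-tool` and `openssl req` worked) and once under `env -i`, which drops the exported `YUBIHSM_PKCS11_CONF` the way a service started by systemd would not see a login shell's exports. Module path, config path, key id and the `env:pwd` PIN variable come from the post; the assumptions are that `cert.pem` matches key `0:0005`, that the daemon environment lacks the exports, and the constructed probe payload.

```shell
#!/bin/sh
# Added diagnostic (not from the post or OpenXPKI). Replays the logged
# `openssl cms -sign` call with and without the shell's exported variables,
# to tell a PKCS#11 module that needs YUBIHSM_PKCS11_CONF apart from one that
# fails for another reason. Paths/key id are from the post; cert.pem is assumed.
set -u

MODULE=/usr/lib/x86_64-linux-gnu/pkcs11/yubihsm_pkcs11.so
CONF=/etc/yubihsm2/yubihsm_pkcs11.conf
KEY=0:0005          # the -inkey value OpenXPKI passed, per the log
SIGNER=cert.pem     # certificate matching the key (assumption)

# check_env MODULE CONF: prints each missing prerequisite; the return value is
# the number of problems, so 0 means "looks like the interactive environment".
check_env() {
    mod=$1; conf=$2; problems=0
    [ -r "$mod" ]  || { echo "module not readable: $mod";  problems=$((problems + 1)); }
    [ -r "$conf" ] || { echo "config not readable: $conf"; problems=$((problems + 1)); }
    [ "${YUBIHSM_PKCS11_CONF:-}" = "$conf" ] ||
        { echo "YUBIHSM_PKCS11_CONF is not '$conf' here"; problems=$((problems + 1)); }
    return "$problems"
}

# connector_of CONF: the connector URL the module will contact, read from CONF.
connector_of() {
    sed -n 's/^[[:space:]]*connector[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# sign_probe LABEL [wrapper...]: run the logged command through an optional
# environment wrapper (e.g. `env -i PATH=/usr/bin:/bin`) and report the status.
sign_probe() {
    label=$1; shift
    in=$(mktemp); out=$(mktemp); echo "probe payload (constructed)" > "$in"
    "$@" openssl cms -sign -binary -nosmimecap -outform PEM -nodetach \
        -engine pkcs11 -keyform engine -inkey "$KEY" -signer "$SIGNER" \
        -in "$in" -out "$out" -passin env:pwd
    rc=$?
    rm -f "$in" "$out"
    echo "$label: openssl exit status $rc"
    return "$rc"
}

# Probes run only when invoked as `pwd=<PIN> sh probe.sh run`.
if [ "${1:-}" = run ]; then
    check_env "$MODULE" "$CONF"; echo "connector: $(connector_of "$CONF")"
    sign_probe "interactive env" || true
    sign_probe "daemon-like env -i" env -i PATH=/usr/bin:/bin pwd="${pwd:-}" || true
fi
```

If the first probe signs and the second fails with the same "Unable to load module" line, the module depends on something only the interactive shell exports, and that setting has to reach the OpenXPKI service's environment instead.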