Hi Lixin,

It's a good sign. I also tried this way, *slot_0-label_rsakey*, but I don't think this is the issue here: the OpenXPKI log says that for some reason it can't load the *yubihsm_pkcs11.so* module. But as you used YubiHSM2 successfully, do you think that I did the configuration correctly?

Thanks
On Thu, Sep 28, 2023 at 7:31 PM Lixin Liu <[email protected]> wrote:

> I have successfully used YubiHSM2 (FIPS version). I used the label name
> for the signing key:
>
> key: "slot_0-label_<label name>"
>
> Cheers,
>
> Lixin.
>
> *From:* Montajab Saleh <[email protected]>
> *Sent:* Thursday, September 28, 2023 2:19 AM
> *To:* [email protected]
> *Subject:* [OpenXPKI-users] OpenXPKI woth YubiHSM2 - Unable to load
> module yubihsm_pkcs11
>
> Hello,
>
> I'm trying to put the signer key in a secure token/hsm, I succeed using
> SmartCard-HSM and Nitrokey, but not YubiHSM2 (Unable to load module
> yubihsm_pkcs11.so)
>
> following is the configuration I did, for the one that worked with
> SmartCard-HSM and Nitrokey (same config), and the failed ones with YubiHSM2
> with the error log I have in OpenXPKI
>
> Any help / idea would be appreciated
> Thanks
> =====
> Debian: 10
> openxpki: 3.24.1
> openssl: OpenSSL 1.1.1n
>
> ### Smartcard-hsm / Nitrokey ### worked perfectly
> #################################################
> ca-signer:
>   backend: OpenXPKI::Crypto::Backend::OpenSSL
>   key: "10"
>   engine: PKCS11
>   engine_section: |
>     engine_id = pkcs11
>     dynamic_path = /usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so
>     MODULE_PATH = /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
>     PIN = __PIN__
>     init = 0
>   engine_usage: 'ALWAYS'
>   key_store: ENGINE
>   shell: /usr/bin/openssl
>   randfile: /dev/random
>   wrapper: ''
>   secret: signer
>
> secret:
>   signer:
>     label: SmartCard Pin
>     method: literal
>     value: 12345678
>     cache: daemon
>
> ### YubiHSM2 ###
> ################
> ca-signer:
>   backend: OpenXPKI::Crypto::Backend::OpenSSL
>   # key: slot_0-label_rsakey
>   key: 0:0005
>   engine: PKCS11
>   engine_section: |
>     engine_id = pkcs11
>     # dynamic_path = /usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so
>     MODULE_PATH = /usr/lib/x86_64-linux-gnu/pkcs11/yubihsm_pkcs11.so
>     PIN = __PIN__
>     init = 0
>   engine_usage: 'ALWAYS'
>   key_store: ENGINE
>   shell: /usr/bin/openssl
>   randfile: /dev/random
>   wrapper: ''
>   secret: signer
>
> secret:
>   signer:
>     label: YubiHSM2 Pin
>     method: literal
>     value: 0001password
>     cache: daemon
>
> ### environment variables ###
> #############################
> export YUBIHSM_PKCS11_CONF='/etc/yubihsm2/yubihsm_pkcs11.conf'
> export YUBIHSM_PKCS11_MODULE='/usr/lib/x86_64-linux-gnu/pkcs11/yubihsm_pkcs11.so'
>
> ### yubihsm_pkcs11.conf ###
> ###########################
> connector = http://127.0.0.1:12345
>
> ### /usr/lib/ssl/openssl.cnf ###
> ################################
> ...
> openssl_conf = default_conf
>
> [default_conf]
> engines = engine_section
>
> [engine_section]
> pkcs11 = pkcs11_section
>
> [pkcs11_section]
> engine_id = pkcs11
> dynamic_path = /usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so
> MODULE_PATH = /usr/lib/x86_64-linux-gnu/pkcs11/yubihsm_pkcs11.so
> INIT_ARGS = connector=http://127.0.0.1:12345 debug
> init = 0
> ...
>
> ### test dealing with YubiHSM2 ###
> ##################################
> pkcs11-tool --module /usr/lib/x86_64-linux-gnu/pkcs11/yubihsm_pkcs11.so --login --pin 0001password --keypairgen --key-type rsa:2048 --label "my_key" --usage-sign
> openssl req -new -x509 -days 365 -subj '/CN=my key/' -sha256 -engine pkcs11 -keyform engine -key slot_0-label_rsakey -out cert.pem
> pkcs11-tool --module /usr/lib/x86_64-linux-gnu/pkcs11/yubihsm_pkcs11.so --login -O
>
> All executed successfully
>
> ### openxpki error log ###
> ##########################
> Unable to load module /usr/lib/x86_64-linux-gnu/pkcs11/yubihsm_pkcs11.so
> PKCS11_get_private_key returned NULL
> cannot load signing key file from engine
> 139887530206400:error:82065007:PKCS#11 module:pkcs11_check_token:Invalid arguments:p11_load.c:92:
> 139887530206400:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:../crypto/engine/eng_pkey.c:78:
> unable to load signing key file
> [pid=783|sid=wnxs]
> 2023/09/28 11:41:19 openxpki.system.ERROR I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __COMMAND__ => cms -sign -binary -nosmimecap -outform PEM -nodetach -engine pkcs11 -keyform engine -in /var/tmp/openxpki783zdpPQU49 -inkey 0:0005 -signer /var/tmp/openxpki783Nf839thW -out /var/tmp/openxpki783DXlzdsaV -passin env:pwd, __EXIT_STATUS__ => 512 [pid=783|sid=wnxs]
> 2023/09/28 11:41:19 openxpki.system.ERROR I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ => OpenXPKI::Crypto::Backend::OpenSSL::Command::pkcs7_sign, __ERRVAL__ => I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __COMMAND__ => cms -sign -binary -nosmimecap -outform PEM -nodetach -engine pkcs11 -keyform engine -in /var/tmp/openxpki783zdpPQU49 -inkey 0:0005 -signer /var/tmp/openxpki783Nf839thW -out /var/tmp/openxpki783DXlzdsaV -passin env:pwd, __EXIT_STATUS__ => 512 [pid=783|sid=wnxs]
>
> --
>
> *Regards*
>
> *Montajab Saleh*
> _______________________________________________
> OpenXPKI-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/openxpki-users
>

--
*Regards*
*Montajab Saleh*
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
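A diagnostic that separates "the PKCS#11 module cannot be loaded or initialised in this process's environment" from "the key cannot be found", which is the distinction the OpenXPKI log above leaves open (`Unable to load module ...` is printed before any key lookup). This is an added example written for this thread, not code from the list post, from OpenXPKI or from Yubico. It dlopens the module with ctypes, calls `C_Initialize` with nothing but the calling process's environment (what libp11's engine does when the engine section carries no `INIT_ARGS`, as in the `ca-signer` block of the post) and lists the token labels. The module path and the `YUBIHSM_PKCS11_CONF` variable come from the post. Assumptions: the module exports the `C_*` entry points directly (the specification only mandates `C_GetFunctionList`, but `yubihsm_pkcs11.so` and `opensc-pkcs11.so` both export them), and `yubihsm_pkcs11` finds its connector URL through `YUBIHSM_PKCS11_CONF`, a `yubihsm_pkcs11.conf` in the working directory, or the `pReserved` init-args string, so a daemon without the shell's exported variables may have none of the three.

```python
"""Probe a PKCS#11 module the way an OpenSSL engine would see it.

Added example for the OpenXPKI/YubiHSM2 thread; paths and variable names are
taken from the post, everything else is an assumption stated in the comments.
"""
import ctypes
import os
from ctypes import POINTER, Structure, byref, c_char, c_ubyte, c_ulong, c_void_p

# PKCS#11 types and return codes (values from the PKCS#11 v2.40 header).
CK_ULONG = c_ulong
CK_TRUE = 1
CKR_OK = 0x00
CKR_CRYPTOKI_ALREADY_INITIALIZED = 0x191


class CK_VERSION(Structure):
    _fields_ = [("major", c_ubyte), ("minor", c_ubyte)]


class CK_TOKEN_INFO(Structure):
    # Full layout of CK_TOKEN_INFO so the module never writes past our buffer.
    _fields_ = [
        ("label", c_char * 32), ("manufacturerID", c_char * 32),
        ("model", c_char * 16), ("serialNumber", c_char * 16),
        ("flags", CK_ULONG),
        ("ulMaxSessionCount", CK_ULONG), ("ulSessionCount", CK_ULONG),
        ("ulMaxRwSessionCount", CK_ULONG), ("ulRwSessionCount", CK_ULONG),
        ("ulMaxPinLen", CK_ULONG), ("ulMinPinLen", CK_ULONG),
        ("ulTotalPublicMemory", CK_ULONG), ("ulFreePublicMemory", CK_ULONG),
        ("ulTotalPrivateMemory", CK_ULONG), ("ulFreePrivateMemory", CK_ULONG),
        ("hardwareVersion", CK_VERSION), ("firmwareVersion", CK_VERSION),
        ("utcTime", c_char * 16),
    ]


def check_environment(env, conf_var="YUBIHSM_PKCS11_CONF"):
    """Warnings about the environment the module will read its config from.

    Assumption: yubihsm_pkcs11 takes its connector URL from the file named by
    YUBIHSM_PKCS11_CONF (or yubihsm_pkcs11.conf in the working directory) when
    no init-args string is supplied. A service started by systemd does not
    inherit variables exported in an interactive shell.
    """
    findings = []
    conf = env.get(conf_var)
    if conf is None:
        findings.append(f"{conf_var} is not set in this environment")
    elif not os.path.isfile(conf):
        findings.append(f"{conf_var} points to missing file {conf}")
    return findings


def probe_module(path, env=None):
    """dlopen the module, C_Initialize it, and list present tokens.

    Returns a dict: ok, module, tokens (slot/label), errors, warnings.
    """
    result = {"module": path, "ok": False, "tokens": [], "errors": [], "warnings": []}
    result["warnings"].extend(check_environment(os.environ if env is None else env))
    try:
        lib = ctypes.CDLL(path)  # same step libp11 performs when the engine loads MODULE_PATH
    except OSError as exc:
        result["errors"].append(f"cannot load module: {exc}")
        return result
    try:
        # Assumption: the C_* entry points are exported directly (true for
        # yubihsm_pkcs11 and opensc-pkcs11; only C_GetFunctionList is mandatory).
        lib.C_Initialize.restype = CK_ULONG
        lib.C_Initialize.argtypes = [c_void_p]
        lib.C_Finalize.restype = CK_ULONG
        lib.C_Finalize.argtypes = [c_void_p]
        lib.C_GetSlotList.restype = CK_ULONG
        lib.C_GetSlotList.argtypes = [c_ubyte, POINTER(CK_ULONG), POINTER(CK_ULONG)]
        lib.C_GetTokenInfo.restype = CK_ULONG
        lib.C_GetTokenInfo.argtypes = [CK_ULONG, POINTER(CK_TOKEN_INFO)]
    except AttributeError as exc:
        result["errors"].append(f"module does not export a C_* entry point directly: {exc}")
        return result

    rv = lib.C_Initialize(None)  # NULL init args: the module must find its own config
    if rv not in (CKR_OK, CKR_CRYPTOKI_ALREADY_INITIALIZED):
        result["errors"].append(f"C_Initialize failed: CKR 0x{rv:x}")
        return result
    try:
        count = CK_ULONG(0)
        rv = lib.C_GetSlotList(CK_TRUE, None, byref(count))  # first call: size only
        if rv != CKR_OK:
            result["errors"].append(f"C_GetSlotList failed: CKR 0x{rv:x}")
            return result
        slots = (CK_ULONG * count.value)()
        rv = lib.C_GetSlotList(CK_TRUE, slots, byref(count))
        if rv != CKR_OK:
            result["errors"].append(f"C_GetSlotList failed: CKR 0x{rv:x}")
            return result
        for slot in slots[: count.value]:
            info = CK_TOKEN_INFO()
            rv = lib.C_GetTokenInfo(slot, byref(info))
            if rv != CKR_OK:
                result["errors"].append(f"C_GetTokenInfo(slot {slot}) failed: CKR 0x{rv:x}")
                continue
            # Labels are space padded, not NUL terminated.
            result["tokens"].append({"slot": slot, "label": info.label.decode("ascii", "replace").rstrip()})
        result["ok"] = not result["errors"]
    finally:
        lib.C_Finalize(None)
    return result


if __name__ == "__main__":
    import json
    import sys
    module = sys.argv[1] if len(sys.argv) > 1 else "/usr/lib/x86_64-linux-gnu/pkcs11/yubihsm_pkcs11.so"
    print(json.dumps(probe_module(module), indent=2))
```

Run it as the OpenXPKI service user with the daemon's environment rather than from the login shell where `pkcs11-tool` and `openssl req` succeeded (for instance under `sudo -u <service-user> env -i python3 probe.py`, with the user name being whatever the installation uses); if `C_Initialize` fails there while the same module initialises in the interactive shell, the difference in environment and working directory is the first thing to rule out before looking at the key identifier.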
