On 9/6/2011 4:53 PM, Felipe Blauth wrote:
I've tested your mods and they work well =). I can sign and verify with most
EC keys (I've tested with p-192, p-224, p-384 and p-521). However I cannot
load public keys when using p-521 curves. It
seems that I can load the private key and sign, but the public key is not
loaded.
I confess that I didn't look much at engine_pkcs11 source code, but if you
could give me some appointments I can try to fix that.
It is not clear where the error could be; it could be in the actual
encoding of the public key, or the ASN1 decoding, or in some size limit.
All the other keys are a multiple of 8 bits. The 521 is not,
and thus the asn1 octet would need an extra byte. Look at the
libp11 src/p11_ec.c and pkcs11_get_ec_private() and the ec_pointlen
variable.
Do you have a dump of the public key?
If you are using OpenSC's PKCS#11, you could turn on the OpenSC debug,
by adding to the opensc.conf something like:
debug = 7;
debug_file = /tmp/opensc-debug.log;
You could use the OpenSC pkcs11-spy.so to trace the PKCS#11 calls,
that should show the public key being transferred. This can
work with any PKCS#11 module including the opensc-pkcs11.so.
Set the environment variables:
export PKCS11SPY=/path/to/your/pkcs11.module.so
export PKCS11SPY_OUTPUT=/tmp/tb.spy.txt
OpenSSL error is the following, after loading the key:
error:10067066:elliptic curve routines:ec_GFp_simple_oct2point:invalid encoding
Regards,
2011/8/13 Felipe Blauth f...@inf.ufsc.br
Thank you, I'll check it out.
2011/8/12 Douglas E. Engert deeng...@anl.gov
No it has not been incorporated because it requires an OpenSSL
internal header file ecs_locl.h, thus making it impractical to
compile into any package.
This is a known bug:
http://rt.openssl.org/Ticket/Display.html?id=2459&user=guest&pass=guest
It also appeared on the OpenSSL mailing list.
The patch should still work. Please try it, and you can
also add comments to the OpenSSL bug report.
On 8/12/2011 2:12 PM, Felipe Blauth wrote:
Hello.
I've started using engine_pkcs11 to access PKCS #11 tokens from
OpenSSL EVP_PKEY's through ENGINE_load_key_type_key methods. It works very
well with RSA keys, but it doesn't recognize
ECDSA keys.
Searching through the web, I've found that Douglas had a patch for
it at
http://www.mail-archive.com/opensc-devel@lists.opensc-project.org/msg07785.html.
Was that ever incorporated? I couldn't find it in the latest
snapshots.
Thank you very much.
--
Felipe Menegola Blauth
___
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
--
Douglas E. Engert deeng...@anl.gov
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
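A worked illustration of the size arithmetic Douglas points at, added here as example code (it is not code from the thread, from libp11 or from OpenSSL): a P-521 coordinate needs ceil(521/8) = 66 bytes, so the uncompressed point 0x04 || X || Y is 133 bytes and the DER OCTET STRING carrying CKA_EC_POINT is 136 bytes, whereas computing the coordinate length as 521/8 = 65 gives a 131-byte point that the oct2point length check rejects with the same "invalid encoding" error quoted above. The coordinate values are constructed placeholders, not points on the curve; whether this is the actual cause in engine_pkcs11 is the hypothesis under discussion, not a confirmed diagnosis.

```python
# Added example: CKA_EC_POINT length arithmetic for P-256 vs P-521.
# Coordinates used below are constructed placeholders, not real curve points.

def coord_len(field_bits: int, round_up: bool = True) -> int:
    """Bytes per affine coordinate. OpenSSL rounds the field size up to whole bytes."""
    return (field_bits + 7) // 8 if round_up else field_bits // 8

def der_octet_string(payload: bytes) -> bytes:
    """Wrap payload in a DER OCTET STRING (tag 0x04), the form CKA_EC_POINT is stored in."""
    n = len(payload)
    if n < 0x80:
        return b"\x04" + bytes([n]) + payload
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x04" + bytes([0x80 | len(length_bytes)]) + length_bytes + payload

def encode_ec_point(x: int, y: int, field_bits: int, round_up: bool = True) -> bytes:
    """Build CKA_EC_POINT: OCTET STRING of 0x04 || X || Y (uncompressed point)."""
    clen = coord_len(field_bits, round_up)
    point = b"\x04" + x.to_bytes(clen, "big") + y.to_bytes(clen, "big")
    return der_octet_string(point)

def decode_ec_point(der: bytes, field_bits: int) -> tuple:
    """Unwrap the OCTET STRING and apply the oct2point length check."""
    if len(der) < 2 or der[0] != 0x04:
        raise ValueError("not a DER OCTET STRING")
    if der[1] < 0x80:
        hdr, n = 2, der[1]
    else:
        k = der[1] & 0x7F
        hdr, n = 2 + k, int.from_bytes(der[2:2 + k], "big")
    point = der[hdr:hdr + n]
    if len(point) != n:
        raise ValueError("truncated OCTET STRING")
    clen = coord_len(field_bits)
    # ec_GFp_simple_oct2point: an uncompressed point must be exactly 1 + 2*clen bytes,
    # otherwise EC_R_INVALID_ENCODING. 65-byte P-521 coordinates fail right here.
    if point[0] != 0x04 or len(point) != 1 + 2 * clen:
        raise ValueError("invalid encoding")
    return (int.from_bytes(point[1:1 + clen], "big"),
            int.from_bytes(point[1 + clen:], "big"))

if __name__ == "__main__":
    for bits in (256, 521):
        for round_up in (True, False):
            der = encode_ec_point(0x1234, 0x5678, bits, round_up)
            try:
                print(bits, round_up, len(der), decode_ec_point(der, bits))
            except ValueError as exc:
                print(bits, round_up, len(der), exc)
```

For P-256 both length computations agree (32 bytes), which matches Felipe's observation that only the P-521 public key fails to load.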