Re: [openssl-users] Softhsm + engine_pkcs11 + openssl with EC keys fail.

2018-09-22 Thread Paras Shah (parashah) via openssl-users
To update this thread: please follow the commentary on 
https://github.com/OpenSC/libp11/issues/249

From: "Blumenthal, Uri - 0553 - MITLL"
Date: Friday, September 21, 2018 at 5:07 AM
To: "Paras Shah (parashah)", "openssl-users@openssl.org"
Cc: Nicola
Subject: Re: [openssl-users] Softhsm + engine_pkcs11 + openssl with EC keys fail.

Note that the key to reproducing this issue is compiling SoftHSMv2 with 1.1.1.  
When compiled with 1.0.2p, everything else can be compiled against 1.1.1 and it 
works ok.
Regards,
Uri

Sent from my iPhone

On Sep 21, 2018, at 02:09, Paras Shah (parashah) via openssl-users 
<openssl-users@openssl.org> wrote:
I opened the issue https://github.com/openssl/openssl/issues/7258
Also, opened issue https://github.com/OpenSC/libp11/issues/249
and https://github.com/opendnssec/SoftHSMv2/issues/417

Found the root cause to be the openssl version 1.1.1 that was used to compile 
the engine_pkcs11 and SoftHSM.
When I recompiled with openssl-1.0.2p, it worked fine. See 
https://github.com/OpenSC/libp11/issues/249 for details.

From: "Paras Shah (parashah)" <paras...@cisco.com>
Date: Tuesday, September 18, 2018 at 10:06 AM
To: Nicola <nic@gmail.com>, "openssl-users@openssl.org" <openssl-users@openssl.org>
Subject: Re: [openssl-users] Softhsm + engine_pkcs11 + openssl with EC keys fail.

Sure. I will open the issue.

From: Nicola <nic@gmail.com>
Date: Monday, September 17, 2018 at 10:05 PM
To: "Paras Shah (parashah)" <paras...@cisco.com>, "openssl-users@openssl.org" <openssl-users@openssl.org>
Subject: Re: [openssl-users] Softhsm + engine_pkcs11 + openssl with EC keys fail.

Would it be possible for you to open this as an issue on Github and include 
there your first email and the full logs?

Thanks,

Nicola Tuveri

On Tue, 18 Sep 2018 at 01:15, Paras Shah (parashah) via openssl-users 
<openssl-users@openssl.org> wrote:

That is not it. It results in the same error for the EC key.

It is not the URL or the ID. Because for an RSA key in the softhsm with id = 
, it works fine with url containing id=%33%33

$ openssl pkey -in "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=6a160d52b750862f;token=token%202.5.0-rc1;id=%33%33;object=rsa%20key;type=private" -engine pkcs11 -inform ENGINE
engine "pkcs11" set.
Enter PKCS#11 token PIN for token 2.5.0-rc1:
-----BEGIN PRIVATE KEY-----
MIIBJwIBADANBgkqhkiG9w0BAQEFAASCAREwggENAgEAAoIBAQDD3378F1XbXJvP
WP2GtZry0u6sL3eNYktQwJfhDMz5evDG+PahVjCMszV5CZvG+Kvap40xPBJoonqi
oMAQsoLu7/fTx82aEL3TbdjXNLFnQ2KKYmfG9ymx80sLHMmdmDXpNNE+bEKJz1dp
t1Q0cVduwmqSfB8JyIE6Udz7JX7HCXaVmxoK7z4Njh3dyHsqhdqKIx0dBuK0hCaq
4zPzGP/sORA3G9ZPxxpEvF3gvE/zsXj7ifihqbqr2eIFOpB/lQqAehsgQT5/6Iq+
9pAX2LCxNkaUHYYZpMkM8Oi37jzg8PX/FnHdm9HQU2IBqYhoqo7/VsNdUDln2QHN
dGAUprcbAgMBAAE=
-----END PRIVATE KEY-----

Coming back to the EC key, looking at the error logs emitted, it does seem to 
recognize it to be EC (the logs contain EC_routines) somehow but then fails.


On 9/17/18, 2:22 PM, "openssl-users on behalf of Richard Levitte" 
<openssl-users-boun...@openssl.org on behalf of levi...@openssl.org> wrote:

In message <4ac69fc3-bec7-46f6-882a-671196fc0...@contoso.com> on Mon, 17 Sep 2018 20:59:59 +, "Paras Shah (parashah)" <paras...@cisco.com> said:



> 4. Import the key into softhsm
>
> []:~$ softhsm2-util --import ~/tmp/secp256k1-key.pem.pkcs8 --label "ec key" --id  --token "token 2.5.0-rc1"

Ok, so here, the ID is ""

> 5. Get the pkcs11 url for the private key
>
> []:~$ p11tool --login --provider=/usr/local/lib/softhsm/libsofthsm2.so --set-pin= --list-all
>
> Object 0:
>
> URL: pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=6a160d52b750862f;token=token%202.5.0-rc1;id=%11%11;object=ec%20key;type=private

But here, the ID is "%11%11", and since those get percent decoded,
that's actually two vertical tabs, or with C vector syntax,
{ 0x0b, 0x0b }

I'm not sure what engine-pkcs11 asks of you otherwise, but one guess
could be to change 'id=%11%11' to 'id=' in that URL and try again.

Cheers,
Richard

--
Richard Levitte levi...@openssl.org
OpenSSL Project http://www.openssl.org/~levitte/

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


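The whole thread above hinges on what the id= attribute of a PKCS#11 URI becomes once it is percent-decoded, since that decoded byte string is what the engine compares against the token's CKA_ID. The following is an added example (Python; it is not code from the thread, from libp11 or from OpenSSL): a small RFC 7512 attribute parser that shows the exact CKA_ID bytes denoted by id=%11%11 and id=%33%33, plus the inverse helper that percent-encodes raw CKA_ID bytes so that a URL you write matches the id the token actually stores. The two URIs are reconstructed from the ones quoted in the thread; the function names are my own.

```python
"""RFC 7512 PKCS#11 URI attribute parsing (added example, not the thread's code)."""
from urllib.parse import unquote_to_bytes


def parse_pkcs11_uri(uri: str) -> dict:
    """Split the path component of a 'pkcs11:' URI into its attributes.

    Attributes are 'name=value' pairs separated by ';'. Each value is
    percent-decoded to bytes, because CKA_ID is an arbitrary byte string and
    not necessarily printable text. An optional '?query' part (for example a
    pin-value) is split off and ignored here.
    """
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path = uri[len("pkcs11:"):].split("?", 1)[0]
    attrs = {}
    for item in path.split(";"):
        if not item:
            continue
        name, sep, value = item.partition("=")
        if not sep:
            raise ValueError(f"malformed attribute: {item!r}")
        attrs[name] = unquote_to_bytes(value)
    return attrs


def encode_id(cka_id: bytes) -> str:
    """Percent-encode every byte of a CKA_ID for use in an 'id=' attribute.

    RFC 7512 allows unreserved characters to appear literally, but encoding
    every byte (as p11tool does) keeps the ASCII text '33' and the two bytes
    0x33 0x33 from being confused with one another.
    """
    return "".join(f"%{b:02x}" for b in cka_id)


# Constructed inputs reconstructed from the two URLs quoted in the thread.
EC_URI = ("pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;"
          "serial=6a160d52b750862f;token=token%202.5.0-rc1;"
          "id=%11%11;object=ec%20key;type=private")
RSA_URI = ("pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;"
           "serial=6a160d52b750862f;token=token%202.5.0-rc1;"
           "id=%33%33;object=rsa%20key;type=private")

if __name__ == "__main__":
    for label, uri in (("EC", EC_URI), ("RSA", RSA_URI)):
        attrs = parse_pkcs11_uri(uri)
        print(label, "object:", attrs["object"].decode(),
              "token:", attrs["token"].decode(),
              "CKA_ID bytes:", attrs["id"].hex())
    # Round trip: the bytes a token reports must encode back to the same id=.
    print("re-encoded EC id:", encode_id(parse_pkcs11_uri(EC_URI)["id"]))
```

Percent escapes are hexadecimal (RFC 3986), so %11 decodes to the byte 0x11 (decimal 17) and a vertical tab, 0x0b, would be written %0b. The practical check this enables is to compare `attrs["id"].hex()` with the hex id you passed to softhsm2-util --id: if the two differ, the URL and the stored CKA_ID name different objects and no amount of engine debugging will make the lookup succeed.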


Re: [openssl-users] Manpages still say "pre-release"

2018-09-22 Thread Dr. Matthias St. Pierre
Thanks for the reminder, see https://github.com/openssl/web/pull/83.

Matthias



[openssl-users] [openssl]: Subject alternative names not recognized when signing certificates

2018-09-22 Thread Carsten

Hi list,

this is about setting up a certificate authority to sign incoming 
(foreign) certificate requests.

I have installed

/var/caintermed # openssl version -a
OpenSSL 1.1.2-dev  xx XXX 
built on: Fri Sep 21 10:19:51 2018 UTC
platform: linux-armv4
options:  bn(64,32) rc4(char) des(long) idea(int) blowfish(ptr)
compiler: gcc -fPIC -pthread  -march=armv7-a -Wa,--noexecstack -Wall -O3 
-DOPENSSL_USE_NODELETE -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ 
-DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM 
-DSHA512_ASM -DKECCAK1600_ASM -DAES_ASM -DBSAES_ASM -DGHASH_ASM 
-DECP_NISTZ256_ASM -DPOLY1305_ASM -DNDEBUG

OPENSSLDIR: "/usr/local/ssl"
ENGINESDIR: "/usr/local/lib/engines-1.1"
Seeding source: os-specific


My setup is based on this:
https://jamielinux.com/docs/openssl-certificate-authority/create-the-root-pair.html

I can sign certificate requests successfully, BUT if the request contains 
SAN attributes (subject alternative names) they are ignored - not visible 
in the signed certificate.


I found many examples of how to create a SAN certificate using the 
self-signed mechanism, but that is not what I want.


Is there any how-to in the wild on how to set up a fully working CA 
including SAN (v3) attributes?


br
Carsten