Re: [openssl-dev] openssl pkeyutl unable to use keys on a PKCS11 token?

2016-01-12 Thread Blumenthal, Uri - 0553 - MITLL
On 12/10/15, 16:56 , "openssl-dev on behalf of Dr. Stephen Henson" wrote: >On Thu, Dec 10, 2015, Blumenthal, Uri - 0553 - MITLL wrote: >... > >> >Temporary fix is to set the second argument in EVP_PKEY_CTX_new to NULL >> >in

Re: [openssl-dev] openssl pkeyutl unable to use keys on a PKCS11 token?

2015-12-21 Thread Blumenthal, Uri - 0553 - MITLL
>>> $ openssl dgst -engine pkcs11 -keyform engine -verify >> > "pkcs11:object=SIGN%20pubkey;object-type=public" -sha256 -sigopt >> >> The current implementation of engine_pkcs11 seems to work with private >> keys and certificates only. I've added a fix in engine_pkcs11, but it >> seems that

Re: [openssl-dev] openssl pkeyutl unable to use keys on a PKCS11 token?

2015-12-19 Thread David Woodhouse
On Fri, 2015-12-18 at 16:46 +0100, Nikos Mavrogiannopoulos wrote: > On Thu, 2015-12-17 at 22:06 +, Blumenthal, Uri - 0553 - MITLL > wrote: > > I’m playing with RSA-PSS and PKCS11 engine (in OpenSSL, of course :). > [...] > > But this doesn’t: > > > > $ openssl dgst -engine pkcs11 -keyform

Re: [openssl-dev] openssl pkeyutl unable to use keys on a PKCS11 token?

2015-12-18 Thread Nikos Mavrogiannopoulos
On Thu, 2015-12-17 at 22:06 +, Blumenthal, Uri - 0553 - MITLL wrote: > I’m playing with RSA-PSS and PKCS11 engine (in OpenSSL, of course :). [...] > But this doesn’t: > > $ openssl dgst -engine pkcs11 -keyform engine -verify > "pkcs11:object=SIGN%20pubkey;object-type=public" -sha256 -sigopt

Re: [openssl-dev] openssl pkeyutl unable to use keys on a PKCS11 token?

2015-12-18 Thread Blumenthal, Uri - 0553 - MITLL
> "The key ID is not a valid PKCS#11 URI as defined by" > comes from the OpenSC engine code in ./engine_pkcs11.c Got it, thanks! > looks like type or object-type= will be ignored, but must be cert or private, > but if it's not, rv may not be set correctly:…… > > Try removing the

Re: [openssl-dev] openssl pkeyutl unable to use keys on a PKCS11 token?

2015-12-18 Thread Blumenthal, Uri - 0553 - MITLL
On 12/18/15, 10:46 , "openssl-dev on behalf of Nikos Mavrogiannopoulos" wrote: >On Thu, 2015-12-17 at 22:06 +, Blumenthal, Uri - 0553 - MITLL >wrote: >> I’m playing with RSA-PSS and PKCS11 engine (in OpenSSL, of course :). >[...]

Re: [openssl-dev] openssl pkeyutl unable to use keys on a PKCS11 token?

2015-12-17 Thread Blumenthal, Uri - 0553 - MITLL
I’m playing with RSA-PSS and PKCS11 engine (in OpenSSL, of course :). This works: $ openssl dgst -engine pkcs11 -keyform engine -sign "pkcs11:object=SIGN%20key;object-type=private;pin-value=123456" -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 -out sig1.out ~/src/wtls-verifier

Re: [openssl-dev] openssl pkeyutl unable to use keys on a PKCS11 token?

2015-12-17 Thread Douglas E Engert
"The key ID is not a valid PKCS#11 URI as defined by" comes from the OpenSC engine code in ./engine_pkcs11.c looks like type or object-type= will be ignored, but must be cert or private, but if it's not, rv may not be set correctly: 486 } else

Re: [openssl-dev] openssl pkeyutl unable to use keys on a PKCS11 token?

2015-12-11 Thread Paweł Witas
Hello again. I implemented this "temporary fix" in OpenSSL dynamically linked library and engine_pkcs11.dll (with statically linked OpenSSL) and libp11-2.dll (with statically linked OpenSSL), all compiled by mingw. Unfortunately OpenSSL started crashing during my test key operations: openssl req

Re: [openssl-dev] openssl pkeyutl unable to use keys on a PKCS11 token?

2015-12-11 Thread Paweł Witas
Hmm, please ignore my previous post, I did this test again and it works, it was an interference with OpenSSL compiled by VS2012, that installed itself in my test directory. On Fri, Dec 11, 2015 at 12:57 PM, Paweł Witas wrote: > Hello again. > I implemented this "temporary

Re: [openssl-dev] openssl pkeyutl unable to use keys on a PKCS11 token?

2015-12-11 Thread Alexander Gostrer
Hi Doug, John and I implemented an ECDSA/ECDH/ECDHE engine. We are in the process of final testing and cleaning up. Changes to OpenSSL were pretty minor. Would you like to review this code? We are planning to publish it on github in a week or so. Regards. Alex Sent from my iPhone > On Dec

Re: [openssl-dev] openssl pkeyutl unable to use keys on a PKCS11 token?

2015-12-11 Thread Douglas E Engert
Sure. On 12/11/2015 11:03 AM, Alexander Gostrer wrote: Hi Doug, John and I implemented an ECDSA/ECDH/ECDHE engine. We are in the process of final testing and cleaning up. Changes to OpenSSL were pretty minor.

Re: [openssl-dev] openssl pkeyutl unable to use keys on a PKCS11 token?

2015-12-10 Thread Blumenthal, Uri - 0553 - MITLL
On 12/10/15, 12:32 , "openssl-dev on behalf of Dr. Stephen Henson" wrote: >The reason for that is because the -engine option sets the ENGINE to use >for >everything and the PKCS#11 ENGINE doesn't support that public key method. I’m

Re: [openssl-dev] openssl pkeyutl unable to use keys on a PKCS11 token?

2015-12-10 Thread Blumenthal, Uri - 0553 - MITLL
> From previous private conversations, can you comment on if this is a PIV or > NEO with a PIV applet? I certainly can – this is NEO with a PIV applet. But side-stepping – note that openssl dgst appeared to work fine. See my other posting to this list, and duplicated here: $ pkcs15-tool

Re: [openssl-dev] openssl pkeyutl unable to use keys on a PKCS11 token?

2015-12-10 Thread Dr. Stephen Henson
On Thu, Dec 10, 2015, Blumenthal, Uri - 0553 - MITLL wrote: > Much better now - but at this time I hit “unsupported algorithm”. The key > in question is RSA-2048, with SHA256. > > $ LOAD_CERT_CTRL=true VERBOSE=7 openssl pkeyutl -engine pkcs11 -sign > -keyform engine -inkey >

Re: [openssl-dev] openssl pkeyutl unable to use keys on a PKCS11 token?

2015-12-10 Thread Richard Levitte
This is an oddity with 'openssl pkeyutl'. Try this option order: LOAD_CERT_CTRL=true VERBOSE=7 openssl pkeyutl -engine pkcs11 -sign -keyform engine -inkey "pkcs11:object=SIGN%20key;object-type=private;pin-value=123456" -out config.status.sig -in config.status.hash The reason for this is that

Re: [openssl-dev] openssl pkeyutl unable to use keys on a PKCS11 token?

2015-12-10 Thread Dr. Stephen Henson
On Thu, Dec 10, 2015, Blumenthal, Uri - 0553 - MITLL wrote: > On 12/10/15, 16:56 , "openssl-dev on behalf of Dr. Stephen Henson" > wrote: > > > > >As I indicated the fix I suggested is temporary. Sometimes a user will > >want >

Re: [openssl-dev] openssl pkeyutl unable to use keys on a PKCS11 token?

2015-12-10 Thread Douglas E Engert
The OpenSC engine code does not support ECDH. It is on the TODO list. It took forever to get the ECDSA changes needed into OpenSSL to work with engines, that I never got to doing the ECDH in engine and libp11. On 12/10/2015 10:59 AM, Blumenthal, Uri -

Re: [openssl-dev] openssl pkeyutl unable to use keys on a PKCS11 token?

2015-12-10 Thread Douglas E Engert
OK, it's not the chicken and egg issue then. An opensc-debug.log might show something as to what the openssl pkeyutl is trying to do with the engine. On 12/10/2015 11:16 AM, Blumenthal, Uri - 0553 - MITLL wrote: From

Re: [openssl-dev] openssl pkeyutl unable to use keys on a PKCS11 token?

2015-12-10 Thread Douglas E Engert
From previous private conversations, can you comment on if this is a PIV or NEO with a PIV applet? Did you generate a key on the card using the piv-tool or NEO tool? https://github.com/OpenSC/OpenSC/wiki/PivTool

Re: [openssl-dev] openssl pkeyutl unable to use keys on a PKCS11 token?

2015-12-10 Thread Blumenthal, Uri - 0553 - MITLL
I want to add that apparently some openssl commands work OK with this token and pkcs11 engine: $ openssl version OpenSSL 1.0.2e 3 Dec 2015 $ openssl dgst -engine pkcs11 -keyform engine -sign "pkcs11:object=SIGN%20key;object-type=private;pin-value=123456" -sha256 -out t.sig < config.h engine

Re: [openssl-dev] openssl pkeyutl unable to use keys on a PKCS11 token?

2015-12-10 Thread Blumenthal, Uri - 0553 - MITLL
On 12/10/15, 3:39 , "openssl-dev on behalf of Richard Levitte" wrote: >This is an oddity with 'openssl pkeyutl'. Try this option order: I see! >LOAD_CERT_CTRL=true VERBOSE=7 openssl pkeyutl -engine pkcs11 -sign >-keyform engine

[openssl-dev] openssl pkeyutl unable to use keys on a PKCS11 token?

2015-12-09 Thread Blumenthal, Uri - 0553 - MITLL
I’m having a problem, and am not sure whether it’s due to my ignorance/misuse of the tool (i.e. it should be done differently), or a bug in the tool, or it’s just not capable of doing what I want it to. What I’m trying to accomplish: use engine_pkcs11

Re: [openssl-dev] openssl pkeyutl unable to use keys on a PKCS11 token?

2015-12-09 Thread Paweł Witas
Correction: I forgot to paste my token ID. openssl x509 -engine pkcs11 -signkey slot_0-id_d7f4b99792cc4dd708e408d3eb91b566e0a06c02 -keyform engine -in req.pem -out test.pem On Thu, Dec 10, 2015 at 8:54 AM, Paweł Witas wrote: > C:\Libs\openssl\bin>pkcs11-tool.exe --module

Re: [openssl-dev] openssl pkeyutl unable to use keys on a PKCS11 token?

2015-12-09 Thread Paweł Witas
C:\Libs\openssl\bin>pkcs11-tool.exe --module enigmap11.dll --login --login-type user --type privkey -O Using slot 0 with a present token (0x0) Logging in to "ENCARD Token kwalifikowany". Please enter User PIN: Private Key Object; RSA label: ID: d7f4b99792cc4dd708e408d3eb91b566e0a06c02