From: Andreas S. <and...@ca...> - 2013-06-11 14:24:50

Dear Ronny,

issuing ECDSA keys and certificates via openssl currently does not work with OpenSC, as the EC_PARAMS attribute is only defined if a certificate for the key exists on the device. For newly generated keys, this is obviously not the case. We are working on a fix, but that requires quite some rework in the OpenSC code (see [1]).

The issue with RSA 2048 keys has been fixed in [2].

Are you using the official 0.13 release from November?

Kind regards,
Andreas

[1] https://devnet.cardcontact.de/issues/3
[2] https://github.com/CardContact/OpenSC/commit/99af6cd8ee78776f50bc016fc230541072c60afb

On 06/11/2013 03:02 PM, Ronny Schütz wrote:
> Hi,
>
> I'm trying to create an ECC keypair with self-signed certificate on a SCM SCR 355 (CardContact.de) using OpenSC 0.13.0 and OpenSSL 1.0.1 / enginePKCS11-0.1.8 under Ubuntu 12.04.
>
> $ pkcs11-tool --module /usr/lib/opensc-pkcs11.so --list-slots
> Available slots:
> Slot 0 (0xffffffffffffffff): Virtual hotplug slot
>   (empty)
> Slot 1 (0x1): SCM SCR 355 [CCID Interface] 00 00
>   token label        : SmartCard-HSM (UserPIN)
>   token manufacturer : www.CardContact.de
>   token model        : PKCS#15 emulated
>   token flags        : rng, login required, PIN initialized, token initialized
>   hardware version   : 24.13
>   firmware version   : 1.1
>   serial num         : DECC0100157
>
> When creating the EC keypair, I get an error concerning the public key:
>
> $ pkcs11-tool --module /usr/lib/opensc-pkcs11.so --login --pin 725570 --keypairgen --key-type EC:secp256r1 --id 60 --label ca
> Using slot 1 with a present token (0x1)
> Key pair generated:
> Private Key Object; EC
>   label:      ca
>   ID:         60
>   Usage:      decrypt, sign, unwrap
> Public Key Object; EC  EC_POINT 264 bits
>   EC_POINT:   0443044104df184902123186393e28e0673cf755352c8653eaf42224a54aa3ba0da987c2eb33f8380fc39b7417a1a5138d7ea696ea95f816935d63d7c7372772d11cfca37c
> warning: PKCS11 function C_GetAttributeValue(EC_PARAMS) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)
>
>   label:      ca
>   ID:         60
>   Usage:      encrypt, verify, wrap
>
> And the public key isn't listed either:
>
> $ pkcs11-tool --module /usr/lib/opensc-pkcs11.so --slot 1 --login --pin 725570 --list-objects
> Private Key Object; EC
>   label:      ca
>   ID:         60
>   Usage:      decrypt, sign, unwrap
>
> Now OpenSSL / req cannot find the private key for whatever reason.
>
> $ openssl
> OpenSSL> version
> OpenSSL 1.0.1 14 Mar 2012
> OpenSSL> engine -t dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib/pkcs11/opensc-pkcs11.so -pre VERBOSE
> (dynamic) Dynamic engine loading support
> [Success]: SO_PATH:/usr/lib/engines/engine_pkcs11.so
> [Success]: ID:pkcs11
> [Success]: LIST_ADD:1
> [Success]: LOAD
> [Success]: MODULE_PATH:/usr/lib/pkcs11/opensc-pkcs11.so
> [Success]: VERBOSE
> Loaded: (pkcs11) pkcs11 engine
> initializing engine
>      [ available ]
> OpenSSL> req -engine pkcs11 -new -key slot_1-id_60 -keyform engine -out req.pem -text -x509 -days 36500 -subj "/CN=TestCA"
> initializing engine
> engine "pkcs11" set.
> Looking in slot 1 for key: 60
> Found 2 slots
> [18446744073709551615] Virtual hotplug slot          no tok
> [1] SCM SCR 355 [CCID Interfa   login   (SmartCard-HSM (UserPIN))
> Found slot:  SCM SCR 355 [CCID Interface] 00 00
> Found token: SmartCard-HSM (UserPIN)
> Found 0 certificate:
> PKCS#11 token PIN:
> No keys found.
> PKCS11_get_private_key returned NULL
> cannot load Private Key from engine
> 139838314968736:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:eng_pkey.c:126:
> unable to load Private Key
> error in req
> OpenSSL>
>
> The key pair creation + CSR request creation appears to work with RSA-1024, i.e. I don't get errors and I see private and public key on the token. However, when using RSA-2048, there is no error during key generation, but --list-objects doesn't show the public key either and openssl req fails to retrieve the private key as well.
>
> $ pkcs11-tool --module /usr/lib/opensc-pkcs11.so --login --pin 725570 --keypairgen --key-type RSA:2048 --id 70 --label ca-rsa
> Using slot 1 with a present token (0x1)
> Key pair generated:
> Private Key Object; RSA
>   label:      ca-rsa
>   ID:         70
>   Usage:      decrypt, sign, unwrap
> Public Key Object; RSA 2048 bits
>   label:      ca-rsa
>   ID:         70
>   Usage:      encrypt, verify, wrap
> $ pkcs11-tool --module /usr/lib/opensc-pkcs11.so --slot 1 --login --pin 725570 --list-objects
> Private Key Object; RSA
>   label:      ca-rsa
>   ID:         70
>   Usage:      decrypt, sign, unwrap
> $ openssl
> OpenSSL> engine -t dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib/pkcs11/opensc-pkcs11.so -pre VERBOSE
> (dynamic) Dynamic engine loading support
> [Success]: SO_PATH:/usr/lib/engines/engine_pkcs11.so
> [Success]: ID:pkcs11
> [Success]: LIST_ADD:1
> [Success]: LOAD
> [Success]: MODULE_PATH:/usr/lib/pkcs11/opensc-pkcs11.so
> [Success]: VERBOSE
> Loaded: (pkcs11) pkcs11 engine
> initializing engine
>      [ available ]
> OpenSSL> req -engine pkcs11 -new -key slot_1-id_70 -keyform engine -out req.pem -text -x509 -days 36500 -subj "/CN=TestCA"
> initializing engine
> engine "pkcs11" set.
> Looking in slot 1 for key: 70
> Found 2 slots
> [18446744073709551615] Virtual hotplug slot          no tok
> [1] SCM SCR 355 [CCID Interfa   login   (SmartCard-HSM (UserPIN))
> Found slot:  SCM SCR 355 [CCID Interface] 00 00
> Found token: SmartCard-HSM (UserPIN)
> Found 0 certificate:
> PKCS#11 token PIN:
> Found 1 key:
>    1 P  ca-rsa
> PKCS11_get_private_key returned NULL
> cannot load Private Key from engine
> 140210187540128:error:80028012:PKCS11 library:PKCS11_get_attribute:Attribute type invalid:p11_attr.c:53:
> 140210187540128:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:eng_pkey.c:126:
> unable to load Private Key
> error in req
> OpenSSL>
>
> I'm a bit lost ... Is there anything wrong in the parameters?
> Is there any workaround to create a proper key pair on the token?
>
> Thanks & Best regards,
> Ronny
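Andreas's diagnosis is that the public key object lacks its EC_PARAMS attribute, which is what C_GetAttributeValue(EC_PARAMS) failing with CKR_ATTRIBUTE_TYPE_INVALID shows and what engine_pkcs11 needs to reconstruct the key. The following added example (not code from the thread, OpenSC, engine_pkcs11 or OpenSSL) is a small checker a practitioner can run against the attribute values a token returns: it verifies that EC_PARAMS carries the DER namedCurve OID for secp256r1, decodes CKA_EC_POINT (which PKCS#11 defines as a DER OCTET STRING wrapping the X9.62 uncompressed point), and confirms the point lies on P-256. It assumes the attributes have already been fetched as raw bytes and passed in a dict (the names `check_ec_public_key`, `parse_ec_point` and the two sample dicts are this example's own). The EC_POINT value pkcs11-tool printed in the thread (04 43 04 41 04 ...) decodes as an OCTET STRING containing a second OCTET STRING, so the parser counts wrapper layers instead of rejecting the extra one.

```python
"""Check the EC public-key attributes returned by a PKCS#11 token.

Added example; not code from OpenSC, engine_pkcs11 or OpenSSL. It assumes
the attribute values were already read with C_GetAttributeValue and are
handed in as raw bytes; an attribute the token refused to return (like
EC_PARAMS in the thread) is simply absent from the dict.
"""
from typing import Dict, Optional, Tuple

# secp256r1 (P-256) domain parameters, FIPS 186-4 / SEC 2.
P256_P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
P256_A = P256_P - 3
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
P256_GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
P256_GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5

# CKA_EC_PARAMS for a P-256 key is the DER-encoded namedCurve OID 1.2.840.10045.3.1.7.
SECP256R1_PARAMS = bytes.fromhex("06082a8648ce3d030107")
KNOWN_CURVES = {SECP256R1_PARAMS: "secp256r1"}


def der_octet_string(content: bytes) -> bytes:
    """Wrap content in a DER OCTET STRING (short- or long-form length)."""
    n = len(content)
    if n < 0x80:
        return b"\x04" + bytes([n]) + content
    length = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x04" + bytes([0x80 | len(length)]) + length + content


def der_unwrap_octet_string(buf: bytes) -> Optional[bytes]:
    """Return the content if buf is exactly one DER OCTET STRING, else None."""
    if len(buf) < 2 or buf[0] != 0x04:
        return None
    first = buf[1]
    if first < 0x80:
        length, start = first, 2
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or len(buf) < 2 + nbytes:
            return None
        length = int.from_bytes(buf[2:2 + nbytes], "big")
        start = 2 + nbytes
    if start + length != len(buf):
        return None
    return buf[start:]


def parse_ec_point(value: bytes, coord_len: int = 32) -> Tuple[int, int, int]:
    """Decode a CKA_EC_POINT value into (x, y, layers).

    A well-formed value is one OCTET STRING around the 0x04 || X || Y point,
    i.e. layers == 1. Extra wrappers are peeled off and counted rather than
    rejected. coord_len assumes a 256-bit curve.
    """
    layers = 0
    raw_len = 1 + 2 * coord_len
    while not (len(value) == raw_len and value[0] == 0x04):
        inner = der_unwrap_octet_string(value)
        if inner is None:
            raise ValueError("EC_POINT is neither an uncompressed point nor an OCTET STRING")
        value, layers = inner, layers + 1
    x = int.from_bytes(value[1:1 + coord_len], "big")
    y = int.from_bytes(value[1 + coord_len:], "big")
    return x, y, layers


def is_on_p256(x: int, y: int) -> bool:
    """Check y^2 == x^3 - 3x + b (mod p) with both coordinates in range."""
    if not (0 <= x < P256_P and 0 <= y < P256_P):
        return False
    return (y * y - (x * x * x + P256_A * x + P256_B)) % P256_P == 0


def check_ec_public_key(attrs: Dict[str, bytes]) -> dict:
    """Report whether EC_PARAMS and EC_POINT describe a usable P-256 public key."""
    params = attrs.get("EC_PARAMS")
    report = {"ec_params_present": params is not None,
              "curve": KNOWN_CURVES.get(params),
              "point_layers": None, "on_curve": False}
    point = attrs.get("EC_POINT")
    if point is not None:
        x, y, layers = parse_ec_point(point)
        report["point_layers"] = layers
        report["on_curve"] = is_on_p256(x, y)
    report["usable"] = (report["curve"] is not None
                        and report["point_layers"] == 1 and report["on_curve"])
    return report


# Constructed: what a well-formed P-256 public key object returns. The point is
# the curve's base point G, used here only as a known-good on-curve value.
GOOD_ATTRS = {
    "EC_PARAMS": SECP256R1_PARAMS,
    "EC_POINT": der_octet_string(b"\x04" + P256_GX.to_bytes(32, "big")
                                 + P256_GY.to_bytes(32, "big")),
}

# The object from the thread: EC_PARAMS could not be read, so it is absent;
# EC_POINT is the value pkcs11-tool printed.
THREAD_ATTRS = {
    "EC_POINT": bytes.fromhex(
        "0443044104df184902123186393e28e0673cf755352c8653eaf42224a54aa3ba0da987c2eb"
        "33f8380fc39b7417a1a5138d7ea696ea95f816935d63d7c7372772d11cfca37c"),
}

if __name__ == "__main__":
    for name, attrs in (("well-formed", GOOD_ATTRS), ("from thread", THREAD_ATTRS)):
        print(name, check_ec_public_key(attrs))
```

The `usable` flag is the condition engine_pkcs11 effectively needs: a known curve from EC_PARAMS plus a single-layer EC_POINT that decodes to a valid point. For the object in the thread it is false on both counts, which matches the "No keys found" result from openssl req.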