From: mike t. <mi...@se...> - 2015-04-24 16:20:58
Hi,
    I am having some challenges successfully compiling/using the pkcs11_engine on Windows and was hoping someone could point me in the right direction.....

I set up a Cygwin environment on Windows 7 64-bit. I have the latest OpenSC installed, and built and installed libP11 from the GitHub repo. I then built the DLL:

export set LIBS='-lp11'
export set LDFLAGS='-L/usr/local/lib/'
./bootstrap
./configure
make
make install

$ ls -l ~/work/engine_pkcs11/src/.libs
total 215
-rw-r--r-- 1 mdtancsa None     20 Apr 24 11:07 engine_pkcs11.def
-rwxr-xr-x 1 mdtancsa None 128513 Apr 24 11:07 engine_pkcs11.dll
-rw-r--r-- 1 mdtancsa None   2036 Apr 24 11:07 engine_pkcs11.dll.a
-rw-r--r-- 1 mdtancsa None     28 Apr 24 11:07 engine_pkcs11.dll.def
lrwxrwxrwx 1 mdtancsa None     19 Apr 24 11:07 engine_pkcs11.la -> ../engine_pkcs11.la
-rw-r--r-- 1 mdtancsa None   1003 Apr 24 11:07 engine_pkcs11.lai
-rw-r--r-- 1 mdtancsa None  52803 Apr 24 11:07 engine_pkcs11_la-engine_pkcs11.o
-rw-r--r-- 1 mdtancsa None  21561 Apr 24 11:07 engine_pkcs11_la-hw_pkcs11.o

$ file engine_pkcs11.dll
engine_pkcs11.dll: PE32+ executable (DLL) (console) x86-64, for MS Windows

Then I try and generate a key (both with the old non-Java eTokens using the opensc-pkcs11.dll and the Java eTokens using the SafeNet DLL), which seems to work. But I am not able to get the openssl portion working so I can then generate a request.

$ ./pkcs15-init.exe -E
Using reader with a card: AKS ifdh 0

$ ./pkcs15-init.exe -C -P --pin 12345 --puk 12345 -a 01 --label "mike" --so-pin 123456 --so-puk 123456 -T
2015-04-24 11:49:06.573 cannot lock memory, sensitive data may be paged to disk
2015-04-24 11:49:08.124 cannot lock memory, sensitive data may be paged to disk
2015-04-24 11:49:09.031 cannot lock memory, sensitive data may be paged to disk
Using reader with a card: AKS ifdh 0

$ ./pkcs15-init.exe -G rsa/2048 -a 01 --pin 12345 --so-pin 123456 -u sign,decrypt --id 45
2015-04-24 11:49:48.705 cannot lock memory, sensitive data may be paged to disk
2015-04-24 11:49:58.254 cannot lock memory, sensitive data may be paged to disk
2015-04-24 11:49:59.082 cannot lock memory, sensitive data may be paged to disk
2015-04-24 11:49:59.696 cannot lock memory, sensitive data may be paged to disk
Using reader with a card: AKS ifdh 0

$ ./pkcs15-tool.exe --list-keys -k -c -C
Private RSA Key [Private Key]
        Object Flags   : [0x3], private, modifiable
        Usage          : [0x2E], decrypt, sign, signRecover, unwrap
        Access Flags   : [0x1D], sensitive, alwaysSensitive, neverExtract, local
        ModLength      : 2048
        Key ref        : 16 (0x10)
        Native         : yes
        Path           : 3f005015
        Auth ID        : 01
        ID             : 45
        MD:guid        : {ce92c7be-ec89-8a73-acae-68759a047368}
          :cmap flags  : 0x0
          :sign        : 0
          :key-exchange: 0
Using reader with a card: AKS ifdh 0

$ ./pkcs11-tool.exe --pin 12345 -O --module ./opensc-pkcs11.dll
Public Key Object; RSA 2048 bits
  label:      Private Key
  ID:         45
  Usage:      encrypt, verify, wrap
Using slot 1 with a present token (0x1)

$ ./openssl.exe
OpenSSL> engine dynamic -pre SO_PATH:/usr/local/lib/engines/engine_pkcs11.dll -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/home/mdtancsa/opensc-pkcs11.dll
(dynamic) Dynamic engine loading support
[Success]: SO_PATH:/usr/local/lib/engines/engine_pkcs11.dll
[Success]: ID:pkcs11
[Success]: LIST_ADD:1
[Success]: LOAD
[Success]: MODULE_PATH:/home/mdtancsa/opensc-pkcs11.dll
Loaded: (pkcs11) pkcs11 engine
OpenSSL> req -engine pkcs11 -new -key 1:45 -keyform engine -out req.pem -text -x509 -subj "/CN=Mike Tancsa"
engine "pkcs11" set.
failed to enumerate slots
PKCS11_get_private_key returned NULL
cannot load Private Key from engine
2283136:error:80002003:PKCS11 library:PKCS11_enum_slots:Invalid slot ID:p11_slot.c:314:
2283136:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:eng_pkey.c:124:
unable to load Private Key
error in req
OpenSSL>

Trying with the SafeNet DLL gives the same / similar problem:

$ ./pkcs11-tool.exe --module ./eTPKCS11.dll -l --pin 12345 --keypairgen --key-type rsa:2048 --id 45
Key pair generated:
Private Key Object; RSA
  label:
  ID:         45
  Usage:      decrypt, sign, unwrap
Public Key Object; RSA 2048 bits
  label:
  ID:         45
  Usage:      encrypt, verify, wrap
Using slot 2 with a present token (0x2)

Trying with slot 2:

OpenSSL> req -engine pkcs11 -new -key 2:45 -keyform engine -out cert.pem -text -x509 -days 3640 -subj "/CN=Mike Tancsa"
engine "pkcs11" set.
failed to enumerate slots
PKCS11_get_private_key returned NULL
cannot load Private Key from engine
2283136:error:80002003:PKCS11 library:PKCS11_enum_slots:Invalid slot ID:p11_slot.c:314:
2283136:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:eng_pkey.c:124:
unable to load Private Key
error in req
OpenSSL> q

And just specifying the key also fails:

OpenSSL> engine dynamic -pre SO_PATH:/usr/local/lib/engines/engine_pkcs11.dll -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/home/mdtancsa/eTPKCS11.dll
(dynamic) Dynamic engine loading support
[Success]: SO_PATH:/usr/local/lib/engines/engine_pkcs11.dll
[Success]: ID:pkcs11
[Success]: LIST_ADD:1
[Success]: LOAD
[Success]: MODULE_PATH:/home/mdtancsa/eTPKCS11.dll
Loaded: (pkcs11) pkcs11 engine
OpenSSL> req -engine pkcs11 -new -key 45 -keyform engine -out cert.pem -text -x509 -days 3640 -subj "/CN=Mike Tancsa"
engine "pkcs11" set.
failed to enumerate slots
PKCS11_get_private_key returned NULL
cannot load Private Key from engine
2283136:error:80002003:PKCS11 library:PKCS11_enum_slots:Invalid slot ID:p11_slot.c:314:
2283136:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:eng_pkey.c:124:
unable to load Private Key
error in req

---Mike
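The failure above is raised inside libp11's PKCS11_enum_slots, and the reason code 0x003 in error 80002003 (printed as "Invalid slot ID") is the CKR_SLOT_ID_INVALID value libp11 received from the module's C_GetSlotList. pkcs11-tool, which talks to the same modules without libp11, enumerates them fine, so the useful next check is to call the module directly from a third, independent caller and see whether C_GetSlotList succeeds. The script below is an added example, not part of the post and not code from the OpenSC, libp11 or engine_pkcs11 projects: it loads a PKCS#11 module with ctypes, obtains the function table via C_GetFunctionList, and walks C_Initialize, C_GetSlotList and C_GetTokenInfo itself. The structure layouts, function order and return codes are taken from the PKCS#11 v2.20 specification, which also requires 1-byte structure packing on Windows (the reference cryptoki.h applies `#pragma pack(push, cryptoki, 1)` there); the script applies that packing only on Windows. The script name and the module path argument are assumptions; pass whichever module you are testing (opensc-pkcs11.dll, eTPKCS11.dll, or a Unix .so).

```python
"""Enumerate PKCS#11 slots by calling a module directly, bypassing libp11/engine_pkcs11.

Usage: python p11_slots.py /path/to/opensc-pkcs11.dll   (assumed script name)
"""
import ctypes
import sys

# Return values from PKCS#11 v2.20 section 11.1 that matter for this check.
CKR_OK = 0x00
CKR_SLOT_ID_INVALID = 0x03
CKR_GENERAL_ERROR = 0x05
CKR_FUNCTION_FAILED = 0x06
CKR_ARGUMENTS_BAD = 0x07
CKR_TOKEN_NOT_PRESENT = 0xE0
CKR_CRYPTOKI_NOT_INITIALIZED = 0x190
CKR_CRYPTOKI_ALREADY_INITIALIZED = 0x191

_RV_NAMES = {
    CKR_OK: "CKR_OK",
    CKR_SLOT_ID_INVALID: "CKR_SLOT_ID_INVALID",
    CKR_GENERAL_ERROR: "CKR_GENERAL_ERROR",
    CKR_FUNCTION_FAILED: "CKR_FUNCTION_FAILED",
    CKR_ARGUMENTS_BAD: "CKR_ARGUMENTS_BAD",
    CKR_TOKEN_NOT_PRESENT: "CKR_TOKEN_NOT_PRESENT",
    CKR_CRYPTOKI_NOT_INITIALIZED: "CKR_CRYPTOKI_NOT_INITIALIZED",
    CKR_CRYPTOKI_ALREADY_INITIALIZED: "CKR_CRYPTOKI_ALREADY_INITIALIZED",
}


def rv_name(rv):
    """Human-readable name for a CK_RV, falling back to the hex value."""
    return _RV_NAMES.get(rv, "CKR_0x%08X" % rv)


class P11Error(Exception):
    """Raised when the module cannot be loaded or a call does not return CKR_OK."""


# CK_ULONG is the platform's unsigned long: 4 bytes on Windows (LLP64), 8 on LP64 Unix.
CK_ULONG = ctypes.c_ulong
CK_RV = CK_ULONG
CK_SLOT_ID = CK_ULONG
CK_BBOOL = ctypes.c_ubyte


def _struct(name, fields):
    """Build a ctypes Structure with the packing PKCS#11 mandates on this platform."""
    attrs = {"_fields_": fields}
    if sys.platform == "win32":
        attrs["_pack_"] = 1  # spec-mandated 1-byte packing on Windows
    return type(name, (ctypes.Structure,), attrs)


CK_VERSION = _struct("CK_VERSION", [("major", ctypes.c_ubyte), ("minor", ctypes.c_ubyte)])

CK_TOKEN_INFO = _struct("CK_TOKEN_INFO", [
    ("label", ctypes.c_char * 32), ("manufacturerID", ctypes.c_char * 32),
    ("model", ctypes.c_char * 16), ("serialNumber", ctypes.c_char * 16),
    ("flags", CK_ULONG),
    ("ulMaxSessionCount", CK_ULONG), ("ulSessionCount", CK_ULONG),
    ("ulMaxRwSessionCount", CK_ULONG), ("ulRwSessionCount", CK_ULONG),
    ("ulMaxPinLen", CK_ULONG), ("ulMinPinLen", CK_ULONG),
    ("ulTotalPublicMemory", CK_ULONG), ("ulFreePublicMemory", CK_ULONG),
    ("ulTotalPrivateMemory", CK_ULONG), ("ulFreePrivateMemory", CK_ULONG),
    ("hardwareVersion", CK_VERSION), ("firmwareVersion", CK_VERSION),
    ("utcTime", ctypes.c_char * 16),
])

# Only the leading entries of CK_FUNCTION_LIST are declared, in spec order;
# the module's table is longer, but nothing past C_GetTokenInfo is touched.
CK_FUNCTION_LIST = _struct("CK_FUNCTION_LIST", [
    ("version", CK_VERSION),
    ("C_Initialize", ctypes.CFUNCTYPE(CK_RV, ctypes.c_void_p)),
    ("C_Finalize", ctypes.CFUNCTYPE(CK_RV, ctypes.c_void_p)),
    ("C_GetInfo", ctypes.CFUNCTYPE(CK_RV, ctypes.c_void_p)),
    ("C_GetFunctionList", ctypes.CFUNCTYPE(CK_RV, ctypes.c_void_p)),
    ("C_GetSlotList", ctypes.CFUNCTYPE(CK_RV, CK_BBOOL, ctypes.POINTER(CK_SLOT_ID), ctypes.POINTER(CK_ULONG))),
    ("C_GetSlotInfo", ctypes.CFUNCTYPE(CK_RV, CK_SLOT_ID, ctypes.c_void_p)),
    ("C_GetTokenInfo", ctypes.CFUNCTYPE(CK_RV, CK_SLOT_ID, ctypes.POINTER(CK_TOKEN_INFO))),
])


def _check(func, rv):
    if rv != CKR_OK:
        raise P11Error("%s returned %s" % (func, rv_name(rv)))


def list_slots(module_path, token_present=True):
    """Return [(slot_id, token_label)] as reported by the module itself."""
    try:
        lib = ctypes.CDLL(module_path)
    except OSError as exc:
        raise P11Error("cannot load %s: %s" % (module_path, exc))
    get_fl = lib.C_GetFunctionList
    get_fl.restype = CK_RV
    get_fl.argtypes = [ctypes.POINTER(ctypes.POINTER(CK_FUNCTION_LIST))]
    fl_ptr = ctypes.POINTER(CK_FUNCTION_LIST)()
    _check("C_GetFunctionList", get_fl(ctypes.byref(fl_ptr)))
    fl = fl_ptr.contents
    rv = fl.C_Initialize(None)
    if rv not in (CKR_OK, CKR_CRYPTOKI_ALREADY_INITIALIZED):
        raise P11Error("C_Initialize returned %s" % rv_name(rv))
    try:
        present = 1 if token_present else 0
        count = CK_ULONG(0)
        _check("C_GetSlotList", fl.C_GetSlotList(present, None, ctypes.byref(count)))  # size query
        slots = (CK_SLOT_ID * max(count.value, 1))()
        _check("C_GetSlotList", fl.C_GetSlotList(present, slots, ctypes.byref(count)))
        result = []
        for i in range(count.value):
            info = CK_TOKEN_INFO()
            rv = fl.C_GetTokenInfo(slots[i], ctypes.byref(info))
            # Labels are space-padded, not NUL-terminated, so read the raw bytes.
            label = info.label.raw.decode("utf-8", "replace").rstrip() if rv == CKR_OK else "<%s>" % rv_name(rv)
            result.append((slots[i], label))
        return result
    finally:
        fl.C_Finalize(None)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: %s <pkcs11-module>" % sys.argv[0])
    for slot_id, label in list_slots(sys.argv[1]):
        print("slot %d (0x%x): %s" % (slot_id, slot_id, label))
```

If this script lists the slots for both modules while the engine still reports CKR_SLOT_ID_INVALID, the problem lies between the engine build and the module (how libp11 was compiled and linked, not the token); if the script fails the same way, the module itself is returning the error and the engine is only reporting it.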