From: Douglas E E. <dee...@gm...> - 2015-04-24 18:07:23
On 4/24/2015 11:20 AM, mike tancsa wrote:
> Hi,
> I am having some challenges successfully compiling/using the
> pkcs11_engine on Windows and was hoping someone could point me in the
> right direction.....
>
> I setup a cygwin environment on Windows 7 64bit. I have the latest
> OpenSC installed, and built and installed libP11 from the github repo. I
> then built the dll
> export set LIBS='-lp11'
> export set LDFLAGS='-L/usr/local/lib/'
> ./bootstrap
> ./configure
> make
> make install
>
> $ ls -l ~/work/engine_pkcs11/src/.libs
> total 215
> -rw-r--r-- 1 mdtancsa None 20 Apr 24 11:07 engine_pkcs11.def
> -rwxr-xr-x 1 mdtancsa None 128513 Apr 24 11:07 engine_pkcs11.dll
> -rw-r--r-- 1 mdtancsa None 2036 Apr 24 11:07 engine_pkcs11.dll.a
> -rw-r--r-- 1 mdtancsa None 28 Apr 24 11:07 engine_pkcs11.dll.def
> lrwxrwxrwx 1 mdtancsa None 19 Apr 24 11:07 engine_pkcs11.la ->
> ../engine_pkcs11.la
> -rw-r--r-- 1 mdtancsa None 1003 Apr 24 11:07 engine_pkcs11.lai
> -rw-r--r-- 1 mdtancsa None 52803 Apr 24 11:07
> engine_pkcs11_la-engine_pkcs11.o
> -rw-r--r-- 1 mdtancsa None 21561 Apr 24 11:07 engine_pkcs11_la-hw_pkcs11.o
>
> $ file engine_pkcs11.dll
> engine_pkcs11.dll: PE32+ executable (DLL) (console) x86-64, for MS Windows
>
> Then I try and generate a key (both with the old non java etokens using
> the opensc-pkcs11.dll and the java etokens using the safenet dll) which
> seems to work. But I am not able to get the openssl portion working so
> I can then generate a request.
>
> $ ./pkcs15-init.exe -E
> Using reader with a card: AKS ifdh 0
>
> $ ./pkcs15-init.exe -C -P --pin 12345 --puk 12345 -a 01 --label "mike"
> --so-pin 123456 --so-puk 123456 -T
> 2015-04-24 11:49:06.573 cannot lock memory, sensitive data may be paged
> to disk
> 2015-04-24 11:49:08.124 cannot lock memory, sensitive data may be paged
> to disk
> 2015-04-24 11:49:09.031 cannot lock memory, sensitive data may be paged
> to disk
> Using reader with a card: AKS ifdh 0
>
> $ ./pkcs15-init.exe -G rsa/2048 -a 01 --pin 12345 --so-pin 123456 -u
> sign,decrypt --id 45
> 2015-04-24 11:49:48.705 cannot lock memory, sensitive data may be paged
> to disk
> 2015-04-24 11:49:58.254 cannot lock memory, sensitive data may be paged
> to disk
> 2015-04-24 11:49:59.082 cannot lock memory, sensitive data may be paged
> to disk
> 2015-04-24 11:49:59.696 cannot lock memory, sensitive data may be paged
> to disk
> Using reader with a card: AKS ifdh 0
>
> $ ./pkcs15-tool.exe --list-keys -k -c -C
> Private RSA Key [Private Key]
> Object Flags : [0x3], private, modifiable
> Usage : [0x2E], decrypt, sign, signRecover, unwrap
> Access Flags : [0x1D], sensitive, alwaysSensitive,
> neverExtract, local
> ModLength : 2048
> Key ref : 16 (0x10)
> Native : yes
> Path : 3f005015
> Auth ID : 01
> ID : 45
> MD:guid : {ce92c7be-ec89-8a73-acae-68759a047368}
> :cmap flags : 0x0
> :sign : 0
> :key-exchange: 0
>
> Using reader with a card: AKS ifdh 0
>
> $ ./pkcs11-tool.exe --pin 12345 -O --module ./opensc-pkcs11.dll
> Public Key Object; RSA 2048 bits
> label: Private Key
> ID: 45
> Usage: encrypt, verify, wrap
> Using slot 1 with a present token (0x1)
>
> $ ./openssl.exe
> OpenSSL> engine dynamic -pre
> SO_PATH:/usr/local/lib/engines/engine_pkcs11.dll -pre ID:pkcs11 -pre
> LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/home/mdtancsa/opensc-pkcs11.dll
> (dynamic) Dynamic engine loading support
> [Success]: SO_PATH:/usr/local/lib/engines/engine_pkcs11.dll
> [Success]: ID:pkcs11
> [Success]: LIST_ADD:1
> [Success]: LOAD
> [Success]: MODULE_PATH:/home/mdtancsa/opensc-pkcs11.dll
> Loaded: (pkcs11) pkcs11 engine
> OpenSSL> req -engine pkcs11 -new -key 1:45 -keyform engine -out req.pem
> -text -x509 -subj "/CN=Mike Tancsa"
> engine "pkcs11" set.
> failed to enumerate slots
> PKCS11_get_private_key returned NULL
> cannot load Private Key from engine
> 2283136:error:80002003:PKCS11 library:PKCS11_enum_slots:Invalid slot
> ID:p11_slot.c:314:
> 2283136:error:26096080:engine routines:ENGINE_load_private_key:failed
> loading private key:eng_pkey.c:124:
> unable to load Private Key
> error in req
> OpenSSL>
>
> Trying with the SafeNet DLL gives the same / similar problem
>
> $ ./pkcs11-tool.exe --module ./eTPKCS11.dll -l --pin 12345 --keypairgen
> --key-type rsa:2048 --id 45
> Key pair generated:
> Private Key Object; RSA
> label:
> ID: 45
> Usage: decrypt, sign, unwrap
> Public Key Object; RSA 2048 bits
> label:
> ID: 45
> Usage: encrypt, verify, wrap
> Using slot 2 with a present token (0x2)
>
> Trying with slot 2
> OpenSSL> req -engine pkcs11 -new -key 2:45 -keyform engine -out cert.pem
> -text -x509 -days 3640 -subj "/CN=Mike Tancsa"
> engine "pkcs11" set.
> failed to enumerate slots
> PKCS11_get_private_key returned NULL
> cannot load Private Key from engine
> 2283136:error:80002003:PKCS11 library:PKCS11_enum_slots:Invalid slot
> ID:p11_slot.c:314:
> 2283136:error:26096080:engine routines:ENGINE_load_private_key:failed
> loading private key:eng_pkey.c:124:
> unable to load Private Key
> error in req
> OpenSSL> q
>
> And just specifying the key also fails
>
> OpenSSL> engine dynamic -pre
> SO_PATH:/usr/local/lib/engines/engine_pkcs11.dll -pre ID:pkcs11 -pre
> LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/home/mdtancsa/eTPKCS11.dll
> (dynamic) Dynamic engine loading support
> [Success]: SO_PATH:/usr/local/lib/engines/engine_pkcs11.dll
> [Success]: ID:pkcs11
> [Success]: LIST_ADD:1
> [Success]: LOAD
> [Success]: MODULE_PATH:/home/mdtancsa/eTPKCS11.dll
> Loaded: (pkcs11) pkcs11 engine
> OpenSSL> req -engine pkcs11 -new -key 45 -keyform engine -out cert.pem
> -text -x509 -days 3640 -subj "/CN=Mike Tancsa"
> engine "pkcs11" set.
> failed to enumerate slots
> PKCS11_get_private_key returned NULL
> cannot load Private Key from engine
> 2283136:error:80002003:PKCS11 library:PKCS11_enum_slots:Invalid slot
> ID:p11_slot.c:314:
> 2283136:error:26096080:engine routines:ENGINE_load_private_key:failed
> loading private key:eng_pkey.c:124:
> unable to load Private Key
> error in req
>
> ---Mike
>

First, I have not used cygwin in years...
You may need a LD_LIBRARY_PATH=

In your examples, you refer to some absolute paths like:
/home/mdtancsa/opensc-pkcs11.dll
/usr/local/lib/engines/engine_pkcs11.dll
but run from the current directory, using ./ but don't say what that directory is.

./pkcs11-tool.exe appears to have worked using ./opensc-pkcs11.dll
What directory was this?

Do you have two copies of opensc-pkcs11.dll?
one in /usr/local/lib/ and one in /home/mdtancsa/

Should you be using MODULE_PATH=/usr/local/lib/opensc-pkcs11.dll?

> _______________________________________________
> Opensc-devel mailing list
> Ope...@li...
> https://lists.sourceforge.net/lists/listinfo/opensc-devel
>

-- 
Douglas E. Engert <DEE...@gm...>
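
The reply above asks whether two copies of opensc-pkcs11.dll exist and which one MODULE_PATH should name. The shell functions below are an added example, not part of the original thread or of the OpenSC project: they list every copy of a module across candidate directories with its SHA-256 and report whether two paths hold the same build. The function names are hypothetical, and sha256sum from coreutils is assumed to be available.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical;
# sha256sum (coreutils, also shipped with Cygwin) is assumed to be on PATH.

# file_hash PATH -> SHA-256 hex digest of the file
file_hash() {
    sha256sum "$1" | cut -d' ' -f1
}

# list_copies NAME DIR... -> one "<sha256>  <path>" line per DIR/NAME that exists
list_copies() {
    name=$1
    shift
    for dir in "$@"; do
        [ -f "$dir/$name" ] || continue
        printf '%s  %s\n' "$(file_hash "$dir/$name")" "$dir/$name"
    done
}

# count_builds NAME DIR... -> number of distinct file contents among the copies
count_builds() {
    list_copies "$@" | cut -d' ' -f1 | sort -u | wc -l | tr -d ' '
}

# same_build A B -> 0 if both files hash identically, 1 if they differ,
# 2 if either path does not exist (for example a mistyped MODULE_PATH)
same_build() {
    [ -f "$1" ] && [ -f "$2" ] || return 2
    [ "$(file_hash "$1")" = "$(file_hash "$2")" ]
}

# Stand-alone use: sh script.sh opensc-pkcs11.dll . /usr/local/lib /home/mdtancsa
if [ "$#" -ge 2 ]; then
    list_copies "$@"
    echo "distinct builds: $(count_builds "$@")"
fi
```

A count above 1 means the tool that worked and the engine that failed may be loading different builds of the module; a return of 2 from same_build means one of the two paths does not exist.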