From: Ronny S. <Ron...@to...> - 2013-06-11 13:15:45
Hi,

I'm trying to create an ECC keypair with self-signed certificate on a SCM SCR 355 (CardContact.de) using OpenSC 0.13.0 and OpenSSL 1.0.1 / enginePKCS11-0.1.8 under Ubuntu 12.04.

$ pkcs11-tool --module /usr/lib/opensc-pkcs11.so --list-slots
Available slots:
Slot 0 (0xffffffffffffffff): Virtual hotplug slot
  (empty)
Slot 1 (0x1): SCM SCR 355 [CCID Interface] 00 00
  token label        : SmartCard-HSM (UserPIN)
  token manufacturer : www.CardContact.de
  token model        : PKCS#15 emulated
  token flags        : rng, login required, PIN initialized, token initialized
  hardware version   : 24.13
  firmware version   : 1.1
  serial num         : DECC0100157

When creating the EC keypair, I get an error concerning the public key:

$ pkcs11-tool --module /usr/lib/opensc-pkcs11.so --login --pin 725570 --keypairgen --key-type EC:secp256r1 --id 60 --label ca
Using slot 1 with a present token (0x1)
Key pair generated:
Private Key Object; EC
  label:      ca
  ID:         60
  Usage:      decrypt, sign, unwrap
Public Key Object; EC  EC_POINT 264 bits
  EC_POINT:   0443044104df184902123186393e28e0673cf755352c8653eaf42224a54aa3ba0da987c2eb33f8380fc39b7417a1a5138d7ea696ea95f816935d63d7c7372772d11cfca37c
warning: PKCS11 function C_GetAttributeValue(EC_PARAMS) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)

  label:      ca
  ID:         60
  Usage:      encrypt, verify, wrap

And the public key isn't listed either

$ pkcs11-tool --module /usr/lib/opensc-pkcs11.so --slot 1 --login --pin 725570 --list-objects
Private Key Object; EC
  label:      ca
  ID:         60
  Usage:      decrypt, sign, unwrap

Now OpenSSL / req cannot find the private key for whatever reason.

$ openssl
OpenSSL> version
OpenSSL 1.0.1 14 Mar 2012
OpenSSL> engine -t dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib/pkcs11/opensc-pkcs11.so -pre VERBOSE
(dynamic) Dynamic engine loading support
[Success]: SO_PATH:/usr/lib/engines/engine_pkcs11.so
[Success]: ID:pkcs11
[Success]: LIST_ADD:1
[Success]: LOAD
[Success]: MODULE_PATH:/usr/lib/pkcs11/opensc-pkcs11.so
[Success]: VERBOSE
Loaded: (pkcs11) pkcs11 engine
initializing engine
     [ available ]
OpenSSL> req -engine pkcs11 -new -key slot_1-id_60 -keyform engine -out req.pem -text -x509 -days 36500 -subj "/CN=TestCA"
initializing engine
engine "pkcs11" set.
Looking in slot 1 for key: 60
Found 2 slots
[18446744073709551615] Virtual hotplug slot           no tok
[1] SCM SCR 355 [CCID Interfa     login (SmartCard-HSM (UserPIN))
Found slot:  SCM SCR 355 [CCID Interface] 00 00
Found token: SmartCard-HSM (UserPIN)
Found 0 certificate:
PKCS#11 token PIN:
No keys found.
PKCS11_get_private_key returned NULL
cannot load Private Key from engine
139838314968736:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:eng_pkey.c:126:
unable to load Private Key
error in req
OpenSSL>

The key pair creation + CSR request creation appears to work with RSA-1024, i.e. I don't get errors and I see private and public key on the token. However, when using RSA-2048, there is no error during key generation, but --list-objects doesn't show the public key either and openssl req fails to retrieve the private key as well.

$ pkcs11-tool --module /usr/lib/opensc-pkcs11.so --login --pin 725570 --keypairgen --key-type RSA:2048 --id 70 --label ca-rsa
Using slot 1 with a present token (0x1)
Key pair generated:
Private Key Object; RSA
  label:      ca-rsa
  ID:         70
  Usage:      decrypt, sign, unwrap
Public Key Object; RSA 2048 bits
  label:      ca-rsa
  ID:         70
  Usage:      encrypt, verify, wrap

$ pkcs11-tool --module /usr/lib/opensc-pkcs11.so --slot 1 --login --pin 725570 --list-objects
Private Key Object; RSA
  label:      ca-rsa
  ID:         70
  Usage:      decrypt, sign, unwrap

$ openssl
OpenSSL> engine -t dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib/pkcs11/opensc-pkcs11.so -pre VERBOSE
(dynamic) Dynamic engine loading support
[Success]: SO_PATH:/usr/lib/engines/engine_pkcs11.so
[Success]: ID:pkcs11
[Success]: LIST_ADD:1
[Success]: LOAD
[Success]: MODULE_PATH:/usr/lib/pkcs11/opensc-pkcs11.so
[Success]: VERBOSE
Loaded: (pkcs11) pkcs11 engine
initializing engine
     [ available ]
OpenSSL> req -engine pkcs11 -new -key slot_1-id_70 -keyform engine -out req.pem -text -x509 -days 36500 -subj "/CN=TestCA"
initializing engine
engine "pkcs11" set.
Looking in slot 1 for key: 70
Found 2 slots
[18446744073709551615] Virtual hotplug slot           no tok
[1] SCM SCR 355 [CCID Interfa     login (SmartCard-HSM (UserPIN))
Found slot:  SCM SCR 355 [CCID Interface] 00 00
Found token: SmartCard-HSM (UserPIN)
Found 0 certificate:
PKCS#11 token PIN:
Found 1 key:
   1 P ca-rsa
PKCS11_get_private_key returned NULL
cannot load Private Key from engine
140210187540128:error:80028012:PKCS11 library:PKCS11_get_attribute:Attribute type invalid:p11_attr.c:53:
140210187540128:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:eng_pkey.c:126:
unable to load Private Key
error in req
OpenSSL>

I'm a bit lost ... Is there anything wrong in the parameters? Is there any workaround to create a proper key pair on the token?

Thanks & Best regards,
Ronny
From: Andreas S. <and...@ca...> - 2013-06-11 14:24:50
Dear Ronny,

issuing ECDSA keys and certificates via openssl does currently not work with OpenSC, as the EC_PARAMS attribute is only defined if a certificate for the key exists on the device. For newly generated keys, this is obviously not the case. We are working on a fix, but that requires quite some rework in the OpenSC code (see [1]).

The issue with RSA 2048 keys has been fixed in [2]. Are you using the official 0.13 release from November?

Kind regards,

Andreas

[1] https://devnet.cardcontact.de/issues/3
[2] https://github.com/CardContact/OpenSC/commit/99af6cd8ee78776f50bc016fc230541072c60afb
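As an added example (not code from the thread or from OpenSC), here is a Python check of the CKA_EC_POINT value pkcs11-tool printed for key 60 above: it peels the DER OCTET STRING layers and reports how many there were (PKCS#11 specifies exactly one around the X9.62 point 04||X||Y, while the value in the thread carries two), then validates the point against the secp256r1 curve requested on the command line, since with EC_PARAMS unreadable the curve cannot be confirmed from the token itself. The curve constants are the public secp256r1 domain parameters; the EC_POINT hex is copied from the thread.

```python
"""Decode and sanity-check a CKA_EC_POINT value as printed by pkcs11-tool.

Added example for this thread; not part of OpenSC or the engine_pkcs11 code.
"""

# Copied from the pkcs11-tool output quoted in the thread (EC:secp256r1, id 60).
EC_POINT_HEX = (
    "0443044104df184902123186393e28e0673cf755352c8653eaf42224a54aa3ba0da987c2eb"
    "33f8380fc39b7417a1a5138d7ea696ea95f816935d63d7c7372772d11cfca37c"
)

# secp256r1 / prime256v1 domain parameters (public constants, SEC 2 / FIPS 186).
P256_P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
P256_A = P256_P - 3
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
P256_GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
P256_GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5
COORD_LEN = 32  # bytes per coordinate on a 256-bit curve


def der_octet_string(buf):
    """Strip exactly one DER OCTET STRING header (tag 0x04, short or long length).

    Returns the contents. Raises ValueError when buf is not a single, complete
    OCTET STRING, so a malformed attribute is reported rather than misread.
    """
    if len(buf) < 2 or buf[0] != 0x04:
        raise ValueError("not a DER OCTET STRING")
    length, offset = buf[1], 2
    if length & 0x80:  # long-form length: low bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or len(buf) < 2 + n:
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[2:2 + n], "big")
        offset = 2 + n
    if len(buf) != offset + length:
        raise ValueError("DER length does not match buffer")
    return buf[offset:offset + length]


def parse_ec_point(hex_value):
    """Decode CKA_EC_POINT into (x, y, wrap_depth), assuming a 256-bit curve.

    PKCS#11 defines CKA_EC_POINT as one DER OCTET STRING wrapping the X9.62
    uncompressed point 04||X||Y.  wrap_depth counts the OCTET STRING layers
    actually found, so a caller can flag the double-wrapped form seen in the
    thread (04 43 04 41 04 ...) instead of silently accepting it.
    """
    buf = bytes.fromhex(hex_value)
    depth = 0
    # Peel layers until a raw uncompressed point (0x04 + two coordinates) remains.
    while not (len(buf) == 1 + 2 * COORD_LEN and buf[0] == 0x04):
        buf = der_octet_string(buf)
        depth += 1
        if depth > 2:
            raise ValueError("too many OCTET STRING layers around EC point")
    x = int.from_bytes(buf[1:1 + COORD_LEN], "big")
    y = int.from_bytes(buf[1 + COORD_LEN:], "big")
    return x, y, depth


def on_curve(x, y):
    """Public-key validation: coordinates in [0, p) and y^2 = x^3 + ax + b (mod p)."""
    if not (0 <= x < P256_P and 0 <= y < P256_P):
        return False
    return (y * y - (x * x * x + P256_A * x + P256_B)) % P256_P == 0


def check_ec_point(hex_value):
    """Summarise what a PKCS#11 client would learn from this attribute value."""
    x, y, depth = parse_ec_point(hex_value)
    return {
        "x": "%064x" % x,
        "y": "%064x" % y,
        "octet_string_layers": depth,
        "standard_encoding": depth == 1,   # exactly one layer per PKCS#11
        "on_secp256r1": on_curve(x, y),    # curve assumed from the --key-type flag
    }


if __name__ == "__main__":
    for key, value in check_ec_point(EC_POINT_HEX).items():
        print(f"{key}: {value}")
```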
From: Douglas E. E. <dee...@an...> - 2013-06-11 14:29:17
The problem is most likely related to what was reported 9/20/2012 and an outline of how to fix it:

http://www.mail-archive.com/ope...@li.../msg10067.html

--
Douglas E. Engert <DEE...@an...>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
From: Martin P. <ma...@ma...> - 2013-06-11 14:40:57
Hello,

You did not specify a card (which must also support ECC), but keep in mind that at least engine_pkcs11 only speaks RSA.

--
Martin
+372 515 6495
From: Douglas E. E. <dee...@an...> - 2013-06-11 15:37:09
On 6/11/2013 9:40 AM, Martin Paljak wrote:
> Hello,
>
> You did not specify a card (which must also support ECC), but keep in
> mind that at least engine_pkcs11 only speaks RSA.

See Re: [openssl.org #2568] enhancement request: remove ECC engine support's limitation from 2011. I have some code for the engine and p11 from 2011 for ECC.

> --
> Martin
> +372 515 6495

--
Douglas E. Engert <DEE...@an...>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
From: Ronny S. <Ron...@to...> - 2013-06-12 16:27:59
Hi all, thanks a lot for all your replies. > The issue with RSA 2048 keys has been been fixed in [2]. Are you using the official 0.13 release from November ? Yes, I was using the official OpenSC 0.13 release; I switched to the latest version from the GIT repository which indeed solves the RSA-2048 issue. > issuing ECDSA keys and certificates via openssl does currently not work with OpenSC, as the EC_PARAMS attribute is only defined if a certificate for the key exists on the device. Ok. I tried to create an EC:prime256v1 keypair + self-signed certificate using OpenSSL on my PC but was unable to write the private key to the device (pkcs11-tool; error: Unsupported key type: 0x198) either. > You did not specify a card (which must also support ECC), but keep in mind that at least engine_pkcs11 only speaks RSA. Ok, then we most likely need to drop ECC anyway and use RSA instead. Best regards, Ronny -----Original Message----- From: Andreas Schwier [mailto:and...@ca...] Sent: Dienstag, 11. Juni 2013 16:25 To: ope...@li... Subject: Re: [Opensc-devel] SCM SCR 355 / EC:secp256r1/RSA-2048 keypair creation issues Dear Ronny, issuing ECDSA keys and certificates via openssl does currently not work with OpenSC, as the EC_PARAMS attribute is only defined if a certificate for the key exists on the device. For newly generated keys, this is obviously not the case. We are working on a fix, but that requires quite some rework in the OpenSC code (see [1]). The issue with RSA 2048 keys has been been fixed in [2]. Are you using the official 0.13 release from November ? Kind regards, Andreas [1] https://devnet.cardcontact.de/issues/3 [2] https://github.com/CardContact/OpenSC/commit/99af6cd8ee78776f50bc016fc230541072c60afb On 06/11/2013 03:02 PM, Ronny Schütz wrote: > Hi, > > I'm trying to create a ECC keypair with self-signed certificate on a SCM SCR 355 (CardContact.de) using OpenSC 0.13.0 and OpenSSL 1.0.1 / enginePKCS11-0.1.8 under Ubuntu 12.04. 
>
> $ pkcs11-tool --module /usr/lib/opensc-pkcs11.so --list-slots
> Available slots:
> Slot 0 (0xffffffffffffffff): Virtual hotplug slot
> (empty)
> Slot 1 (0x1): SCM SCR 355 [CCID Interface] 00 00
> token label : SmartCard-HSM (UserPIN)
> token manufacturer : www.CardContact.de
> token model : PKCS#15 emulated
> token flags : rng, login required, PIN initialized, token initialized
> hardware version : 24.13
> firmware version : 1.1
> serial num : DECC0100157
>
> When creating the EC keypair, I get an error concerning the public key:
>
> $ pkcs11-tool --module /usr/lib/opensc-pkcs11.so --login --pin 725570 --keypairgen --key-type EC:secp256r1 --id 60 --label ca
> Using slot 1 with a present token (0x1)
> Key pair generated:
> Private Key Object; EC
> label: ca
> ID: 60
> Usage: decrypt, sign, unwrap
> Public Key Object; EC EC_POINT 264 bits
> EC_POINT: 0443044104df184902123186393e28e0673cf755352c8653eaf42224a54aa3ba0da987c2eb33f8380fc39b7417a1a5138d7ea696ea95f816935d63d7c7372772d11cfca37c
> warning: PKCS11 function C_GetAttributeValue(EC_PARAMS) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)
>
> label: ca
> ID: 60
> Usage: encrypt, verify, wrap
>
> And the public key isn't listed either
>
> $ pkcs11-tool --module /usr/lib/opensc-pkcs11.so --slot 1 --login --pin 725570 --list-objects
> Private Key Object; EC
> label: ca
> ID: 60
> Usage: decrypt, sign, unwrap
>
> Now OpenSSL / req cannot find the private key for whatever reason.
>
> $ openssl
> OpenSSL> version
> OpenSSL 1.0.1 14 Mar 2012
> OpenSSL> engine -t dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib/pkcs11/opensc-pkcs11.so -pre VERBOSE
> (dynamic) Dynamic engine loading support
> [Success]: SO_PATH:/usr/lib/engines/engine_pkcs11.so
> [Success]: ID:pkcs11
> [Success]: LIST_ADD:1
> [Success]: LOAD
> [Success]: MODULE_PATH:/usr/lib/pkcs11/opensc-pkcs11.so
> [Success]: VERBOSE
> Loaded: (pkcs11) pkcs11 engine
> initializing engine
> [ available ]
> OpenSSL> req -engine pkcs11 -new -key slot_1-id_60 -keyform engine -out req.pem -text -x509 -days 36500 -subj "/CN=TestCA"
> initializing engine
> engine "pkcs11" set.
> Looking in slot 1 for key: 60
> Found 2 slots
> [18446744073709551615] Virtual hotplug slot no tok
> [1] SCM SCR 355 [CCID Interfa login (SmartCard-HSM (UserPIN))
> Found slot: SCM SCR 355 [CCID Interface] 00 00
> Found token: SmartCard-HSM (UserPIN)
> Found 0 certificate:
> PKCS#11 token PIN:
> No keys found.
> PKCS11_get_private_key returned NULL
> cannot load Private Key from engine
> 139838314968736:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:eng_pkey.c:126:
> unable to load Private Key
> error in req
> OpenSSL>
>
> The key pair creation + CSR request creation appears to work with RSA-1024, i.e. I don't get errors and I see private and public key on the token. However, when using RSA-2048, there is no error during key generation, but --list-objects doesn't show the public key either and openssl req fails to retrieve the private key as well.
>
> $ pkcs11-tool --module /usr/lib/opensc-pkcs11.so --login --pin 725570 --keypairgen --key-type RSA:2048 --id 70 --label ca-rsa
> Using slot 1 with a present token (0x1)
> Key pair generated:
> Private Key Object; RSA
> label: ca-rsa
> ID: 70
> Usage: decrypt, sign, unwrap
> Public Key Object; RSA 2048 bits
> label: ca-rsa
> ID: 70
> Usage: encrypt, verify, wrap
> $ pkcs11-tool --module /usr/lib/opensc-pkcs11.so --slot 1 --login --pin 725570 --list-objects
> Private Key Object; RSA
> label: ca-rsa
> ID: 70
> Usage: decrypt, sign, unwrap
> $ openssl
> OpenSSL> engine -t dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib/pkcs11/opensc-pkcs11.so -pre VERBOSE
> (dynamic) Dynamic engine loading support
> [Success]: SO_PATH:/usr/lib/engines/engine_pkcs11.so
> [Success]: ID:pkcs11
> [Success]: LIST_ADD:1
> [Success]: LOAD
> [Success]: MODULE_PATH:/usr/lib/pkcs11/opensc-pkcs11.so
> [Success]: VERBOSE
> Loaded: (pkcs11) pkcs11 engine
> initializing engine
> [ available ]
> OpenSSL> req -engine pkcs11 -new -key slot_1-id_70 -keyform engine -out req.pem -text -x509 -days 36500 -subj "/CN=TestCA"
> initializing engine
> engine "pkcs11" set.
> Looking in slot 1 for key: 70
> Found 2 slots
> [18446744073709551615] Virtual hotplug slot no tok
> [1] SCM SCR 355 [CCID Interfa login (SmartCard-HSM (UserPIN))
> Found slot: SCM SCR 355 [CCID Interface] 00 00
> Found token: SmartCard-HSM (UserPIN)
> Found 0 certificate:
> PKCS#11 token PIN:
> Found 1 key:
> 1 P ca-rsa
> PKCS11_get_private_key returned NULL
> cannot load Private Key from engine
> 140210187540128:error:80028012:PKCS11 library:PKCS11_get_attribute:Attribute type invalid:p11_attr.c:53:
> 140210187540128:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:eng_pkey.c:126:
> unable to load Private Key
> error in req
> OpenSSL>
>
> I'm a bit lost ... Is there anything wrong in the parameters?
> Is there any workaround to create a proper key pair on the token?
>
> Thanks & Best regards,
> Ronny

_______________________________________________
Opensc-devel mailing list
Ope...@li...
https://lists.sourceforge.net/lists/listinfo/opensc-devel
|
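The warning Ronny quotes, C_GetAttributeValue(EC_PARAMS) failing with CKR_ATTRIBUTE_TYPE_INVALID while EC_POINT is returned, leaves a PKCS#11 client holding the public point without a curve identifier. The following is an added example, not code from this thread, from OpenSC or from OpenSSL, of what a client can still establish on its own: it decodes the EC_POINT value from the pkcs11-tool output above, which as printed carries two DER OCTET STRING layers (04 43 04 41 04 ...), falls back to guessing the curve from the coordinate length when EC_PARAMS is missing, and checks that a point actually satisfies the P-256 curve equation before it is relied on. The wrapper tolerance, the length-based guess and all function names are this example's own assumptions, not PKCS#11 or OpenSC behaviour.

```python
# Added example (not code from the opensc-devel thread, OpenSC or OpenSSL):
# read a PKCS#11 EC public key from its CKA_EC_POINT attribute when the
# token answers CKR_ATTRIBUTE_TYPE_INVALID for CKA_EC_PARAMS, and validate
# the point on secp256r1 before relying on it.  Standard library only.

from typing import Optional, Tuple

# secp256r1 / prime256v1 / NIST P-256 domain parameters.
P256_P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
P256_A = P256_P - 3
P256_B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
P256_GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
P256_GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5

# DER-encoded namedCurve OIDs as a token returns them in CKA_EC_PARAMS.
NAMED_CURVE_OIDS = {
    bytes.fromhex("06082a8648ce3d030107"): "secp256r1",  # 1.2.840.10045.3.1.7
    bytes.fromhex("06052b81040022"): "secp384r1",        # 1.3.132.0.34
    bytes.fromhex("06052b81040023"): "secp521r1",        # 1.3.132.0.35
}

# Fallback used only when CKA_EC_PARAMS is unavailable (assumption of this
# example): the coordinate length narrows the curve to the usual NIST
# candidate, but it remains a guess until a certificate confirms it.
COORD_LEN_TO_CURVE = {32: "secp256r1", 48: "secp384r1", 66: "secp521r1"}

# CKA_EC_POINT value copied from the pkcs11-tool output quoted in the thread.
EC_POINT_FROM_THREAD = bytes.fromhex(
    "0443044104df184902123186393e28e0673cf755352c8653eaf42224a54aa3ba0da987c2eb"
    "33f8380fc39b7417a1a5138d7ea696ea95f816935d63d7c7372772d11cfca37c"
)


def der_octet_string(data: bytes) -> bytes:
    """Return the contents of one DER OCTET STRING (tag 0x04)."""
    if len(data) < 2 or data[0] != 0x04:
        raise ValueError("not a DER OCTET STRING")
    length, pos = data[1], 2
    if length & 0x80:  # long-form length: 0x8N followed by N length bytes
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    if pos + length != len(data):
        raise ValueError("OCTET STRING length does not match the value")
    return data[pos:]


def parse_ec_point(attr: bytes) -> Tuple[int, int, str]:
    """Decode CKA_EC_POINT into (x, y, curve guessed from coordinate size).

    PKCS#11 defines CKA_EC_POINT as the DER OCTET STRING encoding of an X9.62
    ECPoint.  The value in the thread carries a second OCTET STRING layer
    (04 43 04 41 04 ...), so wrappers are stripped until an uncompressed
    point (0x04 || X || Y) with a plausible coordinate size is left.
    """
    point = attr
    for _ in range(3):  # at most two wrapper layers are tolerated
        n = (len(point) - 1) // 2
        if point and point[0] == 0x04 and len(point) == 1 + 2 * n and n in COORD_LEN_TO_CURVE:
            x = int.from_bytes(point[1:1 + n], "big")
            y = int.from_bytes(point[1 + n:], "big")
            return x, y, COORD_LEN_TO_CURVE[n]
        point = der_octet_string(point)
    raise ValueError("unrecognised EC point encoding")


def is_on_p256(x: int, y: int) -> bool:
    """True if (x, y) lies on P-256: y^2 == x^3 - 3x + b (mod p), both in range."""
    if not (0 <= x < P256_P and 0 <= y < P256_P):
        return False
    return (y * y - (x * x * x + P256_A * x + P256_B)) % P256_P == 0


def inspect_ec_public_key(ec_point: bytes, ec_params: Optional[bytes] = None) -> dict:
    """Summarise what a client can establish from the two attributes.

    ec_params is the raw CKA_EC_PARAMS value, or None to model the
    CKR_ATTRIBUTE_TYPE_INVALID answer seen in the thread.
    """
    x, y, guessed = parse_ec_point(ec_point)
    curve = None
    if ec_params is not None:
        curve = NAMED_CURVE_OIDS.get(ec_params)
        if curve is None:
            raise ValueError("unrecognised CKA_EC_PARAMS (explicit parameters or unknown OID)")
        if curve != guessed:
            raise ValueError("CKA_EC_PARAMS curve does not match the point size")
    chosen = curve or guessed
    return {
        "x": x,
        "y": y,
        "curve": chosen,
        "curve_source": "CKA_EC_PARAMS" if curve else "guessed from coordinate length",
        # Only P-256 is validated here; other curves report None (unchecked).
        "on_curve": is_on_p256(x, y) if chosen == "secp256r1" else None,
    }


if __name__ == "__main__":
    info = inspect_ec_public_key(EC_POINT_FROM_THREAD)
    print(f"curve={info['curve']} ({info['curve_source']}), on_curve={info['on_curve']}")
    print(f"x={info['x']:064x}\ny={info['y']:064x}")
```

Running the script prints the two 32-byte coordinates and the on-curve result for the point in the thread. The length-based curve must not be treated as authoritative in production; it only narrows the candidates, and a certificate or a readable CKA_EC_PARAMS has to confirm it. One observation that the decoding makes visible: after the first OCTET STRING layer is removed, 67 bytes remain, and (67 - 1) / 2 = 33 bytes = 264 bits, which is exactly the "264 bits" pkcs11-tool printed for this key, consistent with the tool having sized the point after removing only one layer.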
From: Andreas S. <and...@ca...> - 2013-06-12 19:52:51
|
Hi Ronny,

On 06/12/2013 06:27 PM, Ronny Schütz wrote:
> Hi all,
>
> thanks a lot for all your replies.
>
>> The issue with RSA 2048 keys has been fixed in [2]. Are you using the official 0.13 release from November?
>
> Yes, I was using the official OpenSC 0.13 release; I switched to the latest version from the GIT repository which indeed solves the RSA-2048 issue.
>
>> issuing ECDSA keys and certificates via openssl does currently not work with OpenSC, as the EC_PARAMS attribute is only defined if a certificate for the key exists on the device.
>
> Ok. I tried to create an EC:prime256v1 keypair + self-signed certificate using OpenSSL on my PC but was unable to write the private key to the device (pkcs11-tool; error: Unsupported key type: 0x198) either.

The SmartCard-HSM does not support key import in plain. Only keys previously exported under the Device Key Encryption Key (DKEK) can be imported.

>> You did not specify a card (which must also support ECC), but keep in mind that at least engine_pkcs11 only speaks RSA.
>
> Ok, then we most likely need to drop ECC anyway and use RSA instead.

I can provide you with a Smart Card Shell script that generates ECC keys and certificates on a SmartCard-HSM.

> Best regards,
> Ronny
|
From: Ronny S. <Ron...@to...> - 2013-06-13 10:25:51
|
Hi Andreas,

> I can provide you with a Smart Card Shell script that generates ECC keys and certificates on a SmartCard-HSM.

That would be helpful, thanks! What I actually want to achieve is to use the SmartCard-HSM to carry a custom CA keypair + certificate (RSA:2048 or better EC:secp256r1) and use the token to either process CSRs and generate X.509 certificates or to at least generate the signature to issue client certificates using OpenSSL. Would this work considering that "at least engine_pkcs11 only speaks RSA" (Martin)?

Best regards,
Ronny
|
From: Douglas E. E. <dee...@an...> - 2013-06-13 14:45:28
|
If you are willing to do some development, back in 2011 I had mods to openssl, engine-pkcs11 and libp11 to support ECDSA signatures. See this last message in the thread: http://www.mail-archive.com/ope...@li.../msg08848.html (Felipe Blauth got the mods working)

I have attached the updated mods, but I have not used them in some time. As noted in the mods there is an outstanding OpenSSL bug.

+#if defined(BUILD_WITH_EC) && !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_ECDSA)
+/* OpenSSL has ECDSA_METHOD defined in internal header file ecs_locl.h
+ * For now:
+ * CPPFLAGS="-DBUILD_WITH_EC -I/path.to.openssl-1.0.0a/crypto/ecdh"
+ * See OpenSSL bug report #2459 02/23/2011
+ * When this is fixed, the BUILD_WITH_EC test can be removed
+ *
+ * TODO ECDH_METHOD is in ech_locl.h too!
+ */

On 6/13/2013 5:25 AM, Ronny Schütz wrote:
> Hi Andreas,
>
>> I can provide you with a Smart Card Shell script that generates ECC keys and certificates on a SmartCard-HSM.
>
> That would be helpful, thanks! What I actually want to achieve is to use the SmartCard-HSM to carry a custom CA keypair + certificate (RSA:2048 or better EC:secp256r1) and use the token to either process CSRs and generate X.509 certificates or to at least generate the signature to issue client certificates using OpenSSL. Would this work considering that: "at least engine_pkcs11 only speaks RSA" (Martin)?
>
> Best regards,
> Ronny
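Review bot: the `#if defined(BUILD_WITH_EC) ...` guard makes the entire ECDSA path depend on a macro that, per the comment, has to be supplied by hand through CPPFLAGS together with an include path into an OpenSSL source tree; a build against an installed OpenSSL, where OPENSSL_NO_EC and OPENSSL_NO_ECDSA are both unset, therefore compiles cleanly but silently without ECDSA support. An `#error` or a configure-time check for the case "EC support expected but BUILD_WITH_EC not defined" would make the dependency on OpenSSL bug #2459 visible instead of invisible. The CPPFLAGS hint is also inconsistent with the comment: it adds only crypto/ecdh to the include path, while the comment takes ECDSA_METHOD from ecs_locl.h and the TODO line names ech_locl.h as the separate ECDH header; in the OpenSSL 1.0.x tree ecs_locl.h lives under crypto/ecdsa, so the hint should list both directories or the TODO should be resolved before the patch is reused.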
>> >> Yes, I was using the official OpenSC 0.13 release; I switched to the latest version from the GIT repository which indeed solves the RSA-2048 issue. >> >>> issuing ECDSA keys and certificates via openssl does currently not work with OpenSC, as the EC_PARAMS attribute is only defined if a certificate for the key exists on the device. >> >> Ok. I tried to create an EC:prime256v1 keypair + self-signed certificate using OpenSSL on my PC but was unable to write the private key to the device (pkcs11-tool; error: Unsupported key type: 0x198) either. > The SmartCard-HSM does not support key import in plain. Only keys previously exported under the Device Key Encryption Key (DKEK) can be imported >> >>> You did not specify a card (which must also support ECC), but keep in mind that at least engine_pkcs11 only speaks RSA. >> >> Ok, then we most likely need to drop ECC anyway and use RSA instead. > I can provide you with a Smart Card Shell script that generates ECC keys and certificates on a SmartCard-HSM. >> >> Best regards, >> Ronny >> >> -----Original Message----- >> From: Andreas Schwier [mailto:and...@ca...] >> Sent: Dienstag, 11. Juni 2013 16:25 >> To: ope...@li... >> Subject: Re: [Opensc-devel] SCM SCR 355 / EC:secp256r1/RSA-2048 >> keypair creation issues >> >> Dear Ronny, >> >> issuing ECDSA keys and certificates via openssl does currently not work with OpenSC, as the EC_PARAMS attribute is only defined if a certificate for the key exists on the device. For newly generated keys, this is obviously not the case. We are working on a fix, but that requires quite some rework in the OpenSC code (see [1]). >> >> The issue with RSA 2048 keys has been been fixed in [2]. Are you using the official 0.13 release from November ? 
>> >> Kind regards, >> >> Andreas >> >> >> [1] https://devnet.cardcontact.de/issues/3 >> [2] >> https://github.com/CardContact/OpenSC/commit/99af6cd8ee78776f50bc016fc >> 230541072c60afb >> >> On 06/11/2013 03:02 PM, Ronny Schütz wrote: >>> Hi, >>> >>> I'm trying to create a ECC keypair with self-signed certificate on a SCM SCR 355 (CardContact.de) using OpenSC 0.13.0 and OpenSSL 1.0.1 / enginePKCS11-0.1.8 under Ubuntu 12.04. >>> >>> $ pkcs11-tool --module /usr/lib/opensc-pkcs11.so --list-slots >>> Available slots: >>> Slot 0 (0xffffffffffffffff): Virtual hotplug slot >>> (empty) >>> Slot 1 (0x1): SCM SCR 355 [CCID Interface] 00 00 >>> token label : SmartCard-HSM (UserPIN) >>> token manufacturer : www.CardContact.de >>> token model : PKCS#15 emulated >>> token flags : rng, login required, PIN initialized, token initialized >>> hardware version : 24.13 >>> firmware version : 1.1 >>> serial num : DECC0100157 >>> >>> When creating the EC keypair, I get an error concerning the public key: >>> >>> $ pkcs11-tool --module /usr/lib/opensc-pkcs11.so --login --pin 725570 >>> --keypairgen --key-type EC:secp256r1 --id 60 --label ca Using slot 1 >>> with a present token (0x1) Key pair generated: >>> Private Key Object; EC >>> label: ca >>> ID: 60 >>> Usage: decrypt, sign, unwrap >>> Public Key Object; EC EC_POINT 264 bits >>> EC_POINT: >>> 0443044104df184902123186393e28e0673cf755352c8653eaf42224a54aa3ba0da98 >>> 7 >>> c2eb33f8380fc39b7417a1a5138d7ea696ea95f816935d63d7c7372772d11cfca37c >>> warning: PKCS11 function C_GetAttributeValue(EC_PARAMS) failed: rv = >>> CKR_ATTRIBUTE_TYPE_INVALID (0x12) >>> >>> label: ca >>> ID: 60 >>> Usage: encrypt, verify, wrap >>> >>> And the public key isn't listed either >>> >>> $ pkcs11-tool --module /usr/lib/opensc-pkcs11.so --slot 1 --login >>> --pin 725570 --list-objects Private Key Object; EC >>> label: ca >>> ID: 60 >>> Usage: decrypt, sign, unwrap >>> >>> Now OpenSSL / req cannot find the private key for whatever reason. 
>>> >>> $ openssl >>> OpenSSL> version >>> OpenSSL 1.0.1 14 Mar 2012 >>> OpenSSL> engine -t dynamic -pre >>> OpenSSL> SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 >>> OpenSSL> -pre >>> OpenSSL> LIST_ADD:1 -pre LOAD -pre >>> OpenSSL> MODULE_PATH:/usr/lib/pkcs11/opensc-pkcs11.so -pre VERBOSE >>> (dynamic) Dynamic engine loading support >>> [Success]: SO_PATH:/usr/lib/engines/engine_pkcs11.so >>> [Success]: ID:pkcs11 >>> [Success]: LIST_ADD:1 >>> [Success]: LOAD >>> [Success]: MODULE_PATH:/usr/lib/pkcs11/opensc-pkcs11.so >>> [Success]: VERBOSE >>> Loaded: (pkcs11) pkcs11 engine >>> initializing engine >>> [ available ] >>> OpenSSL> req -engine pkcs11 -new -key slot_1-id_60 -keyform engine -out req.pem -text -x509 -days 36500 -subj "/CN=TestCA" >>> initializing engine >>> engine "pkcs11" set. >>> Looking in slot 1 for key: 60 >>> Found 2 slots >>> [18446744073709551615] Virtual hotplug slot no tok >>> [1] SCM SCR 355 [CCID Interfa login (SmartCard-HSM (UserPIN)) >>> Found slot: SCM SCR 355 [CCID Interface] 00 00 Found token: >>> SmartCard-HSM (UserPIN) Found 0 certificate: >>> PKCS#11 token PIN: >>> No keys found. >>> PKCS11_get_private_key returned NULL >>> cannot load Private Key from engine >>> 139838314968736:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:eng_pkey.c:126: >>> unable to load Private Key >>> error in req >>> OpenSSL> >>> >>> The key pair creation + CSR request creation appears to work with RSA-1024, i.e. I don't get errors and I see private and public key on the token. However, when using RSA-2048, there is no error during key generation, but --list-objects doesn't show the public key either and openssl req fails to retrieve the private key as well. 
>>>
>>> $ pkcs11-tool --module /usr/lib/opensc-pkcs11.so --login --pin 725570 --keypairgen --key-type RSA:2048 --id 70 --label ca-rsa
>>> Using slot 1 with a present token (0x1)
>>> Key pair generated:
>>> Private Key Object; RSA
>>> label: ca-rsa
>>> ID: 70
>>> Usage: decrypt, sign, unwrap
>>> Public Key Object; RSA 2048 bits
>>> label: ca-rsa
>>> ID: 70
>>> Usage: encrypt, verify, wrap
>>>
>>> $ pkcs11-tool --module /usr/lib/opensc-pkcs11.so --slot 1 --login --pin 725570 --list-objects
>>> Private Key Object; RSA
>>> label: ca-rsa
>>> ID: 70
>>> Usage: decrypt, sign, unwrap
>>>
>>> $ openssl
>>> OpenSSL> engine -t dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib/pkcs11/opensc-pkcs11.so -pre VERBOSE
>>> (dynamic) Dynamic engine loading support
>>> [Success]: SO_PATH:/usr/lib/engines/engine_pkcs11.so
>>> [Success]: ID:pkcs11
>>> [Success]: LIST_ADD:1
>>> [Success]: LOAD
>>> [Success]: MODULE_PATH:/usr/lib/pkcs11/opensc-pkcs11.so
>>> [Success]: VERBOSE
>>> Loaded: (pkcs11) pkcs11 engine
>>> initializing engine
>>> [ available ]
>>> OpenSSL> req -engine pkcs11 -new -key slot_1-id_70 -keyform engine -out req.pem -text -x509 -days 36500 -subj "/CN=TestCA"
>>> initializing engine
>>> engine "pkcs11" set.
>>> Looking in slot 1 for key: 70
>>> Found 2 slots
>>> [18446744073709551615] Virtual hotplug slot no tok
>>> [1] SCM SCR 355 [CCID Interfa login (SmartCard-HSM (UserPIN))
>>> Found slot: SCM SCR 355 [CCID Interface] 00 00
>>> Found token: SmartCard-HSM (UserPIN)
>>> Found 0 certificate:
>>> PKCS#11 token PIN:
>>> Found 1 key:
>>> 1 P ca-rsa
>>> PKCS11_get_private_key returned NULL
>>> cannot load Private Key from engine
>>> 140210187540128:error:80028012:PKCS11 library:PKCS11_get_attribute:Attribute type invalid:p11_attr.c:53:
>>> 140210187540128:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:eng_pkey.c:126:
>>> unable to load Private Key
>>> error in req
>>> OpenSSL>
>>>
>>> I'm a bit lost ... Is there anything wrong in the parameters? Is there any workaround to create a proper key pair on the token?
>>>
>>> Thanks & Best regards,
>>> Ronny
>>>
>>> ------------------------------------------------------------------------------
>>> This SF.net email is sponsored by Windows:
>>>
>>> Build for Windows Store.
>>>
>>> http://p.sf.net/sfu/windows-dev2dev
>>> _______________________________________________
>>> Opensc-devel mailing list
>>> Ope...@li...
>>> https://lists.sourceforge.net/lists/listinfo/opensc-devel
>>
>
-- 
Douglas E. Engert <DEE...@an...>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
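The CKA_EC_POINT hex that pkcs11-tool printed for the secp256r1 key is worth decoding by hand: its first bytes, 04 43 04 41 04, are a 67-byte OCTET STRING whose content is itself a 65-byte OCTET STRING around the uncompressed point, one layer more than the single OCTET STRING that PKCS#11 defines for CKA_EC_POINT. The script below is an added example for this thread and is not code from OpenSC, libp11, engine_pkcs11 or CardContact. It unwraps the layers, checks that the point satisfies the secp256r1 curve equation, re-encodes it in the single-wrapped form, and reproduces the "bits" figure. Assumptions: EC_POINT_HEX is the value quoted above; the curve constants are the published secp256r1 parameters; pkcs11_tool_bits is my reconstruction from memory of the (length - 3) * 4 estimate that pkcs11-tool prints from the attribute length, which is how a 69-byte value comes out as "264 bits" rather than 256, and it is not OpenSC source. Whether the extra layer is what stops engine_pkcs11 from loading the key is not something the thread settles, so the script only reports what the attribute contains.

```python
"""Decode a CKA_EC_POINT value printed by pkcs11-tool and sanity-check it.

Added example for this thread, not code from OpenSC, libp11, engine_pkcs11 or
CardContact.  Curve constants are the published secp256r1 (NIST P-256) values.
"""

# CKA_EC_POINT exactly as pkcs11-tool printed it for "--key-type EC:secp256r1 --id 60".
EC_POINT_HEX = (
    "0443044104df184902123186393e28e0673cf755352c8653eaf42224a54aa3ba0da987c2eb"
    "33f8380fc39b7417a1a5138d7ea696ea95f816935d63d7c7372772d11cfca37c"
)

# secp256r1 domain parameters (public standard values) and coordinate size.
P256_P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
P256_A = P256_P - 3
P256_B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
P256_GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
P256_GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5
P256_COORD_LEN = 32


def der_octet_string(buf):
    """Parse a DER OCTET STRING spanning all of buf; return its content bytes."""
    if len(buf) < 2 or buf[0] != 0x04:
        raise ValueError("expected OCTET STRING tag 0x04")
    first = buf[1]
    if first < 0x80:                       # short-form length
        length, hdr = first, 2
    else:                                  # long-form length: 0x8N then N bytes
        nbytes = first & 0x7F
        length = int.from_bytes(buf[2:2 + nbytes], "big")
        hdr = 2 + nbytes
    if hdr + length != len(buf):
        raise ValueError("OCTET STRING length %d does not fit %d bytes" % (length, len(buf)))
    return buf[hdr:]


def parse_ec_point(der, coord_len=P256_COORD_LEN):
    """Unwrap CKA_EC_POINT to the raw uncompressed point 04||X||Y.  PKCS#11 defines
    exactly one OCTET STRING layer; any extra layers are peeled and counted in 'wraps'."""
    raw_len = 1 + 2 * coord_len
    content, wraps = der, 0
    while len(content) != raw_len:
        if len(content) < raw_len:
            raise ValueError("value too short for a %d-byte point" % raw_len)
        content = der_octet_string(content)
        wraps += 1
    if content[0] != 0x04:
        raise ValueError("only uncompressed points (leading 0x04) are handled")
    x = int.from_bytes(content[1:1 + coord_len], "big")
    y = int.from_bytes(content[1 + coord_len:], "big")
    return {"wraps": wraps, "x": x, "y": y, "raw": bytes(content)}


def on_curve_p256(x, y):
    """True iff y^2 == x^3 + a*x + b (mod p), i.e. (x, y) lies on secp256r1."""
    if not (0 <= x < P256_P and 0 <= y < P256_P):
        return False
    return (y * y - (x * x * x + P256_A * x + P256_B)) % P256_P == 0


def canonical_ec_point(raw):
    """Encode a raw point as the single OCTET STRING PKCS#11 expects."""
    if len(raw) < 0x80:
        return bytes([0x04, len(raw)]) + raw
    if len(raw) < 0x100:
        return bytes([0x04, 0x81, len(raw)]) + raw
    raise ValueError("point longer than this encoder supports")


def pkcs11_tool_bits(size):
    """Rough 'EC_POINT N bits' figure for an attribute of 'size' bytes.  Assumption:
    reproduces from memory the estimate pkcs11-tool 0.13 prints; not OpenSC source."""
    if size - 2 <= 127:
        return (size - 3) * 4
    if size - 3 <= 255:
        return (size - 4) * 4
    return (size - 5) * 4


def check_ec_point(hex_value):
    """Summarise one CKA_EC_POINT hex string: encoding layers, curve check, sizes."""
    der = bytes.fromhex(hex_value)
    info = parse_ec_point(der)
    canon = canonical_ec_point(info["raw"])
    return {
        "wraps": info["wraps"],
        "conforming": info["wraps"] == 1,
        "on_curve": on_curve_p256(info["x"], info["y"]),
        "reported_bits": pkcs11_tool_bits(len(der)),
        "canonical_bits": pkcs11_tool_bits(len(canon)),
        "canonical_hex": canon.hex(),
    }


if __name__ == "__main__":
    for key, value in check_ec_point(EC_POINT_HEX).items():
        print("%-15s %s" % (key, value))
```

Run it as a script against the constant, or call check_ec_point() on a CKA_EC_POINT hex dumped from any other token: a wraps value above 1, or on_curve coming back False, is what to look for in the attribute itself before blaming the engine or the OpenSSL side.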