From: mike t. <mi...@se...> - 2015-04-24 16:20:58

Hi,
I am having some challenges successfully compiling/using the pkcs11_engine on Windows and was hoping someone could point me in the right direction.....

I setup a cygwin environment on Windows 7 64bit. I have the latest OpenSC installed, and built and installed libP11 from the github repo. I then built the dll

export set LIBS='-lp11'
export set LDFLAGS='-L/usr/local/lib/'
./bootstrap
./configure
make
make install

$ ls -l ~/work/engine_pkcs11/src/.libs
total 215
-rw-r--r-- 1 mdtancsa None     20 Apr 24 11:07 engine_pkcs11.def
-rwxr-xr-x 1 mdtancsa None 128513 Apr 24 11:07 engine_pkcs11.dll
-rw-r--r-- 1 mdtancsa None   2036 Apr 24 11:07 engine_pkcs11.dll.a
-rw-r--r-- 1 mdtancsa None     28 Apr 24 11:07 engine_pkcs11.dll.def
lrwxrwxrwx 1 mdtancsa None     19 Apr 24 11:07 engine_pkcs11.la -> ../engine_pkcs11.la
-rw-r--r-- 1 mdtancsa None   1003 Apr 24 11:07 engine_pkcs11.lai
-rw-r--r-- 1 mdtancsa None  52803 Apr 24 11:07 engine_pkcs11_la-engine_pkcs11.o
-rw-r--r-- 1 mdtancsa None  21561 Apr 24 11:07 engine_pkcs11_la-hw_pkcs11.o

$ file engine_pkcs11.dll
engine_pkcs11.dll: PE32+ executable (DLL) (console) x86-64, for MS Windows

Then I try and generate a key (both with the old non java etokens using the opensc-pkcs11.dll and the java etokens using the safenet dll) which seems to work. But I am not able to get the openssl portion working so I can then generate a request.

$ ./pkcs15-init.exe -E
Using reader with a card: AKS ifdh 0

$ ./pkcs15-init.exe -C -P --pin 12345 --puk 12345 -a 01 --label "mike" --so-pin 123456 --so-puk 123456 -T
2015-04-24 11:49:06.573 cannot lock memory, sensitive data may be paged to disk
2015-04-24 11:49:08.124 cannot lock memory, sensitive data may be paged to disk
2015-04-24 11:49:09.031 cannot lock memory, sensitive data may be paged to disk
Using reader with a card: AKS ifdh 0

$ ./pkcs15-init.exe -G rsa/2048 -a 01 --pin 12345 --so-pin 123456 -u sign,decrypt --id 45
2015-04-24 11:49:48.705 cannot lock memory, sensitive data may be paged to disk
2015-04-24 11:49:58.254 cannot lock memory, sensitive data may be paged to disk
2015-04-24 11:49:59.082 cannot lock memory, sensitive data may be paged to disk
2015-04-24 11:49:59.696 cannot lock memory, sensitive data may be paged to disk
Using reader with a card: AKS ifdh 0

$ ./pkcs15-tool.exe --list-keys -k -c -C
Private RSA Key [Private Key]
  Object Flags   : [0x3], private, modifiable
  Usage          : [0x2E], decrypt, sign, signRecover, unwrap
  Access Flags   : [0x1D], sensitive, alwaysSensitive, neverExtract, local
  ModLength      : 2048
  Key ref        : 16 (0x10)
  Native         : yes
  Path           : 3f005015
  Auth ID        : 01
  ID             : 45
  MD:guid        : {ce92c7be-ec89-8a73-acae-68759a047368}
    :cmap flags  : 0x0
    :sign        : 0
    :key-exchange: 0

Using reader with a card: AKS ifdh 0

$ ./pkcs11-tool.exe --pin 12345 -O --module ./opensc-pkcs11.dll
Public Key Object; RSA 2048 bits
  label:      Private Key
  ID:         45
  Usage:      encrypt, verify, wrap
Using slot 1 with a present token (0x1)

$ ./openssl.exe
OpenSSL> engine dynamic -pre SO_PATH:/usr/local/lib/engines/engine_pkcs11.dll -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/home/mdtancsa/opensc-pkcs11.dll
(dynamic) Dynamic engine loading support
[Success]: SO_PATH:/usr/local/lib/engines/engine_pkcs11.dll
[Success]: ID:pkcs11
[Success]: LIST_ADD:1
[Success]: LOAD
[Success]: MODULE_PATH:/home/mdtancsa/opensc-pkcs11.dll
Loaded: (pkcs11) pkcs11 engine
OpenSSL> req -engine pkcs11 -new -key 1:45 -keyform engine -out req.pem -text -x509 -subj "/CN=Mike Tancsa"
engine "pkcs11" set.
failed to enumerate slots
PKCS11_get_private_key returned NULL
cannot load Private Key from engine
2283136:error:80002003:PKCS11 library:PKCS11_enum_slots:Invalid slot ID:p11_slot.c:314:
2283136:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:eng_pkey.c:124:
unable to load Private Key
error in req
OpenSSL>

Trying with the SafeNet DLL gives the same / similar problem

$ ./pkcs11-tool.exe --module ./eTPKCS11.dll -l --pin 12345 --keypairgen --key-type rsa:2048 --id 45
Key pair generated:
Private Key Object; RSA
  label:
  ID:         45
  Usage:      decrypt, sign, unwrap
Public Key Object; RSA 2048 bits
  label:
  ID:         45
  Usage:      encrypt, verify, wrap
Using slot 2 with a present token (0x2)

Trying with slot 2
OpenSSL> req -engine pkcs11 -new -key 2:45 -keyform engine -out cert.pem -text -x509 -days 3640 -subj "/CN=Mike Tancsa"
engine "pkcs11" set.
failed to enumerate slots
PKCS11_get_private_key returned NULL
cannot load Private Key from engine
2283136:error:80002003:PKCS11 library:PKCS11_enum_slots:Invalid slot ID:p11_slot.c:314:
2283136:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:eng_pkey.c:124:
unable to load Private Key
error in req
OpenSSL> q

And just specifying the key also fails

OpenSSL> engine dynamic -pre SO_PATH:/usr/local/lib/engines/engine_pkcs11.dll -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/home/mdtancsa/eTPKCS11.dll
(dynamic) Dynamic engine loading support
[Success]: SO_PATH:/usr/local/lib/engines/engine_pkcs11.dll
[Success]: ID:pkcs11
[Success]: LIST_ADD:1
[Success]: LOAD
[Success]: MODULE_PATH:/home/mdtancsa/eTPKCS11.dll
Loaded: (pkcs11) pkcs11 engine
OpenSSL> req -engine pkcs11 -new -key 45 -keyform engine -out cert.pem -text -x509 -days 3640 -subj "/CN=Mike Tancsa"
engine "pkcs11" set.
failed to enumerate slots
PKCS11_get_private_key returned NULL
cannot load Private Key from engine
2283136:error:80002003:PKCS11 library:PKCS11_enum_slots:Invalid slot ID:p11_slot.c:314:
2283136:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:eng_pkey.c:124:
unable to load Private Key
error in req

---Mike
From: Douglas E E. <dee...@gm...> - 2015-04-24 18:07:23

On 4/24/2015 11:20 AM, mike tancsa wrote:
> Hi,
> I am having some challenges successfully compiling/using the
> pkcs11_engine on Windows and was hoping someone could point me in the
> right direction.....
>
> I setup a cygwin environment on Windows 7 64bit. I have the latest
> OpenSC installed, and built and installed libP11 from the github repo. I
> then built the dll
> export set LIBS='-lp11'
> export set LDFLAGS='-L/usr/local/lib/'
> ./bootstrap
> ./configure
> make
> make install
>
> $ ls -l ~/work/engine_pkcs11/src/.libs
> total 215
> -rw-r--r-- 1 mdtancsa None     20 Apr 24 11:07 engine_pkcs11.def
> -rwxr-xr-x 1 mdtancsa None 128513 Apr 24 11:07 engine_pkcs11.dll
> -rw-r--r-- 1 mdtancsa None   2036 Apr 24 11:07 engine_pkcs11.dll.a
> -rw-r--r-- 1 mdtancsa None     28 Apr 24 11:07 engine_pkcs11.dll.def
> lrwxrwxrwx 1 mdtancsa None     19 Apr 24 11:07 engine_pkcs11.la -> ../engine_pkcs11.la
> -rw-r--r-- 1 mdtancsa None   1003 Apr 24 11:07 engine_pkcs11.lai
> -rw-r--r-- 1 mdtancsa None  52803 Apr 24 11:07 engine_pkcs11_la-engine_pkcs11.o
> -rw-r--r-- 1 mdtancsa None  21561 Apr 24 11:07 engine_pkcs11_la-hw_pkcs11.o
>
> $ file engine_pkcs11.dll
> engine_pkcs11.dll: PE32+ executable (DLL) (console) x86-64, for MS Windows
>
> Then I try and generate a key (both with the old non java etokens using
> the opensc-pkcs11.dll and the java etokens using the safenet dll) which
> seems to work. But I am not able to get the openssl portion working so
> I can then generate a request.
>
> $ ./pkcs15-init.exe -E
> Using reader with a card: AKS ifdh 0
>
> $ ./pkcs15-init.exe -C -P --pin 12345 --puk 12345 -a 01 --label "mike" --so-pin 123456 --so-puk 123456 -T
> 2015-04-24 11:49:06.573 cannot lock memory, sensitive data may be paged to disk
> 2015-04-24 11:49:08.124 cannot lock memory, sensitive data may be paged to disk
> 2015-04-24 11:49:09.031 cannot lock memory, sensitive data may be paged to disk
> Using reader with a card: AKS ifdh 0
>
> $ ./pkcs15-init.exe -G rsa/2048 -a 01 --pin 12345 --so-pin 123456 -u sign,decrypt --id 45
> 2015-04-24 11:49:48.705 cannot lock memory, sensitive data may be paged to disk
> 2015-04-24 11:49:58.254 cannot lock memory, sensitive data may be paged to disk
> 2015-04-24 11:49:59.082 cannot lock memory, sensitive data may be paged to disk
> 2015-04-24 11:49:59.696 cannot lock memory, sensitive data may be paged to disk
> Using reader with a card: AKS ifdh 0
>
> $ ./pkcs15-tool.exe --list-keys -k -c -C
> Private RSA Key [Private Key]
>   Object Flags   : [0x3], private, modifiable
>   Usage          : [0x2E], decrypt, sign, signRecover, unwrap
>   Access Flags   : [0x1D], sensitive, alwaysSensitive, neverExtract, local
>   ModLength      : 2048
>   Key ref        : 16 (0x10)
>   Native         : yes
>   Path           : 3f005015
>   Auth ID        : 01
>   ID             : 45
>   MD:guid        : {ce92c7be-ec89-8a73-acae-68759a047368}
>     :cmap flags  : 0x0
>     :sign        : 0
>     :key-exchange: 0
>
> Using reader with a card: AKS ifdh 0
>
> $ ./pkcs11-tool.exe --pin 12345 -O --module ./opensc-pkcs11.dll
> Public Key Object; RSA 2048 bits
>   label:      Private Key
>   ID:         45
>   Usage:      encrypt, verify, wrap
> Using slot 1 with a present token (0x1)
>
> $ ./openssl.exe
> OpenSSL> engine dynamic -pre SO_PATH:/usr/local/lib/engines/engine_pkcs11.dll -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/home/mdtancsa/opensc-pkcs11.dll
> (dynamic) Dynamic engine loading support
> [Success]: SO_PATH:/usr/local/lib/engines/engine_pkcs11.dll
> [Success]: ID:pkcs11
> [Success]: LIST_ADD:1
> [Success]: LOAD
> [Success]: MODULE_PATH:/home/mdtancsa/opensc-pkcs11.dll
> Loaded: (pkcs11) pkcs11 engine
> OpenSSL> req -engine pkcs11 -new -key 1:45 -keyform engine -out req.pem -text -x509 -subj "/CN=Mike Tancsa"
> engine "pkcs11" set.
> failed to enumerate slots
> PKCS11_get_private_key returned NULL
> cannot load Private Key from engine
> 2283136:error:80002003:PKCS11 library:PKCS11_enum_slots:Invalid slot ID:p11_slot.c:314:
> 2283136:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:eng_pkey.c:124:
> unable to load Private Key
> error in req
> OpenSSL>
>
> Trying with the SafeNet DLL gives the same / similar problem
>
> $ ./pkcs11-tool.exe --module ./eTPKCS11.dll -l --pin 12345 --keypairgen --key-type rsa:2048 --id 45
> Key pair generated:
> Private Key Object; RSA
>   label:
>   ID:         45
>   Usage:      decrypt, sign, unwrap
> Public Key Object; RSA 2048 bits
>   label:
>   ID:         45
>   Usage:      encrypt, verify, wrap
> Using slot 2 with a present token (0x2)
>
> Trying with slot 2
> OpenSSL> req -engine pkcs11 -new -key 2:45 -keyform engine -out cert.pem -text -x509 -days 3640 -subj "/CN=Mike Tancsa"
> engine "pkcs11" set.
> failed to enumerate slots
> PKCS11_get_private_key returned NULL
> cannot load Private Key from engine
> 2283136:error:80002003:PKCS11 library:PKCS11_enum_slots:Invalid slot ID:p11_slot.c:314:
> 2283136:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:eng_pkey.c:124:
> unable to load Private Key
> error in req
> OpenSSL> q
>
> And just specifying the key also fails
>
> OpenSSL> engine dynamic -pre SO_PATH:/usr/local/lib/engines/engine_pkcs11.dll -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/home/mdtancsa/eTPKCS11.dll
> (dynamic) Dynamic engine loading support
> [Success]: SO_PATH:/usr/local/lib/engines/engine_pkcs11.dll
> [Success]: ID:pkcs11
> [Success]: LIST_ADD:1
> [Success]: LOAD
> [Success]: MODULE_PATH:/home/mdtancsa/eTPKCS11.dll
> Loaded: (pkcs11) pkcs11 engine
> OpenSSL> req -engine pkcs11 -new -key 45 -keyform engine -out cert.pem -text -x509 -days 3640 -subj "/CN=Mike Tancsa"
> engine "pkcs11" set.
> failed to enumerate slots
> PKCS11_get_private_key returned NULL
> cannot load Private Key from engine
> 2283136:error:80002003:PKCS11 library:PKCS11_enum_slots:Invalid slot ID:p11_slot.c:314:
> 2283136:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:eng_pkey.c:124:
> unable to load Private Key
> error in req
>
> ---Mike

First, I have not used cygwin in years...

You may need a LD_LIBRARY_PATH=
In your examples, you refer to some absolute paths like:
/home/mdtancsa/opensc-pkcs11.dll
/usr/local/lib/engines/engine_pkcs11.dll
but run from the current directory, using ./ but don't say what that directory is.

./pkcs11-tool.exe appears to have worked using ./opensc-pkcs11.dll
What directory was this?

Do you have two copies of opensc-pkcs11.dll?
one in /usr/local/lib/
and one in /home/mdtancsa/

Should you be using MODULE_PATH=/usr/local/lib/opensc-pkcs11.dll?

> ------------------------------------------------------------------------------
> One dashboard for servers and applications across Physical-Virtual-Cloud
> Widest out-of-the-box monitoring support with 50+ applications
> Performance metrics, stats and reports that give you Actionable Insights
> Deep dive visibility with transaction tracing using APM Insight.
> http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
> _______________________________________________
> Opensc-devel mailing list
> Ope...@li...
> https://lists.sourceforge.net/lists/listinfo/opensc-devel

--
Douglas E. Engert <DEE...@gm...>
From: mike t. <mi...@se...> - 2015-04-24 18:28:29

On 4/24/2015 2:01 PM, Douglas E Engert wrote:
>
> First, I have not used cygwin in years...

What is the best way to compile? Cross compile on a *nix box?

>
> You may need a LD_LIBRARY_PATH=
> In your examples, you refer to some absolute paths like:
> /home/mdtancsa/opensc-pkcs11.dll
> /usr/local/lib/engines/engine_pkcs11.dll
> but run from the current directory, using ./ but don't say what that directory is.
>
> ./pkcs11-tool.exe appears to have worked using ./opensc-pkcs11.dll
> What directory was this?

Hi,
It's in my home dir. /home/mdtancsa/

>
> Do you have two copies of opensc-pkcs11.dll?
> one in /usr/local/lib/
> and one in /home/mdtancsa/

Just in /home/mdtancsa

>
> Should you be using MODULE_PATH=/usr/local/lib/opensc-pkcs11.dll?

I haven't installed opensc inside my cygwin environment, I just copied the libs/dlls there. If I give openssl the wrong location, it messes up in a different way, so I think it's getting the right path info

---Mike
From: Douglas E E. <dee...@gm...> - 2015-04-24 22:09:29

On 4/24/2015 1:28 PM, mike tancsa wrote:
> On 4/24/2015 2:01 PM, Douglas E Engert wrote:
>>
>> First, I have not used cygwin in years...
>
> What is the best way to compile? Cross compile on a *nix box?

As far as I know, cygwin should work.

>
>>
>> You may need a LD_LIBRARY_PATH=
>> In your examples, you refer to some absolute paths like:
>> /home/mdtancsa/opensc-pkcs11.dll
>> /usr/local/lib/engines/engine_pkcs11.dll
>> but run from the current directory, using ./ but don't say what that directory is.
>>
>> ./pkcs11-tool.exe appears to have worked using ./opensc-pkcs11.dll
>> What directory was this?
>
> Hi,
> It's in my home dir. /home/mdtancsa/
>
>>
>> Do you have two copies of opensc-pkcs11.dll?
>> one in /usr/local/lib/
>> and one in /home/mdtancsa/
>
> Just in /home/mdtancsa
>
>>
>> Should you be using MODULE_PATH=/usr/local/lib/opensc-pkcs11.dll?
>
> I haven't installed opensc inside my cygwin environment, I just copied the libs/dlls there. If I give openssl the wrong location, it messes up in a different way, so I think it's getting the right path
> info

What dlls do you have in the directory? Do all the dates match?

From the traces:

OpenSSL> req -engine pkcs11 -new -key 2:45 -keyform engine -out cert.pem -text -x509 -days 3640 -subj "/CN=Mike Tancsa"
engine "pkcs11" set.
failed to enumerate slots
PKCS11_get_private_key returned NULL
cannot load Private Key from engine
2283136:error:80002003:PKCS11 library:PKCS11_enum_slots:Invalid slot ID:p11_slot.c:314:
2283136:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:eng_pkey.c:124:
unable to load Private Key

p11_slot.c:314:
313         rv = CRYPTOKI_call(ctx, C_GetSlotInfo(id, &info));
314         CRYPTOKI_checkerr(PKCS11_F_PKCS11_ENUM_SLOTS, rv);

So the error message may be misleading, as it does not like the slot.

I have always used the -key format of slot_<n>-id_<n>
The code implies 1:45 should work.

Can you try: slot_1-id_45

You could also try using pkcs11-spy to see what slot is being passed to PKCS#11 C_GetSlotInfo

The following is from a unix script as an example:

# SPY, OPENSC_LIB, OPENSC_ENGINE, SSLEAY_CONFIG, ID and KEYID are set
# earlier in the script; $1 is the script's first argument (used in the
# output file name).
if [ "$SPY" -eq 0 ] ; then
    MODULE=$OPENSC_LIB/opensc-pkcs11.so
else
    # Load pkcs11-spy in place of the real module; it logs every PKCS#11
    # call to PKCS11SPY_OUTPUT and forwards it to the module in PKCS11SPY.
    MODULE=$OPENSC_LIB/pkcs11-spy.so
    PKCS11SPY=$OPENSC_LIB/opensc-pkcs11.so
    export PKCS11SPY
    PKCS11SPY_OUTPUT=/tmp/pkcs11.spy.log
    export PKCS11SPY_OUTPUT
fi

# openssl.conf has prompt = no, no need for extra blank line at end...
cat >/tmp/genreq.openssl.input << EOT
engine dynamic -vvvv -pre SO_PATH:$OPENSC_ENGINE/engines/engine_pkcs11.so -pre ID:pkcs11 -pre NO_VCHECK:1 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:$MODULE
req $SSLEAY_CONFIG -engine pkcs11 -keyform engine -sha256 -new -key slot_1-id_$ID -out cards/$1.myreq.$KEYID.pem -text
EOT

openssl < /tmp/genreq.openssl.input

>
> ---Mike

--
Douglas E. Engert <DEE...@gm...>
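The thread tries three spellings of the same key (`1:45`, `2:45`, `45`) and the reply suggests a fourth (`slot_1-id_45`). The following is an added example, not code from the thread or from engine_pkcs11/libp11: a small Python re-implementation of how the engine read the `-key` string, so the equivalences can be checked without a token. The `45`, `N:45` and `slot_N-id_45` forms are the ones that appear above; the `id_...`, `label_...` and `slot_N-label_...` forms, the treatment of an odd number of hex digits, and the modelling of "no slot given" as `None` are my recollection of the engine's parser and are assumptions. The one point the example makes concrete is that the id is hex bytes, the same convention as the `--id 45` passed to pkcs15-init and pkcs11-tool.

```python
"""Interpret engine_pkcs11-style "-key" identifiers and show which
spellings select the same slot / CKA_ID / CKA_LABEL.

Added example for the thread; not code from engine_pkcs11 or libp11.
Assumptions (my recollection, not confirmed by the thread): the
id_/label_ forms, odd-length hex handling, and slot=None fallback.
"""
import re
from dataclasses import dataclass
from typing import Optional

_HEX = re.compile(r"[0-9A-Fa-f]+")


@dataclass(frozen=True)
class KeySpec:
    slot: Optional[int]       # slot number as written on the command line; None = not given
    key_id: Optional[bytes]   # CKA_ID bytes; None = not given
    label: Optional[str]      # CKA_LABEL; None = not given

    def canonical(self) -> str:
        """Spell the spec in the slot_<n>-id_<hex> / slot_<n>-label_<x> form."""
        parts = []
        if self.slot is not None:
            parts.append(f"slot_{self.slot}")
        if self.key_id is not None:
            parts.append(f"id_{self.key_id.hex()}")
        elif self.label is not None:
            parts.append(f"label_{self.label}")
        return "-".join(parts)


def _hex_id(text: str) -> bytes:
    """CKA_ID is hex, like pkcs15-init/pkcs11-tool --id: "45" is the single
    byte 0x45, not decimal 45. Digits are paired from the left and a trailing
    lone digit becomes its own byte ("ABC" -> 0xAB 0x0C); assumption about
    the engine's hex parser."""
    if not _HEX.fullmatch(text):
        raise ValueError(f"id is not hex: {text!r}")
    pairs = [text[i:i + 2] for i in range(0, len(text), 2)]
    return bytes(int(p, 16) for p in pairs)


def parse_key_spec(spec: str) -> KeySpec:
    s = spec.strip()
    if not s:
        raise ValueError("empty key specification")

    # "45": pure hex is an id with no slot. So "1" is id 0x01, not slot 1.
    if _HEX.fullmatch(s):
        return KeySpec(None, _hex_id(s), None)

    # "1:45" (or "1:" for slot only): decimal slot, optional hex id.
    m = re.fullmatch(r"(\d+):([0-9A-Fa-f]*)", s)
    if m:
        slot, hexid = int(m.group(1)), m.group(2)
        return KeySpec(slot, _hex_id(hexid) if hexid else None, None)

    # "id_45" / "label_mike" without a slot (assumed forms).
    if s.startswith("id_"):
        return KeySpec(None, _hex_id(s[len("id_"):]), None)
    if s.startswith("label_"):
        return KeySpec(None, None, s[len("label_"):])

    # "slot_1", "slot_1-id_45", "slot_2-label_mike".
    m = re.fullmatch(r"slot_(\d+)(?:-(id_[0-9A-Fa-f]+|label_.+))?", s)
    if m:
        slot, rest = int(m.group(1)), m.group(2)
        if rest is None:
            return KeySpec(slot, None, None)
        if rest.startswith("id_"):
            return KeySpec(slot, _hex_id(rest[len("id_"):]), None)
        return KeySpec(slot, None, rest[len("label_"):])

    raise ValueError(f"format not recognized: {spec!r}")


def same_object(a: str, b: str) -> bool:
    """True when two spellings select the same slot / id / label."""
    return parse_key_spec(a) == parse_key_spec(b)


def is_valid_spec(spec: str) -> bool:
    try:
        parse_key_spec(spec)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # The spellings tried in the thread, plus the one suggested in reply.
    for spec in ("1:45", "2:45", "45", "slot_1-id_45"):
        ks = parse_key_spec(spec)
        print(f"{spec:14s} -> slot={ks.slot} id={ks.key_id!r} "
              f"label={ks.label!r}  canonical={ks.canonical()}")
```

A parser on the client side only tells you what the engine will ask for; it cannot tell you whether that slot exists on the token. For that, the pkcs11-spy route from the reply above is the right check: point MODULE_PATH at pkcs11-spy, set PKCS11SPY to the real module and PKCS11SPY_OUTPUT to a log file, and compare the slot list returned by C_GetSlotList with the slot ID handed to C_GetSlotInfo where the CKR_SLOT_ID_INVALID comes back.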