I'm trying to use Coolkey with OpenSSL via the engines interface, but I
couldn't find any documentation on how to get at the various keys and
certificates on the device. Following what I've found over on OpenSC's
engine_pkcs11 page I was able to put together this OpenSSL command:
openssl engine -t dynamic \
-pre SO_PATH:/usr/lib/openssl/engines/engine_pkcs11.so \
-pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD \
-pre MODULE_PATH:/usr/lib/pkcs11/libcoolkeypk11.so
When I run that I get this output:
(dynamic) Dynamic engine loading support
[Success]: SO_PATH:/usr/lib/openssl/engines/engine_pkcs11.so
[Success]: ID:pkcs11
[Success]: LIST_ADD:1
[Success]: LOAD
[Success]: MODULE_PATH:/usr/lib/pkcs11/libcoolkeypk11.so
Loaded: (pkcs11) pkcs11 engine
[ available ]
OpenSSL>
From there however I can't seem to access any of the certificates on my
ActivIdentity token. The engine_pkcs11 page references "-signkey
slot_0-id45" but that format doesn't seem to work. Using pkcs11-tool I
can determine that the certificate I'm interested in is in slot 1 and
is id 0001, but when I try to reference slot_1-0001 I get an fopen error
of file not found, so it's not looking on the token. Does anyone know
how I can access those certs?
fwiw, here is the pkcs11-tool output
pkcs11-tool --module /usr/lib/pkcs11/libcoolkeypk11.so -Ll -O
Available slots:
Slot 1 Activkey Sim 00 00
token label: Matt R Anderson
token manuf:
token model:
token flags: readonly, login required, PIN initialized, token initialized
serial num :
Please enter User PIN:
Private Key Object; RSA
label: CAC ID Certificate
ID: 0001
Usage: sign
warning: PKCS11 function C_GetAttributeValue(MODULUS_BITS) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)
Public Key Object; RSA 0 bits
label: CAC ID Certificate
ID: 0001
Usage: verify
Certificate Object, type = X.509 cert
label: CAC ID Certificate
ID: 0001
And I can get the public certificate out using pkcs11-tool using
pkcs11-tool --module /usr/lib/pkcs11/libcoolkeypk11.so -Llv -r --type cert --id 0001 -o foo
Available slots:
Slot 1 Activkey Sim 00 00
manufacturer: Unknown
hardware ver: 255.255
firmware ver: 0.0
flags: token present, removable device, hardware slot
token label: Matt R Anderson
token manuf:
token model:
token flags: readonly, login required, PIN initialized, token initialized
serial num :
Please enter User PIN:
After running that I have a DER formatted public certificate in the file
foo. Since my end goal is to be able to use stunnel I really need to
get OpenSSL to be able to access this certificate, but I can't seem to
do that yet. What am I missing?
-matt
_______________________________________________
Coolkey-devel mailing list
Coolkey-devel@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/coolkey-devel
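An added example, not from the post above or from the Coolkey or engine_pkcs11 projects: a small Python script that parses a `pkcs11-tool -O` listing in the layout quoted in the post and builds the key reference string engine_pkcs11 expects. Assumptions (not confirmed by the post): the libp11 engine_pkcs11 reference grammar `slot_<n>-id_<hex>` / `id_<hex>` / `label_<text>` (note the underscore after `id`, which `slot_1-0001` lacks), and that OpenSSL is told `-keyform engine`, since without it the key argument is opened as an ordinary file path, which is what an fopen error indicates.

```python
import re

# Constructed sample in the layout of the `pkcs11-tool -O` listing quoted above.
SAMPLE_LISTING = """\
Available slots:
Slot 1 Activkey Sim 00 00
  token label: Matt R Anderson
Private Key Object; RSA
  label:      CAC ID Certificate
  ID:         0001
  Usage:      sign
Public Key Object; RSA 0 bits
  label:      CAC ID Certificate
  ID:         0001
  Usage:      verify
Certificate Object, type = X.509 cert
  label:      CAC ID Certificate
  ID:         0001
"""

# Assumed engine_pkcs11 reference grammar (libp11): optional slot_<n>- prefix,
# then id_<hex> or label_<text>. "slot_1-0001" does not match it.
KEY_REF_RE = re.compile(r"^(?:slot_\d+-)?(?:id_[0-9A-Fa-f]+|label_\S.*)$")


def parse_objects(listing):
    """Return one dict (slot, kind, label, id) per object in a pkcs11-tool -O listing."""
    slot, objects = None, []
    for line in listing.splitlines():
        if m := re.match(r"Slot (\d+)", line):
            slot = int(m.group(1))  # objects that follow belong to this slot
        elif m := re.match(r"(Private Key|Public Key|Certificate) Object", line):
            objects.append({"slot": slot, "kind": m.group(1), "label": None, "id": None})
        elif objects and (m := re.match(r"\s*(label|ID):\s*(.*\S)", line)):
            objects[-1][m.group(1).lower()] = m.group(2)  # attribute of the last object
    return objects


def engine_key_ref(obj):
    """Build the slot_<n>-id_<hex> reference for a parsed object (assumed syntax)."""
    return f"slot_{obj['slot']}-id_{obj['id']}"


def is_engine_key_ref(text):
    """True if text matches the assumed engine_pkcs11 reference grammar."""
    return bool(KEY_REF_RE.match(text))


def openssl_req_argv(obj, out_file):
    """argv for a CSR signed with the token key; assumes the pkcs11 engine and
    its MODULE_PATH are configured in openssl.cnf. -keyform engine is what makes
    OpenSSL hand the reference to the engine instead of calling fopen on it."""
    return ["openssl", "req", "-engine", "pkcs11", "-keyform", "engine",
            "-key", engine_key_ref(obj), "-new", "-out", out_file]
```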