Coolkey and OpenSSL Engines

I'm trying to use Coolkey with OpenSSL via the engines interface, but I couldn't find any documentation on how to get at the various keys and certificates on the device. Following what I've found over on OpenSC's engine_pkcs11 page I was able to put together this OpenSSL command:

openssl engine -t dynamic \
 -pre SO_PATH:/usr/lib/openssl/engines/engine_pkcs11.so \
 -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD \
 -pre MODULE_PATH:/usr/lib/pkcs11/libcoolkeypk11.so

When I run that, I get this output:

(dynamic) Dynamic engine loading support
[Success]: SO_PATH:/usr/lib/openssl/engines/engine_pkcs11.so
[Success]: ID:pkcs11
[Success]: LIST_ADD:1
[Success]: LOAD
[Success]: MODULE_PATH:/usr/lib/pkcs11/libcoolkeypk11.so
Loaded: (pkcs11) pkcs11 engine
     [ available ]
OpenSSL>


From there however I can't seem to access any of the certificates on my ActivIdentity token. The engine_pkcs11 page references "-signkey slot_0-id45" but that format doesn't seem to work. Using pkcs11-tool I can determine that the certificate I'm interested in is in slot 1 and is id 0001, but when I try to reference slot_1-0001 I get an fopen error of file not found, so it's not looking on the token. Does anyone know how I can access those certs?

fwiw, here is the pkcs11-tool output

pkcs11-tool --module /usr/lib/pkcs11/libcoolkeypk11.so -Ll -O
Available slots:
Slot 1           Activkey Sim 00 00
  token label:   Matt R Anderson
  token manuf:
  token model:
token flags: readonly, login required, PIN initialized, token initialized
  serial num  :
Please enter User PIN:
Private Key Object; RSA
  label:      CAC ID Certificate
  ID:         0001
  Usage:      sign
warning: PKCS11 function C_GetAttributeValue(MODULUS_BITS) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)

Public Key Object; RSA 0 bits
  label:      CAC ID Certificate
  ID:         0001
  Usage:      verify
Certificate Object, type = X.509 cert
  label:      CAC ID Certificate
  ID:         0001

And I can get the public certificate out using pkcs11-tool using

pkcs11-tool --module /usr/lib/pkcs11/libcoolkeypk11.so -Llv -r --type cert --id 0001 -o foo
Available slots:
Slot 1           Activkey Sim 00 00
  manufacturer:  Unknown
  hardware ver:  255.255
  firmware ver:  0.0
  flags:         token present, removable device, hardware slot
  token label:   Matt R Anderson
  token manuf:
  token model:
token flags: readonly, login required, PIN initialized, token initialized
  serial num  :
Please enter User PIN:

After running that I have a DER formatted public certificate in the file foo. Since my end goal is to be able to use stunnel I really need to get OpenSSL to be able to access this certificate, but I can't seem to do that yet. What am I missing?

-matt

_______________________________________________
Coolkey-devel mailing list
Coolkey-devel@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/coolkey-devel
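Added example, not part of the post above: a small shell helper that parses the `pkcs11-tool -O` listing quoted in the post (embedded here as constructed sample text) and builds the object reference string for the engine. It assumes the `slot_<n>-id_<hex>` syntax of the engine_pkcs11 README of that era; the function names and the embedded listing are mine, not the project's.

```shell
#!/bin/sh
# Constructed from the listing in the post; with a real token, replace this
# with: pkcs11-tool --module /usr/lib/pkcs11/libcoolkeypk11.so -Ll -O
LISTING='Slot 1           Activkey Sim 00 00
Private Key Object; RSA
  label:      CAC ID Certificate
  ID:         0001
  Usage:      sign
Public Key Object; RSA 0 bits
  label:      CAC ID Certificate
  ID:         0001
  Usage:      verify
Certificate Object, type = X.509 cert
  label:      CAC ID Certificate
  ID:         0001'

# pk11_object_id TYPE LABEL -> hex ID of the first object whose header starts
# with "TYPE Object" ("Certificate", "Private Key", "Public Key") and whose
# label line equals LABEL. Prints nothing if there is no such object.
pk11_object_id() {
    printf '%s\n' "$LISTING" | awk -v type="$1" -v label="$2" '
        /^[A-Za-z ]+ Object[;,]/ {
            in_obj = (index($0, type " Object") == 1); have_label = 0; next
        }
        in_obj && /^ *label:/ { sub(/^ *label: */, ""); have_label = ($0 == label); next }
        in_obj && have_label && /^ *ID:/ { print $2; exit }
    '
}

# pk11_slot -> slot number taken from the "Slot N ..." line of the listing.
pk11_slot() {
    printf '%s\n' "$LISTING" | awk '/^Slot [0-9]+/ { print $2; exit }'
}

# engine_ref TYPE LABEL -> "slot_<n>-id_<hex>", the object reference the old
# engine_pkcs11 syntax expects (assumption from its README; newer libp11
# builds accept a PKCS#11 URI such as "pkcs11:id=%00%01" instead).
# Fails with a message on stderr when the object is not on the token.
engine_ref() {
    obj_id=$(pk11_object_id "$1" "$2")
    [ -n "$obj_id" ] || { echo "no $1 object labelled '$2'" >&2; return 1; }
    printf 'slot_%s-id_%s\n' "$(pk11_slot)" "$obj_id"
}

engine_ref Certificate "CAC ID Certificate"   # prints slot_1-id_0001
```

The same string refers to the matching private key (same ID on the token), so it can be passed where the engine expects a key or certificate identifier once the module is loaded.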
