Softhsm + engine_pkcs11 + openssl with EC keys fail.

["Paras Shah \(parashah\) via openssl-users" <openssl-users@xxxxxxxxxxx>]

I have softhsm-v2.5.0-rc1 which has ec keys imported in it. Now, when I try to use these keys from openssl CLI using the pkcs11 engine, it fails.

 

1. SoftHSM version

 

[]:~$ softhsm2-util --version

2.5.0rc1

 

2. SoftHSM token init

 

[]:~$ softhsm2-util --init-token --slot 0 --label "token 2.5.0-rc1"

=== SO PIN (4-255 characters) ===

Please enter SO PIN: ****

Please reenter SO PIN: ****

=== User PIN (4-255 characters) ===

Please enter user PIN: ****

Please reenter user PIN: ****

The token has been initialized and is reassigned to slot 928024111

 

3. ECC key in pkcs8 format

 

[]:~$ openssl pkey -in ~/tmp/secp256k1-key.pem.pkcs8 -text

-----BEGIN PRIVATE KEY-----

MIGEAgEAMBAGByqGSM49AgEGBSuBBAAKBG0wawIBAQQgYCXpIJyEAexhkvrCMGlF

A4sQItcIp6wm83WVoeOFzEyhRANCAATMfAkLtsynHRmRyYLn+uRpJUm6bOZJBQhK

N81nJv06fN6MY0nEzWG9jJsvSNlf5jW7yecbje2wWQL/JYqviFwr

-----END PRIVATE KEY-----

Private-Key: (256 bit)

priv:

    60:25:e9:20:9c:84:01:ec:61:92:fa:c2:30:69:45:

    03:8b:10:22:d7:08:a7:ac:26:f3:75:95:a1:e3:85:

    cc:4c

pub:

    04:cc:7c:09:0b:b6:cc:a7:1d:19:91:c9:82:e7:fa:

    e4:69:25:49:ba:6c:e6:49:05:08:4a:37:cd:67:26:

    fd:3a:7c:de:8c:63:49:c4:cd:61:bd:8c:9b:2f:48:

    d9:5f:e6:35:bb:c9:e7:1b:8d:ed:b0:59:02:ff:25:

    8a:af:88:5c:2b

ASN1 OID: secp256k1

 

4. Import the key into softhsm

 

[]:~$ softhsm2-util --import ~/tmp/secp256k1-key.pem.pkcs8 --label "ec key" --id 1111 --token "token 2.5.0-rc1"

Found slot 928024111 with matching token label.

=== User PIN (4-255 characters) ===

Please enter user PIN: ****

Please reenter user PIN: ****

The key pair has been imported.

 

5. Get the pkcs11 url for the private key

 

[]:~$ p11tool --login --provider=/usr/local/lib/softhsm/libsofthsm2.so --set-pin=1111 --list-all

Object 0:

                URL: pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=6a160d52b750862f;token=token%202.5.0-rc1;id=%11%11;object=ec%20key;type=private

                Type: Private key

                Label: ec key

                Flags: CKA_PRIVATE; CKA_SENSITIVE; 

                ID: 11:11

 

Object 1:

                URL: pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=6a160d52b750862f;token=token%202.5.0-rc1;id=%11%11;object=ec%20key;type=public

                Type: Public key

                Label: ec key

                ID: 11:11

 

6. Try to access key with openssl engine. 

 

[]:~$ openssl version

OpenSSL 1.1.1  11 Sep 2018

 

[]:~$ more ~/tmp/openssl.cnf 

openssl_conf = openssl_init

 

[openssl_init]

engines=engine_section

 

[engine_section]

pkcs11 = pkcs11_section

 

[pkcs11_section]

engine_id = pkcs11

dynamic_path = /Users/parashah/Downloads/libp11-0.4.9/src/.libs/pkcs11.dylib

MODULE_PATH = /usr/local/lib/softhsm/libsofthsm2.so 

init = 0

 

[]:~$ openssl pkey -in "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=6a160d52b750862f;token=token%202.5.0-rc1;id=%11%11;object=ec%20key;type=private" -inform ENGINE -engine pkcs11 -text

engine "pkcs11" set.

Enter PKCS#11 token PIN for token 2.5.0-rc1:

140736065815424:error:100C0010:elliptic curve routines:i2d_ECPrivateKey:EC lib:crypto/ec/ec_asn1.c:995:

140736065815424:error:100D6010:elliptic curve routines:eckey_priv_encode:EC lib:crypto/ec/ec_ameth.c:242:

140736065815424:error:06071092:digital envelope routines:EVP_PKEY2PKCS8:private key encode error:crypto/evp/evp_pkey.c:72:

140736065815424:error:0907E073:PEM routines:do_pk8pkey:error converting private key:crypto/pem/pem_pk8.c:73:

====

 

Please let me know if I am missing anything. Note that the same operations work fine on a RSA key.

 

 

-- 

Paras

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users