Re: Softhsm + engine_pkcs11 + openssl with EC keys fail.


 



I opened the issue https://github.com/openssl/openssl/issues/7258

Also, opened issue https://github.com/OpenSC/libp11/issues/249

and https://github.com/opendnssec/SoftHSMv2/issues/417

 

Found the root cause to be the openssl version 1.1.1 that was used to compile the engine_pkcs11 and SoftHSM.

When I recompiled with openssl-1.0.2p, it worked fine. See https://github.com/OpenSC/libp11/issues/249 for details.

 

From: "Paras Shah (parashah)" <parashah@xxxxxxxxx>
Date: Tuesday, September 18, 2018 at 10:06 AM
To: Nicola <nic.tuv@xxxxxxxxx>, "openssl-users@xxxxxxxxxxx" <openssl-users@xxxxxxxxxxx>
Subject: Re: [openssl-users] Softhsm + engine_pkcs11 + openssl with EC keys fail.

 

Sure. I will open the issue.

 

From: Nicola <nic.tuv@xxxxxxxxx>
Date: Monday, September 17, 2018 at 10:05 PM
To: "Paras Shah (parashah)" <parashah@xxxxxxxxx>, "openssl-users@xxxxxxxxxxx" <openssl-users@xxxxxxxxxxx>
Subject: Re: [openssl-users] Softhsm + engine_pkcs11 + openssl with EC keys fail.

 

Would it be possible for you to open this as an issue on Github and include there your first email and the full logs?

 

Thanks,

 

Nicola Tuveri

 

On Tue, 18 Sep 2018 at 01:15, Paras Shah (parashah) via openssl-users <openssl-users@xxxxxxxxxxx> wrote:

That is not it. It results in the same error for the EC key.

 

It is not the URL or the ID. Because for an RSA key in the softhsm with id = 3333, it works fine with a url containing id=%33%33

 

$ openssl pkey -in "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=6a160d52b750862f;token=token%202.5.0-rc1;id=%33%33;object=rsa%20key;type=private" -engine pkcs11 -inform ENGINE

engine "pkcs11" set.

Enter PKCS#11 token PIN for token 2.5.0-rc1:

-----BEGIN PRIVATE KEY-----
MIIBJwIBADANBgkqhkiG9w0BAQEFAASCAREwggENAgEAAoIBAQDD3378F1XbXJvP
WP2GtZry0u6sL3eNYktQwJfhDMz5evDG+PahVjCMszV5CZvG+Kvap40xPBJoonqi
oMAQsoLu7/fTx82aEL3TbdjXNLFnQ2KKYmfG9ymx80sLHMmdmDXpNNE+bEKJz1dp
t1Q0cVduwmqSfB8JyIE6Udz7JX7HCXaVmxoK7z4Njh3dyHsqhdqKIx0dBuK0hCaq
4zPzGP/sORA3G9ZPxxpEvF3gvE/zsXj7ifihqbqr2eIFOpB/lQqAehsgQT5/6Iq+
9pAX2LCxNkaUHYYZpMkM8Oi37jzg8PX/FnHdm9HQU2IBqYhoqo7/VsNdUDln2QHN
dGAUprcbAgMBAAE=
-----END PRIVATE KEY-----

 

Coming back to EC key, looking at the error logs emitted, it does seem to recognize it to be EC (the logs contain EC_routines) somehow but then fails.

 

On 9/17/18, 2:22 PM, "openssl-users on behalf of Richard Levitte" <openssl-users-bounces@xxxxxxxxxxx on behalf of levitte@xxxxxxxxxxx> wrote:

 

    In message <4AC69FC3-BEC7-46F6-882A-671196FC0156@xxxxxxxxxxx> on Mon, 17 Sep 2018 20:59:59 +0000, "Paras Shah (parashah)" <parashah@xxxxxxxxx> said:

   

    > 4. Import the key into softhsm

    >

    > []:~$ softhsm2-util --import ~/tmp/secp256k1-key.pem.pkcs8 --label "ec key" --id 1111 --token

    > "token 2.5.0-rc1"

   

    Ok, so here, the ID is "1111"

   

    > 5. Get the pkcs11 url for the private key

    >

    > []:~$ p11tool --login --provider=/usr/local/lib/softhsm/libsofthsm2.so --set-pin=1111 --list-all

    >

    > Object 0:

    >

    > URL:

    > pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=6a160d52b750862f;token=token%202.5.0-rc1;id=%11%11;object=ec%20key;type=private

   

    But here, the ID is "%11%11", and since those get percent decoded,

    that's actually two vertical tabs, or with C vector syntax,

    { 0x0b, 0x0b }

   

    I'm not sure what engine-pkcs11 asks of you otherwise, but one guess

    could be to change 'id=%11%11' to 'id=1111' in that URL and try again.

   

    Cheers,

    Richard

   

    --

    Richard Levitte         levitte@xxxxxxxxxxx

    OpenSSL Project         http://www.openssl.org/~levitte/

    --

    openssl-users mailing list

    To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

   

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
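The side question raised in the thread is whether the `id=%11%11` that p11tool printed matches the `--id 1111` that was passed to softhsm2-util. Under RFC 7512 a `%XX` escape in a pkcs11: URI decodes to the single byte with hex value XX, so `%11%11` is the two bytes 0x11 0x11; softhsm2-util's `--id` argument is a hex string, so `--id 1111` sets CKA_ID to those same two bytes, and the URL and the stored object do agree (the same holds for the RSA key: `--id 3333` and `id=%33%33`). Writing `id=1111` literally would instead send the four ASCII bytes 0x31 0x31 0x31 0x31 and match nothing. The following parser is an added example to make that decoding concrete; it is not code from the thread, from libp11/engine_pkcs11 or from SoftHSM. The two URIs are the ones p11tool printed on this page, the function names are mine, and the `id` attribute is the only one treated as raw bytes (everything else is decoded as text).

```python
"""Percent-decoding of PKCS#11 URI attributes (RFC 7512), applied to the two
URIs from the thread above.  Added example; helper names are this example's own."""
from urllib.parse import quote, unquote_to_bytes

# URIs exactly as p11tool printed them in the thread (EC key imported with
# `softhsm2-util --id 1111`, RSA key imported with `--id 3333`).
EC_KEY_URI = ("pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;"
              "serial=6a160d52b750862f;token=token%202.5.0-rc1;id=%11%11;"
              "object=ec%20key;type=private")
RSA_KEY_URI = ("pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;"
               "serial=6a160d52b750862f;token=token%202.5.0-rc1;id=%33%33;"
               "object=rsa%20key;type=private")


def parse_pkcs11_uri(uri: str) -> dict:
    """Split a pkcs11: URI into its attributes.

    RFC 7512: the path part is ';'-separated name=value pairs and the
    optional query part (after '?', e.g. pin-value, module-path) is
    '&'-separated.  Values are percent-encoded.  'id' carries CKA_ID,
    which is arbitrary bytes, so it is returned as bytes; every other
    attribute is returned as a str.  Query attributes are returned under
    the key 'query' so they cannot be confused with path attributes.
    """
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path, _, query = uri[len("pkcs11:"):].partition("?")

    def decode_pairs(part: str, sep: str) -> dict:
        out = {}
        for pair in filter(None, part.split(sep)):
            name, eq, value = pair.partition("=")
            if not eq:
                raise ValueError(f"malformed attribute {pair!r}")
            raw = unquote_to_bytes(value)          # %XX -> one byte, per RFC 7512
            out[name] = raw if name == "id" else raw.decode("utf-8")
        return out

    attrs = decode_pairs(path, ";")
    attrs["query"] = decode_pairs(query, "&")
    return attrs


def softhsm_id_to_bytes(hex_id: str) -> bytes:
    """softhsm2-util --id takes the CKA_ID as a hex string: '1111' -> b'\\x11\\x11'."""
    return bytes.fromhex(hex_id)


def id_matches(uri: str, softhsm_hex_id: str) -> bool:
    """True when the URI's percent-decoded id equals the CKA_ID softhsm2-util set."""
    return parse_pkcs11_uri(uri).get("id") == softhsm_id_to_bytes(softhsm_hex_id)


def pkcs11_uri_for_id(cka_id: bytes, token: str, obj: str, key_type: str = "private") -> str:
    """Build a minimal pkcs11: URI, percent-encoding the raw CKA_ID bytes.

    quote() leaves unreserved characters (letters, digits, '-._~') bare, so
    b'\\x33\\x33' becomes '33' rather than '%33%33'; both spellings decode to
    the same bytes, which is why p11tool's fully-escaped form and this one are
    interchangeable.  Spaces in the token/object labels become %20.
    """
    return (f"pkcs11:token={quote(token, safe='')};id={quote(cka_id, safe='')};"
            f"object={quote(obj, safe='')};type={key_type}")


if __name__ == "__main__":
    for label, uri, hex_id in (("EC", EC_KEY_URI, "1111"), ("RSA", RSA_KEY_URI, "3333")):
        attrs = parse_pkcs11_uri(uri)
        print(f"{label}: object={attrs['object']!r} id={attrs['id'].hex()} "
              f"matches --id {hex_id}: {id_matches(uri, hex_id)}")
    # Richard's guess of writing the id literally: four ASCII digits, not two bytes.
    print("literal id=1111 matches --id 1111:",
          id_matches(EC_KEY_URI.replace("id=%11%11", "id=1111"), "1111"))
```

Run it once with the URI a tool prints and the hex you gave `softhsm2-util --id`; if `id_matches` is True (as it is for both keys in this thread) the object lookup is not the problem, and the failure has to be elsewhere, which is where the OpenSSL 1.1.1 build difference reported at the top of the thread comes in.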
