I would like to use openssl to create CMS Advanced Electronic Signatures (CAdES).
I have the certificates on an Italian smart card that is recognized by the system after installing:
pcsclite ccid opensc
And in fact, using the proprietary sw provided by the smartcard supplier, I can successfully affix the CAdES signature.
To use openssl I installed:
libp11
and added the following lines to /usr/lib/ssl/openssl.cnf:
openssl_conf = openssl_init
[openssl_init]
engines = engine_section
[engine_section]
pkcs11 = pkcs11_section
[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib/engines-3/pkcs11.so
MODULE_PATH = /usr/lib/onepin-opensc-pkcs11.so
Then I tried to sign with the same command that worked on Ubuntu:
openssl cms -nosmimecap -md sha256 -nodetach -binary -cades \
-stream -outform DER -sign -signer $cert_pem -inkey $ID \
-keyform engine -in "$infile" -out "$outfile" -engine pkcs11
where $ID is the ID of the key read from the smartcard using pkcs11-tool,
while $cert_pem is obtained by converting the binary certificate extracted with pkcs11-tool.
Unfortunately I get the following output:
Engine "pkcs11" set.
Failed to enumerate slots
PKCS11_get_private_key returned NULL
Could not find private key of signing key from org.openssl.engine:pkcs11:01
806BDA451E730000:error:40000067:pkcs11 engine:ERR_ENG_error:invalid parameter:eng_back.c:699:
806BDA451E730000:error:13000080:engine routines:ENGINE_load_private_key:failed loading private key:crypto/engine/eng_pkey.c:79:
Thanks for any contribution towards the solution.
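A check for the engine configuration quoted in the message, as an added example that is not part of the original post: it follows the openssl_conf -> engines -> pkcs11 chain and reports whether the files named by dynamic_path and MODULE_PATH exist. The parser is a simplified stand-in for OpenSSL's own (no variable expansion or .include), the function names are hypothetical, and the sample paths are constructed temporary files.

```python
import os
import tempfile

def parse_conf(text):
    """Minimal OpenSSL-style parser -> {section: {key: value}}.
    Keys before any [section] land in "default". Simplified: no
    $variable expansion, .include or line continuation."""
    sections, current = {"default": {}}, "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def check_engine(text, engine="pkcs11"):
    """Follow openssl_conf -> engines -> <engine>, then check the files named there."""
    conf, section = parse_conf(text), "default"
    for key in ("openssl_conf", "engines", engine):
        target = conf[section].get(key)
        if target not in conf:
            return [f"[{section}] {key} does not point to an existing section"]
        section = target
    problems = []
    for key in ("dynamic_path", "MODULE_PATH"):
        path = conf[section].get(key)
        if path is None:
            problems.append(f"[{section}] is missing {key}")
        elif not os.path.isfile(path):
            problems.append(f"{key} does not exist: {path}")
    return problems

# Constructed sample: same layout as the post, with temporary stand-in paths.
SAMPLE = """openssl_conf = openssl_init
[openssl_init]
engines = engine_section
[engine_section]
pkcs11 = pkcs11_section
[pkcs11_section]
engine_id = pkcs11
dynamic_path = {engine_so}
MODULE_PATH = {module_so}
"""

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        engine_so = os.path.join(d, "pkcs11.so")
        open(engine_so, "w").close()                      # engine file present
        module_so = os.path.join(d, "missing-module.so")  # module file absent
        print(check_engine(SAMPLE.format(engine_so=engine_so, module_so=module_so)))
```

To run it against a real file, pass the contents of openssl.cnf to check_engine(); an empty list means the chain resolves and both files are present, which says nothing about whether the card itself is reachable.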