It works =). I've tested sign/verify with p-192, p-224, p-256, p-384 and p-521. No problems found.
Thank you for your attention. 2011/9/8 Douglas E. Engert <deeng...@anl.gov> > Try the attached patch. It compiles, but I have not tested it. > > > On 9/8/2011 11:48 AM, Felipe Blauth wrote: > >> I've found where the problem is coming from. It is from OpenSSL's function >> *o2i_ECPublicKey*, that is used to convert the asn1 octet string from >> PKCS#11 *CKA_EC_POINT* attribute to internal OpenSSL >> stuff. This function is called, like you said, at the file src/p11_ec.c >> from function *pkcs11_get_ec_private*(). >> >> I've used *pkcs11-spy*, and it ouputs the following when calling >> *C_GetAttributeValue* with *CKA_EC_POINT* parameter from the public key >> object: >> >> 84: C_GetAttributeValue >> [in] hSession = 0x10002 >> [in] hObject = 0x3 >> [in] pTemplate[1]: >> CKA_EC_POINT requested with 136 buffer >> [out] pTemplate[1]: >> CKA_EC_POINT [size : 0x88 (136)] >> 04818504 017C713A 5A1ECAB3 0F7B0C54 35099B53 9AC9740A ED157D70 >> 577D9AA3 >> 3BB11767 95F02C07 9683AEA0 2C32422D DC9C7C9E 3BB9952B 7D692047 >> 2F8B75D0 >> A23BB5EF CC3E01BE 240FFAFD 64A2F090 D2E8556F C108D251 4C9AD53C >> 270BE2AD >> CA829853 57D26AF3 A65806FD 82CE2011 58C02629 B8E90961 4C00887E >> DD4184C7 >> 37CE192C 2AB5ED47 >> Returned: 0 CKR_OK >> >> *ec_pointlen* variable is, therefore, set to 136 bytes. After calling >> *o2i_ECPublicKey* OpenSSL puts the following error in its stack: >> *error:10067066:elliptic curve routines:ec_GFp_simple_**oct2point:invalid >> encoding* >> >> So we have some encoding problem. By the way, why we should increment the >> pointer by 2 before calling *o2i_ECPublicKey**? *Like you did in the >> following: >> ... >> > > Because the PKCS#11 returns the point as an octet_string, but OpenSSL does > not want the octet_string > for the o2i_ECPublicKey. All my testing was done with named cureves of 256, > or 384, > and the ans1 header was always 2 bytes. The TODO comment was to come back > in fix this. > Hopfuly the patch will. > > /* PKCS#11 returns ASN1 octstring*/ >> const unsigned char * a; >> /* TODO we have asn1 octet string, need to strip off 04 len */ >> a = ec_point + 2; >> o2i_ECPublicKey(&ec, &a, ec_pointlen-2); >> ... >> >> 2011/9/7 Douglas E. Engert <deeng...@anl.gov <mailto:deeng...@anl.gov>> >> >> >> >> >> On 9/6/2011 4:53 PM, Felipe Blauth wrote: >> >> I've tested your mods and they work well =). I can sign and verify >> with most EC keys (I've tested with p-192, p-224, p-384 and p-521). However >> I cannot load public keys when using p-521 curves. It >> seems that I can load the private key and sign, but the public key >> is not loaded. >> >> I confess that I didn't look much at engine_pkcs11 source code, but >> if you could give me some appointments I can try to fix that. >> >> >> It is not clear where the error could be, it could be in the actual >> encoding of the public key, or the ASN1 decoding or in in some size >> limit. >> All the other keys are a multiple of 8 bits. The 521 is not, >> and thus the asn1 octet would need an extra byte. Look at the >> libp11 src/p11_ec.c and pkcs11_get_ec_private() and the ec_pointlen >> variable. >> >> Do you have a dump of the public key? >> >> If you are using OpenSC's PKCS#11, you could turn on the OpenSC debug, >> by adding to the opensc.conf someting like: >> debug = 7; >> debug_file = /tmp/opensc-debug.log; >> >> You could use the OpenSC pkcs11-spy.so to trace the PKCS#11 calls, >> that should show the public key being transfered. This can >> work with any PKCS#11 module including the opensc-pkcs11.so >> >> Set the environment variables: >> >> export PKCS11SPY=/path/to/your/**pkcs11__.module.so < >> http://pkcs11.module.so> >> >> export PKCS11SPY_OUTPUT=/tmp/tb.spy._**_txt >> >> >> OpenSSL error is the following, after loading the key: >> error:10067066:elliptic curve >> routines:ec_GFp_simple___**oct2point:invalid >> encoding >> >> Regards, >> >> 2011/8/13 Felipe Blauth <f...@inf.ufsc.br <mailto:f...@inf.ufsc.br> >> <mailto:f...@inf.ufsc.br <mailto:f...@inf.ufsc.br>>> >> >> >> >> Thank you, I'll check it out. >> >> 2011/8/12 Douglas E. Engert <deeng...@anl.gov <mailto: >> deeng...@anl.gov> <mailto:deeng...@anl.gov <mailto:deeng...@anl.gov>>> >> >> >> >> No it has not been incorporated because it requires an >> OpenSSL >> internal header file ecs_locl.h, thus making it impractical >> to >> compile in to any package. >> >> This is a known bug: >> >> http://rt.openssl.org/Ticket/_**_Display.html?id=2459&user=__** >> guest&pass=guest<http://rt.openssl.org/Ticket/__Display.html?id=2459&user=__guest&pass=guest>< >> http://rt.openssl.org/Ticket/**Display.html?id=2459&user=** >> guest&pass=guest<http://rt.openssl.org/Ticket/Display.html?id=2459&user=guest&pass=guest> >> > >> <http://rt.openssl.org/Ticket/**__Display.html?id=2459&user=__** >> guest&pass=guest<http://rt.openssl.org/Ticket/__Display.html?id=2459&user=__guest&pass=guest>< >> http://rt.openssl.org/Ticket/**Display.html?id=2459&user=** >> guest&pass=guest<http://rt.openssl.org/Ticket/Display.html?id=2459&user=guest&pass=guest> >> >> >> >> >> It also appeared on the OpenSSL mailing list. >> >> The patch should still work. Please try it, and you can >> also add comments to the OpenSSL bug report. >> >> >> On 8/12/2011 2:12 PM, Felipe Blauth wrote: >> > Hello. >> > >> > I've started using engine_pkcs11 to access PKCS #11 tokens from >> OpenSSL EVP_PKEY's trough "ENGINE_load_<key_type>_key" methods. It works >> very well with RSA keys, but it doesn't recognize >> ECDSA keys. >> > >> > Searching trough the web, I've found that Douglas had a patch >> for it at http://www.mail-archive.com/__**opensc-devel@lists.opensc-__** >> project.org/msg07785.html<http://www.mail-archive.com/__opensc-devel@lists.opensc-__project.org/msg07785.html> >> <http://www.mail-archive.com/**opensc-devel@lists.opensc-** >> project.org/msg07785.html<http://www.mail-archive.com/opensc-devel@lists.opensc-project.org/msg07785.html> >> >. >> > >> > Was that ever incorporated? I couldn't find in the latest >> snapshots. >> > >> > Thank you very much. >> > >> > -- >> > Felipe Menegola Blauth >> > >> > >> > >> > ______________________________**___________________ >> > opensc-devel mailing list >> > >> opensc-devel@lists.opensc-__**project.org<opensc-devel@lists.opensc-__project.org><mailto: >> opensc-devel@lists.**opensc-project.org<opensc-devel@lists.opensc-project.org>> >> <mailto:opensc-devel@lists.__o**pensc-project.org<http://opensc-project.org><mailto: >> opensc-devel@lists.**opensc-project.org<opensc-devel@lists.opensc-project.org> >> >> >> >> > http://www.opensc-project.org/**__mailman/listinfo/opensc-** >> devel <http://www.opensc-project.org/__mailman/listinfo/opensc-devel> < >> http://www.opensc-project.**org/mailman/listinfo/opensc-**devel<http://www.opensc-project.org/mailman/listinfo/opensc-devel> >> > >> >> -- >> >> Douglas E. Engert <deeng...@anl.gov <mailto: >> deeng...@anl.gov> <mailto:deeng...@anl.gov <mailto:deeng...@anl.gov>>> >> >> >> Argonne National Laboratory >> 9700 South Cass Avenue >> Argonne, Illinois 60439 >> (630) 252-5444 <tel:%28630%29%20252-5444> >> <tel:%28630%29%20252-5444> >> ______________________________**___________________ >> opensc-devel mailing list >> >> opensc-devel@lists.opensc-__**project.org<opensc-devel@lists.opensc-__project.org><mailto: >> opensc-devel@lists.**opensc-project.org<opensc-devel@lists.opensc-project.org>> >> <mailto:opensc-devel@lists.__o**pensc-project.org<http://opensc-project.org><mailto: >> opensc-devel@lists.**opensc-project.org<opensc-devel@lists.opensc-project.org> >> >> >> >> >> http://www.opensc-project.org/**__mailman/listinfo/opensc-**devel<http://www.opensc-project.org/__mailman/listinfo/opensc-devel>< >> http://www.opensc-project.**org/mailman/listinfo/opensc-**devel<http://www.opensc-project.org/mailman/listinfo/opensc-devel> >> > >> >> >> >> >> >> -- >> Felipe Menegola Blauth >> >> >> >> >> -- >> Felipe Menegola Blauth >> >> >> -- >> >> Douglas E. Engert <deeng...@anl.gov <mailto:deeng...@anl.gov>> >> Argonne National Laboratory >> 9700 South Cass Avenue >> Argonne, Illinois 60439 >> (630) 252-5444 <tel:%28630%29%20252-5444> >> >> >> >> >> -- >> Felipe Menegola Blauth >> > > -- > > Douglas E. Engert <deeng...@anl.gov> > Argonne National Laboratory > 9700 South Cass Avenue > Argonne, Illinois 60439 > (630) 252-5444 > -- Felipe Menegola Blauth
_______________________________________________ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
