Another note: is it possible that you have not yet authenticated to the token? I have seen it doing this when there is no session open with the token.
Best regards,
Bahaa Al-amood

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:openca-devel-[EMAIL PROTECTED] On Behalf Of Chris Covell
> Sent: Monday, April 11, 2005 9:01 AM
> To: openca-devel@lists.sourceforge.net
> Subject: Re: [OpenCA-Devel] Question about LunaCA3
>
> Have you generated a new key pair like I suggested? And stored the
> result as "server.key"? The error looks to me like the file is not in
> the correct format for the LunaCA3 plug in to recognise it. Which seems
> strange if you used the cautil utility to generate the key pair.
>
> Chris...
>
> Jakub Musiałek wrote:
> > Hi
> >
> > You got it right, I've a problem with openssl. Here is my output of it:
> >
> >
> > /usr/luna_ssl/bin/openssl rsa -engine LunaCA3 -in server.key -text -noout
> >
> > engine "LunaCA3" set.
> > unable to load Private Key
> > 22277:error:0D078079:asn1 encoding routines:ASN1_ITEM_EX_D2I:field missing:tasn_dec.c:391:Field=iqmp, Type=RSA
> > 22277:error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib:d2i_pr.c:96:
> > 22277:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:pem_pkey.c:122:
> >
> > Any idea what's wrong? I tried to use openssl-0.9.6, which is provided
> > by Chrysalis, and here is the output:
> >
> > /root/luna/luna_orig/usr/local/ssl/bin/openssl rsa -engine LunaCA3 -in /root/server.key -text -noout
> > engine "LunaCA3" set.
> > read RSA key
> > unable to load key
> > 22369:error:0D06B078:asn1 encoding routines:ASN1_get_object:header too long:asn1_lib.c:139:
> > 22369:error:0D080065:asn1 encoding routines:d2i_ASN1_INTEGER:bad object header:a_int.c:204:
> > 22369:error:0D09D082:asn1 encoding routines:d2i_RSAPrivateKey:parsing:d2i_r_pr.c:116:
> > 22369:error:0D09B00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib:d2i_pr.c:89:
> > 22369:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:pem_lib.c:290:
> >
> > I'm logging in to Luna by ca3util before executing all of this.
> >
> > Rastlin
> >
> > On Mon, 2005-04-11 at 09:13 +0100, [EMAIL PROTECTED] wrote:
> >
> >>Rastlin,
> >>
> >>OK, before we start, can you confirm that you have OpenSSL talking to the
> >>Luna CA3 correctly? As you (probably) know the OpenSSL does not support
> >>the Luna devices out of the box, you must patch the source code. SafeNet
> >>(ex Chrysalis) only provide a patch for OpenSSL 0.9.7 (I have got it going
> >>with OpenSSL 0.9.7e but I had to edit the patch). So have you:
> >>
> >>1. Patched the OpenSSL 0.9.7 source code with the SafeNet patch
> >>2. Installed the SafeNet tools (calogin, cautil etc.)
> >>3. Used the cautil tools to check that you have got the CA3 working
> >>(create a new key pair)
> >>4. Used OpenSSL from the command line to check that it can talk to the CA3
> >>(something like "openssl rsa -engine LunaCA3 -in /root/test/test.key -text
> >>-noout")
> >>
> >>Only when you can do all of the above can you start thinking about OpenCA.
> >>
> >>Now, OpenCA 0.9.1-7 works with the CA3, but the lowest version of the
> >>OpenCA 0.9.2 series that is Luna compatible is 0.9.2.2. Earlier versions
> >>of 0.9.2 will _not_ work.
> >>
> >>As for your issues with already created keys on the Luna, I think you will
> >>be OK as long as you have the "cakey.pem" file. This is a PEM file
> >>containing a pointer to the location of the private key on the HSM device.
> >>What I would do is use OpenCA to create a normal soft key, and then
> >>replace the cakey.pem (in ../openca/var/crypto/cakeys) file with your HSM
> >>generated pem file. This should work fine.
> >>
> >>I hope this helps.
> >>
> >>Chris...
> >>
> >>
> >>>I've such a problem. Installed openca 0.9.2
> >>>Installed openssl-0.9.7
> >>>
> >>>Configured openssl and openca. Right now when
> >>>I'm starting openca I have to log in to Luna, so
> >>>this is fine.
> >>>
> >>>Right now I have a problem, which is:
> >>>Generate new CA secret key (from openca menu) <- should I create it if
> >>>my secret key is on LunaCa3?
> >>>Anyway, I'm creating it and it is in DER format, but it couldn't be
> >>>read in any way
> >>>
> >>>/usr/luna_ssl/bin/openssl rsa -engine LunaCA3 -inform DER
> >>>-in /usr/local/pki/var/crypto/keys/cakey.pem -text
> >>>Of course I'm logged in to Luna in this session and have initialized the token.
> >>>
> >>>engine "LunaCA3" set.
> >>>unable to load Private Key
> >>>1679:error:0D094068:asn1 encoding routines:d2i_ASN1_SET:bad tag:a_set.c:179:
> >>>1679:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:939:
> >>>1679:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:304:Type=RSA
> >>>1679:error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib:d2i_pr.c:96:
> >>>
> >>>If I try to read it as PEM I'm informed that iqmp is missing.
> >>>Also, when trying to do req (from openca Administrative) I also got
> >>>an error.
> >>>First I'm executing this command from the web:
> >>>
> >>>req -new -config /usr/local/pki/etc/openssl/openssl.cnf -subj
> >>>"/C=PL/O=BLA/OU=Pixel Technology/CN=BLE/[EMAIL PROTECTED]"
> >>>-engine LunaCA3 -keyform PEM
> >>>-key /usr/local/pki/var/crypto/keys/cakey.pem
> >>>-out /usr/local/pki/var/crypto/reqs/careq.pem
> >>>
> >>>and got this error
> >>>OpenCA::OpenSSL->genReq: Cannot execute command (7777067). engine "LunaCA3" set.
> >>>unable to load Private Key
> >>>1928:error:0D078079:asn1 encoding routines:ASN1_ITEM_EX_D2I:field missing:tasn_dec.c:391:Field=iqmp, Type=RSA
> >>>1928:error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib:d2i_pr.c:96:
> >>>1928:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:pem_pkey.c:117:
> >>>error in req
> >>>
> >>>I've tried to google something without success. Waiting for help.
> >>>
> >>>Rastlin
> >>>
> >>
> >>-------------------------------------------------------
> >>SF email is sponsored by - The IT Product Guide
> >>Read honest & candid reviews on hundreds of IT Products from real users.
> >>Discover which products truly live up to the hype. Start reading now.
> >>http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
> >>_______________________________________________
> >>OpenCA-Devel mailing list
> >>OpenCA-Devel@lists.sourceforge.net
> >>https://lists.sourceforge.net/lists/listinfo/openca-devel
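
The `Field=iqmp` "field missing" error quoted in this thread is what OpenSSL's stock ASN.1 decoder reports when a key file's RSAPrivateKey SEQUENCE ends before its ninth integer. As an added example (not part of the thread, and not OpenCA or SafeNet code), this Python check lists which PKCS#1 fields a PEM file lacks; the function names and the toy sample keys are constructed here, and nothing is assumed about what a LunaCA3 key file actually contains.

```python
import base64

# PKCS#1 RSAPrivateKey field order, named as in OpenSSL's "Field=..." error text.
RSA_FIELDS = ["version", "n", "e", "d", "p", "q", "dmp1", "dmq1", "iqmp"]

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits count the length bytes that follow
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER element runs past end of data")
    return tag, pos, pos + length

def pem_to_der(pem_text):  # drop the BEGIN/END armour lines, base64-decode the rest
    body = [l for l in pem_text.strip().splitlines() if not l.startswith("-----")]
    return base64.b64decode("".join(body))

def missing_rsa_fields(der):
    """Names of the RSAPrivateKey fields the outer SEQUENCE ends before, in order."""
    tag, pos, end = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE")
    found = 0
    while pos < end and found < len(RSA_FIELDS):
        tag, _, nxt = read_tlv(der, pos)
        if tag != 0x02:  # every RSAPrivateKey field is an INTEGER
            break
        found, pos = found + 1, nxt
    return RSA_FIELDS[found:]

def sample_pem(values):
    """Constructed sample: toy integers in a SEQUENCE, not real key material."""
    tlv = lambda tag, body: bytes([tag, len(body)]) + body  # short-form length only
    ints = b"".join(tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big")) for v in values)
    b64 = base64.b64encode(tlv(0x30, ints)).decode()
    return f"-----BEGIN RSA PRIVATE KEY-----\n{b64}\n-----END RSA PRIVATE KEY-----\n"

FULL = sample_pem([0, 3233, 17, 2753, 61, 53, 53, 49, 38])
SHORT = sample_pem([0, 3233, 17, 2753, 61, 53, 53, 49])  # ends before iqmp

if __name__ == "__main__":
    print({n: missing_rsa_fields(pem_to_der(p)) for n, p in (("full", FULL), ("short", SHORT))})
```

A result of `['iqmp']` means the file holds eight of the nine PKCS#1 integers, so it is being read by the plain software RSA parser and rejected there rather than being resolved by the engine.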