Jakub,

do you have entries like this in your /usr/luna/etc/Chrystoki.conf
file?


EngineLunaCA3 = {
        LibPath=/usr/luna/lib/libcrystoki2.so;
        EngineInit=1:11:10;
}


where 1 = slot
11:10 = app id

you need those so openssl can find the token and session


best regards,
Bahaa Al-amood
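The openssl errors quoted further down ("field missing ... Field=iqmp, Type=RSA") mean the ASN.1 decoder ran out of the RSAPrivateKey SEQUENCE before it found all nine PKCS#1 INTEGERs, which is what happens when the file is an HSM key reference rather than a plain software key and the engine is not the one reading it. The following is an added example, not code from this thread or from SafeNet/OpenCA: a small PKCS#1 structure checker that names the first missing field, run on constructed toy data (the numbers are not a usable key).

```python
import base64
import re

# PKCS#1 RSAPrivateKey field order (RFC 8017, A.1.2). OpenSSL's decoder names
# the first field it cannot find, e.g. "field missing ... Field=iqmp, Type=RSA".
RSA_FIELDS = ["version", "n", "e", "d", "p", "q", "dp", "dq", "iqmp"]

def _read_tlv(buf, pos):
    """Decode one DER tag/length/value starting at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def pem_to_der(pem_text):
    """Strip the BEGIN/END armour lines and base64-decode the body."""
    body = re.sub(r"-----(BEGIN|END)[^-]*-----", "", pem_text)
    return base64.b64decode("".join(body.split()))

def check_rsa_private_key(der):
    """Return 'ok' for a complete RSAPrivateKey SEQUENCE, else name the problem."""
    if not der or der[0] != 0x30:
        return "not an ASN.1 SEQUENCE: this is not a PKCS#1 RSA key blob"
    _, seq, _ = _read_tlv(der, 0)
    pos, found = 0, 0
    while pos + 2 <= len(seq) and found < len(RSA_FIELDS):
        tag, _, pos = _read_tlv(seq, pos)
        if tag != 0x02:  # every RSAPrivateKey field is an INTEGER
            return "wrong tag 0x%02x where %s should be" % (tag, RSA_FIELDS[found])
        found += 1
    if found < len(RSA_FIELDS):
        return "field missing: %s" % RSA_FIELDS[found]
    return "ok"

def _der_int(value):
    """Encode a small non-negative integer (< 128) as a one-byte DER INTEGER."""
    return b"\x02\x01" + bytes([value])

# Constructed sample data (toy numbers, not a usable key): a complete
# RSAPrivateKey and the same blob with the trailing iqmp INTEGER cut off.
_full = b"".join(_der_int(v) for v in [0, 119, 5, 77, 7, 17, 5, 13, 5])
GOOD_DER = b"\x30" + bytes([len(_full)]) + _full
TRUNCATED_DER = b"\x30" + bytes([len(_full) - 3]) + _full[:-3]
GOOD_PEM = ("-----BEGIN RSA PRIVATE KEY-----\n"
            + base64.b64encode(GOOD_DER).decode() + "\n-----END RSA PRIVATE KEY-----\n")
```

Running check_rsa_private_key(pem_to_der(open("server.key").read())) on a real file tells you whether openssl is even looking at a software key before you start suspecting the engine or the session.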


On Tue, 2005-04-12 at 21:51 +0200, Jakub Musiałek wrote:
> Hi Bahaa
> 
> I'm doing it this way:
> - /usr/bn/enabler <- token initialization
> When the token is successfully initialized I'm going to log in to lunaca3
> 
> - /usr/luna/bin/ca3util -o -s 1 -i 10:11
> And logging into Luna
> 
> - /usr/luna/bin/ca3util -g 1024 -f server.key -s 1 -i 10:11
> And here is key generation 
> 
> - when the key is generated it has only one line of course except
> RSA BEGIN and END.
> 
> And this file couldn't be read by openssl when I'm still logged in to the
> Luna
> 
> Thanks for help and sorry for troubling you.
> 
> Rastlin
> On Mon, 2005-04-11 at 09:08 -0400, Alamood, Bahaaldin wrote:
> > Another note
> > 
> > Is it possible that you have not yet authenticated to the token, I have 
> > seen it doing this when there is no session open with the token.
> > 
> > Best regards,
> > Bahaa Al-amood
> > 
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED] [mailto:openca-devel-
> > > [EMAIL PROTECTED] On Behalf Of Chris Covell
> > > Sent: Monday, April 11, 2005 9:01 AM
> > > To: [email protected]
> > > Subject: Re: [OpenCA-Devel] Question about LunaCA3
> > > 
> > > Have you generated a new key pair like I suggested? And stored the
> > > result as "server.key"? The error looks to me like the file is not in
> > > the correct format for the LunaCA3 plug-in to recognise it. Which seems
> > > strange if you used the cautil utility to generate the key pair.
> > > 
> > > Chris...
> > > 
> > > Jakub Musiałek wrote:
> > > > Hi
> > > >
> > > > You're right, I've a problem with openssl; here is my output of it
> > > >
> > > >
> > > > /usr/luna_ssl/bin/openssl rsa -engine LunaCA3 -in server.key -text
> > > > -noout
> > > >
> > > > engine "LunaCA3" set.
> > > > unable to load Private Key
> > > > 22277:error:0D078079:asn1 encoding routines:ASN1_ITEM_EX_D2I:field
> > > > missing:tasn_dec.c:391:Field=iqmp, Type=RSA
> > > > 22277:error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1
> > > > lib:d2i_pr.c:96:
> > > > 22277:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1
> > > > lib:pem_pkey.c:122:
> > > >
> > > > Any idea what's wrong? I tried to use openssl-0.9.6 which is provided
> > > > by Chrysalis and here is the output
> > > >
> > > > /root/luna/luna_orig/usr/local/ssl/bin/openssl  rsa -engine LunaCA3
> > > > -in /root/server.key  -text -noout
> > > > engine "LunaCA3" set.
> > > > read RSA key
> > > > unable to load key
> > > > 22369:error:0D06B078:asn1 encoding routines:ASN1_get_object:header too
> > > > long:asn1_lib.c:139:
> > > > 22369:error:0D080065:asn1 encoding routines:d2i_ASN1_INTEGER:bad object
> > > > header:a_int.c:204:
> > > > 22369:error:0D09D082:asn1 encoding
> > > > routines:d2i_RSAPrivateKey:parsing:d2i_r_pr.c:116:
> > > > 22369:error:0D09B00D:asn1 encoding routines:d2i_PrivateKey:ASN1
> > > > lib:d2i_pr.c:89:
> > > > 22369:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1
> > > > lib:pem_lib.c:290:
> > > >
> > > > I'm logging in to Luna by ca3util before executing all of this.
> > > >
> > > > Rastlin
> > > >
> > > > On Mon, 2005-04-11 at 09:13 +0100, [EMAIL PROTECTED] wrote:
> > > >
> > > >>Rastlin,
> > > >>
> > > >>OK, before we start, can you confirm that you have OpenSSL talking to the
> > > >>Luna CA3 correctly. As you (probably) know OpenSSL does not support
> > > >>the Luna devices out of the box, you must patch the source code. SafeNet
> > > >>(ex Chrysalis) only provide a patch for OpenSSL 0.9.7 (I have got it going
> > > >>with OpenSSL 0.9.7e but I had to edit the patch). So have you:
> > > >>
> > > >>1. Patched the OpenSSL 0.9.7 source code with the SafeNet patch
> > > >>2. Installed the SafeNet tools (calogin, cautil etc.)
> > > >>3. Used the cautil tools to check that you have got the CA3 working
> > > >>(create a new key pair)
> > > >>4. Used OpenSSL from the command line to check that it can talk to the CA3
> > > >>(something like "openssl rsa -engine LunaCA3 -in /root/test/test.key -text
> > > >>-noout")
> > > >>
> > > >>Only when you can do all of the above can you start thinking about OpenCA.
> > > >>
> > > >>Now, OpenCA 0.9.1-7 works with the CA3, but the lowest version of the
> > > >>OpenCA 0.9.2 series that is Luna compatible is 0.9.2.2. Earlier versions
> > > >>of 0.9.2 will _not_ work.
> > > >>
> > > >>As for your issues with already created keys on the Luna, I think you will
> > > >>be OK as long as you have the "cakey.pem" file. This is a PEM file
> > > >>containing a pointer to the location of the private key on the HSM device.
> > > >>What I would do is use OpenCA to create a normal soft key, and then
> > > >>replace the cakey.pem (in ../openca/var/crypto/cakeys) file with your HSM
> > > >>generated pem file. This should work fine.
> > > >>
> > > >>I hope this helps.
> > > >>
> > > >>Chris...
> > > >>
> > > >>
> > > >>>I've such a problem. Installed openca 0.9.2
> > > >>>Installed openssl-0.9.7
> > > >>>
> > > >>>Configured openssl and openca. Right now when
> > > >>>I'm starting openca I have to log in to Luna so
> > > >>>this is fine.
> > > >>>
> > > >>>Right now I have a problem which is:
> > > >>>Generate new CA secret key (from openca menu) <- should I create it if
> > > >>>my secret key is on LunaCa3?
> > > >>>Anyway I'm creating it and it is in DER format, but couldn't be
> > > >>>read in any way
> > > >>>
> > > >>>/usr/luna_ssl/bin/openssl rsa -engine LunaCA3 -inform DER
> > > >>>-in /usr/local/pki/var/crypto/keys/cakey.pem -text
> > > >>>of course I'm logged in to Luna in this session and have initialized the token.
> > > >>>
> > > >>>engine "LunaCA3" set.
> > > >>>unable to load Private Key
> > > >>>1679:error:0D094068:asn1 encoding routines:d2i_ASN1_SET:bad
> > > >>>tag:a_set.c:179:
> > > >>>1679:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong
> > > >>>tag:tasn_dec.c:939:
> > > >>>1679:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1
> > > >>>error:tasn_dec.c:304:Type=RSA
> > > >>>1679:error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1
> > > >>>lib:d2i_pr.c:96:
> > > >>>
> > > >>>If I try to read it as a PEM I get informed that there is iqmp missing.
> > > >>>And also when trying to do req (from openca Administrative) I also got an
> > > >>>error.
> > > >>>First I'm executing this command from web
> > > >>>
> > > >>>req -new -config /usr/local/pki/etc/openssl/openssl.cnf -subj
> > > >>>"/C=PL/O=BLA/OU=Pixel Technology/CN=BLE/[EMAIL PROTECTED]"
> > > >>>-engine LunaCA3 -keyform PEM
> > > >>>-key /usr/local/pki/var/crypto/keys/cakey.pem
> > > >>>-out /usr/local/pki/var/crypto/reqs/careq.pem
> > > >>>
> > > >>>and got this error
> > > >>>OpenCA::OpenSSL->genReq: Cannot execute command (7777067). engine
> > > >>>"LunaCA3" set.
> > > >>>unable to load Private Key
> > > >>>1928:error:0D078079:asn1 encoding routines:ASN1_ITEM_EX_D2I:field
> > > >>>missing:tasn_dec.c:391:Field=iqmp, Type=RSA
> > > >>>1928:error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1
> > > >>>lib:d2i_pr.c:96:
> > > >>>1928:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1
> > > >>>lib:pem_pkey.c:117:
> > > >>>error in req
> > > >>>
> > > >>>I've tried to google something without success. Waiting for help.
> > > >>>
> > > >>>Rastlin
> > > >>>
> > > >>>
> > > >>
> > > >>
> > > >>
> > > >>-------------------------------------------------------
> > > >>SF email is sponsored by - The IT Product Guide
> > > >>Read honest & candid reviews on hundreds of IT Products from real users.
> > > >>Discover which products truly live up to the hype. Start reading now.
> > > >>http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
> > > >>_______________________________________________
> > > >>OpenCA-Devel mailing list
> > > >>[email protected]
> > > >>https://lists.sourceforge.net/lists/listinfo/openca-devel
> > > 
> > > 
> > 
> > 
> > 

Attachment: smime.p7s
Description: S/MIME cryptographic signature
