Hi Bahaa

I'm doing it this way:
- /usr/bn/enabler <- token initialization
When the token is successfully initialized, I'm going to log in to LunaCA3

- /usr/luna/bin/ca3util -o -s 1 -i 10:11
And logging in to Luna

- /usr/luna/bin/ca3util -g 1024 -f server.key -s 1 -i 10:11
And here is the key generation

- When the key is generated it has only one line, of course except
RSA BEGIN and END.

And this file couldn't be read by openssl while I'm still logged in to
the Luna

Thanks for the help and sorry for troubling you.

Rastlin

On Mon, 2005-04-11 at 09:08 -0400, Alamood, Bahaaldin wrote:
> Another note
> 
> Is it possible that you have not yet authenticated to the token, I have seen 
> it doing this when there is no session open with the token.
> 
> Best regards,
> Bahaa Al-amood
> 
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:openca-devel-
> > [EMAIL PROTECTED] On Behalf Of Chris Covell
> > Sent: Monday, April 11, 2005 9:01 AM
> > To: openca-devel@lists.sourceforge.net
> > Subject: Re: [OpenCA-Devel] Question about LunaCA3
> > 
> > Have you generated a new key pair like I suggested? And stored the
> > result as "server.key" ? The error looks to me like the file is not in
> > the correct format for the LunaCA3 plug in to recognise it. Which seems
> > strange if you used the cautil utility to generate the key pair.
> > 
> > Chris...
> > 
> > Jakub Musiałek wrote:
> > > Hi
> > >
> > > You got it right, I have a problem with openssl. Here is its output:
> > >
> > >
> > > /usr/luna_ssl/bin/openssl rsa -engine LunaCA3 -in server.key -text -noout
> > >
> > > engine "LunaCA3" set.
> > > unable to load Private Key
> > > 22277:error:0D078079:asn1 encoding routines:ASN1_ITEM_EX_D2I:field missing:tasn_dec.c:391:Field=iqmp, Type=RSA
> > > 22277:error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib:d2i_pr.c:96:
> > > 22277:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:pem_pkey.c:122:
> > >
> > > Any idea what's wrong? I tried to use openssl-0.9.6, which is provided
> > > by Chrysalis, and here is the output
> > >
> > > /root/luna/luna_orig/usr/local/ssl/bin/openssl  rsa -engine LunaCA3 -in /root/server.key  -text -noout
> > > engine "LunaCA3" set.
> > > read RSA key
> > > unable to load key
> > > 22369:error:0D06B078:asn1 encoding routines:ASN1_get_object:header too long:asn1_lib.c:139:
> > > 22369:error:0D080065:asn1 encoding routines:d2i_ASN1_INTEGER:bad object header:a_int.c:204:
> > > 22369:error:0D09D082:asn1 encoding routines:d2i_RSAPrivateKey:parsing:d2i_r_pr.c:116:
> > > 22369:error:0D09B00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib:d2i_pr.c:89:
> > > 22369:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:pem_lib.c:290:
> > >
> > > I'm logging in to Luna with ca3util before executing all of this.
> > >
> > > Rastlin
> > >
> > > On Mon, 2005-04-11 at 09:13 +0100, [EMAIL PROTECTED] wrote:
> > >
> > >>Rastlin,
> > >>
> > >>OK, before we start, can you confirm that you have OpenSSL talking to the
> > >>Luna CA3 correctly? As you (probably) know the OpenSSL does not support
> > >>the Luna devices out of the box, you must patch the source code. SafeNet
> > >>(ex Chrysalis) only provide a patch for OpenSSL 0.9.7 (I have got it going
> > >>with OpenSSL 0.9.7e but I had to edit the patch). So have you:
> > >>
> > >>1. Patched the OpenSSL 0.9.7 source code with the SafeNet patch
> > >>2. Installed the SafeNet tools (calogin, cautil etc.)
> > >>3. Used the cautil tools to check that you have got the CA3 working
> > >>(create a new key pair)
> > >>4. Used OpenSSL from the command line to check that it can talk to the CA3
> > >>(something like "openssl rsa -engine LunaCA3 -in /root/test/test.key -text -noout")
> > >>
> > >>Only when you can do all of the above can you start thinking about OpenCA.
> > >>
> > >>Now, OpenCA 0.9.1-7 works with the CA3, but the lowest version of the
> > >>OpenCA 0.9.2 series that is Luna compatible is 0.9.2.2. Earlier versions
> > >>of 0.9.2 will _not_ work.
> > >>
> > >>As for your issues with already created keys on the Luna, I think you will
> > >>be OK as long as you have the "cakey.pem" file. This is a PEM file
> > >>containing a pointer to the location of the private key on the HSM device.
> > >>What I would do is use OpenCA to create a normal soft key, and then
> > >>replace the cakey.pem (in ../openca/var/crypto/cakeys) file with your HSM
> > >>generated pem file. This should work fine.
> > >>
> > >>I hope this helps.
> > >>
> > >>Chris...
> > >>
> > >>
> > >>>I have the following problem. Installed openca 0.9.2
> > >>>Installed openssl-0.9.7
> > >>>
> > >>>Configured openssl and openca. Right now, when
> > >>>I'm starting openca I have to log in to Luna, so
> > >>>this is fine.
> > >>>
> > >>>Right now I have a problem, which is:
> > >>>Generate new CA secret key (from openca menu) <- should I create it if
> > >>>my secret key is on LunaCA3?
> > >>>Anyway, I'm creating it and it is in DER format, but it couldn't be
> > >>>read in any way
> > >>>
> > >>>/usr/luna_ssl/bin/openssl rsa -engine LunaCA3 -inform DER -in /usr/local/pki/var/crypto/keys/cakey.pem -text
> > >>>Of course I'm logged in to Luna in this session and have initialized the token.
> > >>>
> > >>>engine "LunaCA3" set.
> > >>>unable to load Private Key
> > >>>1679:error:0D094068:asn1 encoding routines:d2i_ASN1_SET:bad tag:a_set.c:179:
> > >>>1679:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:939:
> > >>>1679:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:304:Type=RSA
> > >>>1679:error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib:d2i_pr.c:96:
> > >>>
> > >>>If I try to read it as PEM, I'm informed that iqmp is missing.
> > >>>Also, when trying to do a req (from openca Administrative) I also get an
> > >>>error.
> > >>>First I'm executing this command from the web
> > >>>
> > >>>req -new -config /usr/local/pki/etc/openssl/openssl.cnf -subj
> > >>>"/C=PL/O=BLA/OU=Pixel Technology/CN=BLE/[EMAIL PROTECTED]"
> > >>>-engine LunaCA3 -keyform PEM
> > >>>-key /usr/local/pki/var/crypto/keys/cakey.pem
> > >>>-out /usr/local/pki/var/crypto/reqs/careq.pem
> > >>>
> > >>>and got this error
> > >>>OpenCA::OpenSSL->genReq: Cannot execute command (7777067). engine "LunaCA3" set.
> > >>>unable to load Private Key
> > >>>1928:error:0D078079:asn1 encoding routines:ASN1_ITEM_EX_D2I:field missing:tasn_dec.c:391:Field=iqmp, Type=RSA
> > >>>1928:error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib:d2i_pr.c:96:
> > >>>1928:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:pem_pkey.c:117:
> > >>>error in req
> > >>>
> > >>>I've tried to google something without success. Waiting for help.
> > >>>
> > >>>Rastlin
> > >>>
> > >>>
> > >>
> > >>
> > >>
> > >>-------------------------------------------------------
> > >>SF email is sponsored by - The IT Product Guide
> > >>Read honest & candid reviews on hundreds of IT Products from real users.
> > >>Discover which products truly live up to the hype. Start reading now.
> > >>http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
> > >>_______________________________________________
> > >>OpenCA-Devel mailing list
> > >>OpenCA-Devel@lists.sourceforge.net
> > >>https://lists.sourceforge.net/lists/listinfo/openca-devel

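The `Field=iqmp, Type=RSA` error quoted in this thread names the last of the nine INTEGERs in a PKCS#1 RSAPrivateKey. The following is an added example, not part of the original messages: a Python check that lists which of those fields a PEM body actually contains. The function names and the toy key values are constructed for illustration.

```python
import base64

# RSAPrivateKey is a SEQUENCE of nine INTEGERs, listed here with OpenSSL's names.
RSA_FIELDS = ["version", "n", "e", "d", "p", "q", "dmp1", "dmq1", "iqmp"]

def read_tlv(buf, pos):
    """Decode one DER element at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated element header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                 # long form: low bits count the length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past end of data")
    return tag, buf[pos:pos + length], pos + length

def missing_rsa_fields(pem_text):
    """Return the RSAPrivateKey fields absent from a PEM body, in order."""
    lines = (l.strip() for l in pem_text.splitlines())
    body = "".join(l for l in lines if l and not l.startswith("-----"))
    der = base64.b64decode(body)
    tag, seq, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE")
    count, pos = 0, 0
    while pos < len(seq):
        tag, _, pos = read_tlv(seq, pos)
        if tag != 0x02:
            raise ValueError("element %d is not an INTEGER" % count)
        count += 1
    return RSA_FIELDS[count:]

def sample_pem(values):
    """Build a constructed 'RSA PRIVATE KEY' PEM from small integers (demo only)."""
    ints = b"".join(bytes([0x02, v.bit_length() // 8 + 1])
                    + v.to_bytes(v.bit_length() // 8 + 1, "big") for v in values)
    b64 = base64.b64encode(bytes([0x30, len(ints)]) + ints).decode()
    return "-----BEGIN RSA PRIVATE KEY-----\n%s\n-----END RSA PRIVATE KEY-----\n" % b64

# Constructed toy key (p=61, q=53); far too small for real use.
TOY_KEY = [0, 3233, 17, 2753, 61, 53, 53, 49, 38]
if __name__ == "__main__":
    print(missing_rsa_fields(sample_pem(TOY_KEY)))       # complete key
    print(missing_rsa_fields(sample_pem(TOY_KEY[:8])))   # last field dropped
```

A non-empty result means the file does not hold a complete software RSA key, so a decoder that expects one stops at the first absent field.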