On 9/16/2011 2:48 PM, Mike Tancsa wrote:
>
> Not sure if it's related to the fact that I cannot use the openssl
> pkcs11_engine ?
>
> OpenSSL> req -engine pkcs11 -new -key id_45 -keyform engine -out req.pem
> -subj "/C=CA/ST=ON/L=Hespeler/O=Sentex
> Communications/OU=support/CN=mdtancsa-cage64/[email protected]"
> engine "pkcs11" set.
> Invalid slot number: 0
> PKCS11_get_private_key returned NULL
> cannot load Private Key from engine
> 80187:error:26096080:engine routines:ENGINE_load_private_key:failed
> loading private
> key:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/engine/eng_pkey.c:126:
> unable to load Private Key
> error in req
> OpenSSL>
A little closer. At least it's prompting me for the PIN now. With the verbose
flag set in the engine, I get
0(cage2)# openssl
OpenSSL> engine -t dynamic -pre SO_PATH:/usr/local/lib/engines/engine_pkcs11.so
-pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre
MODULE_PATH:/usr/local/lib/opensc-pkcs11.so
(dynamic) Dynamic engine loading support
[Success]: SO_PATH:/usr/local/lib/engines/engine_pkcs11.so
[Success]: ID:pkcs11
[Success]: LIST_ADD:1
[Success]: LOAD
[Success]: MODULE_PATH:/usr/local/lib/opensc-pkcs11.so
Loaded: (pkcs11) pkcs11 engine
initializing engine
[ available ]
OpenSSL> req -engine pkcs11 -new -key slot_1-id_45 -keyform engine -out req.pem
-subj "/CN=mdtancsa-cage64"
initializing engine
engine "pkcs11" set.
Looking in slot 1 for key: 45
Found 3 slots
[18446744073709551615] Virtual hotplug slot no tok
[1] Aladdin eToken PRO 64k login (mdtancsa-cage64
(mdtancsa-cage64)
[5] OpenCT reader (detached) no tok
Found slot: Aladdin eToken PRO 64k
Found token: mdtancsa-cage64 (mdtancsa-cage64
Found 0 certificate:
PKCS#11 token PIN:
Found 1 key:
1 P Private Key
88558:error:8000A005:PKCS11 library:PKCS11_rsa_sign:General Error:p11_ops.c:131:
88558:error:0D0C3006:asn1 encoding routines:ASN1_item_sign:EVP
lib:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/asn1/a_sign.c:281:
error in req
OpenSSL>
The key generated with 12.2 looks like
Private RSA Key [Private Key]
Object Flags : [0x3], private, modifiable
Usage : [0x2E], decrypt, sign, signRecover, unwrap
Access Flags : [0x1D], sensitive, alwaysSensitive, neverExtract, local
ModLength : 2048
Key ref : 16 (0x10)
Native : yes
Path : 3f005015ffff
Auth ID : 01
ID : 45
Public RSA Key [Private Key]
Object Flags : [0x2], modifiable
Usage : [0xD1], encrypt, wrap, verify, verifyRecover
Access Flags : [0x0]
ModLength : 2048
Key ref : 0
Native : no
Path : 3f0050153003
ID : 45
PIN [Security Officer PIN]
Object Flags : [0x3], private, modifiable
ID : ff
Flags : [0xB2], local, initialized, needs-padding, soPin
Length : min_len:6, max_len:8, stored_len:8
Pad char : 0x00
Reference : 1
Type : ascii-numeric
Path : 3f005015
PIN [mdtancsa-cage64]
Object Flags : [0x3], private, modifiable
ID : 01
Flags : [0x32], local, initialized, needs-padding
Length : min_len:4, max_len:8, stored_len:8
Pad char : 0x00
Reference : 3
Type : ascii-numeric
Path : 3f005015
whereas generated with 11.8,
Using reader with a card: Aladdin eToken PRO 64k
Private RSA Key [Private Key]
Com. Flags : 3
Usage : [0x22], decrypt, unwrap
Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local
ModLength : 2048
Key ref : 16
Native : yes
Path : 3f005015
Auth ID : 01
ID : 45
Private RSA Key [Private Key]
Com. Flags : 3
Usage : [0x20C], sign, signRecover, nonRepudiation
Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local
ModLength : 2048
Key ref : 17
Native : yes
Path : 3f005015
Auth ID : 01
ID : 45
Public RSA Key [Public Key]
Com. Flags : 2
Usage : [0x4], sign
Access Flags: [0x0]
ModLength : 2048
Key ref : 0
Native : no
Path : 3f0050153048
Auth ID :
ID : 45
PIN [Security Officer PIN]
Com. Flags: 0x3
ID : ff
Flags : [0xB2], local, initialized, needs-padding, soPin
Length : min_len:6, max_len:8, stored_len:8
Pad char : 0x00
Reference : 1
Type : ascii-numeric
Path : 3f005015
PIN [mdtancsa-cage64]
Com. Flags: 0x3
ID : 01
Flags : [0x32], local, initialized, needs-padding
Length : min_len:4, max_len:8, stored_len:8
Pad char : 0x00
Reference : 3
Type : ascii-numeric
Path : 3f005015
---Mike
--
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, [email protected]
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/
_______________________________________________
opensc-devel mailing list
[email protected]
http://www.opensc-project.org/mailman/listinfo/opensc-devel
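The two dumps above differ in how the ID 45 key is laid out: the 11.8 card has a separate sign-only private key object (key ref 17, usage [0x20C]) next to a decrypt/unwrap key, while the 12.2 card has a single private key object carrying decrypt and sign usage together ([0x2E]). The following is an added example, not code from the post or from OpenSC: it parses pkcs15-tool style listings, re-decodes each Usage / Access Flags mask against the names printed beside it, and lists which private key objects with a given ID actually carry the "sign" usage. The bit order assumed is that of the PKCS#15 KeyUsageFlags / KeyAccessFlags BIT STRINGs with the names pkcs15-tool prints; the sample dumps are trimmed, constructed copies of the two listings in the post. It does not diagnose the PKCS11_rsa_sign error itself, but it is a quick check that the object an engine selects by ID is sign-capable before a CSR is attempted.

```python
import re

# Bit order of the PKCS#15 KeyUsageFlags and KeyAccessFlags BIT STRINGs,
# using the names pkcs15-tool prints for each bit (bit 0 is the first entry).
# Assumption of this example, checked against the masks in the post.
USAGE_BITS = ["encrypt", "decrypt", "sign", "signRecover", "wrap", "unwrap",
              "verify", "verifyRecover", "derive", "nonRepudiation"]
ACCESS_BITS = ["sensitive", "extract", "alwaysSensitive", "neverExtract", "local"]

# Constructed sample input: key objects from the two dumps in the post,
# trimmed to the fields this parser uses (PIN objects omitted).
DUMP_12_2 = """\
Private RSA Key [Private Key]
Object Flags : [0x3], private, modifiable
Usage : [0x2E], decrypt, sign, signRecover, unwrap
Access Flags : [0x1D], sensitive, alwaysSensitive, neverExtract, local
Key ref : 16 (0x10)
ID : 45
Public RSA Key [Private Key]
Object Flags : [0x2], modifiable
Usage : [0xD1], encrypt, wrap, verify, verifyRecover
Access Flags : [0x0]
Key ref : 0
ID : 45
"""

DUMP_11_8 = """\
Using reader with a card: Aladdin eToken PRO 64k
Private RSA Key [Private Key]
Com. Flags : 3
Usage : [0x22], decrypt, unwrap
Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local
Key ref : 16
ID : 45
Private RSA Key [Private Key]
Com. Flags : 3
Usage : [0x20C], sign, signRecover, nonRepudiation
Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local
Key ref : 17
ID : 45
"""

OBJECT_RE = re.compile(r"^(Private RSA Key|Public RSA Key|PIN)\s*\[(.*)\]$")
FIELD_RE = re.compile(r"^([A-Za-z. ]+?)\s*:\s*(.*)$")
MASK_RE = re.compile(r"\[?(0x[0-9A-Fa-f]+)\]?")


def decode_flags(mask, names):
    """Return the names of the bits set in mask, lowest bit first."""
    return [name for bit, name in enumerate(names) if mask & (1 << bit)]


def parse_dump(text):
    """Split a pkcs15-tool style listing into one dict per object."""
    objects, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = OBJECT_RE.match(line)
        if m:
            current = {"type": m.group(1), "label": m.group(2)}
            objects.append(current)
            continue
        m = FIELD_RE.match(line)
        if current is not None and m:  # lines before the first object are skipped
            current[m.group(1).strip()] = m.group(2).strip()
    return objects


def field_mask(obj, field):
    """Parse the leading [0x..] mask of a field, or None when absent."""
    m = MASK_RE.match(obj.get(field, ""))
    return int(m.group(1), 16) if m else None


def field_names(obj, field):
    """The names pkcs15-tool printed after the mask, e.g. 'decrypt, unwrap'."""
    raw = obj.get(field, "")
    if "]," not in raw:
        return []
    return [s.strip() for s in raw.split("],", 1)[1].split(",")]


def check_dump(text):
    """Re-decode every Usage / Access Flags mask and return the fields whose
    printed names disagree with the bits; an empty list means consistent."""
    mismatches = []
    for obj in parse_dump(text):
        for field, names in (("Usage", USAGE_BITS), ("Access Flags", ACCESS_BITS)):
            mask = field_mask(obj, field)
            if mask is not None and decode_flags(mask, names) != field_names(obj, field):
                mismatches.append((obj["type"], obj["label"], field, obj[field]))
    return mismatches


def sign_capable_private_keys(text, key_id):
    """Return (key ref, usage names) for each private key with ID key_id whose
    usage mask includes 'sign'; signing a CSR needs one of these objects."""
    found = []
    for obj in parse_dump(text):
        if obj["type"] != "Private RSA Key" or obj.get("ID") != key_id:
            continue
        usage = decode_flags(field_mask(obj, "Usage") or 0, USAGE_BITS)
        if "sign" in usage:
            key_ref = obj.get("Key ref", "").split()[0]  # "16 (0x10)" -> "16"
            found.append((key_ref, usage))
    return found


if __name__ == "__main__":
    for name, dump in (("12.2", DUMP_12_2), ("11.8", DUMP_11_8)):
        print(name, "mask/name mismatches:", check_dump(dump))
        print(name, "sign-capable private keys with ID 45:",
              sign_capable_private_keys(dump, "45"))
```

Run against the two dumps, the checker reports no mismatches, and the sign-capable search returns key ref 16 for the 12.2 layout and only key ref 17 for the 11.8 layout, which makes the structural difference between the two cards explicit: on 11.8 an engine that picks the first private key with ID 45 lands on a decrypt/unwrap-only object.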