[guest - Tue Dec 5 20:37:24 2006]:
> I have an Aladdin eToken, which differentiates signing and encryption
> keys. The signing and encryption operation is different in the PKCS#11
> API. They happen to work the same way with RSA, but they are different ones.
>
> Look at apps/rsautl.c:272
> case RSA_SIGN:
>     rsa_outlen = RSA_private_encrypt(rsa_inlen,
>                                      rsa_in, rsa_out, rsa, pad);
>
> At crypto/rsa/rsa.h there IS an rsa_sign function. It should be used.
>
> The above is also true for verify.
>
> $ openssl rsautl -sign -engine pkcs11 -keyform engine -inkey id_45 -in file -out file.signed
> engine "pkcs11" set.
> PKCS#11 token PIN:
> RSA operation error
> 9632:error:80009404:Vendor defined:PKCS11_rsa_encrypt:Not supported:p11_ops.c:107:
The sign and verify options of RSA are a kind of "raw sign" operation. The PKCS#11 API does support it, but some tokens do not. It is not clear if the problem in your case is the PKCS#11 ENGINE not using the relevant mechanism or the token not supporting it.

The rsa_sign and rsa_verify operations assume the token will perform the relevant DigestInfo processing, which is all some tokens will handle. That effectively limits the digests which can be used for signing to those the token handles itself. If you need to use those, then the dgst signing and verify operations should use them, but you pass the data which should be digested and not the digest value itself. In 0.9.7 and 0.9.8 that is the only command-level interface to rsa_sign/rsa_verify. In 0.9.9-dev the pkeyutil utility can be used to pass digests directly, and for any key type, not just RSA.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [EMAIL PROTECTED]
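The distinction the reply draws (rsautl -sign applies PKCS#1 v1.5 type-1 padding to whatever bytes it is handed and calls RSA_private_encrypt, whereas RSA_sign first wraps the digest in a DER DigestInfo and then does the same private-key operation) can be seen directly with textbook RSA. The following is an added example, not code from the thread or from OpenSSL: it generates a throwaway 512-bit toy key with its own Miller-Rabin routine, uses the standard DigestInfo DER prefixes for SHA-1 and SHA-256, and all function names (raw_sign, rsa_sign, gen_toy_key, and so on) are this example's own.

```python
"""Added example (not from the thread or OpenSSL): what "raw sign"
(rsautl -sign / RSA_private_encrypt with PKCS#1 padding) produces versus
RSA_sign, using textbook RSA over a small, freshly generated toy key.
The key and message are constructed here; nothing is read from a token."""
import hashlib
import random

# DER prefix of DigestInfo{AlgorithmIdentifier, OCTET STRING} for PKCS#1
# v1.5 signatures; the raw digest bytes are appended to the prefix.
DIGEST_INFO_PREFIX = {
    "sha1":   bytes.fromhex("3021300906052b0e03021a05000414"),
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
}


def is_probable_prime(n, rounds=32, rng=random):
    """Miller-Rabin primality test; adequate for a throw-away demo key."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_toy_key(bits=512, e=65537, seed=2006):
    """Textbook RSA key (n, e, d); deterministic for a given seed. Toy size,
    for illustration only (hypothetical helper, not an OpenSSL API)."""
    rng = random.Random(seed)

    def prime(b):
        while True:
            c = rng.getrandbits(b) | (1 << (b - 1)) | 1   # b bits, odd
            if c % e != 1 and is_probable_prime(c, rng=rng):
                return c

    p = prime(bits // 2)
    q = prime(bits // 2)
    while q == p:
        q = prime(bits // 2)
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return n, e, d


def pkcs1_type1_pad(data, k):
    """EM = 0x00 || 0x01 || 0xFF...0xFF || 0x00 || data (RSA_PKCS1_PADDING on
    the private-key side); needs at least 8 bytes of 0xFF, hence k - 11."""
    if len(data) > k - 11:
        raise ValueError("data too long for key size")
    return b"\x00\x01" + b"\xff" * (k - len(data) - 3) + b"\x00" + data


def pkcs1_type1_unpad(em):
    """Inverse of pkcs1_type1_pad; raises ValueError on a malformed block."""
    if em[:2] != b"\x00\x01":
        raise ValueError("bad block type")
    sep = em.index(b"\x00", 2)
    if sep < 10 or any(b != 0xFF for b in em[2:sep]):
        raise ValueError("bad padding string")
    return em[sep + 1:]


def raw_sign(data, key):
    """What `rsautl -sign` does: pad the caller's bytes as given and apply
    the private key. No DigestInfo is added; the caller's bytes are opaque."""
    n, _, d = key
    k = (n.bit_length() + 7) // 8
    em = pkcs1_type1_pad(data, k)
    return pow(int.from_bytes(em, "big"), d, n).to_bytes(k, "big")


def raw_verify(sig, key):
    """RSA_public_decrypt: recover the padded block and strip the padding."""
    n, e, _ = key
    k = (n.bit_length() + 7) // 8
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return pkcs1_type1_unpad(em)


def rsa_sign(hash_name, digest, key):
    """What RSA_sign (reached via `dgst -sign`) does: DigestInfo first, then
    the same padded private-key operation as raw_sign."""
    return raw_sign(DIGEST_INFO_PREFIX[hash_name] + digest, key)


def rsa_verify(hash_name, digest, sig, key):
    """RSA_verify: the recovered block must be exactly DigestInfo || digest."""
    try:
        return raw_verify(sig, key) == DIGEST_INFO_PREFIX[hash_name] + digest
    except ValueError:
        return False


def demo():
    """Compare the two signing paths on one constructed message."""
    key = gen_toy_key()
    msg = b"constructed sample message"
    digest = hashlib.sha256(msg).digest()
    s_sign = rsa_sign("sha256", digest, key)   # dgst -sha256 -sign path
    s_raw = raw_sign(digest, key)              # rsautl -sign of the bare digest
    return {
        "raw_of_bare_digest_differs": s_raw != s_sign,
        "rsa_verify_accepts_rsa_sign": rsa_verify("sha256", digest, s_sign, key),
        "rsa_verify_rejects_raw": not rsa_verify("sha256", digest, s_raw, key),
        "raw_verify_recovers_digest": raw_verify(s_raw, key) == digest,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

raw_sign is the operation rsautl -sign asks the ENGINE for, and it only works if the token offers a raw PKCS#1 mechanism; rsa_sign is what dgst -sign ends up requesting, where a token that insists on doing the DigestInfo step itself can still participate, at the cost of being limited to the digests it knows. The two signatures over the same SHA-256 digest differ, and neither verifies under the other's rules, which is why the choice of command-line path matters with such a token.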
