I want to add that apparently some openssl commands work OK with this token and pkcs11 engine:
$ openssl version
OpenSSL 1.0.2e 3 Dec 2015
$ openssl dgst -engine pkcs11 -keyform engine -sign "pkcs11:object=SIGN%20key;object-type=private;pin-value=123456" -sha256 -out t.sig < config.h
engine "pkcs11" set.
$ ll t.sig
-rw-r--r--  1 ur20980  MITLL\Domain Users   256 Dec 10 11:52 t.sig
$ openssl dgst -verify pub.key -keyform PEM -signature t.sig -sha256 < config.h
Verified OK
$

But I need to also be able to use “encrypt” (well, “decrypt” to be precise :) and “derive” (for ECDH key)…

Thanks!
--
Regards,
Uri Blumenthal

On 12/10/15, 10:38 , "openssl-dev on behalf of Blumenthal, Uri - 0553 - MITLL" <openssl-dev-boun...@openssl.org on behalf of u...@ll.mit.edu> wrote:

>On 12/10/15, 3:39 , "openssl-dev on behalf of Richard Levitte"
><openssl-dev-boun...@openssl.org on behalf of levi...@openssl.org> wrote:
>
>>This is an oddity with 'openssl pkeyutl'. Try this option order:
>
>I see!
>
>>LOAD_CERT_CTRL=true VERBOSE=7 openssl pkeyutl -engine pkcs11 -sign
>>-keyform engine -inkey
>>"pkcs11:object=SIGN%20key;object-type=private;pin-value=123456" -out
>>config.status.sig -in config.status.hash
>
>Much better now - but at this time I hit “unsupported algorithm”. The key
>in question is RSA-2048, with SHA256.
>
>$ LOAD_CERT_CTRL=true VERBOSE=7 openssl pkeyutl -engine pkcs11 -sign
>-keyform engine -inkey
>"pkcs11:object=SIGN%20key;object-type=private;pin-value=123456" -out
>config.status.sig -in config.status.hash
>engine "pkcs11" set.
>Error initializing context
>140735296230224:error:260C0065:engine
>routines:ENGINE_get_pkey_meth:unimplemented public key
>method:tb_pkmeth.c:128:
>140735296230224:error:0609D09C:digital envelope
>routines:INT_CTX_NEW:unsupported algorithm:pmeth_lib.c:164:
>Usage: pkeyutl [options]
>-in file        input file
>-out file       output file
>-sigfile file   signature file (verify operation only)
>-inkey file     input key
>-keyform arg    private key format - default PEM
>-pubin          input is a public key
>-certin         input is a certificate carrying a public key
>-pkeyopt X:Y    public key options
>-sign           sign with private key
>-verify         verify with public key
>-verifyrecover  verify with public key, recover original data
>-encrypt        encrypt with public key
>-decrypt        decrypt with private key
>-derive         derive shared secret
>-hexdump        hex dump output
>-engine e       use engine e, possibly a hardware device.
>-passin arg     pass phrase source
>$
>
>
>I observed exactly the same happening with the decryption key.
>
>In case it helps:
>
>$ pkcs15-tool -k
>Using reader with a card: Yubico Yubikey NEO OTP+U2F+CCID
>Private RSA Key [PIV AUTH key]
>        Object Flags   : [0x1], private
>        Usage          : [0x2E], decrypt, sign, signRecover, unwrap
>        Access Flags   : [0x1D], sensitive, alwaysSensitive, neverExtract, local
>        ModLength      : 2048
>        Key ref        : 154 (0x9A)
>        Native         : yes
>        Auth ID        : 01
>        ID             : 01
>        MD:guid        :
>0x'30316562353835613063343662663535643834323364393639623233646562370000000
>0
>00000000'
>
>
>Private RSA Key [SIGN key]
>        Object Flags   : [0x1], private
>        Usage          : [0x20E], decrypt, sign, signRecover, nonRepudiation
>        Access Flags   : [0x1D], sensitive, alwaysSensitive, neverExtract, local
>        ModLength      : 2048
>        Key ref        : 156 (0x9C)
>        Native         : yes
>        Auth ID        : 01
>        ID             : 02
>        MD:guid        :
>0x'30326562353835613063343662663535643834323364393639623233646562370000000
>0
>00000000'
>
>
>Private RSA Key [KEY MAN key]
>        Object Flags   : [0x1], private
>        Usage          : [0x22], decrypt, unwrap
>        Access Flags   : [0x1D], sensitive, alwaysSensitive, neverExtract, local
>        ModLength      : 2048
>        Key ref        : 157 (0x9D)
>        Native         : yes
>        Auth ID        : 01
>        ID             : 03
>        MD:guid        :
>0x'30336562353835613063343662663535643834323364393639623233646562370000000
>0
>00000000'
>
>
>Private RSA Key [CARD AUTH key]
>        Object Flags   : [0x0]
>        Usage          : [0xC], sign, signRecover
>        Access Flags   : [0x1D], sensitive, alwaysSensitive, neverExtract, local
>        ModLength      : 2048
>        Key ref        : 158 (0x9E)
>        Native         : yes
>        ID             : 04
>        MD:guid        :
>0x'30346562353835613063343662663535643834323364393639623233646562370000000
>0
>00000000'
>
>
>
>>The reason for this is that pkeyutl (as opposed to most other openssl
>>subcommands) tries to load the key while parsing the options, so if
>>'-keyform engine' comes after '-inkey ...', it will try to load the
>>key before having seen that it should be loaded from engine.
>>
>>I think a bugfix for this is in order...
_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev