Re: [openssl-dev] openssl pkeyutl unable to use keys on a PKCS11 token?

Blumenthal, Uri - 0553 - MITLL Thu, 10 Dec 2015 09:00:12 -0800

I want to add that apparently some openssl commands work OK with this
token and pkcs11 engine:


$ openssl version
OpenSSL 1.0.2e 3 Dec 2015
$ openssl dgst -engine pkcs11 -keyform engine -sign
"pkcs11:object=SIGN%20key;object-type=private;pin-value=123456" -sha256
-out t.sig < config.h
engine "pkcs11" set.
$ ll t.sig
-rw-r--r--  1 ur20980  MITLL\Domain Users  256 Dec 10 11:52 t.sig
$ openssl dgst -verify pub.key -keyform PEM -signature t.sig -sha256 <
config.h
Verified OK
$




But I need to also be able to use “encrypt” (well, “decrypt” to be precise
:) and “derive” (for ECDH key)…

Thanks!
-- 
Regards,
Uri Blumenthal


On 12/10/15, 10:38 , "openssl-dev on behalf of Blumenthal, Uri - 0553 -
MITLL" <openssl-dev-boun...@openssl.org on behalf of u...@ll.mit.edu> wrote:


>On 12/10/15, 3:39 , "openssl-dev on behalf of Richard Levitte"
><openssl-dev-boun...@openssl.org on behalf of levi...@openssl.org> wrote:
>
>>This is an odity with 'openssl pkeyutl'.  Try this option order:
>
>I see!
>
>>LOAD_CERT_CTRL=true VERBOSE=7 openssl pkeyutl -engine pkcs11 -sign
>>-keyform engine -inkey
>>"pkcs11:object=SIGN%20key;object-type=private;pin-value=123456" -out
>>config.status.sig -in config.status.hash
>
>Much better now - but at this time I hit “unsupported algorithm”. The key
>in question is RSA-2048, with SHA256.
>
>$ LOAD_CERT_CTRL=true VERBOSE=7 openssl pkeyutl -engine pkcs11 -sign
>-keyform engine -inkey
>"pkcs11:object=SIGN%20key;object-type=private;pin-value=123456" -out
>config.status.sig -in config.status.hash
>engine "pkcs11" set.
>Error initializing context
>140735296230224:error:260C0065:engine
>routines:ENGINE_get_pkey_meth:unimplemented public key
>method:tb_pkmeth.c:128:
>140735296230224:error:0609D09C:digital envelope
>routines:INT_CTX_NEW:unsupported algorithm:pmeth_lib.c:164:
>Usage: pkeyutl [options]
>-in file        input file
>-out file       output file
>-sigfile file signature file (verify operation only)
>-inkey file     input key
>-keyform arg    private key format - default PEM
>-pubin          input is a public key
>-certin         input is a certificate carrying a public key
>-pkeyopt X:Y    public key options
>-sign           sign with private key
>-verify         verify with public key
>-verifyrecover  verify with public key, recover original data
>-encrypt        encrypt with public key
>-decrypt        decrypt with private key
>-derive         derive shared secret
>-hexdump        hex dump output
>-engine e       use engine e, possibly a hardware device.
>-passin arg     pass phrase source
>$
>
>
>I observed exactly the same happening with the decryption key.
>
>In case it helps:
>
>$ pkcs15-tool -k
>Using reader with a card: Yubico Yubikey NEO OTP+U2F+CCID
>Private RSA Key [PIV AUTH key]
>       Object Flags   : [0x1], private
>       Usage          : [0x2E], decrypt, sign, signRecover, unwrap
>       Access Flags   : [0x1D], sensitive, alwaysSensitive, neverExtract, local
>       ModLength      : 2048
>       Key ref        : 154 (0x9A)
>       Native         : yes
>       Auth ID        : 01
>       ID             : 01
>       MD:guid        : 
>0x'30316562353835613063343662663535643834323364393639623233646562370000000
>0
>00000000'
>
>
>Private RSA Key [SIGN key]
>       Object Flags   : [0x1], private
>       Usage          : [0x20E], decrypt, sign, signRecover, nonRepudiation
>       Access Flags   : [0x1D], sensitive, alwaysSensitive, neverExtract, local
>       ModLength      : 2048
>       Key ref        : 156 (0x9C)
>       Native         : yes
>       Auth ID        : 01
>       ID             : 02
>       MD:guid        : 
>0x'30326562353835613063343662663535643834323364393639623233646562370000000
>0
>00000000'
>
>
>Private RSA Key [KEY MAN key]
>       Object Flags   : [0x1], private
>       Usage          : [0x22], decrypt, unwrap
>       Access Flags   : [0x1D], sensitive, alwaysSensitive, neverExtract, local
>       ModLength      : 2048
>       Key ref        : 157 (0x9D)
>       Native         : yes
>       Auth ID        : 01
>       ID             : 03
>       MD:guid        : 
>0x'30336562353835613063343662663535643834323364393639623233646562370000000
>0
>00000000'
>
>
>Private RSA Key [CARD AUTH key]
>       Object Flags   : [0x0]
>       Usage          : [0xC], sign, signRecover
>       Access Flags   : [0x1D], sensitive, alwaysSensitive, neverExtract, local
>       ModLength      : 2048
>       Key ref        : 158 (0x9E)
>       Native         : yes
>       ID             : 04
>       MD:guid        : 
>0x'30346562353835613063343662663535643834323364393639623233646562370000000
>0
>00000000'
>
>
>
>>The reason for this is that pkeyutl (as opposed to most other openssl
>>subcommands) tries to load the key while parsing the options, so if
>>'-keyform engine' comes after '-inkey ...', it will try to load the
>>key before having seen that it should be loaded from engine.
>>
>>I think a bugfix for this is in order...

smime.p7s
Description: S/MIME cryptographic signature

_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] openssl pkeyutl unable to use keys on a PKCS11 token?

Reply via email to