> From previous private conversations, can you comment on if this is a PIV or
> NEO with a PIV applet?
I certainly can – this is NEO with a PIV applet. But side-stepping – note that openssl dgst appeared to work fine. See my other posting to this list, and duplicated here:

$ pkcs15-tool --read-public-key 02 -o pub.key
Using reader with a card: Yubico Yubikey NEO OTP+U2F+CCID
Please enter PIN [PIV Card Holder pin]:
$ openssl dgst -engine pkcs11 -keyform engine -sign "pkcs11:object=SIGN%20key;object-type=private;pin-value=123456" -sha256 -out t.sig < config.h
engine "pkcs11" set.
$ openssl dgst -verify pub.key -keyform PEM -signature t.sig -sha256 < config.h
Verified OK

> Did you generate a key on the card using the piv-tool or NEO tool?

At this moment (test setting) the keys were generated off-card, and loaded on the token using NEO tools. For production, of course they’ll be generated on the card (except for the KEY MAN key) and certified elsewhere.

> Did you create a certificate and load it on the card? I assume not.

For production this assumption would be correct. But not for this case (testing, "feeling the water", so to say). But in any case, fully-configured certificates with all the necessary attributes (Key Usage, Extended Key Usage, etc.) have been loaded.

> There is a chicken and egg problem with the PIV. To determine if a key is on
> the card, and its attributes, the public key that was saved during the key
> generate step is needed. In normal use the public key is in the certificate,
> on the card. But if there is NO certificate on the card, as when you are
> trying to generate the certificate, the OpenSC low level routines will look
> for the public key from a file off the card.

Got it. This will be very useful once I move to “real” from “testing”.

> https://github.com/OpenSC/OpenSC/wiki/PivTool#generate-a-certificate-request
>
> shows setting of the PIV_9A_KEY = environment variable.
> In your case because you are using the "SIGN key" you would need to set
> PIV_9C_KEY=path.to.pubkey.file.der
> This should work with other programs like openssl pkeyutl too.
>
> Once the certificate is then loaded, the PIV_9X_KEY environment variable will
> not be used.

Got it. Thanks!

On 12/10/2015 9:38 AM, Blumenthal, Uri - 0553 - MITLL wrote:
> On 12/10/15, 3:39 , "openssl-dev on behalf of Richard Levitte"
> <openssl-dev-boun...@openssl.org on behalf of levi...@openssl.org> wrote:
>
>> This is an oddity with 'openssl pkeyutl'. Try this option order:
>
> I see!
>
>> LOAD_CERT_CTRL=true VERBOSE=7 openssl pkeyutl -engine pkcs11 -sign -keyform engine -inkey "pkcs11:object=SIGN%20key;object-type=private;pin-value=123456" -out config.status.sig -in config.status.hash
>
> Much better now - but at this time I hit “unsupported algorithm”. The key
> in question is RSA-2048, with SHA256.
>
> $ LOAD_CERT_CTRL=true VERBOSE=7 openssl pkeyutl -engine pkcs11 -sign -keyform engine -inkey "pkcs11:object=SIGN%20key;object-type=private;pin-value=123456" -out config.status.sig -in config.status.hash
> engine "pkcs11" set.
> Error initializing context
> 140735296230224:error:260C0065:engine routines:ENGINE_get_pkey_meth:unimplemented public key method:tb_pkmeth.c:128:
> 140735296230224:error:0609D09C:digital envelope routines:INT_CTX_NEW:unsupported algorithm:pmeth_lib.c:164:
> Usage: pkeyutl [options]
> -in file          input file
> -out file         output file
> -sigfile file     signature file (verify operation only)
> -inkey file       input key
> -keyform arg      private key format - default PEM
> -pubin            input is a public key
> -certin           input is a certificate carrying a public key
> -pkeyopt X:Y      public key options
> -sign             sign with private key
> -verify           verify with public key
> -verifyrecover    verify with public key, recover original data
> -encrypt          encrypt with public key
> -decrypt          decrypt with private key
> -derive           derive shared secret
> -hexdump          hex dump output
> -engine e         use engine e, possibly a hardware device.
> -passin arg       pass phrase source
> $
>
> I observed exactly the same happening with the decryption key.
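The sign-and-verify flow from the transcript above, as an added example that is not part of the thread: a software RSA-2048 key stands in for the NEO's "SIGN key" so it runs without a token, and it shows the option pkeyutl needs when fed a pre-computed hash such as config.status.hash (separate from the engine error quoted above). All key and file names are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): software RSA-2048 key in place of the
# NEO's SIGN key. 'openssl dgst -sign' hashes and wraps the digest itself,
# so it verifies directly. 'openssl pkeyutl -sign' over a pre-computed
# SHA-256 only builds the PKCS#1 v1.5 DigestInfo when told the digest;
# without '-pkeyopt digest:sha256' the signature does not verify with
# 'openssl dgst -verify'.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-ins for the key pair and for config.h
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/key.pem" 2>/dev/null
openssl pkey -in "$WORK/key.pem" -pubout -out "$WORK/pub.key"
printf '#define HAVE_PIV 1\n' > "$WORK/config.h"

# 1. openssl dgst -sign (the path that worked against the NEO in the thread)
sign_with_dgst() {
    openssl dgst -sha256 -sign "$WORK/key.pem" -out "$WORK/t.sig" \
        < "$WORK/config.h"
}

# 2. openssl pkeyutl -sign on a pre-computed SHA-256 of config.h;
#    $1 holds extra pkeyutl options (word-split on purpose)
sign_with_pkeyutl() {
    openssl dgst -sha256 -binary -out "$WORK/config.h.hash" < "$WORK/config.h"
    openssl pkeyutl -sign -inkey "$WORK/key.pem" -in "$WORK/config.h.hash" \
        -out "$WORK/t.sig" $1
}

# Verify exactly as in the thread; prints 0 on "Verified OK", 1 otherwise
verify_sig() {
    if openssl dgst -verify "$WORK/pub.key" -keyform PEM \
        -signature "$WORK/t.sig" -sha256 < "$WORK/config.h" >/dev/null 2>&1
    then echo 0; else echo 1; fi
}
```

Run `sign_with_pkeyutl "-pkeyopt digest:sha256"` and then `verify_sig` to see the pre-hashed path verify; the same call with no option produces a signature that `openssl dgst -verify` rejects.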
_______________________________________________ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev