I am using a RHEL system, which is not officially supported. But from what I see, there are only very minor differences. I have these:
inherit: default
PIN = <real pin>
randfile: /var/openxpki/rand
You may want to set PIN to 0001password.
I assume your environment variables YUBIHSM_PKCS11_CONF YUBIHSM_PKCS11_MODULE
are set before you start openxpki.
Good luck.
Lixin.
From: Montajab Saleh <[email protected]>
Reply-To: "[email protected]" <[email protected]>
Date: Thursday, September 28, 2023 at 2:15 PM
To: "[email protected]" <[email protected]>
Subject: Re: [OpenXPKI-users] OpenXPKI with YubiHSM2 - Unable to load module yubihsm_pkcs11
Hi Lixin,
It's a good sign.
I also tried this way, slot_0-label_rsakey, but I don't think this is the issue here; the OpenXPKI log says that for some reason it can't load the yubihsm_pkcs11.so module.
But, as you used YubiHSM2 successfully, do you think that I did the configuration correctly?
Thanks
On Thu, Sep 28, 2023 at 7:31 PM Lixin Liu <[email protected]> wrote:
I have successfully used YubiHSM2 (FIPS version). I used the label name for the
signing key:
key: "slot_0-label_<label name>"
Cheers,
Lixin.
From: Montajab Saleh <[email protected]>
Sent: Thursday, September 28, 2023 2:19 AM
To: [email protected]
Subject: [OpenXPKI-users] OpenXPKI with YubiHSM2 - Unable to load module yubihsm_pkcs11
Hello,
I'm trying to put the signer key in a secure token/HSM. I succeeded using SmartCard-HSM and Nitrokey, but not YubiHSM2 (Unable to load module yubihsm_pkcs11.so).
Following is the configuration I used: the one that worked with SmartCard-HSM and Nitrokey (same config), and the failed one with YubiHSM2, with the error log I have in OpenXPKI.
Any help / idea would be appreciated.
Thanks
=====
Debian: 10
openxpki: 3.24.1
openssl: OpenSSL 1.1.1n
### Smartcard-hsm / Nitrokey ### worked perfectly
#################################################
ca-signer:
    backend: OpenXPKI::Crypto::Backend::OpenSSL
    key: "10"
    engine: PKCS11
    engine_section: |
        engine_id = pkcs11
        dynamic_path = /usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so
        MODULE_PATH = /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
        PIN = __PIN__
        init = 0
    engine_usage: 'ALWAYS'
    key_store: ENGINE
    shell: /usr/bin/openssl
    randfile: /dev/random
    wrapper: ''
    secret: signer

secret:
    signer:
        label: SmartCard Pin
        method: literal
        value: 12345678
        cache: daemon
### YubiHSM2 ###
################
ca-signer:
    backend: OpenXPKI::Crypto::Backend::OpenSSL
    # key: slot_0-label_rsakey
    key: 0:0005
    engine: PKCS11
    engine_section: |
        engine_id = pkcs11
        # dynamic_path = /usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so
        MODULE_PATH = /usr/lib/x86_64-linux-gnu/pkcs11/yubihsm_pkcs11.so
        PIN = __PIN__
        init = 0
    engine_usage: 'ALWAYS'
    key_store: ENGINE
    shell: /usr/bin/openssl
    randfile: /dev/random
    wrapper: ''
    secret: signer

secret:
    signer:
        label: YubiHSM2 Pin
        method: literal
        value: 0001password
        cache: daemon
### environment variables ###
#############################
export YUBIHSM_PKCS11_CONF='/etc/yubihsm2/yubihsm_pkcs11.conf'
export YUBIHSM_PKCS11_MODULE='/usr/lib/x86_64-linux-gnu/pkcs11/yubihsm_pkcs11.so'
### yubihsm_pkcs11.conf ###
###########################
connector = http://127.0.0.1:12345
### /usr/lib/ssl/openssl.cnf ###
################################
...
openssl_conf = default_conf
[default_conf]
engines = engine_section
[engine_section]
pkcs11 = pkcs11_section
[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so
MODULE_PATH = /usr/lib/x86_64-linux-gnu/pkcs11/yubihsm_pkcs11.so
INIT_ARGS = connector=http://127.0.0.1:12345 debug
init = 0
...
### test dealing with YubiHSM2 ###
##################################
pkcs11-tool --module /usr/lib/x86_64-linux-gnu/pkcs11/yubihsm_pkcs11.so --login --pin 0001password --keypairgen --key-type rsa:2048 --label "my_key" --usage-sign
openssl req -new -x509 -days 365 -subj '/CN=my key/' -sha256 -engine pkcs11 -keyform engine -key slot_0-label_rsakey -out cert.pem
pkcs11-tool --module /usr/lib/x86_64-linux-gnu/pkcs11/yubihsm_pkcs11.so --login -O
All executed successfully
### openxpki error log ###
##########################
Unable to load module /usr/lib/x86_64-linux-gnu/pkcs11/yubihsm_pkcs11.so
PKCS11_get_private_key returned NULL
cannot load signing key file from engine
139887530206400:error:82065007:PKCS#11 module:pkcs11_check_token:Invalid arguments:p11_load.c:92:
139887530206400:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:../crypto/engine/eng_pkey.c:78:
unable to load signing key file
[pid=783|sid=wnxs]
2023/09/28 11:41:19 openxpki.system.ERROR I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __COMMAND__ => cms -sign -binary -nosmimecap -outform PEM -nodetach -engine pkcs11 -keyform engine -in /var/tmp/openxpki783zdpPQU49 -inkey 0:0005 -signer /var/tmp/openxpki783Nf839thW -out /var/tmp/openxpki783DXlzdsaV -passin env:pwd, __EXIT_STATUS__ => 512
[pid=783|sid=wnxs]
2023/09/28 11:41:19 openxpki.system.ERROR I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ => OpenXPKI::Crypto::Backend::OpenSSL::Command::pkcs7_sign, __ERRVAL__ => I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __COMMAND__ => cms -sign -binary -nosmimecap -outform PEM -nodetach -engine pkcs11 -keyform engine -in /var/tmp/openxpki783zdpPQU49 -inkey 0:0005 -signer /var/tmp/openxpki783Nf839thW -out /var/tmp/openxpki783DXlzdsaV -passin env:pwd, __EXIT_STATUS__ => 512
[pid=783|sid=wnxs]
--
Regards
Montajab Saleh
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
--
Regards
Montajab Saleh
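The checks this thread walks through by hand (module path, the connector line in yubihsm_pkcs11.conf, YUBIHSM_PKCS11_CONF and YUBIHSM_PKCS11_MODULE being present in the daemon's own environment, the auth-key-id-plus-password PIN, and the form of the engine_pkcs11 key identifier), collected into one preflight script. This is an added example, not code from the thread, from OpenXPKI or from Yubico. The default paths, the PIN 0001password and the key identifiers are taken from the posts and are assumptions for any other host; the /proc/<pid>/environ check assumes a Linux host. The key-identifier parser goes a little beyond the thread: it accepts every form libp11's engine_pkcs11 documents, so the "10", "0:0005" and "slot_0-label_rsakey" values seen above all parse to a slot plus an id or label.

```shell
#!/bin/sh
# Preflight for an OpenXPKI ca-signer that reaches a YubiHSM2 through
# engine_pkcs11 (libp11).  Added example: not code from the thread, from
# OpenXPKI or from Yubico.  Default paths copy the thread and are assumptions
# for your host; override them through the two environment variables.

MODULE="${YUBIHSM_PKCS11_MODULE:-/usr/lib/x86_64-linux-gnu/pkcs11/yubihsm_pkcs11.so}"
CONF="${YUBIHSM_PKCS11_CONF:-/etc/yubihsm2/yubihsm_pkcs11.conf}"

is_hex() {      # 0 if $1 is a non-empty string of hex digits
    [ -n "$1" ] || return 1
    case "$1" in *[!0-9A-Fa-f]*) return 1 ;; esac
}

is_dec() {      # 0 if $1 is a non-empty string of decimal digits
    [ -n "$1" ] || return 1
    case "$1" in *[!0-9]*) return 1 ;; esac
}

# yubihsm_pkcs11 logs in with PIN = <4 hex digits of the authentication key
# id><password>; the thread's 0001password is auth key 0x0001 + "password".
# Prints the auth key id, fails if the string does not have that shape.
check_pin_format() {
    rest=${1#????}              # everything after the first four characters
    authkey=${1%"$rest"}        # the first four characters themselves
    is_hex "$authkey" && [ "${#authkey}" -eq 4 ] && [ -n "$rest" ] || return 1
    printf '%s\n' "$authkey"
}

# Parse a libp11 key identifier into "slot=<n|any> id=<hex|-> label=<text|->".
# libp11 accepts:  <hexid>  <slot>:<hexid>  id_<hexid>  label_<text>
#                  slot_<n>-id_<hexid>  slot_<n>-label_<text>  pkcs11:<uri>
# so the thread's "10", "0:0005" and "slot_0-label_rsakey" all parse.
parse_key_spec() {
    spec="$1"; slot=any; id=-; label=-
    case "$spec" in
        pkcs11:*)       printf 'uri %s\n' "$spec"; return 0 ;;
        slot_*-label_*) slot=${spec#slot_}; slot=${slot%%-label_*}; label=${spec#*-label_} ;;
        slot_*-id_*)    slot=${spec#slot_}; slot=${slot%%-id_*}; id=${spec#*-id_} ;;
        id_*)           id=${spec#id_} ;;
        label_*)        label=${spec#label_} ;;
        *:*)            slot=${spec%%:*}; id=${spec#*:}; [ -n "$id" ] || id=- ;;
        *)              id=$spec ;;
    esac
    [ "$slot" = any ] || is_dec "$slot" || return 1
    [ "$id" = - ] || is_hex "$id" || return 1
    [ "$label" = - ] || [ -n "$label" ] || return 1
    printf 'slot=%s id=%s label=%s\n' "$slot" "$id" "$label"
}

# yubihsm_pkcs11 takes its connector URL from the file named by
# YUBIHSM_PKCS11_CONF (the thread: connector = http://127.0.0.1:12345).
# Prints the URL; fails if the file is unreadable or has no connector line.
conf_connector() {
    f="${1:-$CONF}"
    [ -r "$f" ] || return 1
    sed -n 's/^[[:space:]]*connector[[:space:]]*=[[:space:]]*//p' "$f" | head -n 1 | grep .
}

# The running openxpki process itself must carry both variables; an export
# in your shell before a separate service start does not guarantee it.
# Give it /proc/<pid>/environ (NUL-separated) of the daemon process.
environ_has_yubihsm_vars() {
    [ -r "$1" ] || return 1
    e=$(tr '\000' '\n' < "$1")
    printf '%s\n' "$e" | grep -q '^YUBIHSM_PKCS11_CONF=' &&
    printf '%s\n' "$e" | grep -q '^YUBIHSM_PKCS11_MODULE='
}

# Static checks on the ca-signer values, then, if pkcs11-tool is installed and
# the module is there, the object listing the daemon should be able to see.
# Note: a PIN given on the command line is visible in ps, as it is in the
# thread's own pkcs11-tool calls; prefer the tool's PIN prompt on shared hosts.
preflight() {
    pin="$1"; keyspec="$2"; environ_file="${3:-}"; rc=0
    if [ -r "$MODULE" ]; then echo "module: $MODULE"; else echo "module missing: $MODULE"; rc=1; fi
    if url=$(conf_connector "$CONF"); then echo "connector: $url"; else echo "no connector in $CONF"; rc=1; fi
    if ak=$(check_pin_format "$pin"); then echo "auth key id: $ak"; else echo "PIN is not <4 hex auth key id><password>"; rc=1; fi
    if p=$(parse_key_spec "$keyspec"); then echo "key: $p"; else echo "unparsable key id: $keyspec"; rc=1; fi
    if [ -n "$environ_file" ]; then
        if environ_has_yubihsm_vars "$environ_file"; then echo "daemon env: ok"
        else echo "daemon env lacks YUBIHSM_PKCS11_CONF or YUBIHSM_PKCS11_MODULE"; rc=1; fi
    fi
    if [ "$rc" -eq 0 ] && command -v pkcs11-tool >/dev/null 2>&1; then
        YUBIHSM_PKCS11_CONF="$CONF" pkcs11-tool --module "$MODULE" --login --pin "$pin" -O || rc=1
    fi
    return "$rc"
}

# usage: sh preflight.sh 0001password slot_0-label_rsakey /proc/<openxpki pid>/environ
if [ "$#" -ge 2 ]; then preflight "$@"; fi
```

Run it as the user the OpenXPKI daemon runs as, with the daemon already started, and hand it the daemon's /proc/<pid>/environ as the third argument: that last check is the one matching Lixin's remark that the two YUBIHSM_PKCS11_* variables have to be set before openxpki starts, since the module is loaded inside that process and a variable exported in an interactive shell never reaches it. The static checks say nothing about whether the connector is actually reachable; only the final pkcs11-tool listing, run through the same module and config file, exercises that.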