ENGINE issues

2005-01-13 Thread Massimiliano Pala
Dear list,
I have a problem when integrating my application with 
LunaSA/LunaCA3 by using the ENGINE extension with our
OpenCA-OCSP daemon.

I successfully can execute PRE and POST commands by using
`ENGINE_ctrl_cmd_string()' (e.g. CONF_PATH and login 
commands).

The problem is that, by using default OpenSSL ENGINE 
commands (with OpenSSL 0.9.7) to load the private key 
generated on the LunaSA I get the following error:

---
30436:error:2609607D:engine 
routines:ENGINE_load_private_key:no load 
function:eng_pkey.c:110:
---

The code that generates the problem is the following:
---
/* ask the ENGINE for a reference to the on-device key named by keyfile */
ocspd_conf->ocspd_pkey =
    ENGINE_load_private_key(ocspd_conf->engine,
                            keyfile, UI_OpenSSL(), cb_data);
if ((bio_out = BIO_new_fp(stderr, BIO_NOCLOSE)) != NULL) {
    ERR_print_errors(bio_out);   /* dump the OpenSSL error queue */
    BIO_free(bio_out);
}
---
On the LunaSA device we have the following objects:
---
[EMAIL PROTECTED] root]# cmu list -display=id,label,handle
Please enter password for token in slot 1 : 

id=0001 label=ocspPubKey handle=10
id=0001 label=ocspPrivKey handle=11
---

and in keyfile variable in the example I set the id of the
private key (0001).
Does anyone have experiences on how to load a private
key from the LunaSA (LunaCA3) with OpenSSL 0.9.7 ?
Thanks for any help,
--- Massimiliano Pala
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   [EMAIL PROTECTED]


RE: ENGINE issues

2005-01-13 Thread David C. Partridge
IIRC the Luna CA3 is FIPS140-2 LEVEL 3 which means it won't allow you under
any circumstances to extract the private key from the device
(non-extractable, sensitive in PKCS#11 parlance).

What this means is that you need to send the data to the device to be signed
(don't know how to do this using openssl), rather than extracting the key
and using openssl to do the crypto in software.

Dave




Re: ENGINE issues

2005-01-13 Thread Massimiliano Pala
On Thu, 13 Jan 2005 12:27:57 -, David C. Partridge [EMAIL PROTECTED] wrote:
> IIRC the Luna CA3 is FIPS140-2 LEVEL 3 which means it won't allow you under
> any circumstances to extract the private key from the device
> (non-extractable, sensitive in PKCS#11 parlance).
>
> What this means is that you need to send the data to the device to be signed
> (don't know how to do this using openssl), rather than extracting the key
> and using openssl to do the crypto in software.

My intention was not to extract the key but to tell OpenSSL to use a
particular key, thus I need a way to generate a reference to the key.

I just took as an example the code from openssl, but there is something I
am doing wrong somewhere...
All I want to do is to enable ENGINE so all crypto operations are performed
on the LunaSA (and probably I am missing something important here :-( ) and
to use the Key stored on the device, not a software one.

Does anybody have experiences (also with other hardware) that may be of some
help ???
Thank you, bye.
   --- Massimiliano Pala ([EMAIL PROTECTED])


Fwd: RE : ENGINE issues

2005-01-13 Thread Massimiliano Pala

  --- the forwarded message follows ---
---BeginMessage---
On Thu, 13 Jan 2005 16:26:33 +0100, Frédéric Donnat [EMAIL PROTECTED] wrote:
> Hi Massimo,

Hi,

> As far as I know you must LOAD (pre command I think) the ENGINE to
> correctly set all ENGINE function pointers... And thus initialize openssl
> with your ENGINE. Did you do it?

Yes, init of the ENGINE works fine.

> You should be able to get a private key handle but not the private key
> parameters according to PKCS#11.
> I have done such a thing with a Bull PKCS 11 module and their PKCS#11
> patch and it works fine.
>
> You could try to trace Luna ENGINE in ENGINE_load_private_key() function
> in order to find the faulty part of code.

This is what I have done... and I found that they simply did not implement
the ENGINE_load_private_key()... I am trying to implement it... but it is
quite hard to do it in less than one day. I hope they will respond to my
requests sending me the missing functions (also the ENGINE_load_public_key()
is missing, but this is not an issue... at the moment!).

It sounds really strange, anyway, that this function is missing... as this
implies that no ENGINE support is there to use private keys directly on the
LunaCA/SA!?!?
Anyway if you have some code you can send me about your implementation, I
would be glad to take a look at it in order to check my implementation.
Thx for your help.
   -- Massimiliano Pala
---End Message---


Re: ENGINE issues

2005-01-13 Thread Dr. Stephen Henson
On Thu, Jan 13, 2005, Massimiliano Pala wrote:

> On Thu, 13 Jan 2005 12:27:57 -, David C. Partridge [EMAIL PROTECTED] wrote:
>
> I just took as an example the code from openssl, but there is something I
> am doing wrong somewhere...
> All I want to do is to enable ENGINE so all crypto operations are performed
> on the LunaSA (and probably I am missing something important here :-( ) and
> to use the Key stored on the device, not a software one.
>
> Does anybody have experiences (also with other hardware) that may be of some
> help ???

The nCipher (nFast/Chil) ENGINE can use hardware keys. There's also a test
operation in the openssl test engine which just loads from a PEM file.

I suggest you put debugging printfs in your code to check its load private
key function is actually being called.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk