RE: pkcs#11 engine for openssl

Hi Afchine,

After a long vacation I am back in business. I have tried applying your mod_ssl patch on the pkcs#11 engine to try and work the apache with ssl using my Smart Card. I tried before that a simple mod_ssl installation (software keys only) and everything seems to be working fine. Unfortunately I was not able to run mod_ssl with the pkcs#11 patch. It may be due to some differences on how your hardware behaves compared with a regular Smart Card. Can you pinpoint me to the source of the problem using the debug log I got from apache mod_ssl engine?

Thanks.

P.S. FYI I am working also on engine support to secxml library and I will test it with the pkcs#11 engine.

Gilad

Create RSA private and public on my PKCS#11 SmartCard
---
openssl req -engine pkcs11 -keyform e -new -x509 -keyout cakey.pem -out cacrt.pem -days 365
cp cacrt.pem /usr/local/apache/ssl.crt/server.crt    = copy the certificate created to the apache directory

I can verify the creation of the RSA keys was successful and they are present on the Smart Card.

When trying to run /usr/local/apache/bin/apachectl startssl I get

pache:mod_ssl:Error: Private key not found.
**Stopped
../bin/apachectl startssl: httpd could not be started

mod_ssl ssl_engine_log:
---
[29/Jul/2003 16:01:56 14867] [info]  Server: Apache/1.3.27, Interface: mod_ssl/2.8.14, Library: OpenSSL/0.9.7b
[29/Jul/2003 16:01:56 14867] [info]  Init: 1st startup round (still not detached)
[29/Jul/2003 16:01:56 14867] [info]  Init: Initializing OpenSSL library
[29/Jul/2003 16:01:56 14867] [info]  Init: Loading certificate & private key of SSL-aware server earth.arx.com:443
[29/Jul/2003 16:01:56 14867] [error] Init: Private key not found (OpenSSL library error follows)
[29/Jul/2003 16:01:56 14867] [error] OpenSSL: error:0906D06C:PEM routines:PEM_read_bio:no start line: Expecting: PUBLIC KEY: [Hint: Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?]
[29/Jul/2003 16:01:56 14867] [error] OpenSSL: error:26096080:engine routines:ENGINE_load_private_key:failed loading private key: :
[29/Jul/2003 16:09:18 14885] [info]  Server: Apache/1.3.27, Interface: mod_ssl/2.8.14, Library: OpenSSL/0.9.7b
[29/Jul/2003 16:09:18 14885] [info]  Init: 1st startup round (still not detached)
[29/Jul/2003 16:09:18 14885] [info]  Init: Initializing OpenSSL library
[29/Jul/2003 16:09:18 14885] [info]  Init: Loading certificate & private key of SSL-aware server earth.arx.com:443
[29/Jul/2003 16:09:18 14885] [error] Init: Private key not found (OpenSSL library error follows)
[29/Jul/2003 16:09:18 14885] [error] OpenSSL: error:0906D06C:PEM routines:PEM_read_bio:no start line: Expecting: PUBLIC KEY: [Hint: Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?]
[29/Jul/2003 16:09:18 14885] [error] OpenSSL: error:26096080:engine routines:ENGINE_load_private_key:failed loading private key: :

-----Original Message-----
From: Afchine Madjlessi [mailto:[EMAIL PROTECTED]]
Sent: Friday, June 20, 2003 12:36 PM
To: Gilad Finkelstein
Cc: [EMAIL PROTECTED]; René Martin
Subject: Re: pkcs#11 engine for openssl

Hi Gilad,

You have to make some little changes in mod_ssl (like defining SSL_EXPERIMENTAL_ENGINE, generating temp keys, how to init/terminate the engine). Attached you can find my patch to mod_ssl.

Once you have initialized the engine in your application, your RSA_method calls are redirected to the engine instead of the software crypto. In the case of the actual pkcs#11 engine, RSA, random and load_key are called through the engine, but EVP calls (cipher/digest), and DH/DSA aren't yet implemented. I am working to complete that and also to map the new store_key (0.9.8) to my RSA generate added in the RSA_method. So we can have a more generic and complete pkcs#11 engine when I've finished this work!

Regards,
Afchine
__
[EMAIL PROTECTED]
Bull TrustWay RD
http://www.trustway.bull.com

----- Original Message -----
From: Gilad Finkelstein [EMAIL PROTECTED]
To: 'Afchine Madjlessi' [EMAIL PROTECTED]
Sent: Wednesday, June 18, 2003 7:33 PM
Subject: RE: pkcs#11 engine for openssl

Hi Afchine,

I probably do not understand fully the concept of the engine module in openssl, maybe you can help. My understanding is that you must call certain ENGINE_ API so that from that point on every regular call to a libeay32 function that involves crypto and is supported by the engine will be directed to the engine. The SSLeay32 lib does not know about engines at all (and for that matter any other library that is based on libeay32 or ssleay32). I read you tested the patch with mod_ssl which is based on openssl. My hope is you did not have to change any code in the mod_ssl to make it work with pkcs#11 engine; in that case how did you manage to tell mod_ssl - ssleay32 - libeay32 to use pkcs#11 engine? Is there some parameter you can use via mod_ssl or ssleay32 that sets
Re: pkcs#11 engine for openssl

Hi Gilad,

You must copy the public key file generated by openssl (cakey.pem) to /usr/local/apache/ssl.crt/server.key. The pkcs#11 engine load_private_key function reads the public key file to find the private key in the hardware.

cheers
Afchine
__
[EMAIL PROTECTED]
Bull TrustWay RD
http://www.trustway.bull.com

Hi Afchine,

After a long vacation I am back in business. I have tried applying your mod_ssl patch on the pkcs#11 engine to try and work the apache with ssl using my Smart Card. I tried before that a simple mod_ssl installation (software keys only) and everything seems to be working fine. Unfortunately I was not able to run mod_ssl with the pkcs#11 patch. It may be due to some differences on how your hardware behaves compared with a regular Smart Card. Can you pinpoint me to the source of the problem using the debug log I got from apache mod_ssl engine?

Thanks.

P.S. FYI I am working also on engine support to secxml library and I will test it with the pkcs#11 engine.

Gilad

Create RSA private and public on my PKCS#11 SmartCard
---
openssl req -engine pkcs11 -keyform e -new -x509 -keyout cakey.pem -out cacrt.pem -days 365
cp cacrt.pem /usr/local/apache/ssl.crt/server.crt    = copy the certificate created to the apache directory

I can verify the creation of the RSA keys was successful and they are present on the Smart Card.

When trying to run /usr/local/apache/bin/apachectl startssl I get

pache:mod_ssl:Error: Private key not found.
**Stopped
../bin/apachectl startssl: httpd could not be started

mod_ssl ssl_engine_log:
---
[29/Jul/2003 16:01:56 14867] [info]  Server: Apache/1.3.27, Interface: mod_ssl/2.8.14, Library: OpenSSL/0.9.7b
[29/Jul/2003 16:01:56 14867] [info]  Init: 1st startup round (still not detached)
[29/Jul/2003 16:01:56 14867] [info]  Init: Initializing OpenSSL library
[29/Jul/2003 16:01:56 14867] [info]  Init: Loading certificate & private key of SSL-aware server earth.arx.com:443
[29/Jul/2003 16:01:56 14867] [error] Init: Private key not found (OpenSSL library error follows)
[29/Jul/2003 16:01:56 14867] [error] OpenSSL: error:0906D06C:PEM routines:PEM_read_bio:no start line: Expecting: PUBLIC KEY: [Hint: Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?]
[29/Jul/2003 16:01:56 14867] [error] OpenSSL: error:26096080:engine routines:ENGINE_load_private_key:failed loading private key: :
[29/Jul/2003 16:09:18 14885] [info]  Server: Apache/1.3.27, Interface: mod_ssl/2.8.14, Library: OpenSSL/0.9.7b
[29/Jul/2003 16:09:18 14885] [info]  Init: 1st startup round (still not detached)
[29/Jul/2003 16:09:18 14885] [info]  Init: Initializing OpenSSL library
[29/Jul/2003 16:09:18 14885] [info]  Init: Loading certificate & private key of SSL-aware server earth.arx.com:443
[29/Jul/2003 16:09:18 14885] [error] Init: Private key not found (OpenSSL library error follows)
[29/Jul/2003 16:09:18 14885] [error] OpenSSL: error:0906D06C:PEM routines:PEM_read_bio:no start line: Expecting: PUBLIC KEY: [Hint: Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?]
[29/Jul/2003 16:09:18 14885] [error] OpenSSL: error:26096080:engine routines:ENGINE_load_private_key:failed loading private key: :

__
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                        [EMAIL PROTECTED]
Automated List Manager                          [EMAIL PROTECTED]
RE: pkcs#11 engine for openssl

Hi Afchine, guys,

Just as I feared, one needs to change every layer that uses openssl in order to support engines (mod_ssl is an example). What about what I said, allowing the openssl to recognize it is to be used via the engines internally? i.e. if a USE_ENGINE environment is set with an engine ID, openssl will always use that engine and issue all initialization functions transparently. I will try to make that work with your PKCS#11 engine for an example. The question is, given your experience with openssl, is there a reason why this approach should be used or could not be successful? (my target is to enable many other layers relying on openssl the usage of openssl engine transparently).

Gilad

-----Original Message-----
From: Afchine Madjlessi [mailto:[EMAIL PROTECTED]]
Sent: Friday, June 20, 2003 12:36 PM
To: Gilad Finkelstein
Cc: [EMAIL PROTECTED]; René Martin
Subject: Re: pkcs#11 engine for openssl

Hi Gilad,

You have to make some little changes in mod_ssl (like defining SSL_EXPERIMENTAL_ENGINE, generating temp keys, how to init/terminate the engine). Attached you can find my patch to mod_ssl.

Once you have initialized the engine in your application, your RSA_method calls are redirected to the engine instead of the software crypto. In the case of the actual pkcs#11 engine, RSA, random and load_key are called through the engine, but EVP calls (cipher/digest), and DH/DSA aren't yet implemented. I am working to complete that and also to map the new store_key (0.9.8) to my RSA generate added in the RSA_method. So we can have a more generic and complete pkcs#11 engine when I've finished this work!

Regards,
Afchine
__
[EMAIL PROTECTED]
Bull TrustWay RD
http://www.trustway.bull.com

----- Original Message -----
From: Gilad Finkelstein [EMAIL PROTECTED]
To: 'Afchine Madjlessi' [EMAIL PROTECTED]
Sent: Wednesday, June 18, 2003 7:33 PM
Subject: RE: pkcs#11 engine for openssl

Hi Afchine,

I probably do not understand fully the concept of the engine module in openssl, maybe you can help. My understanding is that you must call certain ENGINE_ API so that from that point on every regular call to a libeay32 function that involves crypto and is supported by the engine will be directed to the engine. The SSLeay32 lib does not know about engines at all (and for that matter any other library that is based on libeay32 or ssleay32). I read you tested the patch with mod_ssl which is based on openssl. My hope is you did not have to change any code in the mod_ssl to make it work with pkcs#11 engine; in that case how did you manage to tell mod_ssl - ssleay32 - libeay32 to use pkcs#11 engine? Is there some parameter you can use via mod_ssl or ssleay32 that sets specific engine usage on? If you did change the mod_ssl can you please tell me what functions you need to use to invoke the Engine and where.

My idea (if that is not supported already) is to allow automatic initialization of the libeay32 library with a specific engine when a certain environment variable is on (USE_OPENSSL_ENGINES) with the value of the engine id name. This way all relying libraries will be able to use the engine transparently without the need of calling the Initialization logic of a certain engine. What do you think?

Gilad

-----Original Message-----
From: Afchine Madjlessi [mailto:[EMAIL PROTECTED]]
Sent: Monday, June 16, 2003 11:18 AM
To: Gilad Finkelstein
Cc: [EMAIL PROTECTED]; René Martin
Subject: Re: pkcs#11 engine for openssl

Hi Gilad,

Thanks for your advice. I don't use C_Login in the engine, because the session is always public, and if it's called, the C_Login always returns CKR_OK (case of crypto hardware). In the case of smartcards, you're right, it is mandatory to add a C_Login to take into the user session. So, I agree with you to add the C_Login to the open session function. I think that each evolution and ability added to the pkcs#11 engine, like creating certificates on the hardware, is welcome.

Regards
Afchine
__
[EMAIL PROTECTED]
Bull TrustWay RD
http://www.trustway.bull.com

----- Original Message -----
From: Gilad Finkelstein [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, June 16, 2003 11:20 AM
Subject: FW: pkcs#11 engine for openssl newbie question

Hi,

My apologies for the first item (pack requirements); I have checked the code and found your remark on setting the CK_Win32 to enable pack of 1 on windows platforms. I had to add a C_Login in your open session function to enable access to the private keys for sign and generate operations. (And I think you would agree this should be the generic case of pkcs#11 implementation.) I would also like to add the ability to create the certificate on the hardware token and not as a file.

Thanks for your help
Gilad

-----Original Message-----
From: Gilad Finkelstein
Sent: Sunday, June 15, 2003 11:48 AM
To: 'Afchine
Re: pkcs#11 engine for openssl

Hi Gilad,

You have to make some little changes in mod_ssl (like defining SSL_EXPERIMENTAL_ENGINE, generating temp keys, how to init/terminate the engine). Attached you can find my patch to mod_ssl.

Once you have initialized the engine in your application, your RSA_method calls are redirected to the engine instead of the software crypto. In the case of the actual pkcs#11 engine, RSA, random and load_key are called through the engine, but EVP calls (cipher/digest), and DH/DSA aren't yet implemented. I am working to complete that and also to map the new store_key (0.9.8) to my RSA generate added in the RSA_method. So we can have a more generic and complete pkcs#11 engine when I've finished this work!

Regards,
Afchine
__
[EMAIL PROTECTED]
Bull TrustWay RD
http://www.trustway.bull.com

----- Original Message -----
From: Gilad Finkelstein [EMAIL PROTECTED]
To: 'Afchine Madjlessi' [EMAIL PROTECTED]
Sent: Wednesday, June 18, 2003 7:33 PM
Subject: RE: pkcs#11 engine for openssl

Hi Afchine,

I probably do not understand fully the concept of the engine module in openssl, maybe you can help. My understanding is that you must call certain ENGINE_ API so that from that point on every regular call to a libeay32 function that involves crypto and is supported by the engine will be directed to the engine. The SSLeay32 lib does not know about engines at all (and for that matter any other library that is based on libeay32 or ssleay32). I read you tested the patch with mod_ssl which is based on openssl. My hope is you did not have to change any code in the mod_ssl to make it work with pkcs#11 engine; in that case how did you manage to tell mod_ssl - ssleay32 - libeay32 to use pkcs#11 engine? Is there some parameter you can use via mod_ssl or ssleay32 that sets specific engine usage on? If you did change the mod_ssl can you please tell me what functions you need to use to invoke the Engine and where.

My idea (if that is not supported already) is to allow automatic initialization of the libeay32 library with a specific engine when a certain environment variable is on (USE_OPENSSL_ENGINES) with the value of the engine id name. This way all relying libraries will be able to use the engine transparently without the need of calling the Initialization logic of a certain engine. What do you think?

Gilad

-----Original Message-----
From: Afchine Madjlessi [mailto:[EMAIL PROTECTED]]
Sent: Monday, June 16, 2003 11:18 AM
To: Gilad Finkelstein
Cc: [EMAIL PROTECTED]; René Martin
Subject: Re: pkcs#11 engine for openssl

Hi Gilad,

Thanks for your advice. I don't use C_Login in the engine, because the session is always public, and if it's called, the C_Login always returns CKR_OK (case of crypto hardware). In the case of smartcards, you're right, it is mandatory to add a C_Login to take into the user session. So, I agree with you to add the C_Login to the open session function. I think that each evolution and ability added to the pkcs#11 engine, like creating certificates on the hardware, is welcome.

Regards
Afchine
__
[EMAIL PROTECTED]
Bull TrustWay RD
http://www.trustway.bull.com

----- Original Message -----
From: Gilad Finkelstein [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, June 16, 2003 11:20 AM
Subject: FW: pkcs#11 engine for openssl newbie question

Hi,

My apologies for the first item (pack requirements); I have checked the code and found your remark on setting the CK_Win32 to enable pack of 1 on windows platforms. I had to add a C_Login in your open session function to enable access to the private keys for sign and generate operations. (And I think you would agree this should be the generic case of pkcs#11 implementation.) I would also like to add the ability to create the certificate on the hardware token and not as a file.

Thanks for your help
Gilad

-----Original Message-----
From: Gilad Finkelstein
Sent: Sunday, June 15, 2003 11:48 AM
To: 'Afchine Madjlessi'
Subject: RE: pkcs#11 engine for openssl newbie question

Hi,

I have progressed a lot and can inform you of the following information I found.

1. Your code assumes pkcs11 function structure list pack of 4; my crypto library uses pack 1 (and so does the RSA one). I think it would be safer to use pack 1 when compiling on win32 platform (using the #pragma pack).

2. I do not understand how your code successfully generates a key pair without C_Login first. It seems not to use the pkcs#11 standard of C_Login whenever a private key operation is required. I added in my code a pkcs#11_login for cases like this and now I am able to generate keys on my hardware.

If I find more things I will let you know.

Gilad

-----Original Message-----
From: Afchine Madjlessi [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 11, 2003 4:18 PM
To: Gilad Finkelstein
Subject: Re: pkcs
Re: pkcs#11 engine for openssl

Hi Gilad,

Thanks for your advice. I don't use C_Login in the engine, because the session is always public, and if it's called, the C_Login always returns CKR_OK (case of crypto hardware). In the case of smartcards, you're right, it is mandatory to add a C_Login to take into the user session. So, I agree with you to add the C_Login to the open session function. I think that each evolution and ability added to the pkcs#11 engine, like creating certificates on the hardware, is welcome.

Regards
Afchine
__
[EMAIL PROTECTED]
Bull TrustWay RD
http://www.trustway.bull.com

----- Original Message -----
From: Gilad Finkelstein [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, June 16, 2003 11:20 AM
Subject: FW: pkcs#11 engine for openssl newbie question

Hi,

My apologies for the first item (pack requirements); I have checked the code and found your remark on setting the CK_Win32 to enable pack of 1 on windows platforms. I had to add a C_Login in your open session function to enable access to the private keys for sign and generate operations. (And I think you would agree this should be the generic case of pkcs#11 implementation.) I would also like to add the ability to create the certificate on the hardware token and not as a file.

Thanks for your help
Gilad

-----Original Message-----
From: Gilad Finkelstein
Sent: Sunday, June 15, 2003 11:48 AM
To: 'Afchine Madjlessi'
Subject: RE: pkcs#11 engine for openssl newbie question

Hi,

I have progressed a lot and can inform you of the following information I found.

1. Your code assumes pkcs11 function structure list pack of 4; my crypto library uses pack 1 (and so does the RSA one). I think it would be safer to use pack 1 when compiling on win32 platform (using the #pragma pack).

2. I do not understand how your code successfully generates a key pair without C_Login first. It seems not to use the pkcs#11 standard of C_Login whenever a private key operation is required. I added in my code a pkcs#11_login for cases like this and now I am able to generate keys on my hardware.

If I find more things I will let you know.

Gilad

-----Original Message-----
From: Afchine Madjlessi [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 11, 2003 4:18 PM
To: Gilad Finkelstein
Subject: Re: pkcs#11 engine for openssl newbie question

By default the pkcs#11 engine looks for the Bull hardware crypto. For your purpose you have to undef BULL_CC2000 in the hw_pkcs11.c (in crypto/engine directory) and recompile. Then your pkcs#11 api library must be called libpkcs11.so on linux or pkcs11.dll on win32.

Good luck
Afchine

----- Original Message -----
From: Gilad Finkelstein [EMAIL PROTECTED]
To: 'Afchine Madjlessi' [EMAIL PROTECTED]
Sent: Wednesday, June 11, 2003 4:57 PM
Subject: RE: pkcs#11 engine for openssl newbie question

Thanks for your reply,

I tried the script and got signal 11 on every attempt. Is the engine looking for a certain pkcs#11 library name (e.g. pkcs11.so || pkcs11.dll)? I use cygwin on windows2000 with a .dll for pkcs#11 interface to my smart card.

Gilad

-----Original Message-----
From: Afchine Madjlessi [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 11, 2003 3:37 PM
To: Gilad Finkelstein
Cc: [EMAIL PROTECTED]
Subject: Re: pkcs#11 engine for openssl newbie question

Hi,

I used the attached shell to generate a key pair on my crypto hardware, a CSR, and make a self-signed certificate.

Regards
Afchine Madjlessi

----- Original Message -----
From: Gilad Finkelstein [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, June 11, 2003 4:21 PM
Subject: pkcs#11 engine for openssl newbie question

Hi,

I address you as a last resort since I can not find any answers in openssl groups/web on how to use engines in general and pkcs#11 interface in particular. Can you please direct me to a decent place where I can see how to use your generic pkcs#11 openssl engine. Can a simple test be run via openssl util? How? Any other test that for example generates RSA key on my smart card?

I was able to compile openssl 0.97 with your patch but I am not sure what I should do next (I compiled both on Linux and on Windows using cygwin). If I am able to use openssl over my hardware PKCS#11 token I intend to write a FAQ on how to achieve that (if that was not written already somewhere).

Thanks
Gilad Finkelstein
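The two PKCS#11 points settled in the exchange above (a private-key operation on a smart card needs C_Login first, while an HSM with an always-public session accepts C_Login as a no-op; and a function-list struct compiled with pack(4) on one side and pack(1) on the other is not interchangeable) can be shown with a small simulated token. This is an added example, not code from the pkcs#11 engine, from OpenSSL or from either correspondent. It defines the handful of CK_ types and return codes it needs with the values from the PKCS#11 specification rather than including a real pkcs11.h; the names sim_token, sim_private_key_op, engine_open_session_and_sign and function_list_offset_mismatch are hypothetical, and the PIN "1234" is a constructed sample value.

```c
/* Added example: a simulated PKCS#11 token modelling the login rule and the
 * struct-packing mismatch discussed in the thread.  Not the engine's code. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef unsigned long CK_RV;
typedef unsigned long CK_SESSION_HANDLE;
typedef unsigned long CK_USER_TYPE;
typedef unsigned char CK_BYTE;
typedef unsigned char CK_UTF8CHAR;

/* Numeric values as defined in the PKCS#11 specification. */
#define CKR_OK                     0x000UL
#define CKR_PIN_INCORRECT          0x0A0UL
#define CKR_SESSION_HANDLE_INVALID 0x0B3UL
#define CKR_USER_NOT_LOGGED_IN     0x101UL
#define CKU_USER                   1UL

/* Simulated token state (constructed for the demo). */
typedef struct {
    int         requires_login;  /* 1 = smart card, 0 = always-public session */
    int         logged_in;
    const char *pin;             /* sample PIN, not a real credential */
} sim_token;

static sim_token g_tokens[2] = {
    { 1, 0, "1234" },  /* session handle 1: smart card */
    { 0, 0, NULL   },  /* session handle 2: crypto hardware, public session */
};

static sim_token *lookup(CK_SESSION_HANDLE h)
{
    return (h >= 1 && h <= 2) ? &g_tokens[h - 1] : NULL;
}

/* C_Login as the thread describes it: a no-op returning CKR_OK on the
 * always-public hardware, a real PIN check on the smart card. */
CK_RV C_Login(CK_SESSION_HANDLE h, CK_USER_TYPE user,
              CK_UTF8CHAR *pin, unsigned long pin_len)
{
    sim_token *t = lookup(h);
    if (!t) return CKR_SESSION_HANDLE_INVALID;
    if (!t->requires_login) return CKR_OK;
    if (user != CKU_USER || pin == NULL || pin_len != strlen(t->pin)
        || memcmp(pin, t->pin, pin_len) != 0)
        return CKR_PIN_INCORRECT;
    t->logged_in = 1;
    return CKR_OK;
}

CK_RV C_Logout(CK_SESSION_HANDLE h)
{
    sim_token *t = lookup(h);
    if (!t) return CKR_SESSION_HANDLE_INVALID;
    t->logged_in = 0;
    return CKR_OK;
}

/* Stand-in for C_Sign / C_GenerateKeyPair: only the access check that every
 * private-key operation performs first, no cryptography. */
CK_RV sim_private_key_op(CK_SESSION_HANDLE h)
{
    sim_token *t = lookup(h);
    if (!t) return CKR_SESSION_HANDLE_INVALID;
    if (t->requires_login && !t->logged_in) return CKR_USER_NOT_LOGGED_IN;
    return CKR_OK;
}

/* The engine-side change Gilad made: log in when the session is opened, then
 * run the private-key operation.  Works unchanged on both token kinds. */
CK_RV engine_open_session_and_sign(CK_SESSION_HANDLE h, const char *pin)
{
    CK_RV rv = C_Login(h, CKU_USER, (CK_UTF8CHAR *)pin,
                       pin ? (unsigned long)strlen(pin) : 0);
    if (rv != CKR_OK) return rv;
    return sim_private_key_op(h);
}

/* Item 1 of the 15 June message: CK_FUNCTION_LIST begins with a 2-byte
 * CK_VERSION followed by function pointers.  Under default alignment the
 * first pointer is padded out to its natural boundary; under pack(1) it is
 * not, so a library and an engine built with different packing read every
 * pointer from a different offset. */
typedef struct { CK_BYTE major; CK_BYTE minor; } CK_VERSION;
typedef CK_RV (*CK_C_Login_fn)(CK_SESSION_HANDLE, CK_USER_TYPE,
                               CK_UTF8CHAR *, unsigned long);

typedef struct { CK_VERSION version; CK_C_Login_fn C_Login; } fl_default;
#pragma pack(push, 1)
typedef struct { CK_VERSION version; CK_C_Login_fn C_Login; } fl_packed;
#pragma pack(pop)

/* Bytes by which the C_Login pointer sits at a different offset in the two
 * layouts; anything other than 0 means the structs are not interchangeable. */
size_t function_list_offset_mismatch(void)
{
    return offsetof(fl_default, C_Login) - offsetof(fl_packed, C_Login);
}

int main(void)
{
    printf("smart card, no login : 0x%lx\n", sim_private_key_op(1));
    printf("smart card, login    : 0x%lx\n", engine_open_session_and_sign(1, "1234"));
    printf("hardware, no login   : 0x%lx\n", engine_open_session_and_sign(2, NULL));
    printf("pointer offset shift : %zu bytes\n", function_list_offset_mismatch());
    return 0;
}
```

The first call returns CKR_USER_NOT_LOGGED_IN (0x101), which is the symptom behind item 2 of the 15 June message; the same engine code path succeeds on the public-session hardware because its C_Login returns CKR_OK without a PIN. The offset shift is non-zero on any platform where a function pointer is wider than two bytes, which is why the Win32 build needs the pack(1) setting Gilad mentions.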
Re: pkcs#11 engine for openssl newbie question

Hi,

I used the attached shell to generate a key pair on my crypto hardware, a CSR, and make a self-signed certificate.

Regards
Afchine Madjlessi

----- Original Message -----
From: Gilad Finkelstein [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, June 11, 2003 4:21 PM
Subject: pkcs#11 engine for openssl newbie question

Hi,

I address you as a last resort since I can not find any answers in openssl groups/web on how to use engines in general and pkcs#11 interface in particular. Can you please direct me to a decent place where I can see how to use your generic pkcs#11 openssl engine. Can a simple test be run via openssl util? How? Any other test that for example generates RSA key on my smart card?

I was able to compile openssl 0.97 with your patch but I am not sure what I should do next (I compiled both on Linux and on Windows using cygwin). If I am able to use openssl over my hardware PKCS#11 token I intend to write a FAQ on how to achieve that (if that was not written already somewhere).

Thanks
Gilad Finkelstein

Attachment: CA-pkcs11.sh
Description: Binary data