Openssl Pkcs11 Engine Slot
2004-10-21 15:03:30 UTC
Openssl-pkcs11
Openssl Pkcs11 Engine
Hello,
First: I am a brand new user of opensc, and English is not my native language .
I have been trying to use etoken PRO with openssl on Linux and Windows.
The Linux implementation using the openssl+engine_opensc.so seems to work for me, knowing that I initialize the token using opensc.
But we are shipping these token to clients that use it in windows. These token have been initialized using Official PKCS11 from Alladin (eTpkcs11.dll), wich does not seems to play well with opensc.
I did try to use the etpkcs11.dll of Alladin with the statically linked version of opensc on windows (win32bin_stat_18_10_2004.zip), but get several errors, both with pkcs11-tool or with engine_pkcs11.dll.
The same eToken seems to work correctly in Firefox after registering eTpkcs11.dll and using a the token initialized with opensc and opensc-pkcs11.dll it work too.
Is this a known problem (I guess yes ;-/) and is someone able to provide a fast solution? (free or not ;-)
C:toolsopensc>pkcs11-tool.exe --module etpkcs11.dll --pin 123456 -O -v
Certificate Object, type = X.509 cert
label: Unlabeled
ID: 39453945373335312d333545442d343031612d384637302d3238463636393036363042303a30
Public Key Object; RSA 1024 bits
label: eTCAPI public key
ID: 39453945373335312d333545442d343031612d384637302d3238463636393036363042303a30
Usage: encrypterror: PKCS11 function C_GetAttributeValue(DECRYPT) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)
Aborting.
C:toolsopensc>openssl
OpenSSL> engine dynamic -pre SO_PATH:engine_pkcs11 -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:etpkcs11.dl
l
(dynamic) Dynamic engine loading support
[Success]: SO_PATH:engine_pkcs11
[Success]: ID:pkcs11
[Success]: LIST_ADD:1
[Success]: LOAD
[Success]: MODULE_PATH:etpkcs11.dll
Loaded: (pkcs11) pkcs11 engine
OpenSSL> engine pkcs11 -pre PIN:123456 -pre VERBOSE
(pkcs11) pkcs11 engine
[Success]: PIN:123456
[Success]: VERBOSE
OpenSSL> req -engine pkcs11 -new -key id_39453945373335312d333545442d343031612d384637302d3238463636393036363042303a30 -k
eyform engine -text -config openssl.cnf
initializing engine
engine 'pkcs11' set.
Found 2 slots
[0] AKS ifdh 0 uninitialized, login (eToken)
[1] AKS ifdh 1 no tok
Found uninitialized token;
PKCS11_get_private_key returned NULL
unable to load Private Key
2676:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:.cryptoengineeng_pkey.c:117:
error in req
With an other token initialized using opensc, on windows and using the default pkcs11 (engine+dll) everything seems to work:
C:toolsopensc>pkcs11-tool.exe --pin 123456 -O -v
Private Key Object; RSA 1024 bits
label: Private Key
ID: 45
Usage: sign
Certificate Object, type = X.509 cert
label: Certificate
ID: 45
Public Key Object; RSA 1024 bits
label: Certificate
ID: 45
Usage: encrypt, verify
C:toolsopensc>openssl
OpenSSL> engine dynamic -pre SO_PATH:engine_pkcs11 -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:opensc-pkcs11.dll
(dynamic) Dynamic engine loading support
[Success]: SO_PATH:engine_pkcs11
[Success]: ID:pkcs11
[Success]: LIST_ADD:1
[Success]: LOAD
[Success]: MODULE_PATH:opensc-pkcs11.dll
Loaded: (pkcs11) pkcs11 engine
OpenSSL> engine pkcs11 -pre PIN:123456 -pre VERBOSE
(pkcs11) pkcs11 engine
[Success]: PIN:123456
[Success]: VERBOSE
OpenSSL> req -engine pkcs11 -new -key id_45 -keyform engine -text -config openssl.cnf
initializing engine
engine 'pkcs11' set.
Found 8 slots
[0] AKS ifdh 0 login (OpenSC Card (Marc Jadoul (signin)
[1] AKS ifdh 0 (OpenSC Card)
[2] AKS ifdh 0 no pin (OpenSC Card)
[3] AKS ifdh 0 no pin (OpenSC Card)
[4] AKS ifdh 1 no tok
[5] AKS ifdh 1 no tok
[6] AKS ifdh 1 no tok
[7] AKS ifdh 1 no tok
Found slot: AKS ifdh 0
Found token: OpenSC Card (Marc Jadoul (signin
Found 1 certificate:
1 Certificate (/C=BE/L=Bruxelles/O=Certipost/OU=E-Trust/OU=NA/OU=NA/CN=Marc Jadoul (Signing))
Found 1 key:
1 P Private Key
ID = 45
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=GB, L=Test Locality, O=Organization Name, OU=Organizational Unit Name, CN=Common Name/emailAddress=te
***@email.address
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:ba:b3:b1:fb:c0:77:23:0e:62:28:6c:b9:ad:f6:
23:08:ac:7e:f6:83:3c:65:b1:a7:86:f1:74:92:51:
ba:ff:29:91:c4:3d:45:e8:a1:45:c6:a3:ec:d0:86:
79:6f:26:8a:6d:58:41:d5:56:6b:fa:5d:cf:ab:bf:
bb:8c:5b:6d:42:39:4a:40:3f:61:d2:7b:4f:63:2e:
56:b7:be:29:b0:a7:df:e7:3c:4c:3e:ee:3a:de:bb:
bd:0c:60:d8:41:fd:37:b3:f7:1e:0d:85:2f:57:bc:
22:bd:38:db:f2:1c:e9:97:b5:9f:7c:ac:f7:20:f1:
aa:8b:06:79:f9:5f:b0:72:1b
Exponent: 2593935281 (0x9a9c4fb1)
Attributes:
challengePassword :A challenge password
Signature Algorithm: md5WithRSAEncryption
ba:14:5b:d0:8e:90:af:68:cc:e3:36:98:16:ae:d9:75:df:95:
7a:f8:e4:c1:d2:f8:96:ec:15:64:2c:55:0b:c3:c2:0c:40:d5:
d6:f3:21:f7:dc:72:6e:41:9e:ae:f8:5d:17:c9:6b:92:af:bd:
ba:7e:bb:f5:42:9b:35:7a:49:f4:2b:87:92:fb:55:c8:ec:35:
2a:5f:97:91:82:c7:43:d5:0e:09:da:dc:ce:b8:d6:1c:07:e1:
54:90:71:4a:ff:e8:bb:e9:65:c5:fd:ff:62:b6:05:fb:91:64:
4a:e5:2c:28:c7:d0:49:b6:91:15:ac:0e:d3:0a:b0:27:b4:1a:
be:1a
-----BEGIN CERTIFICATE REQUEST-----
MIICBTCCAW4CAQAwgZ0xCzAJBgNVBAYTAkdCMRYwFAYDVQQHEw1UZXN0IExvY2Fs
aXR5MRowGAYDVQQKExFPcmdhbml6YXRpb24gTmFtZTEhMB8GA1UECxMYT3JnYW5p
emF0aW9uYWwgVW5pdCBOYW1lMRQwEgYDVQQDEwtDb21tb24gTmFtZTEhMB8GCSqG
SIb3DQEJARYSdGVzdEBlbWFpbC5hZGRyZXNzMIGhMA0GCSqGSIb3DQEBAQUAA4GP
ADCBiwKBgQC6s7H7wHcjDmIobLmt9iMIrH72gzxlsaeG8XSSUbr/KZHEPUXooUXG
o+zQhnlvJoptWEHVVmv6Xc+rv7uMW21COUpAP2HSe09jLla3vimwp9/nPEw+7jre
u70MYNhB/Tez9x4NhS9XvCK9ONvyHOmXtZ98rPcg8aqLBnn5X7ByGwIFAJqcT7Gg
JTAjBgkqhkiG9w0BCQcxFhMUQSBjaGFsbGVuZ2UgcGFzc3dvcmQwDQYJKoZIhvcN
AQEEBQADgYEAuhRb0I6Qr2jM4zaYFq7Zdd+VevjkwdL4luwVZCxVC8PCDEDV1vMh
99xybkGervhdF8lrkq+9un679UKbNXpJ9CuHkvtVyOw1Kl+XkYLHQ9UOCdrczrjW
HAfhVJBxSv/ou+llxf3/YrYF+5FkSuUsKMfQSbaRFawO0wqwJ7Qavho=
-----END CERTIFICATE REQUEST-----
First: I am a brand new user of opensc, and English is not my native language .
I have been trying to use etoken PRO with openssl on Linux and Windows.
The Linux implementation using the openssl+engine_opensc.so seems to work for me, knowing that I initialize the token using opensc.
But we are shipping these token to clients that use it in windows. These token have been initialized using Official PKCS11 from Alladin (eTpkcs11.dll), wich does not seems to play well with opensc.
I did try to use the etpkcs11.dll of Alladin with the statically linked version of opensc on windows (win32bin_stat_18_10_2004.zip), but get several errors, both with pkcs11-tool or with engine_pkcs11.dll.
The same eToken seems to work correctly in Firefox after registering eTpkcs11.dll and using a the token initialized with opensc and opensc-pkcs11.dll it work too.
Is this a known problem (I guess yes ;-/) and is someone able to provide a fast solution? (free or not ;-)
C:toolsopensc>pkcs11-tool.exe --module etpkcs11.dll --pin 123456 -O -v
Certificate Object, type = X.509 cert
label: Unlabeled
ID: 39453945373335312d333545442d343031612d384637302d3238463636393036363042303a30
Public Key Object; RSA 1024 bits
label: eTCAPI public key
ID: 39453945373335312d333545442d343031612d384637302d3238463636393036363042303a30
Usage: encrypterror: PKCS11 function C_GetAttributeValue(DECRYPT) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)
Aborting.
C:toolsopensc>openssl
OpenSSL> engine dynamic -pre SO_PATH:engine_pkcs11 -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:etpkcs11.dl
l
(dynamic) Dynamic engine loading support
[Success]: SO_PATH:engine_pkcs11
[Success]: ID:pkcs11
[Success]: LIST_ADD:1
[Success]: LOAD
[Success]: MODULE_PATH:etpkcs11.dll
Loaded: (pkcs11) pkcs11 engine
OpenSSL> engine pkcs11 -pre PIN:123456 -pre VERBOSE
(pkcs11) pkcs11 engine
[Success]: PIN:123456
[Success]: VERBOSE
OpenSSL> req -engine pkcs11 -new -key id_39453945373335312d333545442d343031612d384637302d3238463636393036363042303a30 -k
eyform engine -text -config openssl.cnf
initializing engine
engine 'pkcs11' set.
Found 2 slots
[0] AKS ifdh 0 uninitialized, login (eToken)
[1] AKS ifdh 1 no tok
Found uninitialized token;
PKCS11_get_private_key returned NULL
unable to load Private Key
2676:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:.cryptoengineeng_pkey.c:117:
error in req
With an other token initialized using opensc, on windows and using the default pkcs11 (engine+dll) everything seems to work:
C:toolsopensc>pkcs11-tool.exe --pin 123456 -O -v
Private Key Object; RSA 1024 bits
label: Private Key
ID: 45
Usage: sign
Certificate Object, type = X.509 cert
label: Certificate
ID: 45
Public Key Object; RSA 1024 bits
label: Certificate
ID: 45
Usage: encrypt, verify
C:toolsopensc>openssl
OpenSSL> engine dynamic -pre SO_PATH:engine_pkcs11 -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:opensc-pkcs11.dll
(dynamic) Dynamic engine loading support
[Success]: SO_PATH:engine_pkcs11
[Success]: ID:pkcs11
[Success]: LIST_ADD:1
[Success]: LOAD
[Success]: MODULE_PATH:opensc-pkcs11.dll
Loaded: (pkcs11) pkcs11 engine
OpenSSL> engine pkcs11 -pre PIN:123456 -pre VERBOSE
(pkcs11) pkcs11 engine
[Success]: PIN:123456
[Success]: VERBOSE
OpenSSL> req -engine pkcs11 -new -key id_45 -keyform engine -text -config openssl.cnf
initializing engine
engine 'pkcs11' set.
Found 8 slots
[0] AKS ifdh 0 login (OpenSC Card (Marc Jadoul (signin)
[1] AKS ifdh 0 (OpenSC Card)
[2] AKS ifdh 0 no pin (OpenSC Card)
[3] AKS ifdh 0 no pin (OpenSC Card)
[4] AKS ifdh 1 no tok
[5] AKS ifdh 1 no tok
[6] AKS ifdh 1 no tok
[7] AKS ifdh 1 no tok
Found slot: AKS ifdh 0
Found token: OpenSC Card (Marc Jadoul (signin
Found 1 certificate:
1 Certificate (/C=BE/L=Bruxelles/O=Certipost/OU=E-Trust/OU=NA/OU=NA/CN=Marc Jadoul (Signing))
Found 1 key:
1 P Private Key
ID = 45
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=GB, L=Test Locality, O=Organization Name, OU=Organizational Unit Name, CN=Common Name/emailAddress=te
***@email.address
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:ba:b3:b1:fb:c0:77:23:0e:62:28:6c:b9:ad:f6:
23:08:ac:7e:f6:83:3c:65:b1:a7:86:f1:74:92:51:
ba:ff:29:91:c4:3d:45:e8:a1:45:c6:a3:ec:d0:86:
79:6f:26:8a:6d:58:41:d5:56:6b:fa:5d:cf:ab:bf:
bb:8c:5b:6d:42:39:4a:40:3f:61:d2:7b:4f:63:2e:
56:b7:be:29:b0:a7:df:e7:3c:4c:3e:ee:3a:de:bb:
bd:0c:60:d8:41:fd:37:b3:f7:1e:0d:85:2f:57:bc:
22:bd:38:db:f2:1c:e9:97:b5:9f:7c:ac:f7:20:f1:
aa:8b:06:79:f9:5f:b0:72:1b
Exponent: 2593935281 (0x9a9c4fb1)
Attributes:
challengePassword :A challenge password
Signature Algorithm: md5WithRSAEncryption
ba:14:5b:d0:8e:90:af:68:cc:e3:36:98:16:ae:d9:75:df:95:
7a:f8:e4:c1:d2:f8:96:ec:15:64:2c:55:0b:c3:c2:0c:40:d5:
d6:f3:21:f7:dc:72:6e:41:9e:ae:f8:5d:17:c9:6b:92:af:bd:
ba:7e:bb:f5:42:9b:35:7a:49:f4:2b:87:92:fb:55:c8:ec:35:
2a:5f:97:91:82:c7:43:d5:0e:09:da:dc:ce:b8:d6:1c:07:e1:
54:90:71:4a:ff:e8:bb:e9:65:c5:fd:ff:62:b6:05:fb:91:64:
4a:e5:2c:28:c7:d0:49:b6:91:15:ac:0e:d3:0a:b0:27:b4:1a:
be:1a
-----BEGIN CERTIFICATE REQUEST-----
MIICBTCCAW4CAQAwgZ0xCzAJBgNVBAYTAkdCMRYwFAYDVQQHEw1UZXN0IExvY2Fs
aXR5MRowGAYDVQQKExFPcmdhbml6YXRpb24gTmFtZTEhMB8GA1UECxMYT3JnYW5p
emF0aW9uYWwgVW5pdCBOYW1lMRQwEgYDVQQDEwtDb21tb24gTmFtZTEhMB8GCSqG
SIb3DQEJARYSdGVzdEBlbWFpbC5hZGRyZXNzMIGhMA0GCSqGSIb3DQEBAQUAA4GP
ADCBiwKBgQC6s7H7wHcjDmIobLmt9iMIrH72gzxlsaeG8XSSUbr/KZHEPUXooUXG
o+zQhnlvJoptWEHVVmv6Xc+rv7uMW21COUpAP2HSe09jLla3vimwp9/nPEw+7jre
u70MYNhB/Tez9x4NhS9XvCK9ONvyHOmXtZ98rPcg8aqLBnn5X7ByGwIFAJqcT7Gg
JTAjBgkqhkiG9w0BCQcxFhMUQSBjaGFsbGVuZ2UgcGFzc3dvcmQwDQYJKoZIhvcN
AQEEBQADgYEAuhRb0I6Qr2jM4zaYFq7Zdd+VevjkwdL4luwVZCxVC8PCDEDV1vMh
99xybkGervhdF8lrkq+9un679UKbNXpJ9CuHkvtVyOw1Kl+XkYLHQ9UOCdrczrjW
HAfhVJBxSv/ou+llxf3/YrYF+5FkSuUsKMfQSbaRFawO0wqwJ7Qavho=
-----END CERTIFICATE REQUEST-----
Openssl Pkcs11 Example
Pkcs11 Windows 10
The PKCS#11 engine uses the keystore for the slot chosen for public key operations, which is metaslot on a standard configured machine. Currently, the PKCS#11 engine ignores the objecttype keyword. The only mandatory keyword is object which is the key object label. OpenSSL does not support PKCS #11 natively. To utilize HSMs, you have to install the openssl-pkcs11 package, which provides access to PKCS #11 modules through the engine interface. You can use a PKCS #11 URI instead of a regular file name to specify a server key and a certificate in the /etc/httpd/conf.d/ssl.conf configuration file, for example.