Hi,
I can’t use ECC-based keys from an HSM module in the OpenSSL pkcs11 engine.
First, I successfully generated RSA and ECC keypairs using pkcs11-tool (RSA with id 1001, ECC with id 1002):
root@test1:~# pkcs11-tool --module opensc-pkcs11.so --keypairgen --key-type rsa:2048 --label rsakey --id 1001 --login
Using slot 1 with a present token (0x1)
Logging in to "SmartCard-HSM (UserPIN)".
Please enter User PIN:
Key pair generated:
Private Key Object; RSA
label: rsakey
ID: 1001
Usage: decrypt, sign, unwrap
Public Key Object; RSA 2048 bits
label: rsakey
ID: 1001
Usage: encrypt, verify, wrap
root@test1:~# pkcs11-tool --module opensc-pkcs11.so --keypairgen --key-type EC:prime256v1 --label ecckey --id 1002 --login
Using slot 1 with a present token (0x1)
Logging in to "SmartCard-HSM (UserPIN)".
Please enter User PIN:
Key pair generated:
Private Key Object; EC
label: ecckey
ID: 1002
Usage: decrypt, sign, unwrap
Public Key Object; EC EC_POINT 256 bits
EC_POINT: 04410412f5f6a440a7611071ef351a75dd9da64c2d97c72f298f8b15e4aef99f2e22722da9b591508b941736a796663ead033f78511c9a5290581b55579cb729f27cd3
EC_PARAMS: 06082a8648ce3d030107
label: ecckey
ID: 1002
Usage: encrypt, verify, wrap
I can generate an x509 certificate using the RSA key (id 1001):
root@test1:~# openssl
OpenSSL> engine -t dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so
(dynamic) Dynamic engine loading support
[Success]: SO_PATH:/usr/lib/engines/engine_pkcs11.so
[Success]: ID:pkcs11
[Success]: LIST_ADD:1
[Success]: LOAD
[Success]: MODULE_PATH:/usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so
Loaded: (pkcs11) pkcs11 engine
available ]
OpenSSL>
OpenSSL> req -new -x509 -days 365 -keyform engine -engine pkcs11 -key 1:1001 -out rsacert.pem
engine "pkcs11" set.
PKCS#11 token PIN:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
(...)
But I can’t generate an x509 certificate using the ECC key (id 1002). The OpenSSL pkcs11 engine can’t see ECC keys:
root@test1:~# openssl
OpenSSL> engine -t dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so
(dynamic) Dynamic engine loading support
[Success]: SO_PATH:/usr/lib/engines/engine_pkcs11.so
[Success]: ID:pkcs11
[Success]: LIST_ADD:1
[Success]: LOAD
[Success]: MODULE_PATH:/usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so
Loaded: (pkcs11) pkcs11 engine
available ]
OpenSSL>
OpenSSL> req -new -x509 -days 365 -keyform engine -engine pkcs11 -key 1:1002 -out ecccert.pem
engine "pkcs11" set.
PKCS#11 token PIN:
key not found.
PKCS11_get_private_key returned NULL
cannot load Private Key from engine
140628540683920:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:eng_pkey.c:126:
unable to load Private Key
error in req
OpenSSL>
System: Debian 8.2.
Package versions:
openssl: 1.0.1k-3+deb8u1
opensc: 0.14.0-2
libengine-pkcs11-openssl: 0.1.8-4
Please help.
Thanks,
Pawel
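As an added example (not part of Pawel's message, nor code from OpenSC or engine_pkcs11), the Python below decodes the EC public key object that pkcs11-tool printed above: it strips the DER OCTET STRING around EC_POINT, maps the EC_PARAMS OID to its curve name and checks that the point really lies on P-256. The sample block is constructed from the output in the post and the function names are my own; this only validates the public half the token reports, a sanity check worth doing before chasing the engine-side "key not found" error.

```python
import re

# P-256 (prime256v1): y^2 = x^3 - 3x + b (mod p)
P256 = {
    "p": 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff,
    "b": 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b,
}
# DER-encoded OID 1.2.840.10045.3.1.7, the form pkcs11-tool prints as EC_PARAMS
CURVES = {"06082a8648ce3d030107": ("prime256v1", P256)}

# Constructed sample: the public key object block from the pkcs11-tool output above
SAMPLE = """\
Public Key Object; EC EC_POINT 256 bits
EC_POINT: 04410412f5f6a440a7611071ef351a75dd9da64c2d97c72f298f8b15e4aef99f2e22722da9b591508b941736a796663ead033f78511c9a5290581b55579cb729f27cd3
EC_PARAMS: 06082a8648ce3d030107
label: ecckey
ID: 1002
"""

def parse_pkcs11_ec_pubkey(text):
    """Extract EC_POINT, EC_PARAMS and ID from one pkcs11-tool object block."""
    fields = dict(re.findall(r"^\s*(EC_POINT|EC_PARAMS|ID):\s*(\S+)\s*$", text, re.M))
    der = bytes.fromhex(fields["EC_POINT"])
    # CKA_EC_POINT is a DER OCTET STRING (tag 0x04, short-form length) around 0x04 || X || Y
    if len(der) < 2 or der[0] != 0x04 or der[1] != len(der) - 2:
        raise ValueError("EC_POINT is not a short-form DER OCTET STRING")
    sec1 = der[2:]
    if sec1[0] != 0x04 or len(sec1) % 2 != 1:
        raise ValueError("expected an uncompressed SEC1 point")
    n = (len(sec1) - 1) // 2
    x = int.from_bytes(sec1[1:1 + n], "big")
    y = int.from_bytes(sec1[1 + n:], "big")
    name, curve = CURVES.get(fields["EC_PARAMS"].lower(), ("unknown", None))
    return {"id": fields["ID"], "curve": name, "x": x, "y": y, "params": curve}

def on_curve(x, y, curve):
    """True if (x, y) is reduced mod p and satisfies y^2 = x^3 - 3x + b over GF(p)."""
    p = curve["p"]
    return 0 <= x < p and 0 <= y < p and (y * y - (x * x * x - 3 * x + curve["b"])) % p == 0

def check_key(text):
    """Parse the object block and report whether the public point is valid on its curve."""
    key = parse_pkcs11_ec_pubkey(text)
    key["valid"] = key["params"] is not None and on_curve(key["x"], key["y"], key["params"])
    return key

if __name__ == "__main__":
    k = check_key(SAMPLE)
    print(f"id={k['id']} curve={k['curve']} on_curve={k['valid']}")
```

Feed it one object block at a time (the public key section), since the ID line is repeated for the private key object.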