Engine issue with LUNA CA3 HSM


Engine issue with LUNA CA3 HSM

testpgp@aql.fr
Hi,

I'm trying to sign a CSR with a private key stored on a Luna CA3 token.
For this I use two versions of OpenSSL:

- The first one is provided by SafeNet: openssl-lunaca3-0.9.6-5.i386.rpm
- The second one is built from OpenSSL 0.9.7b with the patch openssl-lunaca3-patch-0.9.7.tar

The token is placed on slot 1, then
- initialized with a 1024-bit RSA private key; command = ca3util -g 1024 -f server.key -s 1 -i 4:2
- activated with the enabler command:

As you can see, the RSA key is present :

# pkcs11-tool --module /usr/luna/lib/libcrystoki2.so -O
Public Key Object; RSA 1024 bits
  label:      RSA 1024-bit Public Key
  Usage:      encrypt, verify
Private Key Object; RSA
  label:      RSA 1024-bit Private Key
  ID:         6964
  Usage:      decrypt, sign

The token is activated :

# enabler
==============================================================================
Slot  1: token present.                                  Application ACTIVATED
       token type : Luna CA3      
            label : test                
    serial number : 35085          
    open sessions : 4
------------------------------------------------------------------------------

The HSM is configured as below :

#more /etc/Chrystoki.conf
Chrystoki2 = {
   LibUNIX=/usr/lib/libcrystoki2.so;
}
CardReader = {
  RemoteCommand=1;
}
Luna = {
  DefaultTimeOut=500000;
  PEDTimeout1=100000;
  PEDTimeout2=100000;
}
Misc = {
AppIdMajor=4;
AppIdMinor=2;
LogFile = /var/log/lunaca3.log;
}
EngineLunaCA3= {
  EngineInit = 1:4:2;
  LibPath = /usr/luna/lib/libcrystoki2.so;
}

Each time I try to load a key from the token, an error occurs whatever
the version of OpenSSL:

/usr/local/ssl/bin/openssl req -engine LunaCA3 -keyform engine -text -key "RSA 1024-bit Private Key:1" -out cr.pem
Using configuration from /usr/local/ssl/openssl.cnf
engine "LunaCA3" set.
unable to load Private key
9510:error:2609607D:engine routines:ENGINE_load_private_key:no load function:engine_lib.c:239:

I notice the same issue when I change the content of the -key option
with : 6964, 6964:1... I tried all sorts of strings without success.

Has anyone been able to sign or decrypt files with OpenSSL and a
SafeNet Luna CA3 HSM? Is there another way to perform those operations
without OpenSSL? It seems possible with the command pkcs11-tool (from the
OpenSC project) but I can't make it work.

Thanks in advance for your help,
Regards,
Yo.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: Engine issue with LUNA CA3 HSM

Dr. Stephen Henson
On Fri, Jan 20, 2006, [hidden email] wrote:

>
> Each time I try to load a key from the token, an error occurs whatever
> the version of OpenSSL :
>
> /usr/local/ssl/bin/openssl req -engine LunaCA3 -keyform engine -text
> -key "RSA 1024-bit Private Key:1" -out cr.pem
> Using configuration from /usr/local/ssl/openssl.cnf
> engine "LunaCA3" set.
> unable to load Private key
> 9510:error:2609607D:engine routines:ENGINE_load_private_key:no load
> function:engine_lib.c:239:
>
> I notice the same issue when I change the content of the -key option
> with : 6964, 6964:1... I tried all sorts of strings without success.
>
> Has anyone been able to sign or decrypt files with OpenSSL and a
> SafeNet Luna CA3 HSM? Is there another way to perform those operations
> without OpenSSL? It seems possible with the command pkcs11-tool (from the
> OpenSC project) but I can't make it work.
>

The cause of that is that the ENGINE doesn't implement the necessary
functionality to load a private key from the HSM. No matter what string you
try you'll still get that error.

So the cause is an issue with the third party ENGINE and not OpenSSL.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
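Steve's diagnosis can be confirmed from the error line alone: OpenSSL 0.9.x packs the library, function and reason numbers into the hex code, so 2609607D decodes to the ENGINE library, ENGINE_load_private_key and "no load function" regardless of the key string passed. The decoder below is an added example, not code from this thread; the symbolic names are the ones OpenSSL's engine.h assigns to those numbers, and the sample input is the thread's two error lines re-joined onto one line each.

```python
import re

# OpenSSL 0.9.x/1.0.x packs an error code as (lib << 24) | (func << 12) | reason.
ERR_LIB_ENGINE = 38            # 0x26, printed as "engine routines"
# Symbolic names for the numbers that appear in this thread (from OpenSSL engine.h).
ENGINE_FUNC_NAMES = {150: "ENGINE_F_ENGINE_LOAD_PRIVATE_KEY"}
ENGINE_REASON_NAMES = {125: "ENGINE_R_NO_LOAD_FUNCTION"}

# ERR_print_errors() layout: pid:error:<hex code>:<lib>:<func>:<reason>:<file>:<line>:<data>
ERR_LINE = re.compile(
    r"^(?P<pid>\d+):error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):"
    r"(?P<func>[^:]*):(?P<reason>[^:]*):(?P<file>[^:]*):(?P<line>\d+):"
)

def unpack_err_code(code):
    """Split a packed 32-bit OpenSSL error code into (lib, func, reason)."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def parse_openssl_error(line):
    """Parse one stderr line from the openssl command into its components."""
    m = ERR_LINE.match(line.strip())
    if m is None:
        raise ValueError("not an OpenSSL error line: %r" % line)
    lib, func, reason = unpack_err_code(int(m["code"], 16))
    return {
        "pid": int(m["pid"]), "lib": lib, "func": func, "reason": reason,
        "func_name": ENGINE_FUNC_NAMES.get(func, "?"),
        "reason_name": ENGINE_REASON_NAMES.get(reason, "?"),
        "lib_text": m["lib"], "func_text": m["func"], "reason_text": m["reason"],
        "file": m["file"], "line": int(m["line"]),
    }

def engine_lacks_load_privkey(line):
    """True when the ENGINE registered no load_privkey callback: no -key string
    can succeed, so the engine itself must be fixed or bypassed."""
    e = parse_openssl_error(line)
    return e["lib"] == ERR_LIB_ENGINE and e["reason"] == 125

# Constructed sample: the two error lines quoted in this thread, re-joined.
SAMPLE_ERRORS = [
    "9510:error:2609607D:engine routines:ENGINE_load_private_key:no load function:engine_lib.c:239:",
    "13224:error:2609607D:engine routines:ENGINE_load_private_key:no load function:eng_pkey.c:109:",
]

if __name__ == "__main__":
    for raw in SAMPLE_ERRORS:
        e = parse_openssl_error(raw)
        print("%s:%d lib=%d func=%d(%s) reason=%d(%s) engine lacks load_privkey: %s"
              % (e["file"], e["line"], e["lib"], e["func"], e["func_name"],
                 e["reason"], e["reason_name"], engine_lacks_load_privkey(raw)))
```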

RE: Engine issue with LUNA CA3 HSM

David C. Partridge
Why would you want the private key to leave the token in clear anyway?

If you need to perform RSA private key ops, then ask the device to
sign/decrypt for you.

The CA3 FWIW will not even let you wrap a private key off under another key
as this HSM is intended for use as a CA's HSM.

If you need to backup the keys - there are other ways to do that using their
utilities (AFAIK).

Dave



Re: Engine issue with LUNA CA3 HSM

Dr. Stephen Henson
On Fri, Jan 20, 2006, David C. Partridge wrote:

> If you need to perform RSA private key ops, then ask the device to
> sign/decrypt for you.
>

That's what the commands he's been trying should do and which have been
failing...

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk

Re: Engine issue with LUNA CA3 HSM

Adam Tresch
[hidden email] wrote:

> Hi,
>
> I'm trying to sign a CSR with a private key stored on a Luna CA3
> token. I use for this 2 versions of OpenSSL :
>
> - The first one is provided by SafeNet : openssl-lunaca3-0.9.6-5.i386.rpm
> - The second one is constructed from OpenSSL 0.9.7b with the patch  
> openssl-lunaca3-patch-0.9.7.tar
>
> The token is placed on slot 1, then
> - initialized with a 1024bit RSA private key ; command = ca3util -g
> 1024 -f server.key -s 1 -i 4:2
> - activated with the enabler command :
>
Hi Yo,

here is the sample from Chrysalis, how to create a cert:

# open application id 10:11 on slot 1, PED entry will be required (the app id must match your settings in Chrystoki.conf)
ca3util -o -s 1 -i 10:11
# generate a 1024-bit RSA key on slot 1 logged in on app id 10:11 and write the key handles to server.key
ca3util -s 1 -i 10:11 -g 1024 -f server.key
# generate a certificate signing request using the token in slot 1 logged in as app id 10:11
openssl req -engine LunaCA3 -enginearg 1:10:11 -new -key server.key -out user.csr
# close an app id logged in to the token in slot 1 with id 10:11
ca3util -c -s 1 -i 10:11


After this, you can sign certs with the following command:

openssl ca -engine LunaCA3 -config openssl.cnf -cert CA.crt -keyfile CA.key -in user.csr -out out -batch


Hope this helps,

Adam


Re: Engine issue with LUNA CA3 HSM

Adam Tresch
Yo,

[hidden email] wrote:

> Hi Adam,
>
> Thanks for your answer on the OpenSSL mailing list. Firstly, I'm sorry
> for contacting you with your personal email address. Currently I can't
> join the OpenSSL mailing list (my company has problems with its
> reverse DNS zone).
>
> > openssl req -engine LunaCA3 -enginearg 1:10:11 -new -key server.key
> -out user.csr
> The option "enginearg" is not recognized with OpenSSL 0.9.7b. Which
> version are you using ?

The enginearg is a typo, forget it, it is set in the Chrystoki.conf, you
remember the engine stuff from there ...

> The following command works, but you are passing the CA private key on
> argument . It would also have succeeded without the engine option.
> #openssl req -engine LunaCA3 -new -key server.key -out user.csr
>
The Chrysalis stuff creates a private key file, which is not a true
private key file; instead it points to the internal key, so if you want to
sign some stuff, then the private key file must be the key file stated
before.

To be able to sign a cert the following command is useful:

openssl ca -engine LunaCA3 -config openssl.cnf -cert CA.crt -keyfile CA.key -in user.csr -out out -batch



> What I'd like to do is :
> 1) generating user private key
> #openssl genrsa -out user.key
> 3) generating user CSR signed with his private key
> #openssl req -engine LunaCA3 -new -key user.key -out user.csr

The above statement does not use the Luna, because the generated key
is on the filesystem.

> 4) sign the user CSR with the CA private key
> #openssl ca -engine LunaCA3 -keyform engine -in user.csr

The -keyform option is not necessary; instead use the -key parameter and point
it at the special key file.

So, if you previously created the root key and cert in the LunaCA3 with
the files named CA.key and CA.crt, then the following would be good:

openssl ca -engine LunaCA3 -config openssl.cnf -cert CA.crt -keyfile CA.key -in user.csr -out out -batch

>
> The last command produces the messages :
> engine "LunaCA3" set.
> Using configuration from /usr/local/ssl/openssl.cnf
> unable to load CA private key
> 13224:error:2609607D:engine routines:ENGINE_load_private_key:no load
> function:eng_pkey.c:109:
>
> Always the same issue. Any ideas ?
> Thanks,
> Yo
>

Adam