Error in X509_check_private_key when using pkcs11 engine (OpenSSL 1.0.2j)
I'm trying to make OpenSSL (v. 1.0.2j) get a client certificate/private
key from a virtual PKCS#11 device, namely SoftHSM. I've imported a
certificate and private key into SoftHSM, configured openssl as
follows and run
After some more debugging I've learned that X509_check_private_key()
fails because EVP_PKEY_cmp() fails, which in turn fails because
eckey_pub_cmp() fails (yes, I use an EC key), which fails because "pb",
the return value of EC_KEY_get0_public_key() on the second parameter, is
NULL. It also looks like both compared keys have 'engine' set to NULL.
I'm not quite confident about what's going on here, so I would be
grateful for any help from someone who is more closely familiar with OpenSSL.
Re: Error in X509_check_private_key when using pkcs11 engine (OpenSSL 1.0.2j)
On 09/16/2017 12:18 AM, Dr. Stephen Henson wrote:
> On Fri, Sep 15, 2017, Anton Gerasimov wrote:
>> So it turns out load_privkey() function of engine_pkcs11.so sets pub_key
>> in the returned 'struct ec_key_st' to NULL. Is it a failure inside
> Well sort of. OpenSSL requires that public key components are set for private
> keys (except for a legacy RSA case).
OK, thank you. It turns out I've just used the wrong command to import a
key into SoftHSM, namely 'pkcs11-tool -w' instead of 'softhsm2-tool
--import', so libp11 could only find the private key.
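The check that X509_check_private_key() performs, as an added example done with the openssl command line rather than code from the thread: it confirms that a certificate matches the private key served with it, and shows why a key that arrives without its public half has nothing to compare. It assumes `openssl` 1.1.0 or later on PATH (the thread's 1.0.2j lacks `ec -no_public`) and constructs all key material itself.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes the `openssl` CLI
# (1.1.0 or later, for `ec -no_public`) is on PATH. All key material
# below is constructed on the fly; nothing is read from a token.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Equivalent of X509_check_private_key(): compare the certificate's
# SubjectPublicKeyInfo with the public half derived from the private key.
# Returns 0 on match, 1 on mismatch (or if no public half is available).
cert_key_match() {
    cert_pub=$(openssl x509 -in "$1" -pubkey -noout) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Constructed material: an EC (P-256) key, a self-signed cert for it,
# and an unrelated second key.
openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/key.pem"
openssl req -x509 -new -key "$WORK/key.pem" -subj /CN=softhsm-test \
    -days 1 -out "$WORK/cert.pem" 2>/dev/null
openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/other.pem"

# The same key written without its public component, i.e. the shape of
# the engine-loaded key in the thread (pub_key == NULL). A file load
# recomputes Q = d*G from the private scalar, so this one still matches;
# an engine that hands back only the scalar leaves nothing to compare.
openssl ec -in "$WORK/key.pem" -no_public -out "$WORK/key_nopub.pem" 2>/dev/null

for k in key key_nopub other; do
    if cert_key_match "$WORK/cert.pem" "$WORK/$k.pem"; then
        echo "$k.pem: matches cert.pem"
    else
        echo "$k.pem: does NOT match cert.pem"
    fi
done
```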