Softhsm + engine_pkcs11 + openssl with EC keys fail.

Softhsm + engine_pkcs11 + openssl with EC keys fail.

OpenSSL - User mailing list

I have softhsm-v2.5.0-rc1 which has EC keys imported into it. Now, when I try to use these keys from the openssl CLI using the pkcs11 engine, it fails.

1. SoftHSM version

[]:~$ softhsm2-util --version
2.5.0rc1

2. SoftHSM token init

[]:~$ softhsm2-util --init-token --slot 0 --label "token 2.5.0-rc1"
=== SO PIN (4-255 characters) ===
Please enter SO PIN: ****
Please reenter SO PIN: ****
=== User PIN (4-255 characters) ===
Please enter user PIN: ****
Please reenter user PIN: ****
The token has been initialized and is reassigned to slot 928024111

3. ECC key in pkcs8 format

[]:~$ openssl pkey -in ~/tmp/secp256k1-key.pem.pkcs8 -text
-----BEGIN PRIVATE KEY-----
MIGEAgEAMBAGByqGSM49AgEGBSuBBAAKBG0wawIBAQQgYCXpIJyEAexhkvrCMGlF
A4sQItcIp6wm83WVoeOFzEyhRANCAATMfAkLtsynHRmRyYLn+uRpJUm6bOZJBQhK
N81nJv06fN6MY0nEzWG9jJsvSNlf5jW7yecbje2wWQL/JYqviFwr
-----END PRIVATE KEY-----
Private-Key: (256 bit)
priv:
    60:25:e9:20:9c:84:01:ec:61:92:fa:c2:30:69:45:
    03:8b:10:22:d7:08:a7:ac:26:f3:75:95:a1:e3:85:
    cc:4c
pub:
    04:cc:7c:09:0b:b6:cc:a7:1d:19:91:c9:82:e7:fa:
    e4:69:25:49:ba:6c:e6:49:05:08:4a:37:cd:67:26:
    fd:3a:7c:de:8c:63:49:c4:cd:61:bd:8c:9b:2f:48:
    d9:5f:e6:35:bb:c9:e7:1b:8d:ed:b0:59:02:ff:25:
    8a:af:88:5c:2b
ASN1 OID: secp256k1

4. Import the key into softhsm

[]:~$ softhsm2-util --import ~/tmp/secp256k1-key.pem.pkcs8 --label "ec key" --id 1111 --token "token 2.5.0-rc1"
Found slot 928024111 with matching token label.
=== User PIN (4-255 characters) ===
Please enter user PIN: ****
Please reenter user PIN: ****
The key pair has been imported.

5. Get the pkcs11 url for the private key

[]:~$ p11tool --login --provider=/usr/local/lib/softhsm/libsofthsm2.so --set-pin=1111 --list-all
Object 0:
    URL: pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=6a160d52b750862f;token=token%202.5.0-rc1;id=%11%11;object=ec%20key;type=private
    Type: Private key
    Label: ec key
    Flags: CKA_PRIVATE; CKA_SENSITIVE;
    ID: 11:11

Object 1:
    URL: pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=6a160d52b750862f;token=token%202.5.0-rc1;id=%11%11;object=ec%20key;type=public
    Type: Public key
    Label: ec key
    ID: 11:11

6. Try to access the key with the openssl engine.

[]:~$ openssl version
OpenSSL 1.1.1  11 Sep 2018

[]:~$ more ~/tmp/openssl.cnf
openssl_conf = openssl_init

[openssl_init]
engines=engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = /Users/parashah/Downloads/libp11-0.4.9/src/.libs/pkcs11.dylib
MODULE_PATH = /usr/local/lib/softhsm/libsofthsm2.so
init = 0

[]:~$ openssl pkey -in "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=6a160d52b750862f;token=token%202.5.0-rc1;id=%11%11;object=ec%20key;type=private" -inform ENGINE -engine pkcs11 -text
engine "pkcs11" set.
Enter PKCS#11 token PIN for token 2.5.0-rc1:
140736065815424:error:100C0010:elliptic curve routines:i2d_ECPrivateKey:EC lib:crypto/ec/ec_asn1.c:995:
140736065815424:error:100D6010:elliptic curve routines:eckey_priv_encode:EC lib:crypto/ec/ec_ameth.c:242:
140736065815424:error:06071092:digital envelope routines:EVP_PKEY2PKCS8:private key encode error:crypto/evp/evp_pkey.c:72:
140736065815424:error:0907E073:PEM routines:do_pk8pkey:error converting private key:crypto/pem/pem_pk8.c:73:
====

Please let me know if I am missing anything. Note that the same operations work fine on an RSA key.

--
Paras


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: Softhsm + engine_pkcs11 + openssl with EC keys fail.

Richard Levitte - VMS Whacker-2
In message <[hidden email]> on Mon, 17 Sep 2018 20:59:59 +0000, "Paras Shah (parashah)" <[hidden email]> said:

> 4. Import the key into softhsm
>
> []:~$ softhsm2-util --import ~/tmp/secp256k1-key.pem.pkcs8 --label "ec key" --id 1111 --token
> "token 2.5.0-rc1"

Ok, so here, the ID is "1111"

> 5. Get the pkcs11 url for the private key
>
> []:~$ p11tool --login --provider=/usr/local/lib/softhsm/libsofthsm2.so --set-pin=1111 --list-all
>
> Object 0:
>
> URL:
> pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=6a160d52b750862f;token=token%202.5.0-rc1;id=%11%11;object=ec%20key;type=private

But here, the ID is "%11%11", and since those get percent decoded,
that's actually two vertical tabs, or with C vector syntax,
{ 0x0b, 0x0b }

I'm not sure what engine-pkcs11 asks of you otherwise, but one guess
could be to change 'id=%11%11' to 'id=1111' in that URL and try again.

Cheers,
Richard

--
Richard Levitte         [hidden email]
OpenSSL Project         http://www.openssl.org/~levitte/
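Added example (not code from the thread or from libp11) for the ID check in Richard's reply: it percent-decodes the id attribute of a pkcs11: URI per RFC 7512 and compares it with the CKA_ID bytes that `softhsm2-util --id 1111` stored, showing that `id=%11%11` decodes to the same two bytes 0x11 0x11 that p11tool printed as `ID: 11:11`, whereas a literal `id=1111` is the four ASCII bytes 0x31 0x31 0x31 0x31. The function names and the minimal URI parser are assumptions for illustration, not libp11's API.

```c
#include <stdio.h>
#include <string.h>
#define MAX_ID 64   /* CKA_ID buffer size; plenty for hand-assigned IDs */

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    c |= 0x20;                                  /* fold A-F to a-f */
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Hex string given to softhsm2-util --id ("1111") -> the raw CKA_ID bytes the
 * token stores ({0x11, 0x11}). Returns byte count, or -1 for odd/non-hex input. */
int softhsm_id_to_bytes(const char *hex, unsigned char *out, size_t outcap) {
    size_t n = strlen(hex);
    if (n == 0 || n % 2 != 0 || n / 2 > outcap) return -1;
    for (size_t i = 0; i < n; i += 2) {
        int hi = hexval(hex[i]), lo = hexval(hex[i + 1]);
        if (hi < 0 || lo < 0) return -1;
        out[i / 2] = (unsigned char)((hi << 4) | lo);
    }
    return (int)(n / 2);
}

/* Percent-decode [s, e) per RFC 7512: "%XX" is one raw byte, anything else is
 * literal. Returns byte count, or -1 on a truncated or non-hex escape. */
static int percent_decode(const char *s, const char *e, unsigned char *out, size_t outcap) {
    size_t n = 0;
    while (s < e) {
        if (n >= outcap) return -1;
        if (*s == '%') {
            int hi, lo;
            if (e - s < 3 || (hi = hexval(s[1])) < 0 || (lo = hexval(s[2])) < 0) return -1;
            out[n++] = (unsigned char)((hi << 4) | lo);
            s += 3;
        } else {
            out[n++] = (unsigned char)*s++;
        }
    }
    return (int)n;
}

/* Decode the "id" path attribute of a pkcs11: URI (';'-separated; the '?' query
 * part is ignored). Returns byte count, 0 if there is no id, -1 if malformed. */
int pkcs11_uri_id_bytes(const char *uri, unsigned char *out, size_t outcap) {
    const char *p = strncmp(uri, "pkcs11:", 7) == 0 ? uri + 7 : uri;
    const char *stop = strchr(p, '?');
    if (!stop) stop = p + strlen(p);
    while (p < stop) {
        const char *end = memchr(p, ';', (size_t)(stop - p));
        if (!end) end = stop;
        if (end - p >= 3 && strncmp(p, "id=", 3) == 0)
            return percent_decode(p + 3, end, out, outcap);
        p = end + 1;
    }
    return 0;
}

/* 1 if the URI's id decodes to exactly the CKA_ID bytes that --id produced. */
int uri_id_matches_token_id(const char *uri, const char *softhsm_hex_id) {
    unsigned char a[MAX_ID], b[MAX_ID];
    int na = pkcs11_uri_id_bytes(uri, a, sizeof a);
    int nb = softhsm_id_to_bytes(softhsm_hex_id, b, sizeof b);
    return na > 0 && na == nb && memcmp(a, b, (size_t)na) == 0;
}

static void show(const char *label, const unsigned char *id, int n) {
    printf("%-11s", label);                     /* same hex form p11tool prints */
    for (int i = 0; i < n; i++) printf("%02x%s", (unsigned)id[i], i + 1 < n ? ":" : "");
    printf("  (%d bytes)\n", n);
}

int main(void) {
    /* The URI p11tool printed in the thread, and the literal-id variant. */
    const char *uri_pct = "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;"
                          "serial=6a160d52b750862f;token=token%202.5.0-rc1;"
                          "id=%11%11;object=ec%20key;type=private";
    const char *uri_lit = "pkcs11:token=token%202.5.0-rc1;id=1111;type=private";
    unsigned char id[MAX_ID];
    int n = softhsm_id_to_bytes("1111", id, sizeof id);  show("--id 1111:", id, n);
    n = pkcs11_uri_id_bytes(uri_pct, id, sizeof id);     show("id=%11%11:", id, n);
    n = pkcs11_uri_id_bytes(uri_lit, id, sizeof id);     show("id=1111:", id, n);
    printf("id=%%11%%11 selects the imported key: %d\n", uri_id_matches_token_id(uri_pct, "1111"));
    return 0;
}
```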

Re: Softhsm + engine_pkcs11 + openssl with EC keys fail.

OpenSSL - User mailing list

That is not it. It results in the same error for the EC key.

It is not the URL or the ID, because for an RSA key in the softhsm with id = 3333, it works fine with a URL containing id=%33%33:

$ openssl pkey -in "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=6a160d52b750862f;token=token%202.5.0-rc1;id=%33%33;object=rsa%20key;type=private" -engine pkcs11 -inform ENGINE
engine "pkcs11" set.
Enter PKCS#11 token PIN for token 2.5.0-rc1:
-----BEGIN PRIVATE KEY-----
MIIBJwIBADANBgkqhkiG9w0BAQEFAASCAREwggENAgEAAoIBAQDD3378F1XbXJvP
WP2GtZry0u6sL3eNYktQwJfhDMz5evDG+PahVjCMszV5CZvG+Kvap40xPBJoonqi
oMAQsoLu7/fTx82aEL3TbdjXNLFnQ2KKYmfG9ymx80sLHMmdmDXpNNE+bEKJz1dp
t1Q0cVduwmqSfB8JyIE6Udz7JX7HCXaVmxoK7z4Njh3dyHsqhdqKIx0dBuK0hCaq
4zPzGP/sORA3G9ZPxxpEvF3gvE/zsXj7ifihqbqr2eIFOpB/lQqAehsgQT5/6Iq+
9pAX2LCxNkaUHYYZpMkM8Oi37jzg8PX/FnHdm9HQU2IBqYhoqo7/VsNdUDln2QHN
dGAUprcbAgMBAAE=
-----END PRIVATE KEY-----

Coming back to the EC key, looking at the error logs emitted, it does seem to recognize it to be EC (the logs contain EC routines) somehow but then fails.

Re: Softhsm + engine_pkcs11 + openssl with EC keys fail.

Nicola
Would it be possible for you to open this as an issue on Github and include there your first email and the full logs?

Thanks,

Nicola Tuveri


Re: Softhsm + engine_pkcs11 + openssl with EC keys fail.

OpenSSL - User mailing list

Sure. I will open the issue.

Re: Softhsm + engine_pkcs11 + openssl with EC keys fail.

OpenSSL - User mailing list

I opened the issue https://github.com/openssl/openssl/issues/7258
Also opened issue https://github.com/OpenSC/libp11/issues/249
and https://github.com/opendnssec/SoftHSMv2/issues/417

Found the root cause to be the openssl version 1.1.1 that was used to compile the engine_pkcs11 and SoftHSM.
When I recompiled with openssl-1.0.2p, it worked fine. See https://github.com/OpenSC/libp11/issues/249 for details.


Re: Softhsm + engine_pkcs11 + openssl with EC keys fail.

Blumenthal, Uri - 0553 - MITLL
Note that the key to reproducing this issue is compiling SoftHSMv2 with 1.1.1.  When compiled with 1.0.2p, everything else can be compiled against 1.1.1 and it works ok.

Regards,
Uri

Sent from my iPhone


Re: Softhsm + engine_pkcs11 + openssl with EC keys fail.

OpenSSL - User mailing list

To update this thread: please follow the commentary on https://github.com/OpenSC/libp11/issues/249