[openssl CMP with pkcs11 engine]

Hello all,


I'm trying to do a CMP request using openssl with a private key inside a pkcs11 device (on linux).
So i'm using opsenssl 3.0.0 alpha 13.

I did compile fine (./config --prefix=/opt/openssl enable-deprecated --openssldir=/usr/local/ssl -Wl,-rpath=/opt/openssl/lib),
but i ran into trouble when compiling libp11 to get my pkcs11 engine.
(i had a similar issue while trying to use tpm2-tss-engine)
I can't find a way to build openssl with ERR_put_error() symbol.
I know it's deprecated so i changed the code in libp11 to use ERR_raise() instead, but again the symbol is also missing.
I ended up removing the function call in the engine as a dirty fix, but i'd like to have a better solution.


So, with everything compiled, I tried to use the engine only and create a CSR first.

# /opt/openssl/bin/openssl req -new -engine pkcs11 -keyform engine -key "pkcs11:model=SLB9670;manufacturer=Infineon;serial=0000000000000000;token=tpm2-token;id=%c1%b2%36%b2%eb%53%f0%4f%ea%24%1a%4d%01%ac%d1%9e%fe%11%19%6d;object=test;type=private;pin-value=000000" -subj "<my subject>" -out testpkcs11.csr

and, everything works so far !
Hello all,


I'm trying to do a CMP request using openssl with a private key inside a pkcs11 device (on linux).
So i'm using opsenssl 3.0.0 alpha 13.

I did compile fine (./config --prefix=/opt/openssl enable-deprecated --openssldir=/usr/local/ssl -Wl,-rpath=/opt/openssl/lib),
but i ran into trouble when compiling libp11 to get my pkcs11 engine.
(i had a similar issue while trying to use tpm2-tss-engine)
I can't find a way to build openssl with ERR_put_error() symbol.
I know it's deprecated so i changed the code in libp11 to use ERR_raise() instead, but again the symbol is also missing.
I ended up removing the function call in the engine as a dirty fix, but i'd like to have a better solution.


So, with everything compiled, I tried to use the engine only and create a CSR first.

# /opt/openssl/bin/openssl req -new -engine pkcs11 -keyform engine -key "pkcs11:model=SLB9670;manufacturer=Infineon;serial=0000000000000000;token=tpm2-token;id=%c1%b2%36%b2%eb%53%f0%4f%ea%24%1a%4d%01%ac%d1%9e%fe%11%19%6d;object=test;type=private;pin-value=000000" -subj "<my subject>" -out testpkcs11.csr

and, everything works so far !

but i get errors when trying to do a CMP request with the engine, thing is, i'm not so sure of the command.

# /opt/openssl/bin/openssl cmp -cmd ir -engine pkcs11 -server <my server>:8080 -path ejbca/publicweb/cmp/WKS-RA-Bootstrap_auth -cert <path to my cert> -key file:<path to key file> -keypass file:<password for the file> -keyform engine -newkey "pkcs11:model=SLB9670;manufacturer=Infineon;serial=0000000000000000;token=tpm2-token;id=%c1%b2%36%b2%eb%53%f0%4f%ea%24%1a%4d%01%ac%d1%9e%fe%11%19%6d;object=test;type=private;pin-value=000000" -subject '<my subject>' -certout testcmppkcs11.pem -trusted <> my root CA> -reqexts san -config /opt/conf/openssl_reqext.cnf

i get the following error :

cmp_main:apps/cmp.c:2728:CMP info: using section(s) 'cmp' of OpenSSL configuration file '/opt/conf/openssl_reqext.cnf'
cmp_main:apps/cmp.c:2737:CMP info: no [cmp] section found in config file '/opt/conf/openssl_reqext.cnf'; will thus use just
[default] and unnamed section if present                                                                                             
Engine "pkcs11" set.                                                                                                                
Format not recognized!                                                                                                               
The key ID is not a valid PKCS#11 URI                                                                                               
The PKCS#11 URI format is defined by RFC7512                                                                                       
The legacy ENGINE_pkcs11 ID format is also still accepted for now                                                                 
Format not recognized!                                                                                                           
The key ID is not a valid PKCS#11 URI                                                                                 
The PKCS#11 URI format is defined by RFC7512                                                                           
The legacy ENGINE_pkcs11 ID format is also still accepted for now                                           
PKCS11_get_private_key returned NULL                                                                                                
Could not read private key for CMP client certificate from org.openssl.engine:pkcs11:file:/foo/usine.boot.key.pem   
00E01783A47F0000:error:13000080:engine routines:ENGINE_load_private_key:failed loading private key:crypto/engine/eng_pkey.c:78:     
cmp_main:apps/cmp.c:2879:CMP error: cannot set up CMP context 

I'm quite confuse about the PKCS11 error since i know from the req command that openssl rsa show that the passphrase for the CMP client certificate is good.
my URI is good and openssl rsa show that the passphrase for the CMP client certificate is good.

I've tried various modification of the command, mostly removing the "keyform engine" and using just 'newkey "pkcs11:(...)" ' with no succes.

Maybe openssl is mixing engine format for everything and not just for the newkey ?



Thanks,
Marc

but i get errors when trying to do a CMP request with the engine, thing is, i'm not so sure of the command.

# /opt/openssl/bin/openssl cmp -cmd ir -engine pkcs11 -server <my server>:8080 -path ejbca/publicweb/cmp/WKS-RA-Bootstrap_auth -cert <path to my cert> -key file:<path to key file> -keypass file:<password for the file> -keyform engine -newkey "pkcs11:model=SLB9670;manufacturer=Infineon;serial=0000000000000000;token=tpm2-token;id=%c1%b2%36%b2%eb%53%f0%4f%ea%24%1a%4d%01%ac%d1%9e%fe%11%19%6d;object=test;type=private;pin-value=000000" -subject '<my subject>' -certout testcmppkcs11.pem -trusted <> my root CA> -reqexts san -config /opt/conf/openssl_reqext.cnf

i get the following error :

cmp_main:apps/cmp.c:2728:CMP info: using section(s) 'cmp' of OpenSSL configuration file '/opt/conf/openssl_reqext.cnf'
cmp_main:apps/cmp.c:2737:CMP info: no [cmp] section found in config file '/opt/conf/openssl_reqext.cnf'; will thus use just
[default] and unnamed section if present                                                                                             
Engine "pkcs11" set.                                                                                                                
Format not recognized!                                                                                                               
The key ID is not a valid PKCS#11 URI                                                                                               
The PKCS#11 URI format is defined by RFC7512                                                                                       
The legacy ENGINE_pkcs11 ID format is also still accepted for now                                                                 
Format not recognized!                                                                                                           
The key ID is not a valid PKCS#11 URI                                                                                 
The PKCS#11 URI format is defined by RFC7512                                                                           
The legacy ENGINE_pkcs11 ID format is also still accepted for now                                           
PKCS11_get_private_key returned NULL                                                                                                
Could not read private key for CMP client certificate from org.openssl.engine:pkcs11:file:/foo/usine.boot.key.pem   
00E01783A47F0000:error:13000080:engine routines:ENGINE_load_private_key:failed loading private key:crypto/engine/eng_pkey.c:78:     
cmp_main:apps/cmp.c:2879:CMP error: cannot set up CMP context 

I'm quite confuse about the PKCS11 error since i know from the req command that openssl rsa show that the passphrase for the CMP client certificate is good.
my URI is good and openssl rsa show that the passphrase for the CMP client certificate is good.

I've tried various modification of the command, mostly removing the "keyform engine" and using just 'newkey "pkcs11:(...)" ' with no succes.

Maybe openssl is mixing engine format for everything and not just for the newkey ?



Thanks,
Marc