openssl ca pkcs11 UI_set_result_ex:result too large:crypto/ui/ui_lib.c:910:You must type in 4 to 32 characters

openssl ca pkcs11 UI_set_result_ex:result too large:crypto/ui/ui_lib.c:910:You must type in 4 to 32 characters

Peter Magnusson
Hi,

I'm trying to understand how to make "openssl ca" prompt for a PKCS#11
login pin. Version is openssl-1.1.1.

openssl req works as I would expect, prompting for PIN:

YUBIHSM_PKCS11_CONF=yubihsm2-pkcs11.conf \
local-build/bin/openssl \
  req -config yubihsm2-openssl.conf -new \
  -engine pkcs11 -keyform engine -key slot_0-label_ca_key \
  -out certs.dir/ca.csr.pem
engine "pkcs11" set.
Enter PKCS#11 token PIN for YubiHSM:

I fail to get openssl ca working: no prompt is presented, and I tried adding
-passin stdin but that has no effect.

YUBIHSM_PKCS11_CONF=yubihsm2-pkcs11.conf \
  local-build/bin/openssl ca -passin stdin -engine pkcs11 \
  -keyform engine -key "pkcs11:token=YubiHSM;object=ca_key;type=private" \
  -config yubihsm2-openssl.conf \
  -days 3650 -extensions vpn_server_cert \
  -out server.cert.pem \
  -infiles ../server/certs.dir/server.csr.pem
engine "pkcs11" set.
Using configuration from yubihsm2-openssl.conf
Login failed
Login to token failed, returning NULL...
PKCS11_get_private_key returned NULL
cannot load CA private key from engine
140735853761408:error:28078064:UI routines:UI_set_result_ex:result too large:crypto/ui/ui_lib.c:910:You must type in 4 to 32 characters
140735853761408:error:82074007:PKCS#11 module:pkcs11_login:Invalid arguments:p11_slot.c:240:
140735853761408:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:crypto/engine/eng_pkey.c:78:
unable to load CA private key

Best Regards
//P
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: openssl ca pkcs11 UI_set_result_ex:result too large:crypto/ui/ui_lib.c:910:You must type in 4 to 32 characters

Peter Magnusson
The error can be worked around by entering PIN = "..." into [pkcs11_section].
pkcs11 engine version is libp11-0.4.9.
Anyone know if this is 1) a libp11 issue, 2) an openssl issue or 3) me
doing something wrong?
On Mon, Oct 15, 2018 at 5:40 PM Peter Magnusson
<[hidden email]> wrote:


Re: openssl ca pkcs11 UI_set_result_ex:result too large:crypto/ui/ui_lib.c:910:You must type in 4 to 32 characters

Richard Levitte - VMS Whacker-2
I'm curious about this error line from the 'openssl ca' output:

> 140735853761408:error:28078064:UI routines:UI_set_result_ex:result too large:crypto/ui/ui_lib.c:910:You must type in 4 to 32 characters

It should be interesting to try and figure out what pass phrase was
passed and where it came from.  I'm afraid that's a debugging session.

Cheers,
Richard

In message <CANtcRX50e0bEwbG=[hidden email]> on Tue, 16 Oct 2018 09:54:08 +0200, Peter Magnusson <[hidden email]> said:


Re: openssl ca pkcs11 UI_set_result_ex:result too large:crypto/ui/ui_lib.c:910:You must type in 4 to 32 characters

Peter Magnusson
Sorry, I am an idiot =)

Problem resolved, user error.  -key was the problem and should not be
used as I showed.

-key has a different meaning for openssl ca than for openssl req, so
my PIN was my -key argument. It got my keyfile from the openssl conf
file.
On Tue, Oct 16, 2018 at 10:23 AM Richard Levitte <[hidden email]> wrote:


Re: openssl ca pkcs11 UI_set_result_ex:result too large:crypto/ui/ui_lib.c:910:You must type in 4 to 32 characters

Richard Levitte - VMS Whacker-2
In message <CANtcRX4xLxcOVa0iszyo4RLBuFxa7BenA2OZw9QA-KP-=[hidden email]> on Tue, 16 Oct 2018 10:34:31 +0200, Peter Magnusson <[hidden email]> said:

> Sorry, I am an idiot =)

No you're not.

> Problem resolved, user error.  -key was the problem and should not be
> used as I showed.
>
> -key has a different meaning for openssl ca than for openssl req, so
> my PIN was my -key argument. It got my keyfile from the openssl conf
> file.

And this is precisely why you're not an idiot.  We're not consistent
between openssl sub-commands, so no wonder you get confused.  It's a
pattern thing, we catch on to similar patterns (such as option names).

We really should look over those options...  (but with all the other
stuff we have going on, I'm afraid this isn't the highest on our
priority list)

Cheers,
Richard

--
Richard Levitte         [hidden email]
OpenSSL Project         http://www.openssl.org/~levitte/

Re: openssl ca pkcs11 UI_set_result_ex:result too large:crypto/ui/ui_lib.c:910:You must type in 4 to 32 characters

Peter Magnusson
Thanks =)

This is similar to other commands, e.g. ssh, tpm2-tools, etc.:
inconsistencies between flags across different sub-commands.

Getting it right the first time is easier said than done and changing
command line behaviour later on breaks user scripts etc.

//P
On Wed, Oct 17, 2018 at 10:13 AM Richard Levitte <[hidden email]> wrote:
