openssl req -engine pkcs11 fails with PKCS11_get_private_key returned NULL #206
Comments
|
Rather than git bisect delight, the opensc logs would be more appropriate here. |
|
There is a possibility that this is caused by writing out the SPKI rather then then the RAW pubkey The changes in the pkcs15init/pkcs15-lib.c will always write out the SPKI. To verify if this is the problem, Astrand, can you try to replace the If that fixes your problem, we can look at what it will take to satisfy the The default for this option could depend on the type of key, and type of card. For RSA no additional benefit is gained by using SPKI vs RAW. I am not sure about GOST. Viktor??? On 1/14/2014 2:18 AM, astrand wrote:
Douglas E. Engert [email protected] [email protected] |
|
Well, I tried reverting 3d3592a, but that didn't help. Log file here: |
|
On 1/15/2014 2:47 AM, astrand wrote: That change was in how a public key was printed, and should not have any effect. What I wanted you to try was in pkcs15init/pkcs15-lib.c, Change above line to: So it does not try and use the SPKI version. but that didn't help. Log file here:
Looking at the log, it shows C_FindObjectsInit(): CKA_CLASS = CKO_PUBLIC_KEY Object 1/34897424 matches But then it reads from the private key: This looks like the libp11 is having problems matching up the private key and public key. What version of the opensc-engine and libp11 are you using?
Douglas E. Engert [email protected] [email protected] |
|
Since you have been testing with a build of OpenSC, I assume you built the OpenSC I looked at the pkcs15-selfsigned.sh script that you sent with #202. The script calls openssl with the engine parameters: The MODULE_PATH is not a full path, This means that the opensc-pkcs11.so (The default engine and the libp11.so should be OK.) But the pubkey was stores as an SPKI, the old code can not handle it. Can you give a full path to the opensc-pkcs11.so that you built? And can you run the ldd command on opensc-pkcs11.so to make sure it is Setting LD_LIBRARY_PATH might also be needed. On 1/15/2014 2:47 AM, astrand wrote:
Douglas E. Engert [email protected] [email protected] |
|
Looking closer at the issue206-1.log, something like: But lines 1827 look like the old code, Then in the new code in pkcs15-pubkey.c line 856 would have So I think the issue is using the old that can not read the SPKI. So can you try pointing openssl at the new opensc, to see if it This points out some some comparability issues with new cards using The use of the SPKI should be an option, and not done by default, If we add an option in tghe next release to the pkcs15 profile, On 1/15/2014 2:47 AM, astrand wrote:
Douglas E. Engert [email protected] [email protected] |
|
Thanks, you were right. After pointing to the correct/built version of opensc-pkcs11.so, it works fine. Thanks for your help. |
Forked off Issue #202. With the latest master, openssl req fails with out Aventra cards:
initializing engine
engine "pkcs11" set.
Looking in slot 1 for key:
Found 2 slots
[18446744073709551615] Virtual hotplug slot no tok
[1] OmniKey CardMan 3121 00 0 login (MyEID (Basic PIN))
Found slot: OmniKey CardMan 3121 00 00
Found token: MyEID (Basic PIN)
Found 0 certificate:
Found 1 key:
PKCS11_get_private_key returned NULL
cannot load Private Key from engine
139781956970312:error:80028012:PKCS11 library:PKCS11_get_attribute:Attribute type invalid:p11_attr.c:53:
139781956970312:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:eng_pkey.c:126:
unable to load Private Key
Due to issue #202, and since the fix 5437f87 contain a lot of unrelated stuff, it's difficult to use "git bisect" to find the problem.
The text was updated successfully, but these errors were encountered: