Pkcs11 Get Private Key Returned Null

OlafRadicke opened this issue on 15 Nov 2020 · 15 comments
I get the error "PKCS11_get_private_key returned NULL" when I try to create a self signed certificate.
With this script I can provoke the behavior reproducibly:
yubihsm-connector writes to the journal:
I have no idea what else I could try.
I haven't had a chance to verify yet, but I have a guess for you (also you can enable debug for the pkcs11 module by setting the YUBIHSM_PKCS11_DBG environment variable, might be helpful).
The openssl engine has a number of rules for how it parses slot/id/label of the key to use: https://github.com/OpenSC/libp11/blob/master/src/eng_parse.c#L97 I think 0:0x0004 will be parsed wrong, 0:0004 would probably be the thing to use in this case, without the 0x, or the more verbose "slot_0-id_0004" (note that label can also be used for specifying key).
I think Klas is spot on, I tried your script and get:
> I haven't had a chance to verify yet, but I have a guess for you (also you can enable debug for the pkcs11 module by setting the YUBIHSM_PKCS11_DBG environment variable, might be helpful).

Where can I find the documentation for the environment variable YUBIHSM_PKCS11_DBG? What values can it have?

> The openssl engine has a number of rules for how it parses slot/id/label of the key to use: https://github.com/OpenSC/libp11/blob/master/src/eng_parse.c#L97 I think 0:0x0004 will be parsed wrong, 0:0004 would probably be the thing to use in this case, without the 0x, or the more verbose "slot_0-id_0004" (note that label can also be used for specifying key).

The result is always the same error message.
Ok, then it'd be very helpful with a debug log to try to understand what happens.
> Where can I find the documentation for the environment variable YUBIHSM_PKCS11_DBG? What values can it have?

It's just going to check if it's set; the value doesn't matter. You could add the parameter debug to the config file instead; it will have the same effect (documentation of the configuration at https://developers.yubico.com/YubiHSM2/Component_Reference/PKCS_11/).
Okay, this is what my script looks like now:
It looks like the debug flag has no effect but the content of the file yubihsm_pkcs11.conf is this:
The ./debug_out remains empty, and in journald I find only:
It seems your openssl engine does not know how to load the yubihsm_pkcs11.so so it can talk to the HSM? What does your openssl.cnf look like?
When I run one of your commands it works just fine:
What does your pkcs11_section look like in your openssl.cnf?
Try this (but remember to adjust the path to the yubihsm_pkcs11.so):
Could also mention that, as it is documented here, you need to enter the password as 0001password when using the pkcs11 interface.
Excerpt from the link above for your convenience:
One peculiarity of the YubiHSM PKCS#11 module is that the user PIN MUST be prefixed with the ID (16 bits, in hexadecimal, zero padded if required) of the Authentication Key that should be used to perform the login operation.
For example, to use the default Authentication Key with ID 1 and password password, the user PIN would then be 0001password.
Thank you @nevun for your example!
Okay now I got it. There were still errors in my openssl config. The following variants work for me:
The debugging output is working too now. My openssl config looks like this now
I find it confusing that "0001" or "1" is the same as "slot_0". But thanks a lot!
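As an added example (not libp11's or Yubico's own code, and not part of the original thread), here is a Python re-implementation of the non-URI key identifier forms Klas lists above, modelled on the rules in libp11's src/eng_parse.c, together with the YubiHSM PKCS#11 user-PIN prefix rule quoted from the Yubico documentation. The function and type names are this example's own; PKCS#11 URIs ("pkcs11:..."), which the real engine also accepts, are not modelled. It shows why 0:0x0004 is rejected while 0:0004, slot_0-id_0004 and a bare 0004 all resolve to the same CKA_ID.

```python
"""Added example, not libp11's or Yubico's code: the non-URI key identifier
forms accepted by the pkcs11 engine, modelled on libp11's src/eng_parse.c, and
the YubiHSM PKCS#11 user-PIN prefix rule. Names here are this example's own."""
from typing import NamedTuple, Optional

HEXDIGITS = "0123456789abcdefABCDEF"
DIGITS = "0123456789"


class KeyRef(NamedTuple):
    slot: Optional[int]       # None: any slot
    cka_id: Optional[bytes]   # CKA_ID to match; None: not specified
    label: Optional[str]      # CKA_LABEL to match; None: not specified


def _hex_id(text: str) -> bytes:
    """Hex digits -> CKA_ID bytes. Only bare hex is accepted: a '0x' prefix
    fails here, which is why 0:0x0004 is rejected while 0:0004 works."""
    if not text or any(c not in HEXDIGITS for c in text):
        raise ValueError(f"CKA_ID must be plain hex digits, got {text!r}")
    # libp11 consumes two nybbles per byte; a trailing lone nybble is its own byte
    return bytes(int(text[i:i + 2], 16) for i in range(0, len(text), 2))


def _leading_int(text: str) -> tuple:
    """Split a leading decimal number off text; returns (number, rest)."""
    n = len(text) - len(text.lstrip(DIGITS))
    if n == 0:
        raise ValueError(f"expected a slot number in {text!r}")
    return int(text[:n]), text[n:]


def parse_key_ref(key_id: str) -> KeyRef:
    """Parse the string handed to the engine as the key to use."""
    # 1. pure hex: a CKA_ID in any slot, e.g. "0004"
    if key_id and all(c in HEXDIGITS for c in key_id):
        return KeyRef(None, _hex_id(key_id), None)
    # 2. <slot>:<hexid>, slot is decimal, e.g. "0:0004"
    if key_id[:1] in DIGITS:
        slot, rest = _leading_int(key_id)
        if not rest.startswith(":"):
            raise ValueError(f"cannot parse {key_id!r}")
        rest = rest[1:]
        return KeyRef(slot, _hex_id(rest) if rest else None, None)
    # 3. id_<hexid> / label_<label> in any slot
    if key_id.startswith("id_"):
        return KeyRef(None, _hex_id(key_id[3:]), None)
    if key_id.startswith("label_"):
        return KeyRef(None, None, key_id[6:])
    # 4. slot_<n>, slot_<n>-id_<hexid>, slot_<n>-label_<label>
    if not key_id.startswith("slot_"):
        raise ValueError(f"cannot parse {key_id!r}")
    slot, rest = _leading_int(key_id[5:])
    if rest == "":
        return KeyRef(slot, None, None)
    if rest.startswith("-id_"):
        return KeyRef(slot, _hex_id(rest[4:]), None)
    if rest.startswith("-label_"):
        return KeyRef(slot, None, rest[7:])
    raise ValueError(f"cannot parse {key_id!r}")


def yubihsm_user_pin(auth_key_id: int, password: str) -> str:
    """YubiHSM PKCS#11 user PIN: the 16-bit Authentication Key ID as four
    zero-padded hex digits, immediately followed by the password."""
    if not 0 <= auth_key_id <= 0xFFFF:
        raise ValueError("Authentication Key ID must fit in 16 bits")
    return f"{auth_key_id:04x}{password}"


if __name__ == "__main__":
    for s in ("0004", "0:0004", "slot_0-id_0004", "label_root-ca", "0:0x0004"):
        try:
            print(f"{s:16} -> {parse_key_ref(s)}")
        except ValueError as err:
            print(f"{s:16} -> rejected: {err}")
    print(yubihsm_user_pin(1, "password"))
```

The PIN helper emits lowercase hex; the Yubico example above uses 0001, which is the same either way. The real engine logs the parse failure at debug level only, so when a form is rejected the visible symptom is just the generic "PKCS11_get_private_key returned NULL" from the thread title.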
Sorry, but I need one more bit of help. Meanwhile I wrote a simple bash script that produces my problem (see: OlafRadicke/play_with_yubihsm2). The problems described above in the ticket are solved, but now I'm trying to sign a CSR with the YubiHSM2. I'm using the same key format as when I create the CSR and when I create the self-signed root certificate. But still it throws an error:
The command to be executed here is:
The configuration (./configs/root_ca/openssl.cnf) that is used here is the same one that did not cause any problems with the other commands before.
I added some variation and this is the output:
Please include your openssl.cnf so we can try and reproduce. See below for when I generated a new key on the YubiHSM, a csr for it and then signed it with a CA key on the YubiHSM:
Thanks a lot for the quick answer. Now it looks a bit better:
But something is changing the suffix of ./tmp/root_ca.crt.pem to ./tmp/root_ca.crt.srl, and I can't find the reason in my code:
The .srl file is OpenSSL trying to find a serial number for the certificate.
You have a couple of options, either
This is all OpenSSL stuff though so googling these error messages would be a good idea but I think you could just add -CAcreateserial and it will create the .srl file for you for now.
I will be closing this ticket as you seem to have the YubiHSM part working and just need to dig deeper into OpenSSL :)
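Added example (not OpenSSL's code and not from the thread): a Python model of the .srl bookkeeping described above. It assumes the following about openssl x509 -req, stated here as assumptions: the default serial file is the -CA certificate path with its final extension replaced by .srl (consistent with ./tmp/root_ca.crt.pem turning into ./tmp/root_ca.crt.srl above), -CAserial names a different file, the file holds a single hex integer, each signing reads it, adds one, uses the result as the new certificate's serial and writes it back, and -CAcreateserial seeds a missing file with a random 159-bit serial. The helper names and the scratch-directory demo are constructed for this example.

```python
"""Added example, not OpenSSL's code: a model of the serial-number (.srl) file
that `openssl x509 -req -CA <cert>` keeps beside the CA certificate. The
behaviour modelled here is an assumption, described in the lead-in."""
import os
import secrets
import tempfile

SERIAL_RAND_BITS = 159  # size of the random seed serial assumed for -CAcreateserial


def srl_path_for(ca_cert_path: str) -> str:
    """Default serial file: the CA certificate path with its last extension
    replaced by .srl (./tmp/root_ca.crt.pem -> ./tmp/root_ca.crt.srl)."""
    root, _ext = os.path.splitext(ca_cert_path)
    return root + ".srl"


def next_serial(ca_cert_path: str, serial_file: str = None, create: bool = False,
                rand=secrets.randbits) -> int:
    """Return the serial for the certificate being signed and update the file.

    create=False mirrors running without -CAcreateserial: a missing file is an
    error, which is the failure hit in the thread. create=True seeds a missing
    file with a random serial (rand is injectable so the demo is repeatable)."""
    path = serial_file or srl_path_for(ca_cert_path)   # -CAserial overrides the default
    try:
        with open(path, "r", encoding="ascii") as fh:
            current = int(fh.read().strip(), 16)
    except FileNotFoundError:
        if not create:
            raise FileNotFoundError(f"{path}: no serial file; use -CAcreateserial or -CAserial")
        current = rand(SERIAL_RAND_BITS)
    serial = current + 1
    text = f"{serial:X}"
    if len(text) % 2:            # whole bytes: an even number of hex digits
        text = "0" + text
    with open(path, "w", encoding="ascii") as fh:
        fh.write(text + "\n")
    return serial


def demo() -> tuple:
    """Replay the sequence from the thread in a scratch directory: sign with no
    serial file (fails), create one, then sign again. Returns what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        ca_cert = os.path.join(tmp, "root_ca.crt.pem")  # constructed path; no real cert needed
        try:
            next_serial(ca_cert)
            first_attempt = "signed"
        except FileNotFoundError:
            first_attempt = "no .srl file"
        s1 = next_serial(ca_cert, create=True, rand=lambda bits: 0x0F)  # fixed seed for the demo
        s2 = next_serial(ca_cert)                                      # file exists now
        with open(srl_path_for(ca_cert), encoding="ascii") as fh:
            stored = fh.read()
        return first_attempt, s1, s2, stored


if __name__ == "__main__":
    print(demo())
```

Running the demo shows the point of nevun's advice: the first signing fails only because nothing has created the file yet, and once it exists every later signing just increments it. When the CA key lives on the HSM this file is still ordinary on-disk state, so it should sit next to the CA certificate under the same permissions, or be replaced with the serial handling of a proper CA database.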
I'm sorry to answer so late. Thank you very much for the fantastic help! All my questions are answered! My runnable example is working now. Feel free to take it over into your documentation. The code is under the Apache-2.0 License. Maybe it will help others to get into the matter more quickly.
I have published an article in the german Linux-Magazin. In it I report about my experiences with YubiHSM2 and OpenSSL :

astrand opened this issue on 14 Jan 2014 · 7 comments
Forked off Issue #202. With the latest master, openssl req fails with our Aventra cards:
Due to issue #202, and since the fix 5437f87 contains a lot of unrelated stuff, it's difficult to use "git bisect" to find the problem.
Rather than git bisect delight, the opensc logs would be more appropriate here.
There is a possibility that this is caused by writing out the SPKI rather than the RAW pubkey to a card that can not handle it, even though PKCS#15 allows it. The changes in pkcs15init/pkcs15-lib.c will always write out the SPKI. The choice of which to write should be an option.

To verify if this is the problem, Astrand, can you try to replace the call to sc_pkcs15_encode_pubkey_as_spki with the original call to sc_pkcs15_encode_pubkey?

If that fixes your problem, we can look at what it will take to satisfy the CardContact people, by adding an option to the pkcs15init code to specify how to store the pubkey. The default for this option could depend on the type of key and the type of card. For RSA no additional benefit is gained by using SPKI vs RAW. With ECC, the curve parameter is saved with the SPKI but not with the RAW, so SPKI is preferred if the card does not have a problem. This is what the CardContact people needed. I am not sure about GOST. Viktor???
On 1/14/2014 2:18 AM, astrand wrote:
> Forked off Issue #202. With the latest master, openssl req fails with our Aventra cards:
> Due to issue #202, and since the fix 5437f87 contains a lot of unrelated stuff, it's difficult to use "git bisect" to find the problem.
Douglas E. Engert DEEngert@anl.gov DEEngert@gmail.com
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
Well, I tried reverting 3d3592a, but that didn't help. Log file here:
http://www.cendio.com/~astrand/opensc/issue206-1.log
On 1/15/2014 2:47 AM, astrand wrote:
> Well, I tried reverting 3d3592a,

That change was in how a public key was printed, and should not have any effect. What I wanted you to try was in pkcs15init/pkcs15-lib.c:

    /* DER encode public key components */
    /* EC key are encoded as SPKI to preserve domain parameter */
    r = sc_pkcs15_encode_pubkey_as_spki(p15card->card->ctx, &key, &object->content.value, &object->content.len);

Change the above line to:

    r = sc_pkcs15_encode_pubkey(p15card->card->ctx, &key, &object->content.value, &object->content.len);

so it does not try and use the SPKI version.

> but that didn't help. Log file here:

    C_FindObjectsInit(): CKA_CLASS = CKO_PUBLIC_KEY
    Object 1/34897424 matches
    Object 34897424: CKA_LABEL = Private Key

But then it reads from the private key:

    Object 34896960: CKA_SENSITIVE = TRUE
    Object 34896960: CKA_EXTRACTABLE = FALSE
    Object 34896960: CKA_MODULUS =

This looks like libp11 is having problems matching up the private key and public key. What version of the opensc-engine and libp11 are you using?
Since you have been testing with a build of OpenSC, I assume you built the OpenSC from git and did not install it over the default locations. I looked at the pkcs15-selfsigned.sh script that you sent with #202. The script calls openssl with the engine parameters:

The MODULE_PATH is not a full path. This means that the opensc-pkcs11.so and other opensc libs will be from the default locations and not from your build. (The default engine and the libp11.so should be OK.) But the pubkey was stored as an SPKI, and the old code can not handle it.

Can you give a full path to the opensc-pkcs11.so that you built? And can you run the ldd command on opensc-pkcs11.so to make sure it is using the git version of the libs you built? Setting LD_LIBRARY_PATH might also be needed.
Looking closer at the issue206-1.log, lines 1807-1818 show the pubkey being read; it is SPKI, something like:

    0:d=0 hl=3 l= 159 cons: SEQUENCE
    X:d=1 hl=2 l= 13 cons: SEQUENCE
    X:d=2 hl=2 l= 9 prim: OBJECT :rsaEncryption
    XX:d=2 hl=2 l= 0 prim: NULL
    XX:d=1 hl=3 l= 141 prim: BIT STRING

But line 1827 looks like the old code:

    pkcs15.c:2277:sc_pkcs15_read_file: returning with: 0 (Success)

That message should have been from line 2380. Then, in the new code, pkcs15-pubkey.c line 856 would have called sc_pkcs15_decode_pubkey_with_param, which would have found that the data read was the SPKI, and parsed it. So I think the issue is using the old code that can not read the SPKI. So can you try pointing openssl at the new opensc, to see if it actually works?

This points out some compatibility issues with new cards using older opensc code on other machines. The use of the SPKI should be an option, and not done by default, and since there is no benefit with RSA to using the SPKI vs just the publicKeyCoefficients (i.e. there are no parameters for RSA), I will propose a change to the pkcs15init/pubkey-lib.c code to not use the SPKI for RSA. ECC benefits from using SPKI, and GOST might too. Viktor?

If we add an option in the next release to the pkcs15 profile, it's up to the card issuer, and by that time the SPKI will then be in the "older" code.
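Added example (not OpenSC's code and not from the thread): the two on-card encodings Engert contrasts above, the raw PKCS#1 RSAPublicKey and the SubjectPublicKeyInfo (SPKI) whose shape the asn1parse excerpt shows (SEQUENCE, then SEQUENCE { OID rsaEncryption, NULL }, then BIT STRING), written and read back in pure Python. The reader detects which form it was handed, the way sc_pkcs15_decode_pubkey_with_param is described as doing, and a raw-only reader of the kind the old code had fails on the SPKI form. The modulus is a constructed sample, far too small for a real key, and the function names are this example's own.

```python
"""Added example, not OpenSC's code: DER-encode an RSA public key as the raw
PKCS#1 RSAPublicKey and as a SubjectPublicKeyInfo (SPKI), and read back either
form by detecting which one was stored. Pure Python, no dependencies."""

RSA_ENCRYPTION_OID = "1.2.840.113549.1.1.1"

# --- minimal DER writer ---------------------------------------------------
def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body

def _der_int(value: int) -> bytes:
    """Non-negative INTEGER; a leading 0x00 stops a set high bit reading as a sign."""
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return _tlv(0x02, body)

def _der_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:                      # base-128, high bit set on all but the last byte
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(chunk))
    return _tlv(0x06, bytes(body))

def encode_rsa_raw(n: int, e: int) -> bytes:
    """RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }"""
    return _tlv(0x30, _der_int(n) + _der_int(e))

def encode_rsa_spki(n: int, e: int) -> bytes:
    """SubjectPublicKeyInfo ::= SEQUENCE { AlgorithmIdentifier, subjectPublicKey BIT STRING }"""
    algorithm = _tlv(0x30, _der_oid(RSA_ENCRYPTION_OID) + b"\x05\x00")   # rsaEncryption, NULL params
    subject_public_key = _tlv(0x03, b"\x00" + encode_rsa_raw(n, e))     # 0 unused bits
    return _tlv(0x30, algorithm + subject_public_key)

# --- minimal DER reader ---------------------------------------------------
def _read_tlv(buf: bytes, pos: int) -> tuple:
    """Return (tag, body, position just after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end

def decode_rsa_raw(der: bytes) -> tuple:
    """A raw-only reader: this is what fails when the card holds an SPKI."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a DER SEQUENCE")
    t_n, n_body, pos = _read_tlv(body, 0)
    t_e, e_body, pos = _read_tlv(body, pos)
    if t_n != 0x02 or t_e != 0x02 or pos != len(body):
        raise ValueError("not an RSAPublicKey (expected two INTEGERs)")
    return int.from_bytes(n_body, "big"), int.from_bytes(e_body, "big")

def decode_rsa_pubkey(der: bytes) -> tuple:
    """Accept either encoding. Returns ("raw" | "spki", (n, e))."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a DER SEQUENCE")
    first_tag, first_body, pos = _read_tlv(body, 0)
    if first_tag == 0x02:                      # INTEGER first: raw RSAPublicKey
        return "raw", decode_rsa_raw(der)
    if first_tag == 0x30:                      # SEQUENCE first: AlgorithmIdentifier
        oid_tag, oid_body, _ = _read_tlv(first_body, 0)
        if oid_tag != 0x06 or _tlv(0x06, oid_body) != _der_oid(RSA_ENCRYPTION_OID):
            raise ValueError("SPKI algorithm is not rsaEncryption")
        bs_tag, bs_body, pos = _read_tlv(body, pos)
        if bs_tag != 0x03 or not bs_body or bs_body[0] != 0 or pos != len(body):
            raise ValueError("malformed subjectPublicKey BIT STRING")
        return "spki", decode_rsa_raw(bs_body[1:])
    raise ValueError("unrecognised public key structure")

# Constructed sample values; nowhere near a real key size.
SAMPLE_N = 0xB9A3E1F7C52D0A81E3F4C9B76D2A5E9F
SAMPLE_E = 65537

if __name__ == "__main__":
    for name, blob in (("raw", encode_rsa_raw(SAMPLE_N, SAMPLE_E)),
                       ("spki", encode_rsa_spki(SAMPLE_N, SAMPLE_E))):
        print(name, len(blob), "bytes, detected as", decode_rsa_pubkey(blob)[0])
```

The 13-byte inner SEQUENCE in the asn1parse excerpt is exactly the AlgorithmIdentifier this code writes (an 11-byte OID element plus a 2-byte NULL), which is the quickest way to tell from a dump whether a card holds an SPKI or a raw key.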
Thanks, you were right. After pointing to the correct/built version of opensc-pkcs11.so, it works fine. Thanks for your help.