OpenSSL engine pkcs11 with ECC keys and SoftHSM


I have SoftHSM v2.5.0-rc1 with an EC key imported into it. Now, when I try to use these keys from the openssl CLI through the pkcs11 engine, it fails.

  • SoftHSM version

    []:~$ softhsm2-util --version
    2.5.0rc1
    
  • SoftHSM token initialization

    []:~$ softhsm2-util --init-token --slot 0 --label "token 2.5.0-rc1"
    === SO PIN (4-255 characters) ===
    Please enter SO PIN: ****
    Please reenter SO PIN: ****
    === User PIN (4-255 characters) ===
    Please enter user PIN: ****
    Please reenter user PIN: ****
    The token has been initialized and is reassigned to slot 928024111
    
  • ECC key in pkcs8 format

    []:~$ openssl pkey -in ~/tmp/secp256k1-key.pem.pkcs8 -text
    -----BEGIN PRIVATE KEY-----
    MIGEAgEAMBAGByqGSM49AgEGBSuBBAAKBG0wawIBAQQgYCXpIJyEAexhkvrCMGlF
    A4sQItcIp6wm83WVoeOFzEyhRANCAATMfAkLtsynHRmRyYLn+uRpJUm6bOZJBQhK
    N81nJv06fN6MY0nEzWG9jJsvSNlf5jW7yecbje2wWQL/JYqviFwr
    -----END PRIVATE KEY-----
    Private-Key: (256 bit)
    priv:
        60:25:e9:20:9c:84:01:ec:61:92:fa:c2:30:69:45:
        03:8b:10:22:d7:08:a7:ac:26:f3:75:95:a1:e3:85:
        cc:4c
    pub:
        04:cc:7c:09:0b:b6:cc:a7:1d:19:91:c9:82:e7:fa:
        e4:69:25:49:ba:6c:e6:49:05:08:4a:37:cd:67:26:
        fd:3a:7c:de:8c:63:49:c4:cd:61:bd:8c:9b:2f:48:
        d9:5f:e6:35:bb:c9:e7:1b:8d:ed:b0:59:02:ff:25:
        8a:af:88:5c:2b
    ASN1 OID: secp256k1
    
  • Import the key into softhsm

    []:~$ softhsm2-util --import ~/tmp/secp256k1-key.pem.pkcs8 --label "ec key" --id 1111 --token "token 2.5.0-rc1"
    Found slot 928024111 with matching token label.
    === User PIN (4-255 characters) ===
    Please enter user PIN: ****
    Please reenter user PIN: ****
    The key pair has been imported.
    
  • Get the pkcs11 URL of the private key

    []:~$ p11tool --login --provider=/usr/local/lib/softhsm/libsofthsm2.so --set-pin=1111 --list-all
    Object 0:
                    URL: pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=6a160d52b750862f;token=token%202.5.0-rc1;id=%11%11;object=ec%20key;type=private
                    Type: Private key
                    Label: ec key
                    Flags: CKA_PRIVATE; CKA_SENSITIVE;
                    ID: 11:11
    
    Object 1:
                    URL: pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=6a160d52b750862f;token=token%202.5.0-rc1;id=%11%11;object=ec%20key;type=public
                    Type: Public key
                    Label: ec key
                    ID: 11:11
    
  • Try to access the key using the openssl engine

    []:~$ openssl version
    OpenSSL 1.1.1  11 Sep 2018
    
    []:~$ more ~/tmp/openssl.cnf
    openssl_conf = openssl_init
    
    [openssl_init]
    engines=engine_section
    
    [engine_section]
    pkcs11 = pkcs11_section
    
    [pkcs11_section]
    engine_id = pkcs11
    dynamic_path = /Users/parashah/Downloads/libp11-0.4.9/src/.libs/pkcs11.dylib
    MODULE_PATH = /usr/local/lib/softhsm/libsofthsm2.so
    init = 0
    
    []:~$ openssl pkey -in "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=6a160d52b750862f;token=token%202.5.0-rc1;id=%11%11;object=ec%20key;type=private" -inform ENGINE -engine pkcs11 -text
    engine "pkcs11" set.
    Enter PKCS#11 token PIN for token 2.5.0-rc1:
    140736065815424:error:100C0010:elliptic curve routines:i2d_ECPrivateKey:EC lib:crypto/ec/ec_asn1.c:995:
    140736065815424:error:100D6010:elliptic curve routines:eckey_priv_encode:EC lib:crypto/ec/ec_ameth.c:242:
    140736065815424:error:06071092:digital envelope routines:EVP_PKEY2PKCS8:private key encode error:crypto/evp/evp_pkey.c:72:
    140736065815424:error:0907E073:PEM routines:do_pk8pkey:error converting private key:crypto/pem/pem_pk8.c:73:
    
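Two details in the question above are easy to misread and worth checking mechanically. First, the `id=%11%11` in the p11tool URL is the percent-encoded CKA_ID, two raw bytes 0x11 0x11, which is what `softhsm2-util --id 1111` (hex) created and what p11tool prints as `ID: 11:11`; it is not the string "1111". Second, the failing frames in the trace (`do_pk8pkey`, `EVP_PKEY2PKCS8`, `i2d_ECPrivateKey`) are OpenSSL trying to serialize the private key back out in PKCS#8 form, which a key whose private part lives only in the token (listed with CKA_SENSITIVE) can never provide. The following is an added example, not code from the question or from libp11/SoftHSM: a small RFC 7512 PKCS#11 URI parser in Python that cross-checks the URIs p11tool printed against the label, hex id and token label passed to `softhsm2-util --import`. The sample URIs are copied from the question; the function names and the `query` dictionary key are this example's own choices.

```python
"""
Added example (not from the original question): parse RFC 7512 pkcs11: URIs
as printed by p11tool and cross-check them against the values given to
softhsm2-util --import. Standard library only; runs offline.
"""
from urllib.parse import unquote_to_bytes

# Sample input: the two URIs p11tool printed in the question (constructed here
# as test data; the serial is the one shown in the question's output).
SAMPLE_URIS = [
    "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=6a160d52b750862f;"
    "token=token%202.5.0-rc1;id=%11%11;object=ec%20key;type=private",
    "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=6a160d52b750862f;"
    "token=token%202.5.0-rc1;id=%11%11;object=ec%20key;type=public",
]


def parse_pkcs11_uri(uri):
    """Split a pkcs11: URI into its path attributes (RFC 7512 section 2.3).

    Every attribute except 'id' is percent-decoded to text. 'id' is kept as
    raw bytes because CKA_ID is a binary attribute: '%11%11' is the two bytes
    0x11 0x11, not the four-character string "1111". Query attributes after
    '?' (pin-value, module-path, ...) are returned under the key 'query'
    (this example's own convention) so they never get mixed into the path.
    """
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    body = uri[len("pkcs11:"):]
    path, _, query = body.partition("?")
    attrs = {}
    for item in filter(None, path.split(";")):
        name, sep, value = item.partition("=")
        if not sep:
            raise ValueError(f"malformed path attribute: {item!r}")
        if name in attrs:
            # RFC 7512 forbids repeating a path attribute; treat it as an error
            # rather than silently letting the last one win.
            raise ValueError(f"duplicate path attribute: {name}")
        raw = unquote_to_bytes(value)
        attrs[name] = raw if name == "id" else raw.decode("utf-8")
    if query:
        attrs["query"] = {}
        for item in filter(None, query.split("&")):
            name, _, value = item.partition("=")
            attrs["query"][name] = unquote_to_bytes(value).decode("utf-8")
    return attrs


def matches_import(attrs, label, id_hex, token_label):
    """True if a parsed URI points at the object softhsm2-util created.

    softhsm2-util's --id takes hex, so '--id 1111' sets CKA_ID to the bytes
    0x11 0x11; p11tool renders that as 'id=%11%11' and 'ID: 11:11'.
    """
    return (
        attrs.get("object") == label
        and attrs.get("id") == bytes.fromhex(id_hex)
        and attrs.get("token") == token_label
    )


def select_key(uris, key_type):
    """Return the first URI whose 'type' attribute equals key_type, else None."""
    for uri in uris:
        if parse_pkcs11_uri(uri).get("type") == key_type:
            return uri
    return None


if __name__ == "__main__":
    for uri in SAMPLE_URIS:
        a = parse_pkcs11_uri(uri)
        ok = matches_import(a, "ec key", "1111", "token 2.5.0-rc1")
        print(f"{a['type']:8} label={a['object']!r} id={a['id'].hex()} matches_import={ok}")
```

Run it as a script to see both objects resolve to CKA_ID `1111` on token `token 2.5.0-rc1`; `select_key(SAMPLE_URIS, "public")` picks the URI that `openssl pkey -pubin` style operations can safely print in full, while the `type=private` URI should only ever be used for signing, not for `-text` output of the private scalar.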
    For completeness, performing exactly the same steps but with an RSA key works fine. Feel free to add that information. This seems to be related, @BrianJMurray; yes, I opened that bug. We can close the discussion here, since I got the answer in the OpenSC GitHub discussion.