Clarifying PIV CSR

William Roberts
I am working through the PIV admin flow. And I am on this step:

 export PIV_9A_KEY
 openssl << EOT
 engine dynamic -vvvv -pre SO_PATH:/usr/lib/engines/ \
      -pre ID:pkcs11 -pre NO_VCHECK:1 \
      -pre LIST_ADD:1 -pre LOAD  \
      -pre MODULE_PATH:/usr/lib/
 req $SSLEAY_CONFIG -engine pkcs11 -md5 -new  \
     -key slot_0-id_1 -keyform engine -out card/newreq.1.$CARD.pem -text
 EOT

Which yields:
PKCS11_get_private_key returned NULL
cannot load Private Key from engine
routines:ENGINE_load_private_key:failed loading private
unable to load Private Key
error in req

My question is, what private key? Shouldn't that key remain on the card?

Looking at the card edge I see a lot of CB (GET DATA) requests, but I
was under the impression that the GENERAL AUTH command was used to
encrypt the data, per the PIV spec:

The GENERAL AUTHENTICATE command shall be used with the PIV Digital
Signature Key ('9C') to realize the signing functionality on the PIV
client application programming interface. Data to be signed is
expected to be hashed off card. Appendix A, Section A.3 illustrates
the use of the GENERAL AUTHENTICATE command for signature generation.

Yet I don't see the GEN AUTH command coming across, any ideas?


William C Roberts
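A small added check, not part of the post above, for the kind of question it raises: given a command APDU trace taken at the card edge, tally which PIV instructions actually reached the card and report whether any GENERAL AUTHENTICATE (INS 87) was issued against the Digital Signature key reference (9C). The INS codes, key references and the 7C dynamic authentication template come from SP 800-73; the "APDU: <hex>" line format and the sample traces are constructed assumptions for this example, not output from the poster's setup.

```python
"""Classify PIV command APDUs from a card-edge trace.

Added example, not code from the original post. Assumed trace format:
lines that contain "APDU: <hex bytes>" are command APDUs; other lines
(status words, log chatter) are ignored.
"""
import re
from collections import Counter

# PIV INS codes (NIST SP 800-73 card command interface)
INS_NAMES = {
    0xA4: "SELECT",
    0x20: "VERIFY",
    0xCB: "GET DATA",
    0x87: "GENERAL AUTHENTICATE",
}

# PIV key references relevant to the post
KEY_REFS = {0x9A: "PIV Authentication", 0x9C: "Digital Signature"}

APDU_RE = re.compile(r"APDU:\s*([0-9A-Fa-f]{2}(?:\s*[0-9A-Fa-f]{2})*)")


def parse_apdu(line):
    """Return CLA/INS/P1/P2 and the Lc-delimited data field, or None."""
    m = APDU_RE.search(line)
    if not m:
        return None
    raw = bytes.fromhex(m.group(1).replace(" ", ""))
    if len(raw) < 4:
        return None
    lc = raw[4] if len(raw) > 4 else 0
    return {
        "cla": raw[0], "ins": raw[1], "p1": raw[2], "p2": raw[3],
        "data": raw[5:5 + lc],
    }


def summarize(trace_lines):
    """Count commands by instruction name and GENERAL AUTHENTICATE by key ref."""
    by_ins = Counter()
    gen_auth_by_key = Counter()
    for line in trace_lines:
        apdu = parse_apdu(line)
        if apdu is None:
            continue
        by_ins[INS_NAMES.get(apdu["ins"], "INS %02X" % apdu["ins"])] += 1
        if apdu["ins"] == 0x87:
            # For GENERAL AUTHENTICATE, P1 is the algorithm id and P2 the key ref
            gen_auth_by_key[apdu["p2"]] += 1
    return by_ins, gen_auth_by_key


def signed_on_card(trace_lines, key_ref=0x9C):
    """True if at least one GENERAL AUTHENTICATE targeted the given key reference."""
    _, gen_auth_by_key = summarize(trace_lines)
    return gen_auth_by_key[key_ref] > 0


# Constructed trace resembling the post's observation: SELECT plus GET DATA only.
TRACE_GET_DATA_ONLY = [
    "APDU: 00 A4 04 00 09 A0 00 00 03 08 00 00 10 00",   # SELECT PIV application
    "APDU: 00 CB 3F FF 05 5C 03 5F C1 05",                # GET DATA, PIV Auth cert
    "SW: 90 00",
    "APDU: 00 CB 3F FF 05 5C 03 5F C1 0A",                # GET DATA, Dig Sig cert
    "SW: 90 00",
]

# Constructed trace in which the signature is actually produced on-card:
# GENERAL AUTHENTICATE, P1=07 (RSA 2048), P2=9C, data is a 7C template with
# an empty 82 (response) tag and a truncated, constructed 81 (challenge) payload.
TRACE_WITH_GEN_AUTH = TRACE_GET_DATA_ONLY + [
    "APDU: 00 87 07 9C 0B 7C 09 82 00 81 05 01 02 03 04 05",
    "SW: 61 00",
]


def report(trace_lines):
    by_ins, gen_auth_by_key = summarize(trace_lines)
    lines = ["%-22s %d" % (name, n) for name, n in sorted(by_ins.items())]
    for ref, n in sorted(gen_auth_by_key.items()):
        lines.append("  GEN AUTH on %02X (%s): %d" % (ref, KEY_REFS.get(ref, "?"), n))
    lines.append("signing on card via 9C: %s" % signed_on_card(trace_lines))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(TRACE_GET_DATA_ONLY))
    print("---")
    print(report(TRACE_WITH_GEN_AUTH))
```

Run it against a real trace by replacing the constructed lists with lines read from the log; if the tally shows only GET DATA and no GENERAL AUTHENTICATE against 9C, the card was read but never asked to sign, which is the distinction the post is trying to establish.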

Opensc-devel mailing list