Error decrypting CMS structure

sigbj
This post has NOT been accepted by the mailing list yet.
Aventra Card
I succeed in decrypting with key ID 45, whose key and cert were imported as a .p12 file from a high quality production firm.
Generating a key directly onto the card with pkcs15-init -G seems to be OK, and generating cert.pem from the card corresponding to this generated key (bottom line) also seems to be OK,
BUT decryption from the card gives the error as displayed here. The output seems to give the correct number of bytes, however as readable garbage.
I am not able to have the cert.pem display "KeyUsage NonRep"; I do not know any switch in openssl to do this, and changing the openssl.cnf for it does not seem to work either.
I think I am doing something wrong but do not know what.

        OpenSSL> engine dynamic \
                        -t \
                        -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so \
                        -pre ID:pkcs11 \
                        -pre LIST_ADD:1 \
                        -pre LOAD \
                        -pre MODULE_PATH:/usr/lib/opensc-pkcs11.so



        OpenSSL> cms \
                        -decrypt \
                        -inform der \
                        -in /home/sigbj/sigbj.txt.kry.bin \
                        -out /home/sigbj/sigbj.txt.kry.bin.dek \
                        -recip /home/sigbj/cert.pem \
                        -engine pkcs11 \
                        -inkey slot_1-id_ab33c47bc3987846eb6afeb0a85cc8ba3ff3267f \
                        -keyform engine
>>>>>>>>engine "pkcs11" set.
Error decrypting CMS structure
3073767048:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:467:
error in cms
OpenSSL>


linux-2hm9:~> pkcs15-tool -k
Using reader with a card: Generic CCID Reader 00 00
Private RSA Key [Private Key]
        Object Flags   : [0x3], private, modifiable
        Usage          : [0x2E], decrypt, sign, signRecover, unwrap
        Access Flags   : [0x0]
        ModLength      : 2048
        Key ref        : 1 (0x1)
        Native         : yes
        Path           : 3f0050154b01
        Auth ID        : 01
        ID             : 45

Private RSA Key [Private Key]
        Object Flags   : [0x3], private, modifiable
        Usage          : [0x200], nonRepudiation
        Access Flags   : [0x0]
        ModLength      : 2048
        Key ref        : 2 (0x2)
        Native         : yes
        Path           : 3f0050154b02
        Auth ID        : 01
        ID             : 46

Private RSA Key [Private Key]
        Object Flags   : [0x3], private, modifiable
        Usage          : [0x200], nonRepudiation
        Access Flags   : [0x1D], sensitive, alwaysSensitive, neverExtract, local
        ModLength      : 2048
        Key ref        : 4 (0x4)
        Native         : yes
        Path           : 3f0050154b04
        Auth ID        : 01
        ID             : ab33c47bc3987846eb6afeb0a85cc8ba3ff3267f
        GUID           : {ab33c47b-c398-7846-eb6a-feb0a85cc8ba}


        OpenSSL> req -x509 -engine pkcs11 -new -key slot_1-id_ab33c47bc3987846eb6afeb0a85cc8ba3ff3267f -keyform engine -out cert.pem
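
Added example, not part of the original post: a check that parses pkcs15-tool -k output and reports whether the key named in -inkey carries a decrypt or unwrap usage, the field in which the listing above differs between ID 45 and the key generated on the card. The sample listing is trimmed from the post, and the function names are assumptions of this example.

```python
import re

# Constructed sample: trimmed from the pkcs15-tool -k listing in the post.
SAMPLE = """\
Private RSA Key [Private Key]
        Usage          : [0x2E], decrypt, sign, signRecover, unwrap
        ID             : 45

Private RSA Key [Private Key]
        Usage          : [0x200], nonRepudiation
        ID             : 46

Private RSA Key [Private Key]
        Usage          : [0x200], nonRepudiation
        Access Flags   : [0x1D], sensitive, alwaysSensitive, neverExtract, local
        ID             : ab33c47bc3987846eb6afeb0a85cc8ba3ff3267f
"""

DECRYPT_USAGES = {"decrypt", "unwrap"}  # usages relevant to CMS key transport

def parse_keys(listing):
    """Return {key_id: set(usage names)} from pkcs15-tool -k output."""
    keys = {}
    for block in re.split(r"\n\s*\n", listing.strip()):
        fields = {}
        for line in block.splitlines():
            name, sep, value = line.partition(":")
            if sep:
                fields[name.strip()] = value.strip()
        if "ID" not in fields:
            continue
        # Usage looks like "[0x2E], decrypt, sign"; drop the hex mask.
        usage = [u.strip() for u in fields.get("Usage", "").split(",")]
        keys[fields["ID"].lower()] = {u for u in usage if u and not u.startswith("[")}
    return keys

def can_decrypt(listing, inkey):
    """inkey is the engine_pkcs11 form used in the post: slot_<n>-id_<hex>."""
    m = re.fullmatch(r"slot_\d+-id_([0-9a-fA-F]+)", inkey)
    if not m:
        raise ValueError("expected slot_<n>-id_<hex>")
    usages = parse_keys(listing).get(m.group(1).lower())
    if usages is None:
        raise KeyError("key id not on card")
    return bool(usages & DECRYPT_USAGES)

if __name__ == "__main__":
    for kid, usages in parse_keys(SAMPLE).items():
        print(kid, "decrypt-capable" if usages & DECRYPT_USAGES else "no decrypt usage", sorted(usages))
```
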