SCM SCR 355 / EC:secp256r1/RSA-2048 keypair creation issues


SCM SCR 355 / EC:secp256r1/RSA-2048 keypair creation issues

Ronny Schütz
Hi,

I'm trying to create an ECC keypair with a self-signed certificate on a SCM SCR 355 (CardContact.de) using OpenSC 0.13.0 and OpenSSL 1.0.1 / enginePKCS11-0.1.8 under Ubuntu 12.04.

$ pkcs11-tool --module /usr/lib/opensc-pkcs11.so --list-slots
Available slots:
Slot 0 (0xffffffffffffffff): Virtual hotplug slot
  (empty)
Slot 1 (0x1): SCM SCR 355 [CCID Interface] 00 00
  token label        : SmartCard-HSM (UserPIN)
  token manufacturer : www.CardContact.de
  token model        : PKCS#15 emulated
  token flags        : rng, login required, PIN initialized, token initialized
  hardware version   : 24.13
  firmware version   : 1.1
  serial num         : DECC0100157

When creating the EC keypair, I get an error concerning the public key:

$ pkcs11-tool --module /usr/lib/opensc-pkcs11.so --login --pin 725570 --keypairgen --key-type EC:secp256r1 --id 60 --label ca
Using slot 1 with a present token (0x1)
Key pair generated:
Private Key Object; EC
  label:      ca
  ID:         60
  Usage:      decrypt, sign, unwrap
Public Key Object; EC EC_POINT 264 bits
 EC_POINT:  0443044104df184902123186393e28e0673cf755352c8653eaf42224a54aa3ba0da987c2eb33f8380fc39b7417a1a5138d7ea696ea95f816935d63d7c7372772d11cfca37c
warning: PKCS11 function C_GetAttributeValue(EC_PARAMS) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)

  label:      ca
  ID:         60
  Usage:      encrypt, verify, wrap

And the public key isn't listed either:

$ pkcs11-tool --module /usr/lib/opensc-pkcs11.so --slot 1 --login --pin 725570 --list-objects
Private Key Object; EC
  label:      ca
  ID:         60
  Usage:      decrypt, sign, unwrap

Now OpenSSL / req cannot find the private key for whatever reason.

$ openssl
OpenSSL> version
OpenSSL 1.0.1 14 Mar 2012
OpenSSL> engine -t dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib/pkcs11/opensc-pkcs11.so -pre VERBOSE
(dynamic) Dynamic engine loading support
[Success]: SO_PATH:/usr/lib/engines/engine_pkcs11.so
[Success]: ID:pkcs11
[Success]: LIST_ADD:1
[Success]: LOAD
[Success]: MODULE_PATH:/usr/lib/pkcs11/opensc-pkcs11.so
[Success]: VERBOSE
Loaded: (pkcs11) pkcs11 engine
initializing engine
     [ available ]
OpenSSL> req -engine pkcs11 -new -key slot_1-id_60 -keyform engine -out req.pem -text -x509 -days 36500 -subj "/CN=TestCA"
initializing engine
engine "pkcs11" set.
Looking in slot 1 for key: 60
Found 2 slots
[18446744073709551615] Virtual hotplug slot       no tok          
[1] SCM SCR 355 [CCID Interfa  login             (SmartCard-HSM (UserPIN))
Found slot:  SCM SCR 355 [CCID Interface] 00 00
Found token: SmartCard-HSM (UserPIN)
Found 0 certificate:
PKCS#11 token PIN:
No keys found.
PKCS11_get_private_key returned NULL
cannot load Private Key from engine
139838314968736:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:eng_pkey.c:126:
unable to load Private Key
error in req
OpenSSL>

Key pair creation and CSR creation appear to work with RSA-1024, i.e. I don't get errors and I see the private and public key on the token. However, when using RSA-2048, there is no error during key generation, but --list-objects doesn't show the public key either, and openssl req fails to retrieve the private key as well.

$ pkcs11-tool --module /usr/lib/opensc-pkcs11.so --login --pin 725570 --keypairgen --key-type RSA:2048 --id 70 --label ca-rsa
Using slot 1 with a present token (0x1)
Key pair generated:
Private Key Object; RSA
  label:      ca-rsa
  ID:         70
  Usage:      decrypt, sign, unwrap
Public Key Object; RSA 2048 bits
  label:      ca-rsa
  ID:         70
  Usage:      encrypt, verify, wrap
$ pkcs11-tool --module /usr/lib/opensc-pkcs11.so --slot 1 --login --pin 725570 --list-objects
Private Key Object; RSA
  label:      ca-rsa
  ID:         70
  Usage:      decrypt, sign, unwrap
$ openssl
OpenSSL> engine -t dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib/pkcs11/opensc-pkcs11.so -pre VERBOSE
(dynamic) Dynamic engine loading support
[Success]: SO_PATH:/usr/lib/engines/engine_pkcs11.so
[Success]: ID:pkcs11
[Success]: LIST_ADD:1
[Success]: LOAD
[Success]: MODULE_PATH:/usr/lib/pkcs11/opensc-pkcs11.so
[Success]: VERBOSE
Loaded: (pkcs11) pkcs11 engine
initializing engine
     [ available ]
OpenSSL> req -engine pkcs11 -new -key slot_1-id_70 -keyform engine -out req.pem -text -x509 -days 36500 -subj "/CN=TestCA"
initializing engine
engine "pkcs11" set.
Looking in slot 1 for key: 70
Found 2 slots
[18446744073709551615] Virtual hotplug slot       no tok          
[1] SCM SCR 355 [CCID Interfa  login             (SmartCard-HSM (UserPIN))
Found slot:  SCM SCR 355 [CCID Interface] 00 00
Found token: SmartCard-HSM (UserPIN)
Found 0 certificate:
PKCS#11 token PIN:
Found 1 key:
   1 P  ca-rsa
PKCS11_get_private_key returned NULL
cannot load Private Key from engine
140210187540128:error:80028012:PKCS11 library:PKCS11_get_attribute:Attribute type invalid:p11_attr.c:53:
140210187540128:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:eng_pkey.c:126:
unable to load Private Key
error in req
OpenSSL>

I'm a bit lost ... Is there anything wrong with the parameters? Is there any workaround to create a proper key pair on the token?

Thanks & Best regards,
Ronny




------------------------------------------------------------------------------
This SF.net email is sponsored by Windows:

Build for Windows Store.

http://p.sf.net/sfu/windows-dev2dev
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel

Re: SCM SCR 355 / EC:secp256r1/RSA-2048 keypair creation issues

Andreas Schwier (ML)
Dear Ronny,

issuing ECDSA keys and certificates via openssl currently does not work
with OpenSC, as the EC_PARAMS attribute is only defined if a certificate
for the key exists on the device. For newly generated keys, this is
obviously not the case. We are working on a fix, but that requires quite
some rework in the OpenSC code (see [1]).

The issue with RSA 2048 keys has been fixed in [2]. Are you using
the official 0.13 release from November?

Kind regards,

Andreas


[1] https://devnet.cardcontact.de/issues/3
[2]
https://github.com/CardContact/OpenSC/commit/99af6cd8ee78776f50bc016fc230541072c60afb


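The EC_POINT that pkcs11-tool printed in the original post is all the token handed back for the public key: the curve identifier that CKA_EC_PARAMS would carry is missing, which is exactly what Andreas describes above, and it is why engine_pkcs11 cannot build an EC public key from the object. The hex itself shows a 65-byte uncompressed point (04||X||Y) wrapped twice in a DER OCTET STRING (lengths 0x43 = 67 and 0x41 = 65). What follows is an added example, not code from OpenSC, OpenSSL or engine_pkcs11, that unwraps that value, checks the point against the secp256r1 curve equation, and rebuilds a standard SubjectPublicKeyInfo by supplying the curve OID from the --key-type that was used at generation time. The point hex is copied from the post; the curve (prime256v1) is an assumption taken from the keypairgen command, and everything else is plain stdlib DER construction.

```python
"""Rebuild a SubjectPublicKeyInfo from the CKA_EC_POINT that pkcs11-tool
printed, for the case in this thread where the token answers
CKR_ATTRIBUTE_TYPE_INVALID for CKA_EC_PARAMS.  Added example, pure stdlib;
not code from OpenSC, OpenSSL or engine_pkcs11."""
import base64

# CKA_EC_POINT hex copied from the original post (key id 60, generated as
# EC:secp256r1).  0x43 = 67 and 0x41 = 65 are DER OCTET STRING lengths: the
# 65-byte uncompressed point 04||X||Y is wrapped twice.
TOKEN_EC_POINT_HEX = (
    "0443044104df184902123186393e28e0673cf755352c8653eaf42224a54aa3ba0da987c2eb"
    "33f8380fc39b7417a1a5138d7ea696ea95f816935d63d7c7372772d11cfca37c"
)

# secp256r1 / prime256v1 domain parameters (a = -3), from the standard.
P256_P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
P256_B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
P256_GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
P256_GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5
OID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"
OID_PRIME256V1 = "1.2.840.10045.3.1.7"   # assumed: the curve given to --keypairgen


def unwrap_ec_point(raw, coord_len=32):
    """Strip DER OCTET STRING wrappers until the bare 04||X||Y point remains.
    Stops by *length*, because the point itself also starts with 0x04."""
    point_len = 1 + 2 * coord_len
    while len(raw) != point_len:
        if len(raw) < 2 or raw[0] != 0x04 or raw[1] >= 0x80:
            raise ValueError("not a short-form OCTET STRING around an EC point")
        if 2 + raw[1] != len(raw):
            raise ValueError("DER length %d does not cover %d bytes" % (raw[1], len(raw) - 2))
        raw = raw[2:]
    if raw[0] != 0x04:
        raise ValueError("only uncompressed points are handled")
    return raw


def on_curve_p256(x, y):
    """y^2 == x^3 - 3x + b (mod p): rejects garbage or off-curve points."""
    if not (0 <= x < P256_P and 0 <= y < P256_P):
        return False
    return (y * y - (x * x * x - 3 * x + P256_B)) % P256_P == 0


def der(tag, content):
    """Minimal DER TLV encoder (lengths up to 65535 bytes)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xff])
    return bytes([tag]) + length + content


def der_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for v in arcs[2:]:
        chunk = [v & 0x7f]
        v >>= 7
        while v:
            chunk.append(0x80 | (v & 0x7f))
            v >>= 7
        body += bytes(reversed(chunk))
    return der(0x06, bytes(body))


def spki_der(point, curve_oid):
    """SubjectPublicKeyInfo ::= SEQUENCE { AlgorithmIdentifier, BIT STRING }.
    The curve OID is exactly what CKA_EC_PARAMS would have carried."""
    alg = der(0x30, der_oid(OID_EC_PUBLIC_KEY) + der_oid(curve_oid))
    return der(0x30, alg + der(0x03, b"\x00" + point))


def to_pem(der_bytes, label="PUBLIC KEY"):
    b64 = base64.b64encode(der_bytes).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)


def reconstruct_from_pkcs11_tool(hex_point, curve_oid=OID_PRIME256V1):
    """Turn the EC_POINT hex printed by pkcs11-tool into X, Y, a curve check
    and a PEM SubjectPublicKeyInfo that openssl can read."""
    point = unwrap_ec_point(bytes.fromhex(hex_point))
    x = int.from_bytes(point[1:33], "big")
    y = int.from_bytes(point[33:65], "big")
    spki = spki_der(point, curve_oid)
    return {"x": x, "y": y, "on_curve": on_curve_p256(x, y),
            "spki_der": spki, "pem": to_pem(spki)}


if __name__ == "__main__":
    r = reconstruct_from_pkcs11_tool(TOKEN_EC_POINT_HEX)
    print("on secp256r1:", r["on_curve"])
    print(r["pem"])
```

The resulting PEM is only a claim about which public key belongs to key id 60 until it is bound to the private key on the token: have the token sign a test file with pkcs11-tool and verify that signature against the PEM before certifying it, or you risk issuing a certificate over a key you do not control (note that pkcs11-tool emits raw r||s ECDSA signatures, not the DER form that openssl dgst expects). Separately, the commands in the post pass the PIN with --pin on the command line, which leaves it in shell history and process listings; pkcs11-tool --login without --pin prompts for it instead.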


Re: SCM SCR 355 / EC:secp256r1/RSA-2048 keypair creation issues

Douglas E. Engert
In reply to this post by Ronny Schütz
The problem is most likely related to what was reported on 9/20/2012,
along with an outline of how to fix it:

http://www.mail-archive.com/opensc-devel@.../msg10067.html




--

  Douglas E. Engert  <[hidden email]>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444


Re: SCM SCR 355 / EC:secp256r1/RSA-2048 keypair creation issues

Martin Paljak-4
In reply to this post by Ronny Schütz
Hello,

You did not specify a card (which must also support ECC), but keep in
mind that at least engine_pkcs11 only speaks RSA.

--
Martin
+372 515 6495




Re: SCM SCR 355 / EC:secp256r1/RSA-2048 keypair creation issues

Douglas E. Engert


On 6/11/2013 9:40 AM, Martin Paljak wrote:
> Hello,
>
> You did not specify a card (which must also support ECC), but keep in
> mind that at least engine_pkcs11 only speaks RSA.


See Re: [openssl.org #2568] enhancement request: remove ECC engine support's limitation
from 2011.

I have some code for the engine and p11 from 2011 for ECC.

>
> --
> Martin
> +372 515 6495
>
>
> On Tue, Jun 11, 2013 at 4:02 PM, Ronny Schütz <[hidden email]> wrote:
>> Hi,
>>
>> I'm trying to create a ECC keypair with self-signed certificate on a SCM SCR 355 (CardContact.de) using OpenSC 0.13.0 and OpenSSL 1.0.1 / enginePKCS11-0.1.8 under Ubuntu 12.04.
>>
>> $ pkcs11-tool --module /usr/lib/opensc-pkcs11.so --list-slots
>> Available slots:
>> Slot 0 (0xffffffffffffffff): Virtual hotplug slot
>>    (empty)
>> Slot 1 (0x1): SCM SCR 355 [CCID Interface] 00 00
>>    token label        : SmartCard-HSM (UserPIN)
>>    token manufacturer : www.CardContact.de
>>    token model        : PKCS#15 emulated
>>    token flags        : rng, login required, PIN initialized, token initialized
>>    hardware version   : 24.13
>>    firmware version   : 1.1
>>    serial num         : DECC0100157
>>
>> When creating the EC keypair, I get an error concerning the public key:
>>
>> $ pkcs11-tool --module /usr/lib/opensc-pkcs11.so --login --pin 725570 --keypairgen --key-type EC:secp256r1 --id 60 --label ca
>> Using slot 1 with a present token (0x1)
>> Key pair generated:
>> Private Key Object; EC
>>    label:      ca
>>    ID:         60
>>    Usage:      decrypt, sign, unwrap
>> Public Key Object; EC EC_POINT 264 bits
>>   EC_POINT:  0443044104df184902123186393e28e0673cf755352c8653eaf42224a54aa3ba0da987c2eb33f8380fc39b7417a1a5138d7ea696ea95f816935d63d7c7372772d11cfca37c
>> warning: PKCS11 function C_GetAttributeValue(EC_PARAMS) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)
>>
>>    label:      ca
>>    ID:         60
>>    Usage:      encrypt, verify, wrap
>>
>> And the public key isn't listed either
>>
>> $ pkcs11-tool --module /usr/lib/opensc-pkcs11.so --slot 1 --login --pin 725570 --list-objects
>> Private Key Object; EC
>>    label:      ca
>>    ID:         60
>>    Usage:      decrypt, sign, unwrap
>>
>> Now OpenSSL / req cannot find the private key for whatever reason.
>>
>> $ openssl
>> OpenSSL> version
>> OpenSSL 1.0.1 14 Mar 2012
>> OpenSSL> engine -t dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib/pkcs11/opensc-pkcs11.so -pre VERBOSE
>> (dynamic) Dynamic engine loading support
>> [Success]: SO_PATH:/usr/lib/engines/engine_pkcs11.so
>> [Success]: ID:pkcs11
>> [Success]: LIST_ADD:1
>> [Success]: LOAD
>> [Success]: MODULE_PATH:/usr/lib/pkcs11/opensc-pkcs11.so
>> [Success]: VERBOSE
>> Loaded: (pkcs11) pkcs11 engine
>> initializing engine
>>       [ available ]
>> OpenSSL> req -engine pkcs11 -new -key slot_1-id_60 -keyform engine -out req.pem -text -x509 -days 36500 -subj "/CN=TestCA"
>> initializing engine
>> engine "pkcs11" set.
>> Looking in slot 1 for key: 60
>> Found 2 slots
>> [18446744073709551615] Virtual hotplug slot       no tok
>> [1] SCM SCR 355 [CCID Interfa  login             (SmartCard-HSM (UserPIN))
>> Found slot:  SCM SCR 355 [CCID Interface] 00 00
>> Found token: SmartCard-HSM (UserPIN)
>> Found 0 certificate:
>> PKCS#11 token PIN:
>> No keys found.
>> PKCS11_get_private_key returned NULL
>> cannot load Private Key from engine
>> 139838314968736:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:eng_pkey.c:126:
>> unable to load Private Key
>> error in req
>> OpenSSL>
>>
>> The key pair creation + CSR request creation appears to work with RSA-1024, i.e. I don't get errors and I see private and public key on the token. However, when using RSA-2048, there is no error during key generation, but --list-objects doesn't show the public key either and openssl req fails to retrieve the private key as well.
>>
>> $ pkcs11-tool --module /usr/lib/opensc-pkcs11.so --login --pin 725570 --keypairgen --key-type RSA:2048 --id 70 --label ca-rsa
>> Using slot 1 with a present token (0x1)
>> Key pair generated:
>> Private Key Object; RSA
>>    label:      ca-rsa
>>    ID:         70
>>    Usage:      decrypt, sign, unwrap
>> Public Key Object; RSA 2048 bits
>>    label:      ca-rsa
>>    ID:         70
>>    Usage:      encrypt, verify, wrap
>> $ pkcs11-tool --module /usr/lib/opensc-pkcs11.so --slot 1 --login --pin 725570 --list-objects
>> Private Key Object; RSA
>>    label:      ca-rsa
>>    ID:         70
>>    Usage:      decrypt, sign, unwrap
>> $ openssl
>> OpenSSL> engine -t dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib/pkcs11/opensc-pkcs11.so -pre VERBOSE
>> (dynamic) Dynamic engine loading support
>> [Success]: SO_PATH:/usr/lib/engines/engine_pkcs11.so
>> [Success]: ID:pkcs11
>> [Success]: LIST_ADD:1
>> [Success]: LOAD
>> [Success]: MODULE_PATH:/usr/lib/pkcs11/opensc-pkcs11.so
>> [Success]: VERBOSE
>> Loaded: (pkcs11) pkcs11 engine
>> initializing engine
>>       [ available ]
>> OpenSSL> req -engine pkcs11 -new -key slot_1-id_70 -keyform engine -out req.pem -text -x509 -days 36500 -subj "/CN=TestCA"
>> initializing engine
>> engine "pkcs11" set.
>> Looking in slot 1 for key: 70
>> Found 2 slots
>> [18446744073709551615] Virtual hotplug slot       no tok
>> [1] SCM SCR 355 [CCID Interfa  login             (SmartCard-HSM (UserPIN))
>> Found slot:  SCM SCR 355 [CCID Interface] 00 00
>> Found token: SmartCard-HSM (UserPIN)
>> Found 0 certificate:
>> PKCS#11 token PIN:
>> Found 1 key:
>>     1 P  ca-rsa
>> PKCS11_get_private_key returned NULL
>> cannot load Private Key from engine
>> 140210187540128:error:80028012:PKCS11 library:PKCS11_get_attribute:Attribute type invalid:p11_attr.c:53:
>> 140210187540128:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:eng_pkey.c:126:
>> unable to load Private Key
>> error in req
>> OpenSSL>
>>
>> I'm a bit lost ... Is there anything wrong in the parameters? Is there any workaround to create a proper key pair on the token?
>>
>> Thanks & Best regards,
>> Ronny

--

  Douglas E. Engert  <[hidden email]>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel
Re: SCM SCR 355 / EC:secp256r1/RSA-2048 keypair creation issues

Ronny Schütz
In reply to this post by Andreas Schwier (ML)
Hi all,

thanks a lot for all your replies.

> The issue with RSA 2048 keys has been fixed in [2]. Are you using the official 0.13 release from November ?

Yes, I was using the official OpenSC 0.13 release; I switched to the latest version from the GIT repository which indeed solves the RSA-2048 issue.

> issuing ECDSA keys and certificates via openssl does currently not work with OpenSC, as the EC_PARAMS attribute is only defined if a certificate for the key exists on the device.

Ok. I tried to create an EC:prime256v1 keypair + self-signed certificate using OpenSSL on my PC but was unable to write the private key to the device (pkcs11-tool; error: Unsupported key type: 0x198) either.

> You did not specify a card (which must also support ECC), but keep in mind that at least engine_pkcs11 only speaks RSA.

Ok, then we most likely need to drop ECC anyway and use RSA instead.
 
Best regards,
Ronny

-----Original Message-----
From: Andreas Schwier [mailto:[hidden email]]
Sent: Tuesday, 11 June 2013 16:25
To: [hidden email]
Subject: Re: [Opensc-devel] SCM SCR 355 / EC:secp256r1/RSA-2048 keypair creation issues

Dear Ronny,

issuing ECDSA keys and certificates via openssl does currently not work with OpenSC, as the EC_PARAMS attribute is only defined if a certificate for the key exists on the device. For newly generated keys, this is obviously not the case. We are working on a fix, but that requires quite some rework in the OpenSC code (see [1]).

The issue with RSA 2048 keys has been fixed in [2]. Are you using the official 0.13 release from November ?

Kind regards,

Andreas


[1] https://devnet.cardcontact.de/issues/3
[2] https://github.com/CardContact/OpenSC/commit/99af6cd8ee78776f50bc016fc230541072c60afb

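The EC_PARAMS problem Andreas describes above means the token's public key object carries a point but no statement of which curve it belongs to. As an added example (not code from the thread, OpenSC or engine_pkcs11), the Python below decodes the CKA_EC_POINT value pkcs11-tool printed for key 60, including its double OCTET STRING wrapping, and checks the point against the secp256r1 curve equation, which is the one check a verifier can still make without EC_PARAMS; the P-256 constants and the namedCurve OID encoding are standard values, not taken from the page.

```python
# Added example, not from the thread or from OpenSC/engine_pkcs11: decode a
# CKA_EC_POINT attribute and check it is a valid secp256r1 point, since the
# missing CKA_EC_PARAMS attribute leaves nothing on the token naming the curve.
from typing import Dict, Tuple

# secp256r1 / prime256v1 / P-256 domain parameters (SEC 2 / FIPS 186-4).
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
COORD_LEN = 32  # bytes per coordinate on a 256-bit curve

# DER encoding of the namedCurve OID 1.2.840.10045.3.1.7 (prime256v1): the value
# a correct CKA_EC_PARAMS attribute for the key in the thread would carry.
EC_PARAMS_PRIME256V1 = bytes.fromhex("06082a8648ce3d030107")

# EC_POINT bytes exactly as pkcs11-tool printed them in the thread (test input
# copied from the page). Note the double wrapping: 04 43 [ 04 41 [ 04 || X || Y ] ].
PAGE_EC_POINT_HEX = (
    "0443044104df184902123186393e28e0673cf755352c8653eaf42224a54aa3ba0da987"
    "c2eb33f8380fc39b7417a1a5138d7ea696ea95f816935d63d7c7372772d11cfca37c"
)


def der_octet_string_unwrap(data: bytes) -> bytes:
    """Strip one DER OCTET STRING header (tag 0x04, short or long length).

    The length must cover the rest of the buffer exactly; anything else means
    a corrupted attribute and raises ValueError.
    """
    if len(data) < 2 or data[0] != 0x04:
        raise ValueError("not a DER OCTET STRING")
    length, offset = data[1], 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            raise ValueError("bad DER length encoding")
        length = int.from_bytes(data[2:2 + n], "big")
        offset = 2 + n
    if offset + length != len(data):
        raise ValueError("DER length does not match the attribute size")
    return data[offset:]


def decode_ec_point(attr: bytes) -> Tuple[int, int]:
    """Return (x, y) from a CKA_EC_POINT value.

    PKCS#11 defines CKA_EC_POINT as a DER OCTET STRING around the SEC 1
    uncompressed point 04 || X || Y. Some stacks wrap that a second time, as the
    value in the thread shows, so unwrap until the bare 65-byte point appears.
    Each unwrap strictly shortens the buffer or raises, so the loop terminates.
    """
    body = attr
    while len(body) != 1 + 2 * COORD_LEN:
        body = der_octet_string_unwrap(body)
    if body[0] != 0x04:
        raise ValueError("only uncompressed points (0x04 prefix) are supported")
    x = int.from_bytes(body[1:1 + COORD_LEN], "big")
    y = int.from_bytes(body[1 + COORD_LEN:], "big")
    return x, y


def encode_ec_point(x: int, y: int, double_wrap: bool = False) -> bytes:
    """Build a CKA_EC_POINT value; double_wrap reproduces the thread's nesting."""
    point = b"\x04" + x.to_bytes(COORD_LEN, "big") + y.to_bytes(COORD_LEN, "big")
    wrapped = bytes([0x04, len(point)]) + point
    if double_wrap:
        wrapped = bytes([0x04, len(wrapped)]) + wrapped
    return wrapped


def on_curve(x: int, y: int) -> bool:
    """True if (x, y) satisfies y^2 = x^3 + a*x + b (mod p) with in-range coordinates.

    This rejects the point at infinity and invalid-curve points, the minimum a
    verifier wants before using a key whose curve it could not read from the token.
    """
    if not (0 <= x < P and 0 <= y < P):
        return False
    return (y * y - (x * x * x + A * x + B)) % P == 0


def check_token_point(attr_hex: str) -> Dict[str, object]:
    """Decode a hex CKA_EC_POINT and report coordinates plus P-256 membership."""
    x, y = decode_ec_point(bytes.fromhex(attr_hex))
    return {"x": f"{x:064x}", "y": f"{y:064x}", "on_p256": on_curve(x, y)}


if __name__ == "__main__":
    report = check_token_point(PAGE_EC_POINT_HEX)
    print(f"X        = {report['x']}")
    print(f"Y        = {report['y']}")
    print(f"on P-256 : {report['on_p256']}")
    print(f"expected CKA_EC_PARAMS: {EC_PARAMS_PRIME256V1.hex()}")
```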
Re: SCM SCR 355 / EC:secp256r1/RSA-2048 keypair creation issues

Andreas Schwier (ML)
Hi Ronny,

On 06/12/2013 06:27 PM, Ronny Schütz wrote:

> Hi all,
>
> thanks a lot for all your replies.
>
>> The issue with RSA 2048 keys has been been fixed in [2]. Are you using the official 0.13 release from November ?
>
> Yes, I was using the official OpenSC 0.13 release; I switched to the latest version from the GIT repository which indeed solves the RSA-2048 issue.
>
>> issuing ECDSA keys and certificates via openssl does currently not work with OpenSC, as the EC_PARAMS attribute is only defined if a certificate for the key exists on the device.
>
> Ok. I tried to create an EC:prime256v1 keypair + self-signed certificate using OpenSSL on my PC but was unable to write the private key to the device (pkcs11-tool; error: Unsupported key type: 0x198) either.
The SmartCard-HSM does not support key import in plain. Only keys previously exported under the Device Key Encryption Key (DKEK) can be imported.
>
>> You did not specify a card (which must also support ECC), but keep in mind that at least engine_pkcs11 only speaks RSA.
>
> Ok, then we most likely need to drop ECC anyway and use RSA instead.
I can provide you with a Smart Card Shell script that generates ECC keys
and certificates on a SmartCard-HSM.

Re: SCM SCR 355 / EC:secp256r1/RSA-2048 keypair creation issues

Ronny Schütz
Hi Andreas,

> I can provide you with a Smart Card Shell script that generates ECC keys and certificates on a SmartCard-HSM.

That would be helpful, thanks! What I actually want to achieve is to use the SmartCard-HSM to carry a custom CA keypair + certificate (RSA:2048 or better EC:secp256r1) and use the token to either process CSRs and generate X.509 certificates or to at least generate the signature to issue client certificates using OpenSSL. Would this work considering that: "at least engine_pkcs11 only speaks RSA" (Martin)?

Best regards,
Ronny


Re: SCM SCR 355 / EC:secp256r1/RSA-2048 keypair creation issues

Douglas E. Engert
If you are willing to do some development, back in 2011
I had mods to openssl, engine-pkcs11 and libp11 to support
ECDSA signatures. See this last message in the thread:

http://www.mail-archive.com/opensc-devel@.../msg08848.html

(Felipe Blauth got the mods working)

I have attached the updated mods, but I have not used them in some time.
As noted in the mods there is an outstanding OpenSSL bug.

+#if defined(BUILD_WITH_EC) && !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_ECDSA)
+/* OpenSSL has ECDSA_METHOD  defined in internal header file ecs_locl.h
+ * For now:
+ * CPPFLAGS="-DBUILD_WITH_EC -I/path.to.openssl-1.0.0a/crypto/ecdh"
+ * See OpenSSL bug report #2459 02/23/2011
+ * When this is fixed, the BUILD_WITH_EC test can be removed
+ *
+ * TODO ECDH_METHOD is in ech_locl.h too!
+ */
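Review bot: the build of the ECDSA_METHOD code in this hunk depends on OpenSSL's private header ecs_locl.h being reachable through a hard-coded CPPFLAGS include path into an OpenSSL source tree, and the guard is a hand-set BUILD_WITH_EC define rather than a configure-time check, so a build that omits the flag silently drops EC support while one that sets it breaks as soon as OpenSSL's internal layout changes. Suggest documenting the required CPPFLAGS in the build instructions, making configure fail or warn when BUILD_WITH_EC is requested and the header is not found, and resolving or tracking the open TODO about ECDH_METHOD in ech_locl.h before the mods are merged.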


On 6/13/2013 5:25 AM, Ronny Schütz wrote:

> Hi Andreas,
>
>> I can provide you with a Smart Card Shell script that generates ECC keys and certificates on a SmartCard-HSM.
>
> That would be helpful, thanks! What I actually want to achieve is to use the SmartCard-HSM to carry a custom CA keypair + certificate (RSA:2048 or better EC:secp256r1) and use the token to either process CSRs and generate X.509 certificates or to at least generate the signature to issue client certificates using OpenSSL. Would this work considering that: "at least engine_pkcs11 only speaks RSA" (Martin)?
>
> Best regards,
> Ronny
>
> -----Original Message-----
> From: Andreas Schwier [mailto:[hidden email]]
> Sent: Mittwoch, 12. Juni 2013 21:53
> To: [hidden email]
> Subject: Re: [Opensc-devel] SCM SCR 355 / EC:secp256r1/RSA-2048 keypair creation issues
>
> Hi Ronny,
>
> On 06/12/2013 06:27 PM, Ronny Schütz wrote:
>> Hi all,
>>
>> thanks a lot for all your replies.
>>
>>> The issue with RSA 2048 keys has been fixed in [2]. Are you using the official 0.13 release from November?
>>
>> Yes, I was using the official OpenSC 0.13 release; I switched to the latest version from the GIT repository which indeed solves the RSA-2048 issue.
>>
>>> issuing ECDSA keys and certificates via openssl does currently not work with OpenSC, as the EC_PARAMS attribute is only defined if a certificate for the key exists on the device.
>>
>> Ok. I tried to create an EC:prime256v1 keypair + self-signed certificate using OpenSSL on my PC but was unable to write the private key to the device (pkcs11-tool; error: Unsupported key type: 0x198) either.
> The SmartCard-HSM does not support key import in plain. Only keys previously exported under the Device Key Encryption Key (DKEK) can be imported
>>
>>> You did not specify a card (which must also support ECC), but keep in mind that at least engine_pkcs11 only speaks RSA.
>>
>> Ok, then we most likely need to drop ECC anyway and use RSA instead.
> I can provide you with a Smart Card Shell script that generates ECC keys and certificates on a SmartCard-HSM.
>>
>> Best regards,
>> Ronny
>>
>> -----Original Message-----
>> From: Andreas Schwier [mailto:[hidden email]]
>> Sent: Dienstag, 11. Juni 2013 16:25
>> To: [hidden email]
>> Subject: Re: [Opensc-devel] SCM SCR 355 / EC:secp256r1/RSA-2048
>> keypair creation issues
>>
>> Dear Ronny,
>>
>> issuing ECDSA keys and certificates via openssl does currently not work with OpenSC, as the EC_PARAMS attribute is only defined if a certificate for the key exists on the device. For newly generated keys, this is obviously not the case. We are working on a fix, but that requires quite some rework in the OpenSC code (see [1]).
>>
>> The issue with RSA 2048 keys has been fixed in [2]. Are you using the official 0.13 release from November?
>>
>> Kind regards,
>>
>> Andreas
>>
>>
>> [1] https://devnet.cardcontact.de/issues/3
>> [2] https://github.com/CardContact/OpenSC/commit/99af6cd8ee78776f50bc016fc230541072c60afb
>>
>> On 06/11/2013 03:02 PM, Ronny Schütz wrote:
>>> Hi,
>>>
>>> I'm trying to create a ECC keypair with self-signed certificate on a SCM SCR 355 (CardContact.de) using OpenSC 0.13.0 and OpenSSL 1.0.1 / enginePKCS11-0.1.8 under Ubuntu 12.04.
>>>
>>> $ pkcs11-tool --module /usr/lib/opensc-pkcs11.so --list-slots
>>> Available slots:
>>> Slot 0 (0xffffffffffffffff): Virtual hotplug slot
>>>    (empty)
>>> Slot 1 (0x1): SCM SCR 355 [CCID Interface] 00 00
>>>    token label        : SmartCard-HSM (UserPIN)
>>>    token manufacturer : www.CardContact.de
>>>    token model        : PKCS#15 emulated
>>>    token flags        : rng, login required, PIN initialized, token initialized
>>>    hardware version   : 24.13
>>>    firmware version   : 1.1
>>>    serial num         : DECC0100157
>>>
>>> When creating the EC keypair, I get an error concerning the public key:
>>>
>>> $ pkcs11-tool --module /usr/lib/opensc-pkcs11.so --login --pin 725570 --keypairgen --key-type EC:secp256r1 --id 60 --label ca
>>> Using slot 1 with a present token (0x1)
>>> Key pair generated:
>>> Private Key Object; EC
>>>    label:      ca
>>>    ID:         60
>>>    Usage:      decrypt, sign, unwrap
>>> Public Key Object; EC EC_POINT 264 bits
>>>   EC_POINT:  0443044104df184902123186393e28e0673cf755352c8653eaf42224a54aa3ba0da987c2eb33f8380fc39b7417a1a5138d7ea696ea95f816935d63d7c7372772d11cfca37c
>>> warning: PKCS11 function C_GetAttributeValue(EC_PARAMS) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)
>>>
>>>    label:      ca
>>>    ID:         60
>>>    Usage:      encrypt, verify, wrap
>>>
>>> And the public key isn't listed either
>>>
>>> $ pkcs11-tool --module /usr/lib/opensc-pkcs11.so --slot 1 --login --pin 725570 --list-objects
>>> Private Key Object; EC
>>>    label:      ca
>>>    ID:         60
>>>    Usage:      decrypt, sign, unwrap
>>>
>>> Now OpenSSL / req cannot find the private key for whatever reason.
>>>
>>> $ openssl
>>> OpenSSL> version
>>> OpenSSL 1.0.1 14 Mar 2012
>>> OpenSSL> engine -t dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib/pkcs11/opensc-pkcs11.so -pre VERBOSE
>>> (dynamic) Dynamic engine loading support
>>> [Success]: SO_PATH:/usr/lib/engines/engine_pkcs11.so
>>> [Success]: ID:pkcs11
>>> [Success]: LIST_ADD:1
>>> [Success]: LOAD
>>> [Success]: MODULE_PATH:/usr/lib/pkcs11/opensc-pkcs11.so
>>> [Success]: VERBOSE
>>> Loaded: (pkcs11) pkcs11 engine
>>> initializing engine
>>>       [ available ]
>>> OpenSSL> req -engine pkcs11 -new -key slot_1-id_60 -keyform engine -out req.pem -text -x509 -days 36500 -subj "/CN=TestCA"
>>> initializing engine
>>> engine "pkcs11" set.
>>> Looking in slot 1 for key: 60
>>> Found 2 slots
>>> [18446744073709551615] Virtual hotplug slot       no tok
>>> [1] SCM SCR 355 [CCID Interfa  login             (SmartCard-HSM (UserPIN))
>>> Found slot:  SCM SCR 355 [CCID Interface] 00 00
>>> Found token: SmartCard-HSM (UserPIN)
>>> Found 0 certificate:
>>> PKCS#11 token PIN:
>>> No keys found.
>>> PKCS11_get_private_key returned NULL
>>> cannot load Private Key from engine
>>> 139838314968736:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:eng_pkey.c:126:
>>> unable to load Private Key
>>> error in req
>>> OpenSSL>
>>>
>>> The key pair creation + CSR request creation appears to work with RSA-1024, i.e. I don't get errors and I see private and public key on the token. However, when using RSA-2048, there is no error during key generation, but --list-objects doesn't show the public key either and openssl req fails to retrieve the private key as well.
>>>
>>> $ pkcs11-tool --module /usr/lib/opensc-pkcs11.so --login --pin 725570 --keypairgen --key-type RSA:2048 --id 70 --label ca-rsa
>>> Using slot 1 with a present token (0x1)
>>> Key pair generated:
>>> Private Key Object; RSA
>>>    label:      ca-rsa
>>>    ID:         70
>>>    Usage:      decrypt, sign, unwrap
>>> Public Key Object; RSA 2048 bits
>>>    label:      ca-rsa
>>>    ID:         70
>>>    Usage:      encrypt, verify, wrap
>>> $ pkcs11-tool --module /usr/lib/opensc-pkcs11.so --slot 1 --login --pin 725570 --list-objects
>>> Private Key Object; RSA
>>>    label:      ca-rsa
>>>    ID:         70
>>>    Usage:      decrypt, sign, unwrap
>>> $ openssl
>>> OpenSSL> engine -t dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib/pkcs11/opensc-pkcs11.so -pre VERBOSE
>>> (dynamic) Dynamic engine loading support
>>> [Success]: SO_PATH:/usr/lib/engines/engine_pkcs11.so
>>> [Success]: ID:pkcs11
>>> [Success]: LIST_ADD:1
>>> [Success]: LOAD
>>> [Success]: MODULE_PATH:/usr/lib/pkcs11/opensc-pkcs11.so
>>> [Success]: VERBOSE
>>> Loaded: (pkcs11) pkcs11 engine
>>> initializing engine
>>>       [ available ]
>>> OpenSSL> req -engine pkcs11 -new -key slot_1-id_70 -keyform engine -out req.pem -text -x509 -days 36500 -subj "/CN=TestCA"
>>> initializing engine
>>> engine "pkcs11" set.
>>> Looking in slot 1 for key: 70
>>> Found 2 slots
>>> [18446744073709551615] Virtual hotplug slot       no tok
>>> [1] SCM SCR 355 [CCID Interfa  login             (SmartCard-HSM (UserPIN))
>>> Found slot:  SCM SCR 355 [CCID Interface] 00 00
>>> Found token: SmartCard-HSM (UserPIN)
>>> Found 0 certificate:
>>> PKCS#11 token PIN:
>>> Found 1 key:
>>>     1 P  ca-rsa
>>> PKCS11_get_private_key returned NULL
>>> cannot load Private Key from engine
>>> 140210187540128:error:80028012:PKCS11 library:PKCS11_get_attribute:Attribute type invalid:p11_attr.c:53:
>>> 140210187540128:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:eng_pkey.c:126:
>>> unable to load Private Key
>>> error in req
>>> OpenSSL>
>>>
>>> I'm a bit lost ... Is there anything wrong in the parameters? Is there any workaround to create a proper key pair on the token?
>>>
>>> Thanks & Best regards,
>>> Ronny
>>>
>>
>
--

  Douglas E. Engert  <[hidden email]>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444


Attachments: openssl-1.0.1-ecdsa.diff-20130613 (1K), engine_pkcs11-diff-20130613 (741 bytes), libp11.diff-20130613 (15K)
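The two attributes at the centre of the quoted thread are CKA_EC_POINT, which pkcs11-tool did print, and CKA_EC_PARAMS, which OpenSC could not return because no certificate existed for the key; engine_pkcs11/libp11 needs both to rebuild the public key, which is why `PKCS11_get_attribute: Attribute type invalid` follows. As an added example (not code from OpenSC, libp11 or the attached patches), the Python below decodes the EC_POINT value copied from the thread, finds that it carries two DER OCTET STRING wrappers where PKCS#11 specifies one, checks the point against the secp256r1 curve equation, and builds the DER named-curve OID that a correct CKA_EC_PARAMS value would hold. The curve constants are the published secp256r1 parameters; the `(len - 3) * 4` figure is my reconstruction of the arithmetic behind the tool's "264 bits" line, not taken from its source, and is labelled as such in the code.

```python
"""Decode a CKA_EC_POINT value and show the CKA_EC_PARAMS it should be paired with.

Added example for the opensc-devel thread; not OpenSC, libp11 or patch code.
"""

# EC_POINT value copied from the pkcs11-tool output in the thread
# (69 bytes; a spec-conformant P-256 value is 67: 04 41 || 04 || X || Y).
EC_POINT_HEX = (
    "0443044104df184902123186393e28e0673cf755352c8653eaf42224a54aa3ba0da987c2eb"
    "33f8380fc39b7417a1a5138d7ea696ea95f816935d63d7c7372772d11cfca37c"
)

# secp256r1 (= prime256v1 / NIST P-256) domain parameters from SEC 2.
P256_P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
P256_A = P256_P - 3
P256_B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
P256_GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
P256_GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5
P256_COORD_BYTES = 32
SECP256R1_OID = "1.2.840.10045.3.1.7"


def der_octet_string_unwrap(data: bytes) -> bytes:
    """Strip one DER OCTET STRING (tag 0x04) header; short or long-form length."""
    if len(data) < 2 or data[0] != 0x04:
        raise ValueError("not a DER OCTET STRING")
    length, pos = data[1], 2
    if length & 0x80:  # long form: 0x8N followed by N big-endian length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(data[2:2 + nbytes], "big")
        pos = 2 + nbytes
    if pos + length != len(data):
        raise ValueError("OCTET STRING length does not match the data")
    return data[pos:]


def parse_ec_point(ec_point_hex: str):
    """Return (x, y, wrap_depth) for a CKA_EC_POINT holding an uncompressed point.

    PKCS#11 wraps 04||X||Y in exactly one OCTET STRING.  The value from the
    thread carries two, so unwrap until the raw 65-byte point remains and
    report how many wrappers were removed (anything other than 1 is a defect).
    """
    data = bytes.fromhex(ec_point_hex)
    raw_len = 1 + 2 * P256_COORD_BYTES
    depth = 0
    while len(data) != raw_len:
        data = der_octet_string_unwrap(data)  # raises if it cannot shrink further
        depth += 1
    if data[0] != 0x04:
        raise ValueError("only uncompressed points are handled here")
    x = int.from_bytes(data[1:1 + P256_COORD_BYTES], "big")
    y = int.from_bytes(data[1 + P256_COORD_BYTES:], "big")
    return x, y, depth


def is_on_p256(x: int, y: int) -> bool:
    """Curve-membership check y^2 == x^3 + ax + b (mod p); rejects off-curve points."""
    if not (0 <= x < P256_P and 0 <= y < P256_P):
        return False
    return (y * y - (pow(x, 3, P256_P) + P256_A * x + P256_B)) % P256_P == 0


def displayed_bits(ec_point_len: int) -> int:
    """Assumed reconstruction of the bit count pkcs11-tool prints: it treats the
    value as one OCTET STRING header plus 04||X||Y, i.e. (len - 3) * 4 bits.
    For the 69-byte value above that gives the 264 seen in the thread."""
    return (ec_point_len - 3) * 4


def encode_ec_params(oid: str) -> bytes:
    """DER-encode a named-curve OID; this is the CKA_EC_PARAMS value OpenSSL needs."""
    arcs = [int(a) for a in oid.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]  # base-128, high bit set on all but the last byte
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return bytes([0x06, len(body)]) + bytes(body)


if __name__ == "__main__":
    x, y, depth = parse_ec_point(EC_POINT_HEX)
    print(f"OCTET STRING wrappers removed: {depth} (PKCS#11 specifies 1)")
    print(f"X = {x:064x}\nY = {y:064x}")
    print(f"point satisfies the secp256r1 equation: {is_on_p256(x, y)}")
    print(f"tool-style size: {displayed_bits(len(EC_POINT_HEX) // 2)} bits as printed, "
          f"{displayed_bits(67)} bits for a correctly wrapped value")
    print(f"CKA_EC_PARAMS for secp256r1: {encode_ec_params(SECP256R1_OID).hex()}")
```

Run it as-is and it reports the extra wrapper, the coordinates, whether the card's point is actually on the curve, and the ten-byte `06082a8648ce3d030107` value that the failed `C_GetAttributeValue(EC_PARAMS)` call would have had to return for OpenSSL to use the key; a token whose public-key object lacks that attribute cannot be used for ECDSA through the engine even though the private key is present.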

Re: SCM SCR 355 / EC:secp256r1/RSA-2048 keypair creation issues

Lars Dietzel
This post has NOT been accepted by the mailing list yet.
In reply to this post by Andreas Schwier (ML)
Dear Andreas,

I think I stumbled over the same issue with opensc 0.15.0. Unfortunately the link [1] from your post seems not to work, therefore I don't know where to check if this has been implemented meanwhile. Could you give an update if this should work now?

Kind regards,

Lars