pkcs11_engine on windows

pkcs11_engine on windows

mike tancsa-2
Hi,
        I am having some challenges successfully compiling/using the
pkcs11_engine on Windows and was hoping someone could point me in the
right direction.....

I setup a cygwin environment on Windows 7 64bit. I have the latest
OpenSC installed, and built and installed libP11 from the github repo. I
then built the dll
  export set LIBS='-lp11'
  export set LDFLAGS='-L/usr/local/lib/'
  ./bootstrap
  ./configure
  make
  make install

$ ls -l  ~/work/engine_pkcs11/src/.libs
total 215
-rw-r--r-- 1 mdtancsa None     20 Apr 24 11:07 engine_pkcs11.def
-rwxr-xr-x 1 mdtancsa None 128513 Apr 24 11:07 engine_pkcs11.dll
-rw-r--r-- 1 mdtancsa None   2036 Apr 24 11:07 engine_pkcs11.dll.a
-rw-r--r-- 1 mdtancsa None     28 Apr 24 11:07 engine_pkcs11.dll.def
lrwxrwxrwx 1 mdtancsa None     19 Apr 24 11:07 engine_pkcs11.la ->
../engine_pkcs11.la
-rw-r--r-- 1 mdtancsa None   1003 Apr 24 11:07 engine_pkcs11.lai
-rw-r--r-- 1 mdtancsa None  52803 Apr 24 11:07
engine_pkcs11_la-engine_pkcs11.o
-rw-r--r-- 1 mdtancsa None  21561 Apr 24 11:07 engine_pkcs11_la-hw_pkcs11.o

$ file engine_pkcs11.dll
engine_pkcs11.dll: PE32+ executable (DLL) (console) x86-64, for MS Windows




Then I try and generate a key (both with the old non java etokens using
the opensc-pkcs11.dll and the java etokens using the safenet dll) which
seems to work.  But I am not able to get the openssl portion working so
I can then generate a request.


$ ./pkcs15-init.exe -E
Using reader with a card: AKS ifdh 0

$ ./pkcs15-init.exe -C -P --pin 12345 --puk 12345 -a 01 --label "mike"
--so-pin 123456 --so-puk 123456 -T
2015-04-24 11:49:06.573 cannot lock memory, sensitive data may be paged
to disk
2015-04-24 11:49:08.124 cannot lock memory, sensitive data may be paged
to disk
2015-04-24 11:49:09.031 cannot lock memory, sensitive data may be paged
to disk
Using reader with a card: AKS ifdh 0


$ ./pkcs15-init.exe -G rsa/2048 -a 01 --pin 12345 --so-pin 123456 -u
sign,decrypt --id 45
2015-04-24 11:49:48.705 cannot lock memory, sensitive data may be paged
to disk
2015-04-24 11:49:58.254 cannot lock memory, sensitive data may be paged
to disk
2015-04-24 11:49:59.082 cannot lock memory, sensitive data may be paged
to disk
2015-04-24 11:49:59.696 cannot lock memory, sensitive data may be paged
to disk
Using reader with a card: AKS ifdh 0


$ ./pkcs15-tool.exe --list-keys -k -c -C
Private RSA Key [Private Key]
         Object Flags   : [0x3], private, modifiable
         Usage          : [0x2E], decrypt, sign, signRecover, unwrap
         Access Flags   : [0x1D], sensitive, alwaysSensitive,
neverExtract, local
         ModLength      : 2048
         Key ref        : 16 (0x10)
         Native         : yes
         Path           : 3f005015
         Auth ID        : 01
         ID             : 45
         MD:guid        : {ce92c7be-ec89-8a73-acae-68759a047368}
           :cmap flags  : 0x0
           :sign        : 0
           :key-exchange: 0

Using reader with a card: AKS ifdh 0

$ ./pkcs11-tool.exe --pin 12345 -O --module ./opensc-pkcs11.dll
Public Key Object; RSA 2048 bits
   label:      Private Key
   ID:         45
   Usage:      encrypt, verify, wrap
Using slot 1 with a present token (0x1)


$ ./openssl.exe
OpenSSL> engine dynamic -pre
SO_PATH:/usr/local/lib/engines/engine_pkcs11.dll -pre ID:pkcs11 -pre
LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/home/mdtancsa/opensc-pkcs11.dll
(dynamic) Dynamic engine loading support
[Success]: SO_PATH:/usr/local/lib/engines/engine_pkcs11.dll
[Success]: ID:pkcs11
[Success]: LIST_ADD:1
[Success]: LOAD
[Success]: MODULE_PATH:/home/mdtancsa/opensc-pkcs11.dll
Loaded: (pkcs11) pkcs11 engine
OpenSSL> req -engine pkcs11 -new -key 1:45 -keyform engine -out req.pem
-text -x509 -subj "/CN=Mike Tancsa"
engine "pkcs11" set.
failed to enumerate slots
PKCS11_get_private_key returned NULL
cannot load Private Key from engine
2283136:error:80002003:PKCS11 library:PKCS11_enum_slots:Invalid slot
ID:p11_slot.c:314:
2283136:error:26096080:engine routines:ENGINE_load_private_key:failed
loading private key:eng_pkey.c:124:
unable to load Private Key
error in req
OpenSSL>


Trying with the SafeNet DLL gives the same / similar problem


$ ./pkcs11-tool.exe --module ./eTPKCS11.dll -l --pin 12345 --keypairgen
--key-type rsa:2048 --id 45
Key pair generated:
Private Key Object; RSA
   label:
   ID:         45
   Usage:      decrypt, sign, unwrap
Public Key Object; RSA 2048 bits
   label:
   ID:         45
   Usage:      encrypt, verify, wrap
Using slot 2 with a present token (0x2)

Trying with slot 2
OpenSSL> req -engine pkcs11 -new -key 2:45 -keyform engine -out cert.pem
-text -x509 -days 3640 -subj "/CN=Mike Tancsa"
engine "pkcs11" set.
failed to enumerate slots
PKCS11_get_private_key returned NULL
cannot load Private Key from engine
2283136:error:80002003:PKCS11 library:PKCS11_enum_slots:Invalid slot
ID:p11_slot.c:314:
2283136:error:26096080:engine routines:ENGINE_load_private_key:failed
loading private key:eng_pkey.c:124:
unable to load Private Key
error in req
OpenSSL> q

And just specifying the key also fails

OpenSSL> engine dynamic -pre
SO_PATH:/usr/local/lib/engines/engine_pkcs11.dll -pre ID:pkcs11 -pre
LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/home/mdtancsa/eTPKCS11.dll
(dynamic) Dynamic engine loading support
[Success]: SO_PATH:/usr/local/lib/engines/engine_pkcs11.dll
[Success]: ID:pkcs11
[Success]: LIST_ADD:1
[Success]: LOAD
[Success]: MODULE_PATH:/home/mdtancsa/eTPKCS11.dll
Loaded: (pkcs11) pkcs11 engine
OpenSSL> req -engine pkcs11 -new -key 45 -keyform engine -out cert.pem
-text -x509 -days 3640 -subj "/CN=Mike Tancsa"
engine "pkcs11" set.
failed to enumerate slots
PKCS11_get_private_key returned NULL
cannot load Private Key from engine
2283136:error:80002003:PKCS11 library:PKCS11_enum_slots:Invalid slot
ID:p11_slot.c:314:
2283136:error:26096080:engine routines:ENGINE_load_private_key:failed
loading private key:eng_pkey.c:124:
unable to load Private Key
error in req


        ---Mike

_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel

Re: pkcs11_engine on windows

Douglas E Engert


On 4/24/2015 11:20 AM, mike tancsa wrote:

> [...]

First, I have not used cygwin in years...

You may need a LD_LIBRARY_PATH=
In your examples, you refer to some absolute paths like:
/home/mdtancsa/opensc-pkcs11.dll
/usr/local/lib/engines/engine_pkcs11.dll
but run from the current directory using ./, and don't say what that directory is.

./pkcs11-tool.exe appears to have worked using ./opensc-pkcs11.dll
What directory was this?

Do you have two copies of opensc-pkcs11.dll?
one in /usr/local/lib/
and one in /home/mdtancsa/

Should you be using MODULE_PATH=/usr/local/lib/opensc-pkcs11.dll?


--

  Douglas E. Engert  <[hidden email]>


Re: pkcs11_engine on windows

mike tancsa-2
On 4/24/2015 2:01 PM, Douglas E Engert wrote:
>
> First, I have not used cygwin in years...

What is the best way to compile? Cross compile on a *nix box?

>
> You may need a LD_LIBRARY_PATH=
> In your examples, you refer to some absolute paths like:
> /home/mdtancsa/opensc-pkcs11.dll
> /usr/local/lib/engines/engine_pkcs11.dll
> but run from the current directory, using ./ but don't say what that directory is.
>
> ./pkcs11-tool.exe appears to have worked using ./opensc-pkcs11.dll
> What directory was this?

Hi,
        It's in my home dir, /home/mdtancsa/

>
> Do you have two copies of opensc-pkcs11.dll?
> one in /usr/local/lib/
> and one in /home/mdtancsa/

Just in /home/mdtancsa

>
> Should you be using MODULE_PATH=/usr/local/lib/opensc-pkcs11.dll?

I haven't installed opensc inside my cygwin environment, I just copied
the libs/dlls there.  If I give openssl the wrong location, it messes up
in a different way, so I think it's getting the right path info.

        ---Mike


Re: pkcs11_engine on windows

Douglas E Engert


On 4/24/2015 1:28 PM, mike tancsa wrote:
> On 4/24/2015 2:01 PM, Douglas E Engert wrote:
>>
>> First, I have not used cygwin in years...
>
> What is the best way to compile? Cross compile on a *nix box?

As far as I know, cygwin should work.

>
>>
>> You may need a LD_LIBRARY_PATH=
>> In your examples, you refer to some absolute paths like:
>> /home/mdtancsa/opensc-pkcs11.dll
>> /usr/local/lib/engines/engine_pkcs11.dll
>> but run from the current directory, using ./ but don't say what that directory is.
>>
>> ./pkcs11-tool.exe appears to have worked using ./opensc-pkcs11.dll
>> What directory was this?
>
> Hi,
>      It's in my home dir, /home/mdtancsa/
>
>>
>> Do you have two copies of opensc-pkcs11.dll?
>> one in /usr/local/lib/
>> and one in /home/mdtancsa/
>
> Just in /home/mdtancsa
>
>>
>> Should you be using MODULE_PATH=/usr/local/lib/opensc-pkcs11.dll?
>
> I haven't installed opensc inside my cygwin environment, I just copied the libs/dlls there.  If I give openssl the wrong location, it messes up
> in a different way, so I think it's getting the right path info.

What dlls do you have in the directory? Do all the dates match?

From the traces:

OpenSSL> req -engine pkcs11 -new -key 2:45 -keyform engine -out cert.pem
-text -x509 -days 3640 -subj "/CN=Mike Tancsa"
engine "pkcs11" set.
failed to enumerate slots
PKCS11_get_private_key returned NULL
cannot load Private Key from engine
2283136:error:80002003:PKCS11 library:PKCS11_enum_slots:Invalid slot
ID:p11_slot.c:314:
2283136:error:26096080:engine routines:ENGINE_load_private_key:failed
loading private key:eng_pkey.c:124:
unable to load Private Key

p11_slot.c:314:
313         rv = CRYPTOKI_call(ctx, C_GetSlotInfo(id, &info));
314         CRYPTOKI_checkerr(PKCS11_F_PKCS11_ENUM_SLOTS, rv);


So the error message may be misleading, as it does not like the slot.

I have always used the -key format of slot_<n>-id_<n>
The code implies 1:45 should work.
Can you try:  slot_1-id_45

You could also try using pkcs11-spy to see what slot is being passed to PKCS#11 C_GetSlotInfo

The following is from a unix script as an example:

if [ $SPY -eq 0 ] ; then
         MODULE=$OPENSC_LIB/opensc-pkcs11.so
else
         MODULE=$OPENSC_LIB/pkcs11-spy.so
         PKCS11SPY=$OPENSC_LIB/opensc-pkcs11.so
         export PKCS11SPY
         PKCS11SPY_OUTPUT=/tmp/pkcs11.spy.log
         export PKCS11SPY_OUTPUT
fi

# openssl.conf has prompt = no, no need for extra blank line at end...
cat >/tmp/genreq.openssl.input << EOT
engine dynamic -vvvv -pre SO_PATH:$OPENSC_ENGINE/engines/engine_pkcs11.so -pre ID:pkcs11 -pre NO_VCHECK:1 -pre LIST_ADD:1 -pre LOAD  -pre MODULE_PATH:$MODULE
req $SSLEAY_CONFIG -engine pkcs11 -keyform engine -sha256 -new -key slot_1-id_$ID -out cards/$1.myreq.$KEYID.pem  -text
EOT
openssl < /tmp/genreq.openssl.input


--

  Douglas E. Engert  <[hidden email]>
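To act on the pkcs11-spy suggestion above, here is an added Python helper (not from this thread, OpenSC or libp11) that reads a pkcs11-spy trace and reports C_GetSlotInfo calls for slot IDs the module never returned from C_GetSlotList, which is the situation behind a CKR_SLOT_ID_INVALID / "Invalid slot ID" error. The embedded trace is constructed in the style of pkcs11-spy output, and the exact line shapes the regexes match are an assumption to adjust against a real log.

```python
import re

# Constructed sample trace written in the style of pkcs11-spy's output (not a
# real capture from this thread): the module lists one slot, then the caller
# asks C_GetSlotInfo about slot 1 (fine) and slot 2 (never enumerated).
SAMPLE_SPY_LOG = """\
3: C_GetSlotList
[in] tokenPresent = 0x1
[out] pSlotList:
Slot 1
[out] *pulCount = 0x1
Returned:  0 CKR_OK

4: C_GetSlotInfo
[in] slotID = 0x1
Returned:  0 CKR_OK

5: C_GetSlotInfo
[in] slotID = 0x2
Returned:  3 CKR_SLOT_ID_INVALID
"""

CALL_RE = re.compile(r"^\d+:\s+(C_\w+)\s*$")          # "5: C_GetSlotInfo"
SLOT_RE = re.compile(r"^Slot (\d+)\s*$")               # slot list entries
SLOTID_RE = re.compile(r"^\[in\] slotID = 0x([0-9a-fA-F]+)")
RET_RE = re.compile(r"^Returned:\s+\d+\s+(CKR_\w+)")

def split_calls(log_text):
    """Group trace lines per PKCS#11 call: [(function name, [body lines]), ...]."""
    calls = []
    for line in log_text.splitlines():
        m = CALL_RE.match(line)
        if m:
            calls.append((m.group(1), []))
        elif calls:
            calls[-1][1].append(line)
    return calls

def enumerated_slots(log_text):
    """Sorted slot IDs the module actually returned from C_GetSlotList."""
    slots = set()
    for name, body in split_calls(log_text):
        if name == "C_GetSlotList":
            slots.update(int(m.group(1)) for m in map(SLOT_RE.match, body) if m)
    return sorted(slots)

def slot_info_requests(log_text):
    """(slotID, return code) for each C_GetSlotInfo call, in trace order."""
    requests = []
    for name, body in split_calls(log_text):
        if name != "C_GetSlotInfo":
            continue
        slot_id = rc = None
        for line in body:
            if m := SLOTID_RE.match(line):
                slot_id = int(m.group(1), 16)   # the spy prints the ID in hex
            elif m := RET_RE.match(line):
                rc = m.group(1)
        requests.append((slot_id, rc))
    return requests

def invalid_slot_requests(log_text):
    """C_GetSlotInfo calls naming a slot that C_GetSlotList never listed."""
    known = set(enumerated_slots(log_text))
    return [(s, rc) for s, rc in slot_info_requests(log_text) if s not in known]
```

Run it over the PKCS11SPY_OUTPUT file instead of the sample: if the engine asks for a slot that is absent from the C_GetSlotList answer, the -key slot part (1:45 versus slot_1-id_45) is the first thing to recheck.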
