(New issue here after softhsm/SoftHSMv2#784)
On Debian testing, with:
```
$ LIB=/usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so
$ OPENSSL_CONF=''
$ softhsm2-util --init-token --free --label test --pin 0000 --so-pin 1234
Slot 0 has a free/uninitialized token.
The token has been initialized and is reassigned to slot 1593542882
$ pkcs11-tool --module $LIB --token-label test --login --pin 0000 --keypairgen --key-type EC:prime256v1 --usage-sign --label a
Key pair generated:
Private Key Object; EC
  label:      a
  Usage:      decrypt, sign, signRecover, unwrap
  Access:     sensitive, always sensitive, never extractable, local
  uri:        pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=0907bfef807ea907;token=test;object=a;type=private
Public Key Object; EC  EC_POINT 256 bits
  EC_POINT:   044104d7ea71c30b6a33ce6565a1dbe76b1fed48190a6e22da3e93fa53cc4d8e91335a8f05ae4ff18db8294b8006b841b01352b56c647f7a6c765f536b30b16bb344b8
  EC_PARAMS:  06082a8648ce3d030107 (OID 1.2.840.10045.3.1.7)
  label:      a
  Usage:      encrypt, verify, verifyRecover, wrap
  Access:     local
  uri:        pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=0907bfef807ea907;token=test;object=a;type=public
$ pkcs11-tool --module $LIB --token-label test --login --pin 0000 --keypairgen --key-type EC:prime256v1 --usage-sign --label b
Key pair generated:
Private Key Object; EC
  label:      b
  Usage:      decrypt, sign, signRecover, unwrap
  Access:     sensitive, always sensitive, never extractable, local
  uri:        pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=0907bfef807ea907;token=test;object=b;type=private
Public Key Object; EC  EC_POINT 256 bits
  EC_POINT:   044104d1230a0c45bbc6b781e3b0f3a44497833b25548a9fdbe40624e6698cd0023f7632bb6c4339f3b41d1bd4760e377850bc3e2b6a44eb2200c1ed8ee58161d87a82
  EC_PARAMS:  06082a8648ce3d030107 (OID 1.2.840.10045.3.1.7)
  label:      b
  Usage:      encrypt, verify, verifyRecover, wrap
  Access:     local
  uri:        pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=0907bfef807ea907;token=test;object=b;type=public
```
## Error with ECDSA key selected by label

Create and verify CSR
```
$ openssl req -engine pkcs11 -keyform engine -new -subj "/CN=a" -out a.csr -key "pkcs11:token=test;pin-value=0000;object=a"
Engine "pkcs11" set.
$ openssl req -engine pkcs11 -keyform engine -new -subj "/CN=b" -out b.csr -key "pkcs11:token=test;pin-value=0000;object=b"
Engine "pkcs11" set.
$ openssl req -noout -verify -in a.csr
Certificate request self-signature verify OK
$ openssl req -noout -verify -in b.csr
Warning: CSR self-signature does not match the contents
Certificate request self-signature verify failure
40270299F77F0000:error:06880006:asn1 encoding routines:ASN1_item_verify_ctx:EVP lib:../crypto/asn1/a_verify.c:218:
40270299F77F0000:error:06880006:asn1 encoding routines:ASN1_item_verify_ctx:EVP lib:../crypto/asn1/a_verify.c:218:
```
If key b is created before key a, b.csr is ok and a.csr is wrong.
There is no issue with RSA:2048 keys.
## ASN.1 analysis

```
$ openssl asn1parse -i -in a.csr -dump
    0:d=0  hl=3 l= 199 cons: SEQUENCE
    3:d=1  hl=2 l= 110 cons:  SEQUENCE
    5:d=2  hl=2 l=   1 prim:   INTEGER           :00
    8:d=2  hl=2 l=  12 cons:   SEQUENCE
   10:d=3  hl=2 l=  10 cons:    SET
   12:d=4  hl=2 l=   8 cons:     SEQUENCE
   14:d=5  hl=2 l=   3 prim:      OBJECT            :commonName
   19:d=5  hl=2 l=   1 prim:      UTF8STRING        :a
   22:d=2  hl=2 l=  89 cons:   SEQUENCE
   24:d=3  hl=2 l=  19 cons:    SEQUENCE
   26:d=4  hl=2 l=   7 prim:     OBJECT            :id-ecPublicKey
   35:d=4  hl=2 l=   8 prim:     OBJECT            :prime256v1
   45:d=3  hl=2 l=  66 prim:    BIT STRING
      0000 - 00 04 d7 ea 71 c3 0b 6a-33 ce 65 65 a1 db e7 6b   ....q..j3.ee...k
      0010 - 1f ed 48 19 0a 6e 22 da-3e 93 fa 53 cc 4d 8e 91   ..H..n".>..S.M..
      0020 - 33 5a 8f 05 ae 4f f1 8d-b8 29 4b 80 06 b8 41 b0   3Z...O...)K...A.
      0030 - 13 52 b5 6c 64 7f 7a 6c-76 5f 53 6b 30 b1 6b b3   .R.ld.zlv_Sk0.k.
      0040 - 44 b8                                             D.
  113:d=2  hl=2 l=   0 cons:   cont [ 0 ]
  115:d=1  hl=2 l=  10 cons:  SEQUENCE
  117:d=2  hl=2 l=   8 prim:   OBJECT            :ecdsa-with-SHA256
  127:d=1  hl=2 l=  73 prim:  BIT STRING
      0000 - 00 30 46 02 21 00 bc 25-77 10 b1 13 9f d7 97 23   .0F.!..%w......#
      0010 - 1f 28 74 e5 05 9e af 57-60 39 59 fe 91 ed d8 48   .(t....W`9Y....H
      0020 - e2 60 89 61 7d 10 02 21-00 f3 d1 cd da fa 33 ab   .`.a}..!......3.
      0030 - 8f d8 03 2d 09 67 9d 17-bb a1 4a 7d 30 29 85 a4   ...-.g....J}0)..
      0040 - 23 d4 76 07 d2 09 5c 36-39                        #.v...\69
$ openssl asn1parse -i -in b.csr -dump
    0:d=0  hl=3 l= 198 cons: SEQUENCE
    3:d=1  hl=2 l= 110 cons:  SEQUENCE
    5:d=2  hl=2 l=   1 prim:   INTEGER           :00
    8:d=2  hl=2 l=  12 cons:   SEQUENCE
   10:d=3  hl=2 l=  10 cons:    SET
   12:d=4  hl=2 l=   8 cons:     SEQUENCE
   14:d=5  hl=2 l=   3 prim:      OBJECT            :commonName
   19:d=5  hl=2 l=   1 prim:      UTF8STRING        :b
   22:d=2  hl=2 l=  89 cons:   SEQUENCE
   24:d=3  hl=2 l=  19 cons:    SEQUENCE
   26:d=4  hl=2 l=   7 prim:     OBJECT            :id-ecPublicKey
   35:d=4  hl=2 l=   8 prim:     OBJECT            :prime256v1
   45:d=3  hl=2 l=  66 prim:    BIT STRING
      0000 - 00 04 d7 ea 71 c3 0b 6a-33 ce 65 65 a1 db e7 6b   ....q..j3.ee...k
      0010 - 1f ed 48 19 0a 6e 22 da-3e 93 fa 53 cc 4d 8e 91   ..H..n".>..S.M..
      0020 - 33 5a 8f 05 ae 4f f1 8d-b8 29 4b 80 06 b8 41 b0   3Z...O...)K...A.
      0030 - 13 52 b5 6c 64 7f 7a 6c-76 5f 53 6b 30 b1 6b b3   .R.ld.zlv_Sk0.k.
      0040 - 44 b8                                             D.
  113:d=2  hl=2 l=   0 cons:   cont [ 0 ]
  115:d=1  hl=2 l=  10 cons:  SEQUENCE
  117:d=2  hl=2 l=   8 prim:   OBJECT            :ecdsa-with-SHA256
  127:d=1  hl=2 l=  72 prim:  BIT STRING
      0000 - 00 30 45 02 20 0d 64 3c-31 58 d0 f3 c7 e5 15 6b   .0E. .d<1X.....k
      0010 - aa e2 4d 52 f7 2c 58 a2-ef 3c 42 4c aa b0 11 df   ..MR.,X..<BL....
      0020 - e8 a9 c7 fa c4 02 21 00-98 8e af be 12 94 ab ca   ......!.........
      0030 - 06 c6 e0 43 20 98 df 92-e4 93 cf a3 8c b5 b4 86   ...C ...........
      0040 - 7e d8 3a 7d 3a 95 f7 e3-                          ~.:}:...
```
As I understand it, b.csr includes public key a.
## OK when ECDSA key selected by ID

Creating and selecting keys with id (token reset)
```
$ pkcs11-tool --module $LIB --token-label test --login --pin 0000 --keypairgen --key-type EC:prime256v1 --usage-sign --label a --id 01
$ pkcs11-tool --module $LIB --token-label test --login --pin 0000 --keypairgen --key-type EC:prime256v1 --usage-sign --label b --id 02
$ openssl req -engine pkcs11 -keyform engine -new -subj "/CN=a" -out 01.csr -key "pkcs11:token=test;pin-value=0000;id=%01"
$ openssl req -engine pkcs11 -keyform engine -new -subj "/CN=b" -out 02.csr -key "pkcs11:token=test;pin-value=0000;id=%02"
$ openssl req -noout -verify -in 01.csr
$ openssl req -noout -verify -in 02.csr
```
01.csr and 02.csr are OK.
## Stranger: OK when creating keys with ID and selecting them with label

```
$ pkcs11-tool --module $LIB --token-label test --login --pin 0000 --keypairgen --key-type EC:prime256v1 --usage-sign --label a --id 01
$ pkcs11-tool --module $LIB --token-label test --login --pin 0000 --keypairgen --key-type EC:prime256v1 --usage-sign --label b --id 02
$ openssl req -engine pkcs11 -keyform engine -new -subj "/CN=a" -out 01.csr -key "pkcs11:token=test;pin-value=0000;object=a"
$ openssl req -engine pkcs11 -keyform engine -new -subj "/CN=b" -out 02.csr -key "pkcs11:token=test;pin-value=0000;object=b"
$ openssl req -noout -verify -in 01.csr
$ openssl req -noout -verify -in 02.csr
```
01.csr and 02.csr are also OK.
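The comparison the ASN.1 analysis above makes by eye (the BIT STRING in b.csr is key a's point, not key b's) can be done mechanically against what the token reports. The following stdlib-only Python script is an added example, not code from this report, libp11 or OpenSC: it unwraps the OCTET STRING that pkcs11-tool prints for CKA_EC_POINT, walks the CSR DER down to subjectPublicKey, and says which token key's point the CSR embeds. The two CSRs are rebuilt from the asn1parse dumps above (point, subject and signature bytes are the report's; the assembly and all function names are mine), and it deliberately does not verify the ECDSA signature, which `openssl req -verify` already covers.

```python
"""Tell which PKCS#11 token key a CSR really carries (stdlib only).

pkcs11-tool prints a public key's CKA_EC_POINT as a DER OCTET STRING that wraps
the uncompressed point 04||X||Y; a PKCS#10 CSR carries the same point in its
SubjectPublicKeyInfo BIT STRING.  Comparing the two shows whether the engine
embedded the key you selected.  Sample data is reconstructed from the
pkcs11-tool and asn1parse dumps in the report; helper names are made up here.
"""

# CKA_EC_POINT values exactly as pkcs11-tool printed them for labels a and b.
TOKEN_EC_POINT = {
    "a": "044104"
         "d7ea71c30b6a33ce6565a1dbe76b1fed48190a6e22da3e93fa53cc4d8e91335a"
         "8f05ae4ff18db8294b8006b841b01352b56c647f7a6c765f536b30b16bb344b8",
    "b": "044104"
         "d1230a0c45bbc6b781e3b0f3a44497833b25548a9fdbe40624e6698cd0023f76"
         "32bb6c4339f3b41d1bd4760e377850bc3e2b6a44eb2200c1ed8ee58161d87a82",
}


def der_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element at pos (definite length only)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next N bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split the content of a constructed element into its (tag, value) children."""
    children, pos = [], 0
    while pos < len(value):
        tag, child, pos = der_tlv(value, pos)
        children.append((tag, child))
    return children


def der(tag, content):
    """Encode one DER element (used only to rebuild the sample CSRs)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def token_point(ec_point_attr_hex):
    """Unwrap the OCTET STRING around the point in a CKA_EC_POINT attribute."""
    tag, point, _ = der_tlv(bytes.fromhex(ec_point_attr_hex))
    if tag != 0x04 or point[:1] != b"\x04":
        raise ValueError("expected an OCTET STRING holding an uncompressed point")
    return point


def csr_point(csr_der):
    """CertificationRequest -> certificationRequestInfo -> SPKI -> subjectPublicKey."""
    tag, csr, _ = der_tlv(csr_der)
    if tag != 0x30:
        raise ValueError("CSR is not a SEQUENCE")
    cri, _sig_alg, _sig = der_children(csr)
    _version, _subject, spki, _attrs = der_children(cri[1])
    _alg, pubkey = der_children(spki[1])
    if pubkey[0] != 0x03 or pubkey[1][:1] != b"\x00":
        raise ValueError("subjectPublicKey is not a byte-aligned BIT STRING")
    return pubkey[1][1:]


def which_token_key(csr_der, token_points=TOKEN_EC_POINT):
    """Return the label whose CKA_EC_POINT equals the CSR's public key, or None."""
    point = csr_point(csr_der)
    for label, attr in token_points.items():
        if token_point(attr) == point:
            return label
    return None


# --- sample CSRs rebuilt from the asn1parse dumps (EC P-256, ecdsa-with-SHA256) ---
OID_COMMON_NAME = bytes.fromhex("550403")
OID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")
OID_PRIME256V1 = bytes.fromhex("2a8648ce3d030107")
OID_ECDSA_SHA256 = bytes.fromhex("2a8648ce3d040302")


def build_csr(cn, point, sig_der):
    """Assemble a PKCS#10 CSR with an empty attributes set (no signing happens here)."""
    subject = der(0x30, der(0x31, der(0x30, der(0x06, OID_COMMON_NAME) + der(0x0C, cn.encode()))))
    spki = der(0x30, der(0x30, der(0x06, OID_EC_PUBLIC_KEY) + der(0x06, OID_PRIME256V1))
               + der(0x03, b"\x00" + point))
    cri = der(0x30, der(0x02, b"\x00") + subject + spki + der(0xA0, b""))
    return der(0x30, cri + der(0x30, der(0x06, OID_ECDSA_SHA256)) + der(0x03, b"\x00" + sig_der))


# Signature values copied from the dumps of a.csr and b.csr.
SIG_A = bytes.fromhex("3046"
    "022100bc257710b1139fd797231f2874e5059eaf57603959fe91edd848e26089617d10"
    "022100f3d1cddafa33ab8fd8032d09679d17bba14a7d302985a423d47607d2095c3639")
SIG_B = bytes.fromhex("3045"
    "02200d643c3158d0f3c7e5156baae24d52f72c58a2ef3c424caab011dfe8a9c7fac4"
    "022100988eafbe1294abca06c6e0432098df92e493cfa38cb5b4867ed83a7d3a95f7e3")

# a.csr carried point a; b.csr, made with the label-b key, also carried point a.
CSR_A = build_csr("a", token_point(TOKEN_EC_POINT["a"]), SIG_A)
CSR_B = build_csr("b", token_point(TOKEN_EC_POINT["a"]), SIG_B)

if __name__ == "__main__":
    for name, csr in (("a.csr", CSR_A), ("b.csr", CSR_B)):
        print(f"{name}: subjectPublicKey belongs to token key {which_token_key(csr)!r}")
```

Run as-is it reports key a for both CSRs. To check real files, convert the PEM that `openssl req` writes with `openssl req -in b.csr -outform DER -out b.der`, pass `open("b.der", "rb").read()` to `which_token_key`, and fill `TOKEN_EC_POINT` with the EC_POINT lines pkcs11-tool printed for the token's public keys; a label that does not match the key named in the PKCS#11 URI is exactly the symptom this report describes.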