Why doesn't OpenSSL work with a PKCS#11 URI?


My problem:

I am trying to use an RSA key via a PKCS#11 URI, stored in an external SQL file created by tpm2_ptool. My goal is to create a Certificate Signing Request (CSR).

I get the following error message:

Could not open file or uri for loading private key from pkcs11:model=SLB9670%00%00%00%00%00%00%00%00%00;manufacturer=Infineon;serial=0000000000000000;token=tokenname;id=%66%66%31%34%31%66%35%38%35%38%64%33%62%37%62%64;object=objectname;type=private;pin-value=userpin
40C7C3379C7F0000:error:16000069:STORE routines:ossl_store_get0_loader_int:unregistered scheme:../crypto/store/store_register.c:237:scheme=file
40C7C3379C7F0000:error:80000002:system library:file_open:No such file or directory:../providers/implementations/storemgmt/file_store.c:267:calling stat(pkcs11:model=SLB9670%00%00%00%00%00%00%00%00%00;manufacturer=Infineon;serial=0000000000000000;token=tokenname;id=%66%66%31%34%31%66%35%38%35%38%64%33%62%37%62%64;object=objectname;type=private;pin-value=userpin)
40C7C3379C7F0000:error:16000069:STORE routines:ossl_store_get0_loader_int:unregistered scheme:../crypto/store/store_register.c:237:scheme=pkcs11
40C7C3379C7F0000:error:1608010C:STORE routines:inner_loader_fetch:unsupported:../crypto/store/store_meth.c:359:No store loader found. For standard store loaders you need at least one of the default or base providers available. Did you forget to load them? Info: Global default library context, Scheme (pkcs11 : 0), Properties (?provider=tpm2)

What's wrong? Can anyone help me find a solution for this problem?

My approach:

# PKCS#11 module, OpenSSL config and tpm2-pkcs11 store location.
# p11tool reads GNUTLS_PIN / GNUTLS_SO_PIN for --login, so they are exported too.
export PKCS11_MODULE="/usr/lib/x86_64-linux-gnu/pkcs11/libtpm2_pkcs11.so"
export OPENSSL_CONF="/root/openssl.cnf"
export TPM2_PKCS11_STORE=/root/.tpm2_pkcs11
export GNUTLS_PIN=userpin
export GNUTLS_SO_PIN=sopin
LABEL="tokenname"
KEY_LABEL="objectname"

# Start from an empty store
rm -v -R "${TPM2_PKCS11_STORE}" 2>/dev/null

# Create the store, a token and an RSA-2048 key held by the TPM
tpm2_ptool init
tpm2_ptool addtoken --pid=1 --sopin="${GNUTLS_SO_PIN}" --userpin="${GNUTLS_PIN}" --label="${LABEL}"
tpm2_ptool addkey --algorithm=rsa2048 --label="${LABEL}" --key-label="${KEY_LABEL}" --userpin="${GNUTLS_PIN}"

# List the slots/tokens the module exposes
pkcs11-tool --module "${PKCS11_MODULE}" -L

# Print:
# WARNING: Getting tokens from fapi backend failed.
# Available slots:
# Slot 0 (0x1): tokenname
#   token label        : tokenname
#   token manufacturer : Infineon
#   token model        : SLB9670
#   token flags        : login required, rng, token initialized, PIN initialized
#   hardware version   : 1.38
#   firmware version   : 7.85
#   serial num         : 0000000000000000
#   pin min/max        : 0/128
# Slot 1 (0x2): 
#   token state:   uninitialized

# List the objects visible without login
pkcs11-tool --module "${PKCS11_MODULE}" -O

# Print:
# WARNING: Getting tokens from fapi backend failed.
# Using slot 0 with a present token (0x1)
# Public Key Object; RSA 2048 bits
#   label:      objectname
#   ID:         66663134316635383538643362376264
#   Usage:      encrypt, verify
#   Access:     local

# Token URL of our token
TOKEN=$(p11tool --list-token-urls | grep "token=${LABEL}")

# TOKEN: pkcs11:model=SLB9670%00%00%00%00%00%00%00%00%00;manufacturer=Infineon;serial=0000000000000000;token=tokenname

# Log in and take the URL of the private-key object
p11tool --login --list-all "${TOKEN}" --outfile p11tool.out
PRIVATE_KEY="$(grep private p11tool.out | awk '{ print $2 }')"

# PRIVATE_KEY: 'pkcs11:model=SLB9670%00%00%00%00%00%00%00%00%00;manufacturer=Infineon;serial=0000000000000000;token=tokenname;id=%66%66%31%34%31%66%35%38%35%38%64%33%62%37%62%64;object=objectname;type=private'

# Create the CSR with the tpm2 provider, passing the key by URI plus PIN
openssl req \
-new \
-provider tpm2 \
-provider default \
-propquery "?provider=tpm2" \
-key "${PRIVATE_KEY};pin-value=${GNUTLS_PIN}" \
-out "$(hostname).csr" \
-verbose

After the OpenSSL command, the error message above is returned.

My system:

System: Ubuntu 22.04

Linux hostname 5.15.0-94-generic #104-Ubuntu SMP Tue Jan 9 15:25:40 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux

openssl version
OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)

openssl engine -t
(rdrand) Intel RDRAND engine
     [ available ]
(dynamic) Dynamic engine loading support
     [ unavailable ]
(pkcs11) pkcs11 engine
     [ available ]
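The URI from the question can be checked offline against the RFC 7512 grammar before it is handed to any tool. This is an added example, not code from the question or the answer: it percent-decodes the path attributes, shows that the decoded id bytes hex-encode to exactly the ID that pkcs11-tool -O printed, and flags pin-value, which RFC 7512 places in the query component (after ?, joined by &) rather than in the ;-separated path where the openssl command above appends it. The URI and ID values are copied from the question; nothing here talks to a token.

```python
import urllib.parse

# Constructed copy of the private-key URI from the question, with pin-value
# appended after ';' exactly as in the failing openssl command.
QUESTION_URI = (
    "pkcs11:model=SLB9670%00%00%00%00%00%00%00%00%00;manufacturer=Infineon;"
    "serial=0000000000000000;token=tokenname;"
    "id=%66%66%31%34%31%66%35%38%35%38%64%33%62%37%62%64;"
    "object=objectname;type=private;pin-value=userpin"
)

# RFC 7512: these four are query attributes (after '?', joined by '&');
# all other attributes live in the path component (joined by ';').
QUERY_ATTRS = {"pin-source", "pin-value", "module-name", "module-path"}


def parse_pkcs11_uri(uri):
    """Return {"path": {name: bytes}, "query": {name: bytes}, "misplaced": [..]};
    "misplaced" lists query attributes that were found in the path component."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path, _, query = uri[len("pkcs11:"):].partition("?")
    result = {"path": {}, "query": {}, "misplaced": []}
    for component, sep, target in ((path, ";", "path"), (query, "&", "query")):
        for part in filter(None, component.split(sep)):
            name, _, value = part.partition("=")
            # Attribute values are percent-encoded bytes (id may be binary).
            result[target][name] = urllib.parse.unquote_to_bytes(value)
            if target == "path" and name in QUERY_ATTRS:
                result["misplaced"].append(name)
    return result


def object_id_hex(parsed):
    """Hex of the decoded 'id' bytes: the form pkcs11-tool -O prints as 'ID:'."""
    return parsed["path"]["id"].hex()


def normalize_pkcs11_uri(parsed):
    """Re-serialise the URI with query attributes moved behind '?' (RFC 7512)."""
    def enc(value):
        return urllib.parse.quote(value, safe="")
    path_items, query_items = [], []
    for name, value in parsed["path"].items():
        (query_items if name in QUERY_ATTRS else path_items).append((name, value))
    query_items.extend(parsed["query"].items())
    uri = "pkcs11:" + ";".join(f"{n}={enc(v)}" for n, v in path_items)
    if query_items:
        uri += "?" + "&".join(f"{n}={enc(v)}" for n, v in query_items)
    return uri
```

The model attribute decodes to "SLB9670" followed by nine NUL bytes, which is why the URI carries the %00 run: the module reports the token's 16-byte model field unstripped.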

1 answer

Et7f3XIV

In recent versions of openssl you have -keyform DER|PEM|ENGINE in some applications (https://www.openssl.org/docs/man1.1.1/man1/x509.html); maybe you can use it. I don't know how many applications openssl has for making a CSR.

PS: While searching for x509 to display my certificate, I found a link that might help you: https://colinpaice.blog/2021/03/08/using-openssl-with-an-hsm-keystore-and-opensc-pkcs11-engines/.