I don't know if I'm doing something wrong, if there's a bug in the CloudHSM PKCS#11 client, or a bug in the pkcs11 engine.
I'm trying to sign an S/MIME message using openssl 1.0.1e-fips and the latest versions of the pkcs11 engine and the CloudHSM PKCS#11 client.
I get the error "Found slot without user PIN". Using pkcs11-spy I see that the flags returned by C_GetTokenInfo are 0x404 (CKF_LOGIN_REQUIRED | CKF_TOKEN_INITIALIZED).
In eng_back.c (ctx_load_key), isPrivate is true, userPinSet is false, readOnly is false:
```c
    /* The following check is non-critical to ensure interoperability
     * with some other (which ones?) PKCS#11 libraries */
    if (!tok->initialized)
        ctx_log(ctx, 0, "Found uninitialized token\n");
    if (isPrivate && !tok->userPinSet && !tok->readOnly) {
        ctx_log(ctx, 0, "Found slot without user PIN\n");
        return NULL;
    }
```
I do not see any C_Login in the pkcs11-spy log.
Steps to reproduce:
```text
$ openssl genrsa -out private.key 2048
Generating RSA private key, 2048 bit long modulus
.......+++
..........+++
e is 65537 (0x10001)
$ openssl req -new -x509 -days 3650 -subj "/C=ZA/ST=State/L=Locality/O=Organization/OU=OrganizationalUnit/CN=localhost/emailAddress=test@test.lan" -sha256 -key private.key -out certificate.pem
$ /opt/cloudhsm/bin/key_mgmt_util
Command: loginHSM -u CU -s crypto_user -p <password>
Cfm3LoginHSM returned: 0x00 : HSM Return: SUCCESS
Cluster Error Status
Node id 0 and err state 0x00000000 : HSM Return: SUCCESS
Command: genSymKey -t 31 -s 16 -sess -l wrapping_key_for_import
Cfm3GenerateSymmetricKey returned: 0x00 : HSM Return: SUCCESS
Symmetric Key Created. Key Handle: 6
Cluster Error Status
Node id 0 and err state 0x00000000 : HSM Return: SUCCESS
Command: importPrivateKey -f private.key -l rsa2048 -w 6
BER encoded key length is 1217
Cfm3WrapHostKey returned: 0x00 : HSM Return: SUCCESS
Cfm3CreateUnwrapTemplate returned: 0x00 : HSM Return: SUCCESS
Cfm3UnWrapKey returned: 0x00 : HSM Return: SUCCESS
Private Key Imported. Key Handle: 8
Cluster Error Status
Node id 0 and err state 0x00000000 : HSM Return: SUCCESS
Command: ^C
$ echo "ABC" > file.txt
$ openssl smime -sign -engine pkcs11 -keyform engine -inkey 'pkcs11:object=rsa2048;type=private' -signer certificate.pem -in file.txt -out file.sgn
SDK Version: 2.03
engine "pkcs11" set.
Found slot without user PIN
Found slot without user PIN
PKCS11_get_private_key returned NULL
cannot load signing key file from engine
140149400663880:error:80067065:pkcs11 engine:ctx_load_privkey:object not found:eng_back.c:862:
140149400663880:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:eng_pkey.c:126:
unable to load signing key file
```
In that example I'm importing the private key, but it also fails if I get CloudHSM to generate the private key.
If I modify the line in eng_back.c (ctx_load_key) to
```c
    if (isPrivate && !tok->userPinSet && !tok->readOnly && !tok->loginRequired) {
```
I can run and sign the file (although it does display a warning that may be another bug); also, I don't know if this is the right modification.
pkcs11spy_log_pre_fix.txt
pkcs11spy_log_post_fix.txt
openssl.cnf contains:
Is there something I'm doing wrong or missing ?
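To make the condition in the snippet concrete, here is an added example (not code from the issue, libp11 or CloudHSM): it decodes a CK_TOKEN_INFO flags value into the four token fields named in the snippet and applies both the original check and the modified one to constructed flag values, including the 0x404 reported above. The flag constants are the standard PKCS#11 values; the struct and function names, and the flag-to-field mapping, are this example's own assumptions.

```c
#include <stdio.h>

/* Standard PKCS#11 (Cryptoki v2.x) CK_TOKEN_INFO flag bits. */
#define CKF_RNG                  0x0001UL
#define CKF_WRITE_PROTECTED      0x0002UL
#define CKF_LOGIN_REQUIRED       0x0004UL
#define CKF_USER_PIN_INITIALIZED 0x0008UL
#define CKF_TOKEN_INITIALIZED    0x0400UL

/* Mirrors the token fields named in the ctx_load_key snippet; deriving them
 * from the flag bits this way is this example's assumption, not quoted code. */
struct tok_state {
    int initialized;
    int loginRequired;
    int userPinSet;
    int readOnly;
};

struct tok_state decode_token_flags(unsigned long flags)
{
    struct tok_state t;
    t.initialized   = (flags & CKF_TOKEN_INITIALIZED) != 0;
    t.loginRequired = (flags & CKF_LOGIN_REQUIRED) != 0;
    t.userPinSet    = (flags & CKF_USER_PIN_INITIALIZED) != 0;
    t.readOnly      = (flags & CKF_WRITE_PROTECTED) != 0;
    return t;
}

/* The condition as it stands in the snippet: returns 1 when the slot would be
 * skipped with "Found slot without user PIN". */
int rejected_original(unsigned long flags, int isPrivate)
{
    struct tok_state t = decode_token_flags(flags);
    return isPrivate && !t.userPinSet && !t.readOnly;
}

/* The reporter's modified condition: a slot that requires login is never
 * skipped, whether or not CKF_USER_PIN_INITIALIZED is set. */
int rejected_modified(unsigned long flags, int isPrivate)
{
    struct tok_state t = decode_token_flags(flags);
    return isPrivate && !t.userPinSet && !t.readOnly && !t.loginRequired;
}

static void show(const char *label, unsigned long flags, int isPrivate)
{
    struct tok_state t = decode_token_flags(flags);
    printf("%-32s flags=0x%04lx initialized=%d loginRequired=%d userPinSet=%d "
           "readOnly=%d isPrivate=%d -> original:%s modified:%s\n",
           label, flags, t.initialized, t.loginRequired, t.userPinSet,
           t.readOnly, isPrivate,
           rejected_original(flags, isPrivate) ? "skip" : "use",
           rejected_modified(flags, isPrivate) ? "skip" : "use");
}

int main(void)
{
    /* 0x404 is the value pkcs11-spy showed for CloudHSM in the report; the
     * other three inputs are constructed for comparison, not observed output. */
    show("CloudHSM as reported", 0x404UL, 1);
    show("same slot, public key lookup", 0x404UL, 0);
    show("token with user PIN set",
         CKF_RNG | CKF_LOGIN_REQUIRED | CKF_USER_PIN_INITIALIZED | CKF_TOKEN_INITIALIZED, 1);
    show("write-protected, no user PIN",
         CKF_WRITE_PROTECTED | CKF_LOGIN_REQUIRED | CKF_TOKEN_INITIALIZED, 1);
    return 0;
}
```

Compiled and run, the output shows what the two conditions do with the reported token: the original skips a 0x404 slot for any private-key lookup because CKF_USER_PIN_INITIALIZED is clear and the token is not write-protected, while the modified condition never skips a slot that has CKF_LOGIN_REQUIRED set, which is why the same token passes after the change.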