Hi,
I'm trying to sign a CSR with a private key stored on a Luna CA3 token.
For this I use two versions of OpenSSL:
- The first one is provided by SafeNet : openssl-lunaca3-0.9.6-5.i386.rpm
- The second one is constructed from OpenSSL 0.9.7b with the patch
openssl-lunaca3-patch-0.9.7.tar
The token is placed in slot 1, then
- initialized with a 1024-bit RSA private key; command = ca3util -g 1024 -f server.key -s 1 -i 4:2
- activated with the enabler command:
As you can see, the RSA key is present :
# pkcs11-tool --module /usr/luna/lib/libcrystoki2.so -O
Public Key Object; RSA 1024 bits
label: RSA 1024-bit Public Key
Usage: encrypt, verify
Private Key Object; RSA
label: RSA 1024-bit Private Key
ID: 6964
Usage: decrypt, sign
The token is activated :
# enabler
==============================================================================
Slot 1: token present. Application
ACTIVATED
token type : Luna CA3
label : test
serial number : 35085
open sessions : 4
------------------------------------------------------------------------------
The HSM is configured as below :
# more /etc/Chrystoki.conf
Chrystoki2 = {
LibUNIX=/usr/lib/libcrystoki2.so;
}
CardReader = {
RemoteCommand=1;
}
Luna = {
DefaultTimeOut=500000;
PEDTimeout1=100000;
PEDTimeout2=100000;
}
Misc = {
AppIdMajor=4;
AppIdMinor=2;
LogFile = /var/log/lunaca3.log;
}
EngineLunaCA3= {
EngineInit = 1:4:2;
LibPath = /usr/luna/lib/libcrystoki2.so;
}
Each time I try to load a key from the token, an error occurs, whichever version of OpenSSL I use:
/usr/local/ssl/bin/openssl req -engine LunaCA3 -keyform engine -text -key "RSA 1024-bit Private Key:1" -out cr.pem
Using configuration from /usr/local/ssl/openssl.cnf
engine "LunaCA3" set.
unable to load Private key
9510:error:2609607D:engine routines:ENGINE_load_private_key:no load function:engine_lib.c:239:
I notice the same issue when I change the content of the -key option to 6964, 6964:1, ... I tried all sorts of strings without success.
Has anyone been able to sign or decrypt files with OpenSSL and a SafeNet Luna CA3 HSM? Is there another way to perform those operations without OpenSSL? It seems possible with the pkcs11-tool command (from the OpenSC project), but I can't make it work.
Thanks in advance for your help,
Regards,
Yo.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
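As an added example, not part of the original post and not a SafeNet or OpenSSL tool: the Chrystoki.conf shown above points the Chrystoki2 section at /usr/lib/libcrystoki2.so while the EngineLunaCA3 section (and the pkcs11-tool invocation) use /usr/luna/lib/libcrystoki2.so. The script below parses the post's config format (SECTION = { Key=Value; } blocks) and reports whether those two library paths agree. The sample config is constructed from the values in the post; whether a mismatch matters to the LunaCA3 engine is an assumption the script does not make, it only reports what the file says.

```shell
#!/bin/sh
# Added example: read keys out of a Chrystoki.conf-style file and compare the
# PKCS#11 library paths referenced by the Chrystoki2 and EngineLunaCA3 sections.
# Section and key names are the ones visible in the post; nothing here calls
# the HSM, so it runs without a token or the SafeNet software installed.

# conf_get FILE SECTION KEY -> prints the value of KEY inside SECTION (if any).
conf_get() {
    awk -v sec="$2" -v key="$3" '
        # "Name = {" or "Name= {" opens a section; remember its name.
        /^[A-Za-z0-9_]+[ \t]*=[ \t]*\{/ { cur=$1; sub(/[ \t]*=.*/, "", cur); next }
        /^\}/ { cur=""; next }
        cur == sec {
            line=$0
            sub(/;[ \t]*$/, "", line)               # drop trailing ";"
            split(line, kv, "=")
            k=kv[1]; gsub(/^[ \t]+|[ \t]+$/, "", k)  # trim key
            if (k == key) {
                v=substr(line, index(line, "=")+1)
                gsub(/^[ \t]+|[ \t]+$/, "", v)      # trim value
                print v
            }
        }' "$1"
}

# check_libpaths FILE -> returns 0 when both sections name the same library,
# 1 when they differ or either is missing; prints what it found.
check_libpaths() {
    lib_unix=$(conf_get "$1" Chrystoki2 LibUNIX)
    lib_engine=$(conf_get "$1" EngineLunaCA3 LibPath)
    if [ -n "$lib_unix" ] && [ "$lib_unix" = "$lib_engine" ]; then
        echo "match: $lib_unix"
        return 0
    fi
    echo "mismatch: Chrystoki2.LibUNIX='$lib_unix' EngineLunaCA3.LibPath='$lib_engine'"
    return 1
}

# write_sample_conf FILE -> constructed sample copied from the post's config.
write_sample_conf() {
    cat > "$1" <<'EOF'
Chrystoki2 = {
LibUNIX=/usr/lib/libcrystoki2.so;
}
Misc = {
AppIdMajor=4;
AppIdMinor=2;
LogFile = /var/log/lunaca3.log;
}
EngineLunaCA3= {
EngineInit = 1:4:2;
LibPath = /usr/luna/lib/libcrystoki2.so;
}
EOF
}

# Stand-alone run: check the file given as $1, or the constructed sample.
conf_file=${1:-$(mktemp)}
[ $# -eq 0 ] && write_sample_conf "$conf_file"
check_libpaths "$conf_file" || true
```

Run it as `sh check_chrystoki.sh /etc/Chrystoki.conf` on the real host; with no argument it checks the constructed sample, which reports the mismatch present in the post's config.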