I managed to get this to work with a 2048 bit key by using the Aladdin PKCS#11 library instead of the OpenSC one:

engine dynamic -pre SO_PATH:C:\WINDOWS\SYSTEM32\engine_pkcs11.dll -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:C:\WINDOWS\SYSTEM32\eTPKCS11.dll
req -engine pkcs11 -new -key slot_0 -keyform engine -out csr.pem -text

I'm guessing that this indicates the problem is actually in OpenSC somewhere; I'd still be interested in any other ideas people have though.

Thanks!

- Craig.

On 21 April 2011 19:12, Craig Heath <cr...@franklinheath.co.uk> wrote:
> I'm trying to generate a PKCS#10 CSR using an Aladdin eToken Pro 64k
> with a 2048 bit key.
>
> I'm using Windows Vista 32bit, with the Aladdin PKI Client drivers
> v5.1, OpenSC 0.12.0, and Win32 OpenSSL 1.0.0d.
>
> I can generate the CSR with a 1024 bit key generated on board with no
> problems. When I use a 2048 bit key, I get this error:
>
> 7640:error:0D0C3006:asn1 encoding routines:ASN1_item_sign:EVP
> lib:.\crypto\asn1\a_sign.c:279:
> error in req
>
> There are no other error messages shown, and no output file is generated.
>
> The OpenSSL commands I'm using are:
>
> engine dynamic -pre SO_PATH:C:\WINDOWS\SYSTEM32\engine_pkcs11.dll -pre
> ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre
> MODULE_PATH:C:\WINDOWS\SYSTEM32\opensc-pkcs11.dll
> req -engine pkcs11 -new -key slot_1-id_<40HexDigits> -keyform engine
> -out csr.pem -text
>
> The only change between the commands for the 1024 and 2048 bit keys is
> using a different key id.
>
> To see if it made a difference, I tried a cygwin build of OpenSSL and
> engine_pkcs11.dll, as follows:
>
> engine dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.dll -pre
> ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre
> MODULE_PATH:C:\\WINDOWS\\SYSTEM32\\opensc-pkcs11.dll
> req -engine pkcs11 -new -key slot_1-id_<40HexDigits> -keyform engine
> -out csr.pem -text
>
> I got the same error, just a different line number:
>
> 7128:error:0D0C3006:asn1 encoding routines:ASN1_item_sign:EVP
> lib:a_sign.c:281:
> error in req
>
> I've seen a couple of reports from people having problems with longer
> keys on USB tokens before, was there any resolution of those? (There
> was a suggestion it might be something to do with padding.)
>
> I'd be grateful for any ideas.
>
> Thanks!
>
> - Craig.
>
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
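
Added example, not part of the original message: a Python parser for the two OpenSSL error lines quoted above, unpacking the packed code with the OpenSSL 1.0.x layout (8-bit library, 12-bit function, 12-bit reason). It shows that both builds report the identical code and that the reason is the generic "EVP library failed" code, so the error was passed up from the EVP layer rather than raised by the ASN.1 encoder itself. The names `parse_error_line`, `propagated_from` and `QueueEntry` are hypothetical, and the sample lines are the page's own with the e-mail wrapping undone.

```python
import re
from typing import NamedTuple, Optional

# Constructed input: the two error lines quoted in the message, with the
# e-mail line wrapping undone.
SAMPLE_LINES = [
    r"7640:error:0D0C3006:asn1 encoding routines:ASN1_item_sign:EVP lib:.\crypto\asn1\a_sign.c:279:",
    r"7128:error:0D0C3006:asn1 encoding routines:ASN1_item_sign:EVP lib:a_sign.c:281:",
]

# Subset of the library numbers defined in OpenSSL 1.0.x err.h.
ERR_LIBS = {4: "RSA", 6: "EVP", 13: "ASN1", 38: "ENGINE"}

# <id>:error:<8 hex digits>:<lib>:<func>:<reason>:<file>:<line>:<data>
LINE_RE = re.compile(
    r"^\d+:error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):"
    r"(?P<reason>[^:]*):(?P<file>.*):(?P<line>\d+):(?P<data>.*)$"
)

class QueueEntry(NamedTuple):
    lib: int          # bits 31..24 of the packed code
    func: int         # bits 23..12
    reason: int       # bits 11..0
    func_text: str
    reason_text: str
    source: str       # file and line differ between builds, the code does not
    line: int

def parse_error_line(text: str) -> QueueEntry:
    m = LINE_RE.match(text.strip())
    if m is None:
        raise ValueError("not an OpenSSL error-queue line: %r" % text)
    code = int(m.group("code"), 16)
    return QueueEntry((code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF,
                      m.group("func"), m.group("reason"),
                      m.group("file"), int(m.group("line")))

def propagated_from(entry: QueueEntry) -> Optional[str]:
    # Reason codes below 100 are generic; one that equals a library number
    # (ERR_R_EVP_LIB == ERR_LIB_EVP == 6) means "that library failed".
    return ERR_LIBS.get(entry.reason) if entry.reason < 100 else None

if __name__ == "__main__":
    for raw in SAMPLE_LINES:
        e = parse_error_line(raw)
        print(ERR_LIBS.get(e.lib), e.func, e.reason, "<-", propagated_from(e),
              "at %s:%d" % (e.source, e.line))
```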