Hi Marc, I just came across your below message of March, which arrived in a bit weird form (I removed duplicate text sections in the below quote) and appears unanswered - sorry for that.
It has been a while since I last used engines, but the following variant should work: -newkey org.openssl.engine:pkcs11:<keyid>, rather than -engine pkcs11 -keyform engine, because the latter pertains to all key options used, including -key, which is not what you want.

HTH,
David

On 25.03.21 18:56, mbalembo wrote:
> Hello all,
>
> I'm trying to do a CMP request using openssl with a private key inside a pkcs11 device (on linux).
> So I'm using openssl 3.0.0 alpha 13.
>
> I did compile fine (./config --prefix=/opt/openssl enable-deprecated --openssldir=/usr/local/ssl -Wl,-rpath=/opt/openssl/lib), but I ran into trouble when compiling libp11 to get my pkcs11 engine. (I had a similar issue while trying to use tpm2-tss-engine.)
> I can't find a way to build openssl with the ERR_put_error() symbol. I know it's deprecated, so I changed the code in libp11 to use ERR_raise() instead, but again the symbol is also missing. I ended up removing the function call in the engine as a dirty fix, but I'd like to have a better solution.
>
> So, with everything compiled, I tried to use the engine only and create a CSR first.
>
> # /opt/openssl/bin/openssl req -new -engine pkcs11 -keyform engine -key "pkcs11:model=SLB9670;manufacturer=Infineon;serial=0000000000000000;token=tpm2-token;id=%c1%b2%36%b2%eb%53%f0%4f%ea%24%1a%4d%01%ac%d1%9e%fe%11%19%6d;object=test;type=private;pin-value=000000" -subj "<my subject>" -out testpkcs11.csr
>
> and everything works so far!
>
> But I get errors when trying to do a CMP request with the engine; thing is, I'm not so sure of the command.
>
> # /opt/openssl/bin/openssl cmp -cmd ir -engine pkcs11 -server <my server>:8080 -path ejbca/publicweb/cmp/WKS-RA-Bootstrap_auth -cert <path to my cert> -key file:<path to key file> -keypass file:<password for the file> -keyform engine -newkey "pkcs11:model=SLB9670;manufacturer=Infineon;serial=0000000000000000;token=tpm2-token;id=%c1%b2%36%b2%eb%53%f0%4f%ea%24%1a%4d%01%ac%d1%9e%fe%11%19%6d;object=test;type=private;pin-value=000000" -subject '<my subject>' -certout testcmppkcs11.pem -trusted <my root CA> -reqexts san -config /opt/conf/openssl_reqext.cnf
>
> I get the following error:
>
> cmp_main:apps/cmp.c:2728:CMP info: using section(s) 'cmp' of OpenSSL configuration file '/opt/conf/openssl_reqext.cnf'
> cmp_main:apps/cmp.c:2737:CMP info: no [cmp] section found in config file '/opt/conf/openssl_reqext.cnf'; will thus use just [default] and unnamed section if present
> Engine "pkcs11" set.
> Format not recognized!
> The key ID is not a valid PKCS#11 URI
> The PKCS#11 URI format is defined by RFC7512
> The legacy ENGINE_pkcs11 ID format is also still accepted for now
> Format not recognized!
> The key ID is not a valid PKCS#11 URI
> The PKCS#11 URI format is defined by RFC7512
> The legacy ENGINE_pkcs11 ID format is also still accepted for now
> PKCS11_get_private_key returned NULL
> Could not read private key for CMP client certificate from org.openssl.engine:pkcs11:file:/foo/usine.boot.key.pem
> 00E01783A47F0000:error:13000080:engine routines:ENGINE_load_private_key:failed loading private key:crypto/engine/eng_pkey.c:78:
> cmp_main:apps/cmp.c:2879:CMP error: cannot set up CMP context
>
> I'm quite confused about the PKCS11 error, since I know from the req command that my URI is good, and openssl rsa shows that the passphrase for the CMP client certificate is good.
>
> I've tried various modifications of the command, mostly removing the "keyform engine" and using just 'newkey "pkcs11:(...)"' with no success.
>
> Maybe openssl is mixing engine format for everything and not just for the newkey?
>
> Thanks,
> Marc
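The error trail in Marc's message ("Could not read private key ... from org.openssl.engine:pkcs11:file:/foo/usine.boot.key.pem") shows the mechanism David describes: with -keyform engine the app hands every key argument, -key included, to the pkcs11 engine, which then tries to parse "file:/foo/..." as a PKCS#11 URI and fails. The script below is an added example, not code from the thread, OpenSSL or libp11. It contains a small RFC 7512 URI parser and a model of the argument routing that is an assumption drawn from that error line, not a reimplementation of apps.c; the attribute lists are the ones RFC 7512 defines, and the parser deliberately accepts pin-value in the path component, as Marc's URI uses it, even though the RFC places it in the query.

```python
"""Added example: parse RFC 7512 pkcs11: URIs and model how a global
-keyform engine turns a file path into a failed engine lookup."""
from urllib.parse import unquote_to_bytes

ENGINE_SCHEME = "org.openssl.engine:"

# Attribute names from RFC 7512, section 2.3 (path) and 2.4 (query).
PATH_ATTRS = {"token", "manufacturer", "serial", "model", "library-manufacturer",
              "library-description", "library-version", "object", "type", "id",
              "slot-manufacturer", "slot-description", "slot-id"}
QUERY_ATTRS = {"pin-source", "pin-value", "module-name", "module-path"}

# Marc's TPM-backed key, copied from the thread (constructed test input here).
TPM_URI = ("pkcs11:model=SLB9670;manufacturer=Infineon;serial=0000000000000000;"
           "token=tpm2-token;id=%c1%b2%36%b2%eb%53%f0%4f%ea%24%1a%4d%01%ac%d1%9e"
           "%fe%11%19%6d;object=test;type=private;pin-value=000000")


class Pkcs11UriError(ValueError):
    """Raised for anything that is not a well-formed pkcs11: URI."""


def _split_attrs(component, sep):
    """Split 'a=1;b=2' (or 'a=1&b=2') into a dict, rejecting malformed items."""
    attrs = {}
    for item in filter(None, component.split(sep)):
        name, eq, value = item.partition("=")
        if not eq:
            raise Pkcs11UriError(f"attribute without '=': {item!r}")
        if name in attrs:
            raise Pkcs11UriError(f"duplicate attribute {name!r}")
        attrs[name] = value
    return attrs


def parse_pkcs11_uri(uri):
    """Return {attribute: value}; 'id' stays bytes, every other value is str.
    Leniency (assumption, mirroring libp11's tolerance): pin-value/pin-source
    are accepted in the path, although RFC 7512 puts them in the query.
    Vendor-specific attributes are not handled and are rejected."""
    if not uri.startswith("pkcs11:"):
        raise Pkcs11UriError(f"not a pkcs11: URI: {uri!r}")
    path, _, query = uri[len("pkcs11:"):].partition("?")
    raw = {}
    for name, value in _split_attrs(path, ";").items():
        if name not in PATH_ATTRS and name not in QUERY_ATTRS:
            raise Pkcs11UriError(f"unknown path attribute {name!r}")
        raw[name] = value
    for name, value in _split_attrs(query, "&").items():
        if name not in QUERY_ATTRS:
            raise Pkcs11UriError(f"unknown query attribute {name!r}")
        if name in raw:
            raise Pkcs11UriError(f"duplicate attribute {name!r}")
        raw[name] = value
    decoded = {}
    for name, value in raw.items():
        data = unquote_to_bytes(value)  # %xx escapes -> raw bytes
        decoded[name] = data if name == "id" else data.decode("utf-8")
    return decoded


def resolve_key_arg(arg, keyform_engine, engine_id="pkcs11"):
    """Model of the OpenSSL 3 apps' key-argument routing (assumption based on
    the error line in the thread, not on apps.c): with -keyform engine EVERY
    key argument gets the org.openssl.engine:<id>: prefix, whereas writing the
    prefix yourself selects the engine for that one argument only."""
    if keyform_engine and not arg.startswith(ENGINE_SCHEME):
        arg = f"{ENGINE_SCHEME}{engine_id}:{arg}"
    if arg.startswith(ENGINE_SCHEME):
        eng, _, rest = arg[len(ENGINE_SCHEME):].partition(":")
        if eng != "pkcs11":  # other engines have their own key-id formats
            return {"source": "engine", "engine": eng, "key_id": rest}
        return {"source": "engine", "engine": eng, "key": parse_pkcs11_uri(rest)}
    if arg.startswith("file:"):
        arg = arg[len("file:"):]
    return {"source": "file", "path": arg}


def demo():
    """Marc's command versus David's variant; returns (error, client, newkey)."""
    # Marc: -keyform engine also applies to -key, so the file path is pushed
    # through the engine and rejected as a PKCS#11 URI.
    try:
        resolve_key_arg("file:/foo/usine.boot.key.pem", keyform_engine=True)
        error = None
    except Pkcs11UriError as exc:
        error = str(exc)
    # David: no -keyform engine; the engine is named per argument, so the
    # client key stays a file and only -newkey goes to the token.
    client = resolve_key_arg("file:/foo/usine.boot.key.pem", keyform_engine=False)
    newkey = resolve_key_arg(ENGINE_SCHEME + "pkcs11:" + TPM_URI, keyform_engine=False)
    return error, client, newkey


if __name__ == "__main__":
    err, client, newkey = demo()
    print("with -keyform engine, -key fails:", err)
    print("client key:", client)
    print("new key id:", newkey["key"]["id"].hex(), "on token", newkey["key"]["token"])
```

Running it prints the same rejection the engine logged for Marc's -key argument, while the -newkey URI decodes to the 20-byte CKA_ID and token name from his command; the percent-decoding step is the reason the id must be given as %xx escapes rather than raw bytes in a shell argument.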