PKCS#11 stuff: "sign-only" vs "crypto-accelerator"
Johan Ihren
johani at johani.org
Mon Feb 15 23:55:29 UTC 2010
Hi Francis,
On 15 Feb 2010, at 15:16, Francis Dupont wrote:
> In your previous mail you wrote:
>
> Here I was using softhsm.
>
> => it should work (i.e., I tested it with success).
Ok, that is an important data point. Then is must be an error of some sort in my end.
> You should try the openssl command:
> - "openssl engine" shows the compiled-on engines
mango:/tmp#/usr/pkg/bin/openssl engine(padlock) VIA PadLock (no-RNG, no-ACE)
(dynamic) Dynamic engine loading support
(pkcs11) PKCS #11 engine support (crypto accelerator)
> - "openssl engine -t" loads the engines too (so the "pkcs11" engine must be available)
mango:/tmp#/usr/pkg/bin/openssl engine -t
(padlock) VIA PadLock (no-RNG, no-ACE)
[ unavailable ]
(dynamic) Dynamic engine loading support
[ unavailable ]
(pkcs11) PKCS #11 engine support (crypto accelerator)
[ available ]
> - "openssl rsa" has a poorly documented way to load keys from engine,
> needed parameters are:
> -engine pkcs11
> -inform engine
> -in pkcs11:johani.se-zsk
> after you can play with -pubin, -pubout, -text. Of course don't expect to get
> private parameters this way (you get only the public part).
> I didn't try with the PIN in the openssl.cnf file but it should work (through
> the OPENSSL_CONF environment variable).
> Of course you get only the OpenSSL errors, not the PKCS 11 one, but they should
> be a bit better than the BIND one (not found).
Aha. Ok, I tried that, but I admit that the new error doesn't really tell me much more:
mango:/tmp#/usr/pkg/bin/openssl rsa -engine pkcs11 -inform engine -in pkcs11:johani.se-zsk -pubout
engine "pkcs11" set.
unable to load Private Key
16701:error:2609607D:engine routines:ENGINE_load_private_key:no load function:eng_pkey.c:119:
> PS: usually I forgot to set correctly SOFTHSM_CONF so try it first.
That didn't change anything.
Regards,
Johan
More information about the bind-workers
mailing list