OpenSC / libp11

PKCS#11 wrapper library
GNU Lesser General Public License v2.1

Error while generating a certificate signing request #338

Closed Darsh-Dev closed 4 years ago

Darsh-Dev commented 4 years ago

Hi,

I am following the steps as mentioned https://aws.amazon.com/blogs/iot/using-a-trusted-platform-module-for-endpoint-device-security-in-aws-iot-greengrass/

I am facing an issue while generating a certificate signing request; the command below is used:

openssl req -engine pkcs11 -new -key "pkcs11:model=SLI9670;manufacturer=Infineon;token=greengrass;object=greenkey;type=private;pin-value=123456" -keyform engine -out /tmp/req.csr

OpenSSL> engine dynamic -pre SO_PATH:/usr/lib/engines-1.1/libpkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib/opensc-pkcs11.so
    (dynamic) Dynamic engine loading support
    [Success]: SO_PATH:/usr/lib/engines-1.1/libpkcs11.so
    [Success]: ID:pkcs11
    [Success]: LIST_ADD:1
    [Success]: LOAD
    [Success]: MODULE_PATH:/usr/lib/opensc-pkcs11.so
    Loaded: (pkcs11) pkcs11 engine

openssl req -verbose -engine pkcs11 -new -key "pkcs11:model=SLI9670;manufacturer=Infineon;token=greengrass;object=greenkey;type=private;pin-value=1 23456" -keyform engine -out /tmp/req.csr
    engine "pkcs11" set.
    Using configuration from /usr/lib/ssl-1.1/openssl.cnf
    Error: can't open /var/run/openct/status: No such file or directory
    Error: can't open /var/run/openct/status: No such file or directory
    Error: can't open /var/run/openct/status: No such file or directory
    Error: can't open /var/run/openct/status: No such file or directory
    Specified object not found
    PKCS11_get_private_key returned NULL
    cannot load Private Key from engine
    3070050320:error:80067065:pkcs11 engine:ctx_load_privkey:object not found:eng_back.c:862:
    3070050320:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:../openssl-1.1.1b/crypto/engine/eng_pkey.c:78:
    unable to load Private Key
    Error: can't open /var/run/openct/status: No such file or directory
    Error: can't open /var/run/openct/status: No such file or directory
root@stm32mp1-av96:~#

OpenSSL> req -engine pkcs11 -new -key "pkcs11:model=SLI9670;manufacturer=Infineon;token=greengrass;object=greenkey;type=private;pin-value=123456" -keyform engine -out /r
    engine "pkcs11" set.
    problem creating object tsa_policy1=1.2.3.4.1
    3069923344:error:08064066:object identifier routines:OBJ_create:oid exists:../openssl-1.1.1b/crypto/objects/obj_dat.c:698:
    error in req
OpenSSL>

Can you please guide us further here?

Darsh-Dev commented 4 years ago

@mtrojnar

I have checked the similar thread https://github.com/OpenSC/libp11/issues/104. No solution found.

We are following the steps on Linux-Yocto build.

dengert commented 4 years ago

Looks like an OpenSSL error. Google for: OID 1.2.3.4.1; this leads to: https://github.com/openssl/openssl/issues/4598 with some suggestions about whether openssl.cnf has multiple entries.

Darsh-Dev commented 4 years ago

@dengert We have checked the same thread; I am not getting the solution yet.

Error:

    Specified object not found
    PKCS11_get_private_key returned NULL
    cannot load Private Key from engine
    3070050320:error:80067065:pkcs11 engine:ctx_load_privkey:object not found:eng_back.c:862:
    3070050320:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:../openssl-1.1.1b/crypto/engine/eng_pkey.c:78:
    unable to load Private Key

The command below works fine, just to validate openssl:

openssl req -new -key verificationCert.key -out verificationCert.csr

dengert commented 4 years ago

Your first post had:

problem creating object tsa_policy1=1.2.3.4.1
3069923344:error:08064066:object identifier routines:OBJ_create:oid exists:../openssl-1.1.1b/crypto/objects/obj_dat.c:698:

Did you fix it?

https://aws.amazon.com/blogs/iot/using-a-trusted-platform-module-for-endpoint-device-security-in-aws-iot-greengrass/ is very complicated. Are you building this on a Raspberry Pi?

I think the problem is that the wrong PKCS11 module is being used. git clone https://github.com/tpm2-software/tpm2-pkcs11 This looks like it builds its own PKCS11 module. But your openssl.cnf has MODULE_PATH:/usr/lib/opensc-pkcs11.so, which is trying to use the OpenSC PKCS11 module.

If you change MODULE_PATH: to point to the tpm2-pkcs11 module (not sure what it is called) it might work. libp11 can load other PKCS11 modules. It does not have to be the OpenSC module.
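A way to confirm the diagnosis above before touching OpenSSL at all, as an added example that is not part of the thread or of libp11: parse the PKCS#11 URI from the failing command, check that the module named in MODULE_PATH exists, and (when OpenSC's pkcs11-tool is installed) ask that module directly whether the token holds a private key with the URI's object label. "object not found" from libp11 with a module that is not the one the key was created in is exactly the failure this separates from a genuinely missing key. The engine-section keys printed at the end follow the libp11 README; the tpm2-pkcs11 module path is the one the reporter used and is an assumption for other systems, as are the sample URI values taken from the thread.

```shell
#!/bin/sh
# Added example; not code from the libp11 project or from this issue.

# Extract one attribute (e.g. "object", "token", "pin-value") from a
# PKCS#11 URI. Prints the value; returns 1 if the attribute is absent.
pkcs11_uri_attr() {
    uri="${1#pkcs11:}"
    want="$2"
    old_ifs="$IFS"; IFS=';'
    for kv in $uri; do
        key="${kv%%=*}"
        val="${kv#*=}"
        if [ "$key" = "$want" ]; then
            IFS="$old_ifs"
            printf '%s\n' "$val"
            return 0
        fi
    done
    IFS="$old_ifs"
    return 1
}

# Check that the PKCS#11 module file exists and, if pkcs11-tool (OpenSC) is
# available, that the token exposes a private key labelled as the URI says.
# Returns 0 on success, 1 if the module is missing, 2 if the key is not found.
check_module_has_key() {
    module="$1"; uri="$2"
    [ -f "$module" ] || { echo "module not found: $module" >&2; return 1; }
    label=$(pkcs11_uri_attr "$uri" object) || { echo "URI has no object=" >&2; return 2; }
    token=$(pkcs11_uri_attr "$uri" token)
    pin=$(pkcs11_uri_attr "$uri" pin-value)
    if ! command -v pkcs11-tool >/dev/null 2>&1; then
        echo "pkcs11-tool not installed; module exists, skipping object lookup"
        return 0
    fi
    # pkcs11-tool prints one "label:      <name>" line per object it lists.
    pkcs11-tool --module "$module" --token-label "$token" --login --pin "$pin" \
        --list-objects --type privkey 2>/dev/null | grep -q "label: *$label" \
        || { echo "no private key labelled '$label' via $module" >&2; return 2; }
    echo "found private key '$label' on token '$token' via $module"
}

# Print the openssl.cnf engine stanza that replaces the interactive
# "engine dynamic -pre ..." sequence, with MODULE_PATH set to the given module.
engine_cnf_snippet() {
    cat <<EOF
[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib/engines-1.1/libpkcs11.so
MODULE_PATH = $1
init = 0
EOF
}

# Constructed sample values (from the thread's command line).
SAMPLE_URI="pkcs11:model=SLI9670;manufacturer=Infineon;token=greengrass;object=greenkey;type=private;pin-value=123456"
# Assumed location of the tpm2-pkcs11 module; adjust for your system.
PKCS11_MODULE="${PKCS11_MODULE:-/usr/lib/pkcs11/libtpm2_pkcs11.so}"

check_module_has_key "$PKCS11_MODULE" "$SAMPLE_URI" \
    || echo "fix MODULE_PATH (or the key label) before running openssl req"
engine_cnf_snippet "$PKCS11_MODULE"
```

Run it with PKCS11_MODULE pointing at each candidate module (the OpenSC one and the tpm2 one): only the module the key was created under will report the private key, and that is the path that belongs in MODULE_PATH.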

Darsh-Dev commented 4 years ago

@dengert Thanks for the update.

After changing MODULE_PATH:/usr/lib/opensc-pkcs11.so to MODULE_PATH:/usr/lib/pkcs11/libtpm2_pkcs11.so, it's working fine.