jans23
commented
1 year ago @frankmorgner might have an idea.
Closed nponsard closed 1 year ago
jans23
commented
1 year ago @frankmorgner might have an idea.
dengert
commented
1 year ago It maybe related to RSA_set0_key being deprecated in OpenSSL 3.0 and internally OpenSSL does not handle a NULL "d"
See: https://www.openssl.org/docs/man3.1/man3/RSA_set0_key.html
In libp11 and PKCS11 there are private keys and public keys. In OpenSSL there are just keys. Libp11 looks like it is writing the public key components into an OpenSSL RSA key. "d" is the private secret.
The OpenSSL error messages don't seem to be related to the problem.
You did some debugging... Do you have an backtrace or other info?
It looks like you are using OpenSC to some smart card too. What card? Are libp11 and OpenSC linked to the same version of OpenSSL? Many cards will never give you the RSA "d".
Maybe libp11 should be be updated to not use the deprecated RSA calls.
nponsard
commented
1 year ago It maybe related to
RSA_set0_keybeing deprecated in OpenSSL 3.0 and internally OpenSSL does not handle a NULL "d" See: https://www.openssl.org/docs/man3.1/man3/RSA_set0_key.html
It looks like that could be the problem, in the man page it says that only n and e must be non NULL but apparently they expect everything to be non-NULL ?
The OpenSSL error messages don't seem to be related to the problem.
You did some debugging... Do you have an backtrace or other info?
It happens when OpenSSL tries to convert the EVP_PKEY that libp11 created into a PKCS8 structure with the function EVP_PKEY2PKCS8. The errors happens in the call of pkey->ameth->priv_encode that is implemented by rsa_priv_encode in rsa_ameth the OpenSSL code. It then gets into a loop in ASN1_item_ex_i2d in tasn_enc.c where it reads the templates (I did not find where it's defined) and one of the "templates" needs to read the d value.
It looks like you are using OpenSC to some smart card too. What card? Are libp11 and OpenSC linked to the same version of OpenSSL? Many cards will never give you the RSA "d". I tested with the Nitrokey 3 and OpenSC. I tried with libp11 and OpenSC linked to the same OpenSSL version (compiled locally) and the problem is still here.
After reading the man page it looks like this is more a bug in OpenSSL, but since this function is being deprecated I don't know if I should report the issue. Also the whole "engine" interface of OpenSSL is being deprecated in favor of the "provider api" https://github.com/openssl/openssl/blob/master/README-ENGINES.md .
nponsard
commented
1 year ago I think I found the root of my problem, it was user error and confusion. Since the security keys don't give access to the private components of the key I only wanted to get the public key. Turns out I only needed to add the -pubin or -pubout option to the OpenSSL.
dengert
commented
1 year ago Great. In regard to OpenSSL 3.0 and providers vs engines, you may want to look at https://github.com/latchset/pkcs11-provider
nponsard
commented
1 year ago Thanks !
I tried with OpenSSL version 3.0.9 / 3.1.1 / 3.2.0-dev. Libp11 version 0.4.12 and (compiled from source) commit 74497e0fa5b69b15790d6697e1ebce13af842d4c
When you execute the command
You get the error from OpenSSL :
This command works with the older Openssl 1.1 and libp11 0.4.9.
I did some debugging and found out that it tries to read the
dvalue of the RSA key. Inp11_rsa.c, functionpkcs11_get_rsa: the pointer todis set toNULLin the call toRSA_set0_key.I tried to create a pointer to a big number with the value 0, I still had the same problem but with the
pfactor. After setting values forRSA_set0_factorsandRSA_set0_crt_params:The OpenSSL command worked.