Yubico / developers.yubico.com

Source code for generating our website
https://developers.yubico.com

Using YubiHSM2 With OpenSSL on Windows with Cygwin #454

Closed dustt411 closed 2 years ago

dustt411 commented 2 years ago

Hello, not sure if this is the correct place to put this, but I've been running into some issues getting my YubiHSM2 running in Cygwin with OpenSSL. I followed: https://github.com/Yubico/developers.yubico.com/blob/master/content/YubiHSM2/Usage_Guides/OpenSSL_with_pkcs11_engine.adoc

  1. Installed the yubihsm-shell and connector.
  2. Got the latest Cygwin installer from https://www.cygwin.com/setup-x86_64.exe
  3. Installed Cygwin - updated OpenSSL to latest.
  4. Tried to follow https://github.com/OpenSC/libp11/blob/master/INSTALL.md - ran into build errors.
  5. Cheated and got the pre-built DLLs at https://github.com/OpenSC/libp11/releases/download/libp11-0.4.11/libp11-0.4.11-windows.zip
  6. Edited openssl.cnf with the following:

```
openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = C:/Users/ITSAMEMARIO/pkcs11/pkcs11.dll
MODULE_PATH = C:/Users/ITSAMEMARIO/pkcs11/YubiHSM_Shell/bin/pkcs11/yubihsm_pkcs11.dll
INIT_ARGS = connector=http://127.0.0.1:12345
init = 0
```

  7. Added YubiHSM Shell/bin to my path in Cygwin.
  8. Created an asymmetric key on the YubiHSM2 in slot 2 (ECP256) - this works fine in Cygwin.
  9. Self-signed a certificate, for the key created in step 7, using OpenSSL (`$ openssl req -new -x509 -nodes -days 3650 -out myCert.pem -engine pkcs11 -keyform engine -key 0:0002`) - NOTE: this worked fine, showing Cygwin and OpenSSL can access the YubiHSM2.
  10. Using OpenSSL, created another key and a CSR for that key (newKey.csr).
  11. Tried to sign the CSR from step 9 with the key stored on the YubiHSM2 (`$ openssl x509 -req -in newKey.csr -CA myCert.pem -CAkeyform engine -engine pkcs11 -CAkey 0:0002 -out newKey.pem -CAcreateserial -sha256`).

Here are the results I get

```
Getting CA Private Key
CA certificate and CA private key do not match
34359738384:error:10071065:elliptic curve routines:EC_POINT_cmp:incompatible objects:crypto/ec/ec_lib.c:960:
34359738384:error:06067099:digital envelope routines:EVP_PKEY_copy_parameters:different parameters:crypto/evp/p_lib.c:93:
34359738384:error:10071065:elliptic curve routines:EC_POINT_cmp:incompatible objects:crypto/ec/ec_lib.c:960:
34359738384:error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:crypto/x509/x509_cmp.c:303:
```

I can add debug to the Yubi connector and I clearly see that OpenSSL is reading out the public key from the YubiHSM2. If I use the YubiHSM Shell to read the public key (off the YubiHSM2) and use OpenSSL to read the public key out of the cert, they are the same. Yet when I try to sign the CSR I get this error. Any thoughts?

Note the same issue occurs if I use MSYS. But if I use mingw64 or Windows PowerShell it works fine. All environments are using the same pkcs11.dll and yubihsm_pkcs11.dll.

debug.txt: shows the debug output when running the openssl command.
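The following is an added example and is not code from the issue, its reporter, or Yubico. It replays the CA-signs-CSR flow from the report with a software-held CA key, so the `openssl x509 -req -CA ... -CAkey ...` invocation can be validated in a given shell (Cygwin, MSYS, mingw64) independently of the PKCS#11 engine, and it scripts the check the reporter did by hand: comparing the SubjectPublicKeyInfo in the CA certificate against the public key reported for the CA private key, which is the comparison behind the "CA certificate and CA private key do not match" error. Only the openssl CLI is required; file names, subject names and the working directory are placeholders, and the HSM variant of the signing step is shown in a comment using the report's own `0:0002` key reference.

```shell
#!/bin/sh
# Added example, not code from the issue, its reporter, or Yubico.
# Replays the CA/CSR signing flow from the report with software keys and
# scripts the check the reporter performed by hand: comparing the
# SubjectPublicKeyInfo in the CA certificate with the public key reported
# for the CA private key (the comparison OpenSSL's X509_check_private_key
# makes before `x509 -req -CA ... -CAkey ...` signs anything).
# Assumptions: only the openssl CLI is needed; file names, subjects and the
# working directory are placeholders.
set -eu

# SHA-256 over the DER SubjectPublicKeyInfo found in a certificate.
cert_spki_fp() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Same fingerprint for a standalone PEM public key, e.g. the key exported
# from the HSM with yubihsm-shell, or `openssl pkey -pubout` for a file key.
pubkey_spki_fp() {
    openssl pkey -pubin -in "$1" -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Exit 0 when certificate $1 and public key $2 carry the same SPKI.
ca_matches_pubkey() {
    [ "$(cert_spki_fp "$1")" = "$(pubkey_spki_fp "$2")" ]
}

# Full flow in directory $1 with a software-held CA key: CA key and
# self-signed certificate, leaf key and CSR, sign the CSR, verify the chain.
# To run the signing step against the HSM instead, replace
#   -CAkey "$d/ca.key"
# with the report's
#   -engine pkcs11 -CAkeyform engine -CAkey 0:0002
demo_sign() {
    d=$1
    openssl ecparam -name prime256v1 -genkey -noout -out "$d/ca.key"
    openssl req -new -x509 -key "$d/ca.key" -sha256 -days 30 \
        -subj "/CN=Example CA" -out "$d/ca.pem"
    # Public half of the CA key, standing in for what the HSM reports.
    openssl pkey -in "$d/ca.key" -pubout -out "$d/ca.pub"
    ca_matches_pubkey "$d/ca.pem" "$d/ca.pub"

    openssl ecparam -name prime256v1 -genkey -noout -out "$d/leaf.key"
    openssl req -new -key "$d/leaf.key" -sha256 -subj "/CN=leaf" \
        -out "$d/leaf.csr"
    # The CSR's own signature must verify before it is worth signing.
    openssl req -in "$d/leaf.csr" -noout -verify

    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 30 -sha256 -out "$d/leaf.pem"
    openssl verify -CAfile "$d/ca.pem" "$d/leaf.pem" >/dev/null
}

# Negative case: the public key of an unrelated key pair must not match;
# this is the condition behind "CA certificate and CA private key do not match".
demo_mismatch() {
    d=$1
    openssl ecparam -name prime256v1 -genkey -noout -out "$d/other.key"
    openssl pkey -in "$d/other.key" -pubout -out "$d/other.pub"
    if ca_matches_pubkey "$d/ca.pem" "$d/other.pub"; then
        return 1
    fi
    return 0
}
```

Run it with `d=$(mktemp -d); demo_sign "$d" && demo_mismatch "$d" && echo OK`. If the software-key flow succeeds in the same shell where the engine-backed signing fails, the shell and OpenSSL build are not at fault and attention can move to the engine and PKCS#11 module; if `ca_matches_pubkey` fails for a real certificate against the public key the HSM exports, the certificate was issued for a different key than the one being referenced.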

dustt411 commented 2 years ago

Moving to different page: https://github.com/Yubico/yubihsm-shell/issues/250