certnanny / sscep

SSCEP is a command line client for the SCEP protocol
173 stars 91 forks

Does the sscep support PKCS11 engine? #155

Closed qq8512852 closed 2 years ago

qq8512852 commented 2 years ago

I'm using sscep version v0.10.0. But when I point it to the pkcs11 engine, the error is as follows: "/sscep: Executing LOAD did not succeed:"

Can any clues be provided?

qq8512852 commented 2 years ago

Can anybody help me?

gotthardp commented 2 years ago

Hello. That error message should be followed by additional information on what was wrong (printed on stderr). If you have that information we may be able to provide you with some additional clues.

qq8512852 commented 2 years ago

Thanks for your support. I can use my pkcs11 engine with OpenSSL, as follows:

# openssl rand -engine pkcs11 -hex 2
engine "pkcs11" set.
f1b4

but when I use it with SSCEP, as follows:

strace sscep getca \
        -u $HTTPS_ADDR \
        -g 'pkcs11' \
        -c ./ca.pem

partial log:

openat(AT_FDCWD, "/lib/libdl.so.2", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0(\0\1\0\0\0\230\t\0\0004\0\0\0"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=9600, ...}) = 0
mmap2(NULL, 73916, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x76c37000
mprotect(0x76c39000, 61440, PROT_NONE) = 0
mmap2(0x76c48000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1000) = 0x76c48000
close(3) = 0
openat(AT_FDCWD, "tls/v7l/neon/vfp/libpthread.so.0", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "tls/v7l/neon/libpthread.so.0", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "tls/v7l/vfp/libpthread.so.0", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "tls/v7l/libpthread.so.0", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "tls/neon/vfp/libpthread.so.0", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "tls/neon/libpthread.so.0", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "tls/vfp/libpthread.so.0", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "tls/libpthread.so.0", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "v7l/neon/vfp/libpthread.so.0", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "v7l/neon/libpthread.so.0", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "v7l/vfp/libpthread.so.0", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "v7l/libpthread.so.0", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "neon/vfp/libpthread.so.0", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "neon/libpthread.so.0", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "vfp/libpthread.so.0", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "libpthread.so.0", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/root/3.18/openssl/lib/libpthread.so.0", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/root/3.18/pkcs11-lib/lib/libpthread.so.0", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/root/3.18/openssl/lib/engines-1.1/libpthread.so.0", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib/libpthread.so.0", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0(\0\1\0\0\0AJ\0\0004\0\0\0"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=109148, ...}) = 0
mmap2(NULL, 148052, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x76c12000
mprotect(0x76c24000, 61440, PROT_NONE) = 0
mmap2(0x76c33000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x11000) = 0x76c33000
mmap2(0x76c35000, 4692, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x76c35000
close(3) = 0
mmap2(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x76f65000
set_tls(0x76f654d0) = 0
mprotect(0x76d39000, 8192, PROT_READ) = 0
mprotect(0x76c33000, 4096, PROT_READ) = 0
mprotect(0x76c48000, 4096, PROT_READ) = 0
mprotect(0x76ebe000, 90112, PROT_READ) = 0
mprotect(0x76f37000, 20480, PROT_READ) = 0
mprotect(0x2e000, 4096, PROT_READ) = 0
mprotect(0x76f69000, 4096, PROT_READ) = 0
set_tid_address(0x76f65078) = 190
set_robust_list(0x76f65080, 12) = 0
rt_sigaction(SIGRTMIN, {sa_handler=0x76c165ed, sa_mask=[], sa_flags=SA_RESTORER|SA_SIGINFO, sa_restorer=0x76c709c1}, NULL, 8) = 0
rt_sigaction(SIGRT_1, {sa_handler=0x76c16671, sa_mask=[], sa_flags=SA_RESTORER|SA_RESTART|SA_SIGINFO, sa_restorer=0x76c709c1}, NULL, 8) = 0
rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0
ugetrlimit(RLIMIT_STACK, {rlim_cur=8192*1024, rlim_max=RLIM_INFINITY}) = 0
brk(NULL) = 0x30000
brk(0x51000) = 0x51000
futex(0x76ed7ad8, FUTEX_WAKE_PRIVATE, 2147483647) = 0
futex(0x76ed7adc, FUTEX_WAKE_PRIVATE, 2147483647) = 0
futex(0x76ed7ae0, FUTEX_WAKE_PRIVATE, 2147483647) = 0
futex(0x76ed7afc, FUTEX_WAKE_PRIVATE, 2147483647) = 0
futex(0x76ed5404, FUTEX_WAKE_PRIVATE, 2147483647) = 0
futex(0x76ed7a40, FUTEX_WAKE_PRIVATE, 2147483647) = 0
futex(0x76ed5998, FUTEX_WAKE_PRIVATE, 2147483647) = 0
futex(0x76ed5490, FUTEX_WAKE_PRIVATE, 2147483647) = 0
futex(0x76ed7ae4, FUTEX_WAKE_PRIVATE, 2147483647) = 0
futex(0x76ed7b00, FUTEX_WAKE_PRIVATE, 2147483647) = 0
futex(0x76c490b0, FUTEX_WAKE_PRIVATE, 2147483647) = 0
openat(AT_FDCWD, "/home/wubo/Desktop/code/pkcs11/installs/optee-3.18/openssl/lib/engines-1.1/pkcs11.so", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = -1 ENOENT (No such file or directory)
write(2, "sscep: Executing LOAD did not su"..., 39sscep: Executing LOAD did not succeed: ) = 39
exit_group(1) = ?
+++ exited with 1 +++

gotthardp commented 2 years ago

What happens when you do ls -la /home/wubo/Desktop/code/pkcs11/installs/optee-3.18/openssl/lib/engines-1.1/pkcs11.so?

qq8512852 commented 2 years ago

[image attached: screenshot of the ls -la output]

Could you see the picture? This path is on my host. After compiling it with the corresponding tools, I move it to the device or QEMU.

pjasicek commented 2 years ago

Hi,

sscep does support pkcs11. I tested it with OP-TEE:

1) Generate private key inside the "HSM" (optee):

pkcs11-tool \
        --module /usr/lib/libckteec.so.0 \
        --slot 1 \
        --login --pin 123456 \
        --label "sscep_crt_privkey" \
        --id 1234567890ABCDEF \
        --keypairgen --key-type RSA:2048

2) Create certificate signing request (CSR):

# Prepare openssl config with proper module paths
$ cat /tmp/optee_openssl.cnf
openssl_conf = openssl_def

[ req ]
prompt = no
string_mask = nombstr
attributes=req_attributes
distinguished_name = req_distinguished_name
req_extensions = v3_req

[ req_attributes ]
challengePassword=1601F99F411ED1234

[ req_distinguished_name ]
CN=some_name

[ v3_req ]
subjectAltName = @alt_names
digitalSignature, keyEncipherment
serverAuth

[alt_names]
DNS.1 = some_name

[openssl_def]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib/engines-1.1/pkcs11.so
MODULE_PATH = /usr/lib/libckteec.so.0
init = 0
PIN=123456

OPENSSL_CONF=/tmp/optee_openssl.cnf openssl req  \
        -engine pkcs11 \
        -new \
        -sha256 \
        -keyform engine -key 1:1234567890ABCDEF \
        -passin pass:123456 \
        -out /tmp/cert.csr

3) Execute certificate enrollment request

# sscep configuration file
$ cat /tmp/sscep.cnf
[sscep]
engine = sscep_engine_pkcs11

[sscep_engine_pkcs11]
engine_id = pkcs11
dynamic_path = /usr/lib/engines-1.1/pkcs11.so
init = 0
MODULE_PATH = /usr/lib/libckteec.so.0
PIN=123456

/usr/bin/sscep enroll \
        -u <scep-server-uri> \
        -f /tmp/sscep.cnf \
        -c /tmp/ra.crt \
        -k 1:1234567890ABCDEF \
        -r /tmp/cert.csr \
        -l /tmp/cert.crt \
        -e /tmp/ca.crt

A similar approach should work with other pkcs11-capable devices, e.g. tpm2 using the pkcs11 engine, USB HSM tokens like NitroKey/YubiHSM, or smart cards. Setup for these devices would differ though: different devices have different naming conventions for the "key", e.g. OPTEE is using :, other devices use something else. Also, the MODULE_PATH would be different.
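As an added example (not code from the sscep project or from anyone in this thread), the following POSIX shell script pre-checks an sscep config of the shape shown above before sscep is run: it reads the engine section named under [sscep] and verifies that dynamic_path and MODULE_PATH point at readable files, which is exactly the failure behind the "Executing LOAD did not succeed" error earlier in this thread. The ini_get, check_pkcs11_engine_config and write_demo_config functions are hypothetical helpers written for this example; the "bad" variant reuses the nonexistent host path from the strace log, and the "good" variant uses /bin/sh purely as a stand-in for a file that exists.

```shell
#!/bin/sh
# Added example, not part of sscep: pre-flight check of the pkcs11 engine
# paths in an sscep config file, so a wrong dynamic_path / MODULE_PATH is
# caught before sscep prints "Executing LOAD did not succeed".

# ini_get FILE SECTION KEY: print the value of KEY inside [SECTION].
# Key names match case-insensitively; whitespace around '=' is tolerated.
ini_get() {
    awk -v want="$2" -v key="$3" '
        /^[ \t]*\[/ {
            s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s)
            insec = (s == want); next
        }
        insec && index($0, "=") {
            k = $0; sub(/[ \t]*=.*$/, "", k); sub(/^[ \t]*/, "", k)
            if (tolower(k) == tolower(key)) {
                v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]*$/, "", v)
                print v; exit
            }
        }' "$1"
}

# check_pkcs11_engine_config FILE: return 0 when the engine section named
# by [sscep] engine= has a readable dynamic_path and MODULE_PATH, else 1.
# Each problem is reported on stderr so the operator sees which path is wrong.
check_pkcs11_engine_config() {
    cfg="$1"
    section=$(ini_get "$cfg" sscep engine)
    if [ -z "$section" ]; then
        echo "$cfg: no 'engine' key in [sscep]" >&2
        return 1
    fi
    rc=0
    for key in dynamic_path MODULE_PATH; do
        path=$(ini_get "$cfg" "$section" "$key")
        if [ -z "$path" ]; then
            echo "$cfg: [$section] has no $key" >&2
            rc=1
        elif [ ! -f "$path" ] || [ ! -r "$path" ]; then
            echo "$cfg: [$section] $key=$path is not a readable file" >&2
            rc=1
        fi
    done
    return $rc
}

# write_demo_config FILE bad|good: write a constructed sscep config.
# "bad" uses the nonexistent host path seen in the strace log in this thread;
# "good" uses /bin/sh for both paths only as a stand-in for an existing file.
write_demo_config() {
    case "$2" in
        bad)
            dp=/home/wubo/Desktop/code/pkcs11/installs/optee-3.18/openssl/lib/engines-1.1/pkcs11.so
            mp=/usr/lib/libckteec.so.0 ;;
        good)
            dp=/bin/sh
            mp=/bin/sh ;;
    esac
    cat > "$1" <<EOF
[sscep]
engine = sscep_engine_pkcs11

[sscep_engine_pkcs11]
engine_id = pkcs11
dynamic_path = $dp
init = 0
MODULE_PATH = $mp
PIN=123456
EOF
}

# Stand-alone demonstration on the two constructed configs.
demo_cfg=$(mktemp)
for variant in bad good; do
    write_demo_config "$demo_cfg" "$variant"
    if check_pkcs11_engine_config "$demo_cfg"; then
        echo "$variant config: engine paths OK, safe to run sscep -f $demo_cfg"
    else
        echo "$variant config: fix the paths reported above before running sscep"
    fi
done
rm -f "$demo_cfg"
```

In practice the check would be run against the real sscep config on the target device (not on the build host), since the thread's failure came from a path that existed on the host but not on the device or QEMU image.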

qq8512852 commented 2 years ago

Thank you very much. It's working now.

qq8512852 commented 2 years ago

Thanks for your help, the problem has been solved. The reason is that I pointed to a wrong path for the pkcs11 engine.