mtrojnar / osslsigncode

OpenSSL based Authenticode signing for PE/MSI/Java CAB files

using on windows with nitrokey HSM2 #361

Closed TheMonsterIT closed 8 months ago

TheMonsterIT commented 9 months ago

Hello, I have a problem: I can't find a way to sign an executable under Windows with the Nitrokey HSM USB module. Let's say that using signtool works properly, but this involves many Windows components that can go wrong, PIN popups and so on, so I'm trying to find a simpler working method.

What I have done:
1) installed the latest OpenSC Project 0.24 to have access to the HSM dongle
2) ran the sign command:

osslsigncode sign -verbose -pkcs11engine "C:\Program Files\OpenSC Project\OpenSC\pkcs11\opensc-pkcs11.dll" -pkcs11cert "pkcs11:object=win-sign-test1" -h sha1 -in "a.exe" -out b.exe
Failed to set 'dynamic' engine
Failed to read key or certificates
142F0000:error:1280006A:DSO support routines:win32_bind_func:could not bind to the requested symbol name:crypto\dso\dso_win32.c:184:symname(bind_engine)
142F0000:error:1280006A:DSO support routines:DSO_bind_func:could not bind to the requested symbol name:crypto\dso\dso_lib.c:176:
142F0000:error:13000068:engine routines:dynamic_load:DSO failure:crypto\engine\eng_dyn.c:455:
Failed

I think there is some problem with the PKCS#11 DLL provided by OpenSC and osslsigncode, or I am missing something in the command line... any help?

mtrojnar commented 9 months ago

Your opensc-pkcs11.dll is a PKCS#11 module, and not a PKCS#11 engine. An engine is an interface between OpenSSL and a module, while a module is an interface between an engine and your hardware. Different software, different role, different interfaces. Both are shared libraries, which often causes confusion. Be sure to specify the right one for each option.

TheMonsterIT commented 9 months ago

OK, so after your reply I downloaded libp11-0.4.11-windows, which should be the engine:

osslsigncode sign -verbose -pkcs11engine "pkcs11.dll" -pkcs11module "C:\Program Files\OpenSC Project\OpenSC\pkcs11\opensc-pkcs11.dll" -pkcs11cert "pkcs11:object=win-sign-test1" -h sha1 -in "a.exe" -out b.exe
Failed to set 'dynamic' engine
Failed to read key or certificates
AC3B0000:error:12800067:DSO support routines:win32_load:could not load the shared library:crypto\dso\dso_win32.c:108:filename(pkcs11.dll.dll)
AC3B0000:error:12800067:DSO support routines:DSO_load:could not load the shared library:crypto\dso\dso_lib.c:152:
AC3B0000:error:13000084:engine routines:dynamic_load:dso not found:crypto\engine\eng_dyn.c:442:
Failed

and the same with the engine libp11-3.dll.

P.S. In the meantime I fixed an error where legacy.dll was not found in the path. So what have I missed now?

mtrojnar commented 9 months ago

pkcs11.dll.dll?

TheMonsterIT commented 9 months ago

Yes, I see the double .dll in the error message. As you can see I load it with one .dll, but also without the .dll extension (so the error message shows the correct file) the result doesn't change.

mtrojnar commented 9 months ago

I guess what you need is to set OPENSSL_ENGINES=. in your environment instead of specifying a command-line option to your osslsigncode. Also, make sure all of your dlls and your osslsigncode.exe are either 64-bit or 32-bit.

TheMonsterIT commented 9 months ago

All DLLs are 64-bit, double-checked right now. Specifying the path with OPENSSL_ENGINES makes no difference, but skipping -pkcs11engine in combination with the path set gives the correct filename in the log:

osslsigncode sign -verbose -pkcs11module "C:\Program Files\OpenSC Project\OpenSC\pkcs11\opensc-pkcs11.dll" -pkcs11cert "pkcs11:object=win-sign-test1" -h sha1 -in "a.exe" -out b.exe
Failed to set 'dynamic' engine
Failed to read key or certificates
B03D0000:error:12800067:DSO support routines:win32_load:could not load the shared library:crypto\dso\dso_win32.c:108:filename(C:\osslsign2\pkcs11.dll)
B03D0000:error:12800067:DSO support routines:DSO_load:could not load the shared library:crypto\dso\dso_lib.c:152:
B03D0000:error:13000084:engine routines:dynamic_load:dso not found:crypto\engine\eng_dyn.c:442:
Failed

mtrojnar commented 8 months ago

@olszomal Can you take a look?

olszomal commented 8 months ago

My pkcs11.dll library is located in the directory C:\Program Files (x86)\stunnel\engines\. I can use the -pkcs11engine option:

>osslsigncode.exe sign -in unsigned.exe -out signed.exe 
 -pkcs11module "C:\Program Files\OpenSC Project\OpenSC\pkcs11\opensc-pkcs11.dll" 
 -pkcs11engine "C:\Program Files (x86)\stunnel\engines\pkcs11.dll" 
 -pkcs11cert "pkcs11:type=cert;object=test_cert;pin-value=1234"
Engine "pkcs11" set.
Succeeded

or set the OPENSSL_ENGINES environment variable:

>set OPENSSL_ENGINES=C:\Program Files (x86)\stunnel\engines
>osslsigncode.exe sign -in unsigned.exe -out signed.exe
 -pkcs11module "C:\Program Files\OpenSC Project\OpenSC\pkcs11\opensc-pkcs11.dll"
 -pkcs11cert "pkcs11:type=cert;object=test_cert;pin-value=1234"
Engine "pkcs11" set.
Succeeded

TheMonsterIT commented 8 months ago

Good point! Using the pkcs11.dll from the stunnel download does the trick. Somehow the library from libp11 was not compatible with the exe. Now I need to figure out how the pkcs11cert is made to access the certificate, but a big thank you to all. Artur

olszomal commented 8 months ago

RFC 7512 may be helpful. libp11 supports the following attribute names:
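
As an added illustration of the RFC 7512 URI format that -pkcs11cert takes (example code, not from this thread or the osslsigncode project): a small parser and builder for pkcs11: URIs. The parser accepts pin-value in the path part, as libp11 does in the commands above, while the builder places it in the query part where RFC 7512 defines it; the attribute names are the ones RFC 7512 registers, and the sample URIs are taken from this thread.

```python
from urllib.parse import quote, unquote

# Attribute names from RFC 7512: path attributes come before "?", query attributes after.
PATH_ATTRS = {"token", "manufacturer", "serial", "model", "library-manufacturer",
              "library-version", "library-description", "object", "type", "id",
              "slot-id", "slot-manufacturer", "slot-description"}
QUERY_ATTRS = {"pin-source", "pin-value", "module-name", "module-path"}


def parse_pkcs11_uri(uri: str) -> dict:
    """Return {attribute: percent-decoded value} for a pkcs11: URI.

    Path attributes are ';'-separated and query attributes '&'-separated.
    libp11 (the engine osslsigncode loads) also accepts pin-value in the path
    part, as in the thread's commands, so both placements are accepted here.
    """
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path, _, query = uri[len("pkcs11:"):].partition("?")
    attrs = {}
    for part, sep in ((path, ";"), (query, "&")):
        for item in filter(None, part.split(sep)):
            key, eq, value = item.partition("=")
            if not eq or key not in PATH_ATTRS | QUERY_ATTRS or key in attrs:
                raise ValueError(f"bad, unknown or duplicate attribute: {item!r}")
            attrs[key] = unquote(value)
    return attrs


def build_pkcs11_uri(**attrs: str) -> str:
    """Build a URI from keyword attributes (pin_value= for pin-value), percent-
    encoding values and placing query attributes after '?' as RFC 7512 specifies."""
    path, query = [], []
    for key, value in attrs.items():
        key = key.replace("_", "-")
        pair = f"{key}={quote(value, safe='')}"
        if key in PATH_ATTRS:
            path.append(pair)
        elif key in QUERY_ATTRS:
            query.append(pair)
        else:
            raise ValueError(f"unknown attribute: {key!r}")
    return "pkcs11:" + ";".join(path) + ("?" + "&".join(query) if query else "")


def embeds_pin(uri: str) -> bool:
    """True when the URI carries the PIN inline; such a URI ends up in shell
    history and process listings, and RFC 7512's pin-source is the alternative."""
    return "pin-value" in parse_pkcs11_uri(uri)
```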

TheMonsterIT commented 8 months ago

Perfect, working. To sum up: you need the x64 build of osslsigncode and install the stunnel software "stunnel-latest-win64-installer.exe". My private key is: Private RSA Key [7EB923BE095E40D6872E0995CCD08F3D], found with the "pkcs15-tool -D" command. Add to the command line the public certificate matching the HSM private key, "public_crt.pem", and that's it, signed file :)

osslsigncode.exe sign -in unsigned.exe -out signed.exe -pkcs11module "C:\Program Files\OpenSC Project\OpenSC\pkcs11\opensc-pkcs11.dll" -pkcs11engine "C:\Program Files (x86)\stunnel\engines\pkcs11.dll" -pkcs11cert "pkcs11:object=7EB923BE095E40D6872E0995CCD08F3D;pin-value=648219" -certs "public_crt.pem"
Engine "pkcs11" set.

thank you!