| Summary: | pkcs15-tool generate broken key pair | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Denis Kostousov <denis.kostousov> |
| Component: | opensc | Assignee: | Jakub Jelen <jjelen> |
| Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 24 | CC: | gmazyland, jjelen, klember, nmavrogi, tmraz |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2016-11-29 10:47:35 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Description
Denis Kostousov
2016-11-10 09:19:25 UTC
Can you verify in which last OpenSC version it worked for you? Does it work for you with the latest OpenSC from Fedora 25 (version 0.16.0):

# dnf update opensc --releasever=25

Nothing changed after the upgrade to opensc-0.16.0-1.fc25.x86_64:

[kostousov-ds@kostousov-ds 15:24:45]pkcs11(0)% openssl
OpenSSL> req -engine pkcs11 -new -key 'pkcs11:id=newkeyset' -keyform engine -out req.pem -text -x509 -subj "/CN=Andreas Jellinghaus"
engine "pkcs11" set.
PKCS#11 token PIN:
140398552491896:error:80009005:Vendor defined:PKCS11_rsa_encrypt:General Error:p11_rsa.c:117:
140398552491896:error:0D0DC006:asn1 encoding routines:ASN1_item_sign_ctx:EVP lib:a_sign.c:306:
error in req
OpenSSL> %
[kostousov-ds@kostousov-ds 15:25:10]pkcs11(0)% rpm -qa opensc
opensc-0.16.0-1.fc25.x86_64

Then I updated libp11 and engine_pkcs11:

[kostousov-ds@kostousov-ds 15:27:23]pkcs11(0)% rpm -qa \*p11\*
p11-kit-0.23.2-2.fc24.x86_64
p11-kit-0.23.2-2.fc24.i686
libp11-0.4.0-2.fc25.x86_64
p11-kit-trust-0.23.2-2.fc24.x86_64

But nothing changed. openssl was updated... nothing changed.

> Can you verify which was the last OpenSC version it worked for you by downgrading to previous versions from Koji [1] to bisect when the problem was introduced?
> [1] http://koji.fedoraproject.org/koji/packageinfo?packageID=2698

libp11 (i.e., engine_pkcs11) could also be the culprit. Could you try using dnf downgrade on the involved packages to detect which one caused the problem?

I downgraded many packages to the base version, but nothing changed. I can't understand what breaks the generation.
[kostousov-ds@kostousov-ds 18:05:09]~(0)% sudo dnf list libp11 opensc openssl{,-libs,-devel} p11-kit engine_pkcs11
Last metadata expiration check: 4:12:40 ago on Thu Nov 10 13:52:30 2016.
Installed Packages
engine_pkcs11.x86_64 0.2.0-2.fc24 @fedora
libp11.x86_64 0.3.0-2.fc24 @fedora
opensc.x86_64 0.15.0-5.fc24 @fedora
openssl.x86_64 1:1.0.2h-1.fc24 @fedora
openssl-devel.x86_64 1:1.0.2h-1.fc24 @fedora
openssl-libs.i686 1:1.0.2h-1.fc24 @fedora
openssl-libs.x86_64 1:1.0.2h-1.fc24 @fedora
p11-kit.i686 0.23.2-2.fc24 @System
p11-kit.x86_64 0.23.2-2.fc24 @System
Error:
[kostousov-ds@kostousov-ds 17:58:14]pkcs11(130)% openssl
OpenSSL> engine dynamic -pre SO_PATH:/usr/lib64/openssl/engines/libpkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib64/opensc-pkcs11.so
(dynamic) Dynamic engine loading support
[Success]: SO_PATH:/usr/lib64/openssl/engines/libpkcs11.so
[Success]: ID:pkcs11
[Success]: LIST_ADD:1
[Success]: LOAD
[Success]: MODULE_PATH:/usr/lib64/opensc-pkcs11.so
Loaded: (pkcs11) pkcs11 engine
OpenSSL> req -engine pkcs11 -new -key slot_1-id_6e65776b6579736574 -keyform engine -out /var/tmp/req.csr -subj "/C=RU/O=Billing SystemsLtd/OU=Project Department/CN=ledentsov-ov-ra/emailAddress=user"
engine "pkcs11" set.
PKCS#11 token PIN:
140625847474040:error:8000A005:PKCS11 library:PKCS11_rsa_sign:General Error:p11_ops.c:193:
140625847474040:error:0D0DC006:asn1 encoding routines:ASN1_item_sign_ctx:EVP lib:a_sign.c:306:
error in req
OpenSSL>
No idea here. What if you use the gnutls tools?

$ p11tool --provider /usr/lib64/opensc-pkcs11.so --list-all --login

[copy the URL of the object you'd like to use and then]

$ certtool --provider /usr/lib64/opensc-pkcs11.so --generate-request --load-privkey "pkcs11:xxx" --outfile cert.csr

by replacing pkcs11:xxx with the actual URL.

[kostousov-ds@irtysh 20:30:02]~(0)% p11tool --provider /usr/lib64/opensc-pkcs11.so --list-all --login
Token 'Rutoken ECP (User PIN)' with URL 'pkcs11:model=PKCS%2315;manufacturer=Aktiv%20Co.;serial=0000000031296725;token=Rutoken%20ECP%20%28User%20PIN%29' requires user PIN
Enter PIN:
Object 0:
URL: pkcs11:model=PKCS%2315;manufacturer=Aktiv%20Co.;serial=0000000031296725;token=Rutoken%20ECP%20%28User%20PIN%29;id=%6e%65%77%6b%65%79%73%65%74;object=user;type=private
Type: Private key
Label: user
Flags: CKA_WRAP/UNWRAP; CKA_PRIVATE;
ID: 6e:65:77:6b:65:79:73:65:74
Object 1:
URL: pkcs11:model=PKCS%2315;manufacturer=Aktiv%20Co.;serial=0000000031296725;token=Rutoken%20ECP%20%28User%20PIN%29;id=%6e%65%77%6b%65%79%73%65%74;object=user;type=public
Type: Public key
Label: user
Flags: CKA_WRAP/UNWRAP; CKA_SENSITIVE;
ID: 6e:65:77:6b:65:79:73:65:74
[kostousov-ds@irtysh 20:30:11]~(0)% certtool --provider /usr/lib64/opensc-pkcs11.so --generate-request --load-privkey "pkcs11:model=PKCS%2315;manufacturer=Aktiv%20Co.;serial=0000000031296725;token=Rutoken%20ECP%20%28User%20PIN%29;id=%6e%65%77%6b%65%79%73%65%74;object=user;type=private" --outfile cert.csr
Generating a PKCS #10 certificate request...
Token 'Rutoken ECP (User PIN)' with URL 'pkcs11:model=PKCS%2315;manufacturer=Aktiv%20Co.;serial=0000000031296725;token=Rutoken%20ECP%20%28User%20PIN%29' requires user PIN
Enter PIN:
Common name: Some User
Organizational unit name:
Organization name:
Locality name:
State or province name:
Country name (2 chars):
Enter the subject's domain component (DC):
UID:
Enter a dnsName of the subject of the certificate:
Enter a URI of the subject of the certificate:
Enter the IP address of the subject of the certificate:
Enter the e-mail of the subject of the certificate:
Enter a challenge password:
Does the certificate belong to an authority? (y/N):
Will the certificate be used for signing (DHE ciphersuites)? (Y/n):
Will the certificate be used for encryption (RSA ciphersuites)? (Y/n):
Is this a TLS web client certificate? (y/N):
Is this a TLS web server certificate? (y/N):
sign: PKCS #11 error.
Now I realized that this is a Rutoken. Does it do normal ECDSA, or does it only provide GOST? If it is the latter, most likely you are missing the openssl gost engine. I don't think there is a package for it in Fedora (and gnutls doesn't yet support GOST).

I forgot the option "--finalize".
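The thread spells the same key ID three ways: `pkcs11:id=newkeyset` in the first openssl command, the engine_pkcs11 form `slot_1-id_6e65776b6579736574` in the second, and the RFC 7512 URL that p11tool prints with `id=%6e%65%77...` (listed as `ID: 6e:65:77:...`). The following Python helper is an added example, not part of the bug report or of any of the tools discussed; it parses such a URL (the sample is the private-key URL copied from the p11tool output above) and converts the CKA_ID among those forms so the three spellings can be checked against each other.

```python
import urllib.parse

# Sample input: the private-key URL that p11tool printed in the thread above.
SAMPLE_URL = ("pkcs11:model=PKCS%2315;manufacturer=Aktiv%20Co.;serial=0000000031296725;"
              "token=Rutoken%20ECP%20%28User%20PIN%29;id=%6e%65%77%6b%65%79%73%65%74;"
              "object=user;type=private")


def parse_pkcs11_uri(uri: str) -> dict:
    """Split an RFC 7512 'pkcs11:' URI into its path attributes.

    Path attributes are ';'-separated name=value pairs with percent-encoded
    values. CKA_ID is a byte string, not text, so 'id' is kept as bytes;
    every other value is decoded as UTF-8. Query attributes (after '?',
    e.g. pin-value) are deliberately discarded.
    """
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path, _, _query = uri[len("pkcs11:"):].partition("?")
    attrs = {}
    for part in path.split(";"):
        if not part:
            continue
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed attribute: {part!r}")
        raw = urllib.parse.unquote_to_bytes(value)
        attrs[name] = raw if name == "id" else raw.decode("utf-8")
    return attrs


def id_colon_hex(cka_id: bytes) -> str:
    """Render a CKA_ID the way p11tool lists it: '6e:65:77:...'."""
    return ":".join(f"{b:02x}" for b in cka_id)


def engine_pkcs11_key_id(slot: int, cka_id: bytes) -> str:
    """Build the legacy engine_pkcs11 key specifier 'slot_N-id_HEX'."""
    return f"slot_{slot}-id_{cka_id.hex()}"


def id_to_uri_attr(cka_id: bytes) -> str:
    """Percent-encode every byte of a CKA_ID for use in a pkcs11: URI."""
    return "id=" + "".join(f"%{b:02x}" for b in cka_id)


if __name__ == "__main__":
    a = parse_pkcs11_uri(SAMPLE_URL)
    print(a["id"], id_colon_hex(a["id"]), engine_pkcs11_key_id(1, a["id"]))
```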