Description of problem:
openssl returns an error during CSR generation on an RSA key stored in a Rutoken ECP.

Usually I run these commands to init a new rutoken:

[kostousov-ds@kostousov-ds 10:12:30]pkcs11(0)% pkcs15-init --erase-card
Using reader with a card: Aktiv Rutoken ECP 00 00
[kostousov-ds@kostousov-ds 10:13:55]pkcs11(0)% pkcs15-init --create-pkcs15 --so-pin 1234567890 --so-puk ""
Using reader with a card: Aktiv Rutoken ECP 00 00
[kostousov-ds@kostousov-ds 10:14:11]pkcs11(0)% pkcs15-init --store-pin --label "User PIN" --auth-id 02 --pin 123456 --so-pin 1234567890 --puk ""
Using reader with a card: Aktiv Rutoken ECP 00 00
[kostousov-ds@kostousov-ds 10:14:34]pkcs11(0)% pkcs11-tool --keypairgen --key-type rsa:2048 --login --label "user" --id 6e65776b6579736574
Using slot 1 with a present token (0x1)
Logging in to "Rutoken ECP (User PIN)".
Please enter User PIN:
Key pair generated:
Private Key Object; RSA
  label:      user
  ID:         6e65776b6579736574
  Usage:      decrypt, sign, unwrap
Public Key Object; RSA 2048 bits
  label:      user
  ID:         6e65776b6579736574
  Usage:      encrypt, verify, wrap
[kostousov-ds@kostousov-ds 13:52:04]pkcs11(130)% openssl
OpenSSL> req -engine pkcs11 -new -key 'pkcs11:id=newkeyset' -keyform engine -out req.pem -text -x509 -subj "/CN=Andreas Jellinghaus"
engine "pkcs11" set.
PKCS#11 token PIN:
OpenSSL>

But today the last step returns an error:

[kostousov-ds@kostousov-ds 11:50:13]pkcs11(0)% openssl
OpenSSL> req -engine pkcs11 -new -key 'pkcs11:id=newkeyset' -keyform engine -out req.pem -text -x509 -subj "/CN=Andreas Jellinghaus"
engine "pkcs11" set.
PKCS#11 token PIN:
139834512435064:error:80009005:Vendor defined:PKCS11_rsa_encrypt:General Error:p11_rsa.c:117:
139834512435064:error:0D0DC006:asn1 encoding routines:ASN1_item_sign_ctx:EVP lib:a_sign.c:306:
error in req
OpenSSL>

Some investigation shows that the error occurs only with newly created keys. With a one month old token, request generation works fine.
Version-Release number of selected component (if applicable):
[kostousov-ds@kostousov-ds 14:10:22]pkcs11(0)% rpm -qa opensc engine\* openssl libp11 p11\*
p11-kit-0.23.2-2.fc24.x86_64
p11-kit-0.23.2-2.fc24.i686
engine_pkcs11-0.4.0-2.fc24.x86_64
openssl-1.0.2j-1.fc24.x86_64
opensc-0.15.0-6.fc24.x86_64
p11-kit-trust-0.23.2-2.fc24.x86_64
libp11-0.4.0-2.fc24.x86_64

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
Can you verify which was the last OpenSC version that worked for you? Does it work for you with the latest OpenSC from Fedora 25 (version 0.16.0)?

# dnf update opensc --releasever=25
Nothing changed after upgrading to opensc-0.16.0-1.fc25.x86_64:

[kostousov-ds@kostousov-ds 15:24:45]pkcs11(0)% openssl
OpenSSL> req -engine pkcs11 -new -key 'pkcs11:id=newkeyset' -keyform engine -out req.pem -text -x509 -subj "/CN=Andreas Jellinghaus"
engine "pkcs11" set.
PKCS#11 token PIN:
140398552491896:error:80009005:Vendor defined:PKCS11_rsa_encrypt:General Error:p11_rsa.c:117:
140398552491896:error:0D0DC006:asn1 encoding routines:ASN1_item_sign_ctx:EVP lib:a_sign.c:306:
error in req
OpenSSL> %
[kostousov-ds@kostousov-ds 15:25:10]pkcs11(0)% rpm -qa opensc
opensc-0.16.0-1.fc25.x86_64
Then I updated libp11 and engine_pkcs11:

[kostousov-ds@kostousov-ds 15:27:23]pkcs11(0)% rpm -qa \*p11\*
p11-kit-0.23.2-2.fc24.x86_64
p11-kit-0.23.2-2.fc24.i686
libp11-0.4.0-2.fc25.x86_64
p11-kit-trust-0.23.2-2.fc24.x86_64

But nothing changed.
openssl was updated... nothing changed
> Can you verify which was the last OpenSC version it worked for you by downgrading to previous versions from Koji [1] to bisect when the problem was introduced?

[1] http://koji.fedoraproject.org/koji/packageinfo?packageID=2698
libp11 (i.e., engine_pkcs11) could also be the culprit. Could you try using dnf downgrade on the involved packages to detect which one caused the problem?
I downgraded many packages to the base version, but nothing changed. I can't understand what breaks the generation.

[kostousov-ds@kostousov-ds 18:05:09]~(0)% sudo dnf list libp11 opensc openssl{,-libs,-devel} p11-kit engine_pkcs11
Last metadata expiration check: 4:12:40 ago on Thu Nov 10 13:52:30 2016.
Installed Packages
engine_pkcs11.x86_64   0.2.0-2.fc24      @fedora
libp11.x86_64          0.3.0-2.fc24      @fedora
opensc.x86_64          0.15.0-5.fc24     @fedora
openssl.x86_64         1:1.0.2h-1.fc24   @fedora
openssl-devel.x86_64   1:1.0.2h-1.fc24   @fedora
openssl-libs.i686      1:1.0.2h-1.fc24   @fedora
openssl-libs.x86_64    1:1.0.2h-1.fc24   @fedora
p11-kit.i686           0.23.2-2.fc24     @System
p11-kit.x86_64         0.23.2-2.fc24     @System

Error:

[kostousov-ds@kostousov-ds 17:58:14]pkcs11(130)% openssl
OpenSSL> engine dynamic -pre SO_PATH:/usr/lib64/openssl/engines/libpkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib64/opensc-pkcs11.so
(dynamic) Dynamic engine loading support
[Success]: SO_PATH:/usr/lib64/openssl/engines/libpkcs11.so
[Success]: ID:pkcs11
[Success]: LIST_ADD:1
[Success]: LOAD
[Success]: MODULE_PATH:/usr/lib64/opensc-pkcs11.so
Loaded: (pkcs11) pkcs11 engine
OpenSSL> req -engine pkcs11 -new -key slot_1-id_6e65776b6579736574 -keyform engine -out /var/tmp/req.csr -subj "/C=RU/O=Billing SystemsLtd/OU=Project Department/CN=ledentsov-ov-ra/emailAddress=user"
engine "pkcs11" set.
PKCS#11 token PIN:
140625847474040:error:8000A005:PKCS11 library:PKCS11_rsa_sign:General Error:p11_ops.c:193:
140625847474040:error:0D0DC006:asn1 encoding routines:ASN1_item_sign_ctx:EVP lib:a_sign.c:306:
error in req
OpenSSL>
No idea here. What if you use the gnutls tools?

$ p11tool --provider /usr/lib64/opensc-pkcs11.so --list-all --login

[copy the URL of the object you'd like to use and then]

$ certtool --provider /usr/lib64/opensc-pkcs11.so --generate-request --load-privkey "pkcs11:xxx" --outfile cert.csr

replacing pkcs11:xxx with the actual URL.
[kostousov-ds@irtysh 20:30:02]~(0)% p11tool --provider /usr/lib64/opensc-pkcs11.so --list-all --login
Token 'Rutoken ECP (User PIN)' with URL 'pkcs11:model=PKCS%2315;manufacturer=Aktiv%20Co.;serial=0000000031296725;token=Rutoken%20ECP%20%28User%20PIN%29' requires user PIN
Enter PIN:
Object 0:
	URL: pkcs11:model=PKCS%2315;manufacturer=Aktiv%20Co.;serial=0000000031296725;token=Rutoken%20ECP%20%28User%20PIN%29;id=%6e%65%77%6b%65%79%73%65%74;object=user;type=private
	Type: Private key
	Label: user
	Flags: CKA_WRAP/UNWRAP; CKA_PRIVATE;
	ID: 6e:65:77:6b:65:79:73:65:74

Object 1:
	URL: pkcs11:model=PKCS%2315;manufacturer=Aktiv%20Co.;serial=0000000031296725;token=Rutoken%20ECP%20%28User%20PIN%29;id=%6e%65%77%6b%65%79%73%65%74;object=user;type=public
	Type: Public key
	Label: user
	Flags: CKA_WRAP/UNWRAP; CKA_SENSITIVE;
	ID: 6e:65:77:6b:65:79:73:65:74

[kostousov-ds@irtysh 20:30:11]~(0)% certtool --provider /usr/lib64/opensc-pkcs11.so --generate-request --load-privkey "pkcs11:model=PKCS%2315;manufacturer=Aktiv%20Co.;serial=0000000031296725;token=Rutoken%20ECP%20%28User%20PIN%29;id=%6e%65%77%6b%65%79%73%65%74;object=user;type=private" --outfile cert.csr
Generating a PKCS #10 certificate request...
Token 'Rutoken ECP (User PIN)' with URL 'pkcs11:model=PKCS%2315;manufacturer=Aktiv%20Co.;serial=0000000031296725;token=Rutoken%20ECP%20%28User%20PIN%29' requires user PIN
Enter PIN:
Common name: Some User
Organizational unit name:
Organization name:
Locality name:
State or province name:
Country name (2 chars):
Enter the subject's domain component (DC):
UID:
Enter a dnsName of the subject of the certificate:
Enter a URI of the subject of the certificate:
Enter the IP address of the subject of the certificate:
Enter the e-mail of the subject of the certificate:
Enter a challenge password:
Does the certificate belong to an authority? (y/N):
Will the certificate be used for signing (DHE ciphersuites)? (Y/n):
Will the certificate be used for encryption (RSA ciphersuites)? (Y/n):
Is this a TLS web client certificate? (y/N):
Is this a TLS web server certificate? (y/N):
sign: PKCS #11 error.
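The same key is referred to four ways across this report: the hex --id given to pkcs11-tool (6e65776b6579736574), the engine_pkcs11 URI pkcs11:id=newkeyset, the legacy slot_1-id_6e65776b6579736574 form, and p11tool's percent-encoded URL with its colon-separated ID display. The added example below (not code from the report, OpenSC, libp11 or GnuTLS) parses RFC 7512 PKCS#11 URIs and normalises all four spellings to the raw CKA_ID bytes, so a practitioner can confirm that every tool is actually addressing the same object before blaming the signing path; the sample values are copied from the comments above.

```python
"""Normalise the key-reference spellings used by pkcs11-tool, engine_pkcs11 and p11tool."""
import re
from urllib.parse import unquote_to_bytes

# Legacy engine_pkcs11 key spec: slot_<n>-id_<hex>
_LEGACY = re.compile(r"^slot_(\d+)-id_([0-9a-fA-F]+)$")


def parse_pkcs11_uri(uri: str) -> dict:
    """Parse an RFC 7512 'pkcs11:' URI into its path attributes (percent-decoded bytes).

    The query part (after '?', e.g. module-path) is ignored here; only path
    attributes such as token, serial, id, object and type are returned.
    """
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path, _, _query = uri[len("pkcs11:"):].partition("?")
    attrs = {}
    for component in path.split(";"):
        if not component:
            continue
        name, sep, value = component.partition("=")
        if not sep:
            raise ValueError(f"malformed URI component {component!r}")
        # Percent-decoding yields raw bytes: %2315 -> b'#15', %6e -> b'n'.
        attrs[name] = unquote_to_bytes(value)
    return attrs


def key_id_bytes(ref: str) -> bytes:
    """Return the CKA_ID bytes for a key reference in any of the tools' spellings."""
    if ref.startswith("pkcs11:"):
        attrs = parse_pkcs11_uri(ref)
        if "id" not in attrs:
            raise ValueError("URI carries no id attribute")
        return attrs["id"]
    legacy = _LEGACY.match(ref)
    if legacy:
        return bytes.fromhex(legacy.group(2))
    # pkcs11-tool --id form (6e65...) or p11tool's display form (6e:65:...).
    return bytes.fromhex(ref.replace(":", ""))


def same_key(*refs: str) -> bool:
    """True when every reference resolves to the identical CKA_ID."""
    return len({key_id_bytes(r) for r in refs}) == 1


# Values taken from the report above.
P11TOOL_PRIVATE_URL = ("pkcs11:model=PKCS%2315;manufacturer=Aktiv%20Co.;serial=0000000031296725;"
                       "token=Rutoken%20ECP%20%28User%20PIN%29;id=%6e%65%77%6b%65%79%73%65%74;"
                       "object=user;type=private")
REFERENCES = ("pkcs11:id=newkeyset", "6e65776b6579736574",
              "slot_1-id_6e65776b6579736574", "6e:65:77:6b:65:79:73:65:74", P11TOOL_PRIVATE_URL)
```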
Now I realized that this is a rutoken. Does it do normal ECDSA, or does it only provide GOST? If it is the latter, most likely you are missing the openssl GOST engine. I don't think there is a package for it in Fedora (and gnutls doesn't yet support GOST).
I forgot option "--finalize"