我有 softhsm-v2.5.0-rc1,其中导入了 ec 密钥。现在,当我尝试使用 pkcs11 引擎从 openssl CLI 使用这些密钥时,它会失败。
SoftHSM 版本
[]:~$ softhsm2-util --version 2.5.0rc1SoftHSM 令牌初始化
[]:~$ softhsm2-util --init-token --slot 0 --label "token 2.5.0-rc1" === SO PIN (4-255 characters) === Please enter SO PIN: **** Please reenter SO PIN: **** === User PIN (4-255 characters) === Please enter user PIN: **** Please reenter user PIN: **** The token has been initialized and is reassigned to slot 928024111pkcs8 格式的 ECC 密钥
[]:~$ openssl pkey -in ~/tmp/secp256k1-key.pem.pkcs8 -text -----BEGIN PRIVATE KEY----- MIGEAgEAMBAGByqGSM49AgEGBSuBBAAKBG0wawIBAQQgYCXpIJyEAexhkvrCMGlF A4sQItcIp6wm83WVoeOFzEyhRANCAATMfAkLtsynHRmRyYLn+uRpJUm6bOZJBQhK N81nJv06fN6MY0nEzWG9jJsvSNlf5jW7yecbje2wWQL/JYqviFwr -----END PRIVATE KEY----- Private-Key: (256 bit) priv: 60:25:e9:20:9c:84:01:ec:61:92:fa:c2:30:69:45: 03:8b:10:22:d7:08:a7:ac:26:f3:75:95:a1:e3:85: cc:4c pub: 04:cc:7c:09:0b:b6:cc:a7:1d:19:91:c9:82:e7:fa: e4:69:25:49:ba:6c:e6:49:05:08:4a:37:cd:67:26: fd:3a:7c:de:8c:63:49:c4:cd:61:bd:8c:9b:2f:48: d9:5f:e6:35:bb:c9:e7:1b:8d:ed:b0:59:02:ff:25: 8a:af:88:5c:2b ASN1 OID: secp256k1将密钥导入softhsm
[]:~$ softhsm2-util --import ~/tmp/secp256k1-key.pem.pkcs8 --label "ec key" --id 1111 --token "token 2.5.0-rc1" Found slot 928024111 with matching token label. === User PIN (4-255 characters) === Please enter user PIN: **** Please reenter user PIN: **** The key pair has been imported.获取私钥的 pkcs11 url
[]:~$ p11tool --login --provider=/usr/local/lib/softhsm/libsofthsm2.so --set-pin=1111 --list-all Object 0: URL: pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=6a160d52b750862f;token=token%202.5.0-rc1;id=%11%11;object=ec%20key;type=private Type: Private key Label: ec key Flags: CKA_PRIVATE; CKA_SENSITIVE; ID: 11:11 Object 1: URL: pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=6a160d52b750862f;token=token%202.5.0-rc1;id=%11%11;object=ec%20key;type=public Type: Public key Label: ec key ID: 11:11尝试使用 openssl 引擎访问密钥。
[]:~$ openssl version OpenSSL 1.1.1 11 Sep 2018 []:~$ more ~/tmp/openssl.cnf openssl_conf = openssl_init [openssl_init] engines=engine_section [engine_section] pkcs11 = pkcs11_section [pkcs11_section] engine_id = pkcs11 dynamic_path = /Users/parashah/Downloads/libp11-0.4.9/src/.libs/pkcs11.dylib MODULE_PATH = /usr/local/lib/softhsm/libsofthsm2.so init = 0 []:~$ openssl pkey -in "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=6a160d52b750862f;token=token%202.5.0-rc1;id=%11%11;object=ec%20key;type=private" -inform ENGINE -engine pkcs11 -text engine "pkcs11" set. Enter PKCS#11 token PIN for token 2.5.0-rc1: 140736065815424:error:100C0010:elliptic curve routines:i2d_ECPrivateKey:EC lib:crypto/ec/ec_asn1.c:995: 140736065815424:error:100D6010:elliptic curve routines:eckey_priv_encode:EC lib:crypto/ec/ec_ameth.c:242: 140736065815424:error:06071092:digital envelope routines:EVP_PKEY2PKCS8:private key encode error:crypto/evp/evp_pkey.c:72: 140736065815424:error:0907E073:PEM routines:do_pk8pkey:error converting private key:crypto/pem/pem_pk8.c:73:
====
只是为了完整性,执行完全相同的步骤,但对于 RSA 密钥工作正常