Comments (17)

dengert commented on June 16, 2024

First of all, OpenSSL does not export the ecs_locl.h that is needed by
libp11 that is used by the engine to use ECC.
So please ask OpenSSL to addrsss the bugs listed below.

See:
http://www.mail-archive.com/[email protected]/msg31530.html
and my responses to that note.

That contains:
But note that an engine that supports ECC needs access to
ecdsa_method in ecs_locl.h (I have OpenSC engine that needs this.)

See these bug reports that are over a year and a half old:

http://rt.openssl.org/Ticket/Display.html?id=2568&user=guest&pass=guest
http://rt.openssl.org/Ticket/Display.html?id=2459&user=guest&pass=guest

But one can build the libp11 with ECC support by copying the ecs_locl.h for now.

from opensc.

dengert commented on June 16, 2024

Attached is a diff file that was last built in 2011. But libp11 has not changed much.
Giv it a try.

On 8/28/2013 8:36 AM, sanaullah82 wrote:

Hi,
I have compiled the softhsm with ECC and openssl support. I can create the ECC based key pair using PKCS11-tool but when i try to generate the csr using openssl pkcs11 engine after loading the modules
with the following command.
engine dynamic -pre SO_PATH:/usr/lib/ssl/engines/engine_pkcs11.so
-pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre
MODULE_PATH:/usr/local/lib/softhsm/libsofthsm.so
(dynamic) Dynamic engine loading support

Loaded: (pkcs11) pkcs11 engin

after this when i tried to generate the CSR using openssl based on ECC keys generated by pkcs11-tool in softhsm. I am getting the following error.

req -engine pkcs11 -new -key id_04 -keyform engine -out req.pem
engine "pkcs11" set.
key not found.
PKCS11_get_private_key returned NULL
cannot load Private Key from engine
3073751240:error:26096080:engine
routines:ENGINE_load_private_key:failed loading private
key:eng_pkey.c:126:
unable to load Private Key
error in req

Can i generate the CSR using pkcs11-tool? or something i am missing with openssl to read the keys?

Regards,
Sanaullah

—
Reply to this email directly or view it on GitHub #178.

Douglas E. Engert [email protected]
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

Index: src/Makefile.mak

--- src/Makefile.mak (revision 197)
+++ src/Makefile.mak (working copy)
@@ -10,7 +10,7 @@
TARGET = libp11.dll

OBJECTS = libpkcs11.obj p11_attr.obj p11_cert.obj p11_err.obj \

p11_key.obj p11_load.obj p11_misc.obj p11_rsa.obj p11_slot.obj p11_ops.obj
p11_key.obj p11_load.obj p11_misc.obj p11_rsa.obj p11_ec.obj p11_slot.obj p11_ops.obj

all: $(TARGET) versioninfo.res

Index: src/p11_ec.c

--- src/p11_ec.c (revision 0)
+++ src/p11_ec.c (revision 0)
@@ -0,0 +1,251 @@
+/* libp11, a simple layer on to of PKCS#11 API

* Copyright (C) 2005 Olaf Kirch [email protected]
* Copyright (C) 2011 Douglas E. Engert [email protected]
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
* You should have received a copy of the GNU Lesser General Public
* License along with this library; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
/
+
+/
* This file implements the handling of EC keys stored on a
* PKCS11 token
/
+
+#include <config.h>
+#include <string.h>
+#include <openssl/opensslv.h>
+#include <openssl/opensslconf.h>
+
+#if defined(BUILD_WITH_EC) && !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_ECDSA)
+/ OpenSSL has ECDSA_METHOD defined in internal header file ecs_locl.h
* For now:
* CPPFLAGS="-DBUILD_WITH_EC -I/path.to.openssl-1.0.0a/crypto/ecdh"
* See OpenSSL bug report #2459 02/23/2011
* When this is fixed, the BUILD_WITH_EC test can be removed
*
* TODO ECDH_METHOD is in ech_locl.h too!
/
+
+#include "ecs_locl.h"
+#include <openssl/evp.h>
+#include <openssl/ec.h>
+#include <openssl/ecdsa.h>
+#include "libp11-int.h"
+
+static int pkcs11_get_ec_public(PKCS11_KEY *, EVP_PKEY *);
+static int pkcs11_get_ec_private(PKCS11_KEY *, EVP_PKEY *);
+
+
+/
* Get EC key material and stach pointer in ex_data
* Note we get called twice, once for private key, and once for public
* We need to get the EC_PARAMS and EC_POINT into both,
* as lib11 dates from RSA only where all the pub key components
* were also part of the privite key. With EC the point
* is not in the privite key, and the params may or may not be.
*
*/
+static int pkcs11_get_ec_private(PKCS11_KEY * key, EVP_PKEY * pk)
+{
CK_BBOOL sensitive, extractable;
EC_KEY * ec = NULL;
CK_RV ckrv;
int rv;
size_t ec_paramslen = 0;
CK_BYTE * ec_params = NULL;
size_t ec_pointlen = 0;
CK_BYTE * ec_point = NULL;
PKCS11_KEY * prkey;
PKCS11_KEY * pubkey;
ASN1_OCTET_STRING *os=NULL;
if (key->isPrivate) { /* Are we being called for the prive or pub key */
```
  prkey = key;
```

  pubkey = PKCS11_find_key_from_key(key);

} else {
```
  pubkey = key;
```

  prkey = PKCS11_find_key_from_key(key);

}

+fprintf(stderr,"%s:%d %p %p\n",FUNCTION,LINE,key, pk);
+fprintf(stderr,"%s:%d %p %p\n",FUNCTION,LINE, prkey, pubkey);
+

if (!(ec = EVP_PKEY_get1_EC_KEY(pk))) {

  ERR_clear_error();  /\* the above flags an error */

```
  ec = EC_KEY_new();
```
+fprintf(stderr,"%s:%d \n",FUNCTION,LINE);
```
  EVP_PKEY_set1_EC_KEY(pk, ec);
```
}

if (prkey) {

  if (key_getattr(prkey, CKA_SENSITIVE, &sensitive, sizeof(sensitive))

      || key_getattr(prkey, CKA_EXTRACTABLE, &extractable, sizeof(extractable))) {

```
      EC_KEY_free(ec);
```
+fprintf(stderr,"%s:%d \n",FUNCTION,LINE);
```
      return -1;
```
```
  }
```

  /\* For Openssl req we need at least the

   \* EC_KEY_get0_group(ec_key)) to return the group.

   \* Even if it fails will continue as a sign only does not need

   \* need this if the pkcs11 or card can figure this out.

```
   */ 
```

  if (key_getattr_var(prkey, CKA_EC_PARAMS, NULL, &ec_paramslen) == CKR_OK &&

```
          ec_paramslen > 0) {
```

      ec_params = malloc(ec_paramslen);

      ckrv = key_getattr_var(prkey, CKA_EC_PARAMS, ec_params, &ec_paramslen);

+fprintf(stderr,"%s:%d 0x%08x %p %d\n",FUNCTION,LINE,ckrv,ec_params, ec_paramslen);

```
      if (ckrv == CKR_OK) {
```

          const unsigned char \* a = ec_params;

          /\* convert to OpenSSL parmas */

          d2i_ECParameters(&ec, &a, ec_paramslen);

```
      }
```
```
  }
```
}

/* Now get the ec_point */
if (pubkey) {

  if (key_getattr_var(pubkey, CKA_EC_POINT, NULL, &ec_pointlen) == CKR_OK &&

```
              ec_pointlen > 0) {
```
```
      ec_point = malloc(ec_pointlen);
```

      ckrv = key_getattr_var(pubkey, CKA_EC_POINT, ec_point, &ec_pointlen);

+fprintf(stderr,"%s:%d 0x%08x %p %d\n",FUNCTION,LINE,ckrv,ec_point, ec_pointlen);

```
      if (ckrv == CKR_OK) {
```

          /\* PKCS#11 returns ASN1 octstring*/

```
          const unsigned char \* a;
```

          /\*  we have asn1 octet string, need to strip off 04 len */

```
          a = ec_point;
```

          os = d2i_ASN1_OCTET_STRING(NULL, &a, ec_pointlen);

```
          if (os) {
```
```
              a = os->data;
```

              o2i_ECPublicKey(&ec, &a, os->length);

```
          }
```
+EC_KEY_print_fp(stderr, ec, 5);
+fprintf(stderr,"%s:%d\n",FUNCTION,LINE);
```
      }
```
```
  }
```
}
+fprintf(stderr,"%s:%d %p \n",FUNCTION,LINE,ec);

/* If the key is not extractable, create a key object
* that will use the card's functions to sign & decrypt
*/
if (os)
```
  M_ASN1_OCTET_STRING_free(os);
```
if (ec_point)
```
  free(ec_point);
```
if (ec_params)
```
  free(ec_params);
```
if (sensitive || !extractable) {
```
  ECDSA_set_ex_data(ec, 0, key);
```
+fprintf(stderr,"%s:%d %p \n",FUNCTION,LINE,ec);
```
  return 0;
```
}

return -1;
+}

+static int pkcs11_get_ec_public(PKCS11_KEY * key, EVP_PKEY * pk)
+{

/* TBD */
+fprintf(stderr,"%s:%d %p %p \n",FUNCTION,LINE,key,pk);
return pkcs11_get_ec_private(key, pk);
+}

+/* TODO Looks like this is never called */
+static int pkcs11_ecdsa_do_sign_setup(EC_KEY *ec, BN_CTX *ctx_in,

BIGNUM *_kinvp, BIGNUM *_rp) {

+fprintf(stderr,"%s:%d \n",FUNCTION,LINE);
+

if (*kinvp != NULL)
```
  BN_clear_free(*kinvp);
```
*kinvp = BN_new();

if (*rp != NULL)
```
  BN_clear_free(*rp);
```
*rp = BN_new();
return 1;
+}

+static ECDSA_SIG * pkcs11_ecdsa_do_sign(const unsigned char *dgst, int dlen,

      const BIGNUM *inv, const BIGNUM *r, EC_KEY \* ec)

int type;
unsigned char sigret[512]; /* HACK for now */
ECDSA_SIG * sig = NULL;
PKCS11_KEY * key = NULL;
int siglen;
int nLen = 48; /* HACK */;
int rv;

+fprintf(stderr,"%s:%d dgst %p:%d %p\n",FUNCTION,LINE,dgst,dlen,ec);

key = (PKCS11_KEY *) ECDSA_get_ex_data(ec, 0);
if (key == NULL)
```
  return NULL;
```
siglen = sizeof(sigret);
rv = PKCS11_ecdsa_sign(dgst,dlen,sigret,&siglen, key);
nLen = siglen / 2;
if (rv > 0) {
```
  sig = ECDSA_SIG_new();
```
```
  if (sig) { 
```

      BN_bin2bn(&sigret[0], nLen, sig->r);

      BN_bin2bn(&sigret[nLen], nLen, sig->s);

```
  }
```
}
return sig;
+}

+/*

* Overload the default OpenSSL methods for ECDSA
*/
+ECDSA_METHOD *PKCS11_get_ecdsa_method(void)
+{
static ECDSA_METHOD ops;

+fprintf(stderr,"%s:%d\n",FUNCTION,LINE);

if (!ops.ecdsa_do_sign) {
```
  ops = *ECDSA_get_default_method();
```

  ops.ecdsa_do_sign = pkcs11_ecdsa_do_sign;

  ops.ecdsa_sign_setup = pkcs11_ecdsa_do_sign_setup;

}
return &ops;
+}

+PKCS11_KEY_ops pkcs11_ec_ops = {

EVP_PKEY_EC,
pkcs11_get_ec_public,
pkcs11_get_ec_private
+};

+#else
+/* if not built with EC or OpenSSL does not support ECDSA

* add these so engine_pocs11 can be built now and not
* require further changes */
+void * PKCS11_get_ecdsa_method(void)
+{
+#if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_ECDSA)
return ECDSA_get_default_method();
+#else
+fprintf(stderr,"ECDSA support not built with libp11\n");
return NULL;
+#endif
+}
+#endif /*BUILD_WITH_EC OPENSSL_NO_EC */
Index: src/p11_key.c
===================================================================
--- src/p11_key.c (revision 197)
+++ src/p11_key.c (working copy)
@@ -51,6 +51,7 @@
{
PKCS11_TOKEN_private *priv = PRIVTOKEN(token);

+fprintf(stderr,"%s %s:%d\n",FILE,FUNCTION,LINE);
if (priv->nkeys < 0) {
priv->nkeys = 0;
if (pkcs11_find_keys(token, CKO_PRIVATE_KEY)) {
@@ -78,6 +79,7 @@
PKCS11_KEY *key;
unsigned int n, count;

+fprintf(stderr,"%s %s:%d\n",FILE,FUNCTION,LINE);
cpriv = PRIVCERT(cert);
if (PKCS11_enumerate_keys(CERT2TOKEN(cert), &key, &count))
return NULL;
@@ -91,6 +93,35 @@
}

* Find key matching a key of the other type pub vs priv
*/
+PKCS11_KEY *PKCS11_find_key_from_key(PKCS11_KEY * keyin)
+{
```
  PKCS11_TOKEN_private *tpriv;
```
```
   PKCS11_KEY_private *kinpriv;
```
```
   PKCS11_KEY_private *kpriv;
```
```
   PKCS11_KEY *key;
```
```
  int isprivate;
```
```
   unsigned int n, count;
```
+fprintf(stderr,"%s %s:%d\n",FILE,FUNCTION,LINE);
```
  kinpriv = PRIVKEY(keyin);
```
```
  tpriv = KEY2TOKEN(keyin);
```

   PKCS11_enumerate_keys(KEY2TOKEN(keyin), &key, &count);

  /\* We want to use all the keys, the above only returns count for private */

```
  count = tpriv->nkeys;
```

  if (count < 2)  /\* must be at least two key to have a match */

```
          return;
```

   for (n = 0; n < count; n++, key++) {

```
           kpriv = PRIVKEY(key);
```

          if (keyin->isPrivate != key->isPrivate

              && kinpriv->id_len == kpriv->id_len

               && !memcmp(kinpriv->id, kpriv->id, kinpriv->id_len))

```
                   return key;
```
```
   }
```
```
   return NULL;
```
+}
+/*
- Store a private key on the token
  */
  int PKCS11_store_private_key(PKCS11_TOKEN * token, EVP_PKEY * pk, char *label, unsigned char *id, size_t id_len)
  @@ -168,6 +199,7 @@
  {
  PKCS11_KEY_private *priv = PRIVKEY(key);

+fprintf(stderr,"%s %s:%d\n",FILE,FUNCTION,LINE);
if (key->evp_key == NULL) {
EVP_PKEY *pk = EVP_PKEY_new();
if (pk == NULL)
@@ -185,6 +217,7 @@

EVP_PKEY *PKCS11_get_public_key(PKCS11_KEY * key)
{
+fprintf(stderr,"%s %s:%d\n",FILE,FUNCTION,LINE);
return PKCS11_get_private_key(key);
}

@@ -199,6 +232,7 @@
CK_SESSION_HANDLE session;
int rv, res = -1;

+fprintf(stderr,"%s %s:%d\n",FILE,FUNCTION,LINE);
/* Make sure we have a session */
if (!PRIVSLOT(slot)->haveSession && PKCS11_open_session(slot, 0))
return -1;
@@ -225,6 +259,7 @@
CK_ULONG count;
int rv;

+fprintf(stderr,"%s %s:%d\n",FILE,FUNCTION,LINE);
/* Get the next matching object */
rv = CRYPTOKI_call(ctx, C_FindObjects(session, &obj, 1, &count));
CRYPTOKI_checkerr(PKCS11_F_PKCS11_ENUM_KEYS, rv);
@@ -251,6 +286,7 @@
PKCS11_KEY_ops *ops;
size_t size;

+fprintf(stderr,"%s %s:%d\n",FILE,FUNCTION,LINE);
size = sizeof(key_type);
if (pkcs11_getattr_var(token, obj, CKA_KEY_TYPE, &key_type, &size))
return -1;
@@ -259,6 +295,9 @@
case CKK_RSA:
ops = &pkcs11_rsa_ops;
break;

case CKK_EC:
```
  ops = &pkcs11_ec_ops;
```
```
  break;
```
default:
/* Ignore any keys we don't understand */
return 0;
@@ -307,6 +346,7 @@
{
PKCS11_TOKEN_private *priv = PRIVTOKEN(token);

+fprintf(stderr,"%s %s:%d\n",FILE,FUNCTION,LINE);
while (priv->nkeys > 0) {
PKCS11_KEY *key = &priv->keys[--(priv->nkeys)];

Index: src/libp11.exports

--- src/libp11.exports (revision 197)
+++ src/libp11.exports (working copy)
@@ -34,4 +34,5 @@
PKCS11_seed_random
PKCS11_generate_random
PKCS11_get_rsa_method
+PKCS11_get_ecdsa_method
ERR_load_PKCS11_strings

Index: src/p11_ops.c

--- src/p11_ops.c (revision 197)
+++ src/p11_ops.c (working copy)
@@ -24,6 +24,49 @@
#include <string.h>
#include "libp11-int.h"

+#ifdef BUILD_WITH_EC
+int
+PKCS11_ecdsa_sign(const unsigned char *m, unsigned int m_len,

```
  unsigned char _sigret, unsigned int *siglen, const PKCS11_KEY \* key)
```
+{
+/_ signature size is the issue, will assume caller has a big buffer ! /
+/ No padding or other stuff needed, we can cal PKCS11 from here */
int rv;
PKCS11_KEY_private *priv;
PKCS11_SLOT *slot;
PKCS11_CTX *ctx;
CK_SESSION_HANDLE session;
CK_MECHANISM mechanism;
CK_ULONG ck_sigsize;

ctx = KEY2CTX(key);
priv = PRIVKEY(key);
slot = TOKEN2SLOT(priv->parent);
session = PRIVSLOT(slot)->session;

ck_sigsize = *siglen;

memset(&mechanism, 0, sizeof(mechanism));
mechanism.mechanism = CKM_ECDSA;

if((rv = CRYPTOKI_call(ctx, C_SignInit

             (session, &mechanism, priv->object))) == 0) {

```
  rv = CRYPTOKI_call(ctx, C_Sign
```

             (session, (CK_BYTE *) m, m_len,

```
              sigret, &ck_sigsize));
```
}

if (rv) {

  PKCS11err(PKCS11_F_PKCS11_EC_KEY_SIGN, pkcs11_map_err(rv));

```
  return -1;
```
}
*siglen = ck_sigsize;

return ck_sigsize;
+}
+#endif /* BUILD_WITH_EC _/

+/_ Following used for RSA /
int
PKCS11_sign(int type, const unsigned char m, unsigned int m_len,
unsigned char sigret, unsigned int siglen, const PKCS11_KEY * key)
Index: src/libp11-int.h

--- src/libp11-int.h (revision 197)
+++ src/libp11-int.h (working copy)
@@ -143,6 +143,9 @@
#define key_getattr_bn(key, t, bn)
pkcs11_getattr_bn(KEY2TOKEN((key)), PRIVKEY((key))->object, (t), (bn))

+#define key_getattr_var(key, t, p, s) \

pkcs11_getattr_var(KEY2TOKEN((key)), PRIVKEY((key))->object, (t), (p), (s))

typedef int (pkcs11_i2d_fn) (void *, unsigned char *);
extern void pkcs11_addattr(CK_ATTRIBUTE_PTR, int, const void *, size_t);
extern void pkcs11_addattr_int(CK_ATTRIBUTE_PTR, int, unsigned long);
@@ -155,5 +158,6 @@
extern void *memdup(const void *, size_t);

extern PKCS11_KEY_ops pkcs11_rsa_ops;
+extern PKCS11_KEY_ops pkcs11_ec_ops;

#endif

Index: src/Makefile.am

--- src/Makefile.am (revision 197)
+++ src/Makefile.am (working copy)
@@ -9,7 +9,7 @@
pkgconfig_DATA = libp11.pc

libp11_la_SOURCES = libpkcs11.c p11_attr.c p11_cert.c p11_err.c p11_key.c \

p11_load.c p11_misc.c p11_ops.c p11_rsa.c p11_slot.c \
p11_load.c p11_misc.c p11_ops.c p11_rsa.c p11_ec.c p11_slot.c
libp11.exports
if WIN32
libp11_la_SOURCES += versioninfo.rc
Index: src/libp11.h
===================================================================
--- src/libp11.h (revision 197)
+++ src/libp11.h (working copy)
@@ -258,6 +258,9 @@
/* Find the corresponding key (if any) */
extern PKCS11_KEY *PKCS11_find_key(PKCS11_CERT *);

+/* Find the corresponding key (if any) pub <-> priv base on label /
+extern PKCS11_KEY *PKCS11_find_key_from_key(PKCS11_KEY *);
+
/ Get a list of all certificates associated with this token /
extern int PKCS11_enumerate_certs(PKCS11_TOKEN *, PKCS11_CERT *, unsigned int *);

@@ -413,6 +416,8 @@
#define PKCS11_F_PKCS11_GENERATE_RANDOM 21
#define PKCS11_F_PKCS11_CHANGE_PIN 22
#define PKCS11_F_PKCS11_GETATTR 40
+#define PKCS11_F_PKCS11_EC_KEY_SIGN 41
+#define PKCS11_F_PKCS11_EC_KEY_VERIFY 42

#define PKCS11_ERR_BASE 1024
#define PKCS11_LOAD_MODULE_ERROR (PKCS11_ERR_BASE+1)

from opensc.

sanaullah82 commented on June 16, 2024

Thanks for the support.
I was using the libp11-2 0.2.8-2 version provided by ubuntu 12.04. as per your comments I have to recompile the code with ecs_local.h.let I will try this.

from opensc.

sanaullah82 commented on June 16, 2024

I read the libp11 patch link...
here I am confused little bit.. as you can see the path is exported to openssl and then run configure? its seems its applying the patch to openssl and compile the openssl not libp11
Can you please clarify little bit where to apply the patch? either libp11 or openssl

So if anyone is interested, these mods can be used by building libp11:

export CPPFLAGS="-DBUILD_WITH_EC -I/some.path/openssl-1.0.0a/crypto/ecdsa/"
./configure

The code will then find #include "ecs_locl.h";

When OpenSSL addresses #r2459 the modification can be updated.

from opensc.

sanaullah82 commented on June 16, 2024

there are some issues with patch. its not patching up.. getting the maloform error for pk11_key.c.. any one can have a tested copy of the patch ?

Index: src/p11_key.c

--- src/p11_key.c (revision 197)
+++ src/p11_key.c (working copy)
@@ -51,6 +51,7 @@
{
PKCS11_TOKEN_private *priv = PRIVTOKEN(token);

+fprintf(stderr,"%s %s:%d\n",FILE,FUNCTION,LINE);
cpriv = PRIVCERT(cert);
if (PKCS11_enumerate_keys(CERT2TOKEN(cert), &key, &count))
return NULL;
@@ -91,6 +93,35 @@
}

* Find key matching a key of the other type pub vs priv
*/
+PKCS11_KEY *PKCS11_find_key_from_key(PKCS11_KEY * keyin)
+{
```
          PKCS11_TOKEN_private *tpriv;
```
```
   PKCS11_KEY_private *kinpriv;
```
```
   PKCS11_KEY_private *kpriv;
```
```
   PKCS11_KEY *key;
```
```
          int isprivate;
```
```
   unsigned int n, count;
```
+fprintf(stderr,"%s %s:%d\n",FILE,FUNCTION,LINE);
```
          kinpriv = PRIVKEY(keyin);
```
```
          tpriv = KEY2TOKEN(keyin);
```

   PKCS11_enumerate_keys(KEY2TOKEN(keyin), &key, &count);

          /\* We want to use all the keys, the above only returns count

for private */

```
          count = tpriv->nkeys;
```

          if (count < 2)  /\* must be at least two key to have a match */

```
                          return;
```

   for (n = 0; n < count; n++, key++) {

```
           kpriv = PRIVKEY(key);
```

                          if (keyin->isPrivate != key->isPrivate

                  && kinpriv->id_len == kpriv->id_len

               && !memcmp(kinpriv->id, kpriv->id, kinpriv->id_len))

```
                   return key;
```
```
   }
```
```
   return NULL;
```
+}
+/*
- Store a private key on the token
  */
  int PKCS11_store_private_key(PKCS11_TOKEN * token, EVP_PKEY * pk, char *label,
  unsigned char *id, size_t id_len)
  @@ -168,6 +199,7 @@
  {
  PKCS11_KEY_private *priv = PRIVKEY(key);

+fprintf(stderr,"%s %s:%d\n",FILE,FUNCTION,LINE);
if (key->evp_key == NULL) {
EVP_PKEY *pk = EVP_PKEY_new();
if (pk == NULL)
@@ -185,6 +217,7 @@

EVP_PKEY *PKCS11_get_public_key(PKCS11_KEY * key)
{
+fprintf(stderr,"%s %s:%d\n",FILE,FUNCTION,LINE);
return PKCS11_get_private_key(key);
}

@@ -199,6 +232,7 @@
CK_SESSION_HANDLE session;
int rv, res = -1;

```
  case CKK_EC:
```
```
          ops = &pkcs11_ec_ops;
```

          break;
default:
        /\* Ignore any keys we don't understand */
        return 0;

@@ -307,6 +346,7 @@
{
PKCS11_TOKEN_private *priv = PRIVTOKEN(token);

+fprintf(stderr,"%s %s:%d\n",FILE,FUNCTION,LINE);
while (priv->nkeys > 0) {
PKCS11_KEY *key = &priv->keys[--(priv->nkeys)];

from opensc.

dengert commented on June 16, 2024

On 8/29/2013 1:48 AM, sanaullah82 wrote:

I read the libp11 patch link...
here I am confused little bit.. as you can see the path is exported to openssl and then run configure? its seems its applying the patch to openssl and compile the openssl not libp11
Can you please clarify little bit where to apply the patch? either libp11 or openssl

So if anyone is interested, these mods can be used by building libp11:

export CPPFLAGS="-DBUILD_WITH_EC -I/some.path/openssl-1.0.0a/crypto/ecdsa/"

The export is the sh or bash export command to set the CPPFLAGS in the environment.
It is done before the libp11 ./configure, because the configure does some tests
that need the CPPFLAGS.

The -DBUILD_WITH_EC is used in the compile of libp11 to build with EC support.
The -I tells compiler where it can find the internal OpenSSL header files,
actually only the ecs_locl.h file which has definition of "struct ecdsa_method"

OpenSSL does not install the src/ecdsa/ecs_locl.h file. It is only in the source.
You don't have to compile OpenSSL, just get a copy of ecs_locl.h, that matches
the version of OpenSSL you are running. and put it in some directory
then change -I option point at the directory.

./configure

The code will then find #include "ecs_locl.h";

When OpenSSL addresses #r2459 the modification can be updated.

The OpenSSL bug request is to expose the definition of the ecdsa_method
They expose the RSA_METHOD (rsa_meth_st) which is needed by an engine,
or the libp11 used by the engine so why not the ecdsa_method and ecdh_method

(On the TODO list is to support ECDH using the ecdh_method via the engine.)

—
Reply to this email directly or view it on GitHub #178 (comment).

Douglas E. Engert [email protected]
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

from opensc.

dengert commented on June 16, 2024

On 8/29/2013 4:19 AM, sanaullah82 wrote:

there are some issues with patch. its not patching up.. getting the maloform error for pk11_key.c.. any one can have a tested copy of the patch ?

The patch was from 2011, against the libp11-svn version 197.

What is a "maloform error"?
Is this from patch? If so what hunk failed?

Is this from the compiler?

What version of libp11 are you using?

Index: src/p11_key.c

--- src/p11_key.c (revision 197)
+++ src/p11_key.c (working copy)
@@ -51,6 +51,7 @@
{
PKCS11_TOKEN_private *priv = PRIVTOKEN(token);

+fprintf(stderr,"%s %s:%d\n",FILE,FUNCTION,LINE);
if (priv->nkeys < 0) {
priv->nkeys = 0;
if (pkcs11_find_keys(token, CKO_PRIVATE_KEY)) {
@@ -78,6 +79,7 @@
PKCS11_KEY *key;
unsigned int n, count;

+fprintf(stderr,"%s %s:%d\n",FILE,FUNCTION,LINE);
cpriv = PRIVCERT(cert);
if (PKCS11_enumerate_keys(CERT2TOKEN(cert), &key, &count))
return NULL;
@@ -91,6 +93,35 @@
}

/*

* Find key matching a key of the other type pub vs priv

*/ +PKCS11_KEY *PKCS11_find_key_from_key(PKCS11_KEY * keyin) +{

PKCS11_TOKEN_private *tpriv;

PKCS11_KEY_private *kinpriv;

PKCS11_KEY_private *kpriv;

PKCS11_KEY *key;

int isprivate;

unsigned int n, count; + +fprintf(stderr,"%s %s:%d\n",FILE,FUNCTION,LINE);

kinpriv = PRIVKEY(keyin);

tpriv = KEY2TOKEN(keyin);

PKCS11_enumerate_keys(KEY2TOKEN(keyin), &key, &count);

/* We want to use all the keys, the above only returns count for private */

count = tpriv->nkeys;

if (count < 2) /* must be at least two key to have a match */

return;

for (n = 0; n < count; n++, key++) {

kpriv = PRIVKEY(key);

if (keyin->isPrivate != key->isPrivate

&& kinpriv->id_len == kpriv->id_len

&& !memcmp(kinpriv->id, kpriv->id, kinpriv->id_len))

return key;

}

return NULL; +} +/*
o Store a private key on the token */ int PKCS11_store_private_key(PKCS11_TOKEN * token, EVP_PKEY * pk, char *label, unsigned char *id, size_t id_len) @@ -168,6 +199,7 @@ { PKCS11_KEY_private
*priv = PRIVKEY(key);

+fprintf(stderr,"%s %s:%d\n",FILE,FUNCTION,LINE);
if (key->evp_key == NULL) {
EVP_PKEY *pk = EVP_PKEY_new();
if (pk == NULL)
@@ -185,6 +217,7 @@

EVP_PKEY *PKCS11_get_public_key(PKCS11_KEY * key)
{
+fprintf(stderr,"%s %s:%d\n",FILE,FUNCTION,LINE);
return PKCS11_get_private_key(key);
}

@@ -199,6 +232,7 @@
CK_SESSION_HANDLE session;
int rv, res = -1;

+fprintf(stderr,"%s %s:%d\n",FILE,FUNCTION,LINE);
/* Make sure we have a session */
if (!PRIVSLOT(slot)->haveSession && PKCS11_open_session(slot, 0))
return -1;
@@ -225,6 +259,7 @@
CK_ULONG count;
int rv;

+fprintf(stderr,"%s %s:%d\n",FILE,FUNCTION,LINE);
/* Get the next matching object */
rv = CRYPTOKI_call(ctx, C_FindObjects(session, &obj, 1, &count));
CRYPTOKI_checkerr(PKCS11_F_PKCS11_ENUM_KEYS, rv);
@@ -251,6 +286,7 @@
PKCS11_KEY_ops *ops;
size_t size;

+fprintf(stderr,"%s %s:%d\n",FILE,FUNCTION,LINE);
size = sizeof(key_type);
if (pkcs11_getattr_var(token, obj, CKA_KEY_TYPE, &key_type, &size))
return -1;
@@ -259,6 +295,9 @@
case CKK_RSA:
ops = &pkcs11_rsa_ops;
break;

case CKK_EC:

ops = &pkcs11_ec_ops;

break; default: /* Ignore any keys we don't understand */ return 0; @@ -307,6 +346,7 @@ { PKCS11_TOKEN_private *priv = PRIVTOKEN(token);

+fprintf(stderr,"%s %s:%d\n",FILE,FUNCTION,LINE);
while (priv->nkeys > 0) {
PKCS11_KEY *key = &priv->keys[--(priv->nkeys)];

—
Reply to this email directly or view it on GitHub #178 (comment).

Douglas E. Engert [email protected]
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

from opensc.

sanaullah82 commented on June 16, 2024

I am using 0.2.8-2 library.
and malformed error is on line 62 of the patch in p11_key.c file. but i compared those line with the patch one havnt seen much diference except some +fprint
the error are from patch implementation.

from opensc.

frankmorgner commented on June 16, 2024

@sanaullah82 has your problem been solved?

from opensc.

sanaullah82 commented on June 16, 2024

its was solved.

On Tue, Oct 28, 2014 at 2:41 AM, Frank Morgner [email protected]
wrote:

@sanaullah82 https://github.com/sanaullah82 has your problem been
solved?

—
Reply to this email directly or view it on GitHub
#178 (comment).

from opensc.

dengert commented on June 16, 2024

Actually it is not solved. This should be a libp11 problem, waiting for OpenSSL to expose some
of the internal headers. See above comments. I have the code for ECDSA and ECDH in libp11,
but it depends on the internal OpenSSL headers. So far no one else has been interested in using the opensc_engine with ECC that needs the libp11 partches.

from opensc.

sanaullah82 commented on June 16, 2024

Agreed with Doug Engret, Doug help me to resolve this issue using some
libp11 patches.

On Wed, Oct 29, 2014 at 12:34 AM, Doug Engert [email protected]
wrote:

Actually it is not solved. This should be a libp11 problem, waiting for
OpenSSL to expose some
of the internal headers. See above comments. I have the code for ECDSA and
ECDH in libp11,
but it depends on the internal OpenSSL headers. So far no one else has
been interested in using the opensc_engine with ECC that needs the libp11
partches.

—
Reply to this email directly or view it on GitHub
#178 (comment).

from opensc.

frankmorgner commented on June 16, 2024

So if I am reading the correspondence correctly, then the 'fix' would require

Porting the changes to the current libp11
Patching OpenSSL for exporting the required functionality

The first point is doable since it's a subproject of OpenSC. However, it's unclear when/whether the second problem can be solved. What about creating a git submodule of OpenSSL in libp11 that contain the required changes. Then ./configure libp11 with installing the patched version of OpenSSL. This at least is what we can do in this project that's independant from the OpenSSL team...

from opensc.

dengert commented on June 16, 2024

On 10/29/2014 7:34 AM, Frank Morgner wrote:

So if I am reading the correspondence correctly, then the 'fix' would require

Porting the changes to the current libp11

Patching OpenSSL for exporting the required functionality

There are no patch to OpenSSL, one of these is needed:

(1) access to the OpenSSL source src/crypto/ecdh/ech_locl.h and src/crypto/ecdsa/ecs_locl.h

(2) or a matching definition of the ecdsa_method and ecdh_method structures from the above.

In either case OpenSSL developers want the ability to changes these structures in the future.
This complicates keeping up the libp11 code.

The first point is doable since it's a subproject of OpenSC. However, it's unclear when/whether the second problem can be solved. What about creating a git submodule of OpenSSL in libp11 that contain
the required changes. Then ./configure libp11 with installing the patched version of OpenSSL. This at least is what we can do in this project that's independant from the OpenSSL team...

In either case I need to get the code updated in github, dengert/libp11 which only has the ECDSA part and is out of date.

—
Reply to this email directly or view it on GitHub #178 (comment).

Douglas E. Engert [email protected]

from opensc.

frankmorgner commented on June 16, 2024

@dengert, you can create a git submodule in libp11 referencing a specific commit of OpenSSL (I suggest some stable release where definitions don't change anymore). This will then be the (only) supported version that works with libp11.

from opensc.

dengert commented on June 16, 2024

On 12/11/2014 3:53 PM, Frank Morgner wrote:

@dengert https://github.com/dengert, you can create a git submodule in libp11 referencing a specific commit of OpenSSL (I suggest some stable release where definitions don't change anymore). This
will then be the (only) supported version that works with libp11.

Interesting, maybe in January, if we can get OpenSSL developers moving on the engine issue, a submodule might not
be needed.

—
Reply to this email directly or view it on GitHub #178 (comment).

Douglas E. Engert [email protected]

from opensc.

frankmorgner commented on June 16, 2024

@dengert please re-open the issue in libp11 if it has not been solved yet.

from opensc.

PKCS11-tool with softhsm about opensc HOT 17 CLOSED

Comments (17)

Index: src/Makefile.mak

Index: src/p11_ec.c

Index: src/libp11.exports

Index: src/p11_ops.c

+/_ Following used for RSA /
int
PKCS11_sign(int type, const unsigned char m, unsigned int m_len,
unsigned char sigret, unsigned int siglen, const PKCS11_KEY * key)
Index: src/libp11-int.h

Index: src/Makefile.am

Index: src/p11_key.c

Related Issues (20)

Recommend Projects

React

Vue.js

Typescript

TensorFlow

Django

Laravel

D3

Recommend Topics

javascript

web

server

Machine learning

Visualization

Game

Recommend Org

Facebook

Microsoft

Google

Alibaba

D3

Tencent

Comments (17)

Index: src/Makefile.mak

Index: src/p11_ec.c

Index: src/libp11.exports

Index: src/p11_ops.c

+/_ Following used for RSA */ int PKCS11_sign(int type, const unsigned char *m, unsigned int m_len, unsigned char *sigret, unsigned int *siglen, const PKCS11_KEY * key) Index: src/libp11-int.h

Index: src/Makefile.am

Index: src/p11_key.c

Related Issues (20)

Recommend Projects

Recommend Topics

Recommend Org

+/_ Following used for RSA /
int
PKCS11_sign(int type, const unsigned char m, unsigned int m_len,
unsigned char sigret, unsigned int siglen, const PKCS11_KEY * key)
Index: src/libp11-int.h