Hi, I want to sign a CSR on an embedded device with am62x-SOM using a private key on the nitrokey HSM. I already have certificates and keys stored on the HSM.
I have to use the command line for an automated script. Also I’m fixed to openssl3, so the tutorial commands do not work. Is there a tutorial for openssl3?
Thx a lot! I have installed pkcs11-provider additionally and now I got a step further. But now it cannot find the private key on the HSM. Am I using the correct key id?
openssl ca -keyfile pkcs11:id=3367dd2bf0d91233a8c4c7694fc985453d358305 -policy signing_policy -extensions signing_req -out new.pem -infiles nginx.csr
Using configuration from /usr/lib/ssl-3/openssl.cnf
Enter pass phrase for PKCS#11 Token (Slot 0 - Nitrokey Nitrokey HSM (ID) 00 00):
Could not find CA private key from pkcs11:id=3367dd2bf0d91233a8c4c7694fc985453d358305
pkcs15-tool --list-keys
Using reader with a card: Nitrokey Nitrokey HSM (ID) 00 00
Private EC Key [HansWerner]
Object Flags : [0x01], private
Usage : [0x104], sign, derive
Access Flags : [0x1D], sensitive, alwaysSensitive, neverExtract, local
Algo_refs : 0
FieldLength : 256
Key ref : 1 (0x01)
Native : yes
Auth ID : 01
ID : 3367dd2bf0d91233a8c4c7694fc985453d358305
MD:guid : 74c2f304-1064-f187-7d6b-13db27dcee6c
I don’t have a NitroHSM. But you’ll most likely only see your “protected” keys (such as for signing) after logging in, i.e., when running pkcs11-tool --login --list-objects. Also, the PKCS#11 URIs that I know are much more complicated than “pkcs11:id=3367dd2bf0d91233a8c4c7694fc985453d358305”. Newer OpenSC versions will show you the correct URI, as will p11tool from GnuTLS.
PS: I haven’t checked how this OpenSSL 3 PKCS#11 provider parses PKCS#11 URIs, but most likely at the very least you would have to “percent-encode” the ID. Here’s an example from the PKCS#11 URI RFC:
(RFC 7512, The PKCS #11 URI Scheme, April 2015)
pkcs11:token=The%20Software%20PKCS%2311%20Softtoken;
manufacturer=Snake%20Oil,%20Inc.;
model=1.0;
object=my-certificate;
type=cert;
id=%69%95%3E%5C%F4%BD%EC%91;
I can set the key by label, and I was missing the “-cert” param, which in my case is the same as “-keyfile”:
openssl ca -policy policy_anything -out new.pem -keyfile "pkcs11:object=testCA;type=private" -cert "pkcs11:object=testCA;type=cert" -in nginx.csr
Also I found a bug inside of XCA program: If you choose a template for an intermediate key, it will make it self-signed but displays it as signed by rootCA. Chain verification will then fail.
It was no bug, but my fault. If you want to verify the whole chain with openssl3, you have to set the flag “untrusted” on top, otherwise only the last certificate will be checked:
openssl verify -CAfile <path> -untrusted <csr>.pem <csr>.pem
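Added example (not code from the thread or from the pkcs11-provider project), tying together the percent-encoding point from the RFC 7512 reply and the final openssl ca invocation: it builds an RFC 7512 URI for the key that pkcs15-tool lists (label HansWerner, ID 3367dd2b...), encoding the raw ID bytes as %XX, then passes the key and cert URIs to openssl ca. It assumes OpenSSL 3 with pkcs11-provider already loaded through openssl.cnf and a CA section with policy_anything, as in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes OpenSSL 3 + pkcs11-provider configured in openssl.cnf.

# Percent-encode every byte of $1 except the RFC 7512 unreserved set (A-Z a-z 0-9 - . _ ~).
# Works byte-wise, so a UTF-8 label comes out as one %XX per byte, as the RFC requires.
pk11_encode() {
    for hex in $(printf '%s' "$1" | od -An -v -tx1 | tr 'a-f' 'A-F'); do
        ch=$(printf "\\$(printf '%03o' "0x$hex")")    # byte value back to its character
        case "$ch" in
            [A-Za-z0-9._~-]) printf '%s' "$ch" ;;
            *)               printf '%%%s' "$hex" ;;   # newline/NUL arrive as "" and land here too
        esac
    done
}

# The ID that pkcs15-tool --list-keys prints is raw bytes shown as hex; in a URI every byte
# must be written as %XX ("3367dd..." -> "%33%67%DD..."). Rejects empty, non-hex or odd-length input.
pk11_encode_id() {
    hex=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    case "$hex" in ''|*[!0-9A-F]*) return 1 ;; esac
    [ $(( ${#hex} % 2 )) -eq 0 ] || return 1
    printf '%s' "$hex" | sed 's/../%&/g'
}

# pk11_key_uri LABEL HEXID TYPE -> pkcs11:object=...;type=...;id=...   (TYPE: private, public or cert)
pk11_key_uri() {
    id=$(pk11_encode_id "$2") || return 1
    printf 'pkcs11:object=%s;type=%s;id=%s' "$(pk11_encode "$1")" "$3" "$id"
}

# Sign a CSR with the HSM-held CA key, as in the thread: -keyfile and -cert both point at the token.
# Usage: sign_csr HansWerner 3367dd2bf0d91233a8c4c7694fc985453d358305 nginx.csr new.pem
sign_csr() {
    key_uri=$(pk11_key_uri "$1" "$2" private) || return 1
    cert_uri=$(pk11_key_uri "$1" "$2" cert)   || return 1
    openssl ca -policy policy_anything -keyfile "$key_uri" -cert "$cert_uri" -in "$3" -out "$4"
}
```

If the provider still reports that it cannot find the key, compare the URI against the one newer OpenSC or GnuTLS p11tool prints for the same object, and remember that private objects are only visible after a PIN login.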