Nitrokey & PKCS11 via OpenSSL on macOS Sierra

Dear Nitrokey Support

The integration of OpenSC’s PKCS11 engine for OpenSSL works, but when I try to create a self-signed certificate with it, I get the following error:

OpenSSL> engine -t dynamic -pre SO_PATH:/usr/local/Cellar/engine_pkcs11/0.1.8/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/local/Cellar/opensc/0.16.0/lib/pkcs11/opensc-pkcs11.so
(dynamic) Dynamic engine loading support
[Success]: SO_PATH:/usr/local/Cellar/engine_pkcs11/0.1.8/lib/engines/engine_pkcs11.so
[Success]: ID:pkcs11
[Success]: LIST_ADD:1
[Success]: LOAD
[Success]: MODULE_PATH:/usr/local/Cellar/opensc/0.16.0/lib/pkcs11/opensc-pkcs11.so
Loaded: (pkcs11) pkcs11 engine
     [ available ]
OpenSSL>
OpenSSL>
OpenSSL>
OpenSSL> req -engine pkcs11 -new -keyform engine -out cert.pem -text -x509 -days 3640 -key label_test -subj '/CN=test'
engine "pkcs11" set.
failed to enumerate slots
PKCS11_get_private_key returned NULL
cannot load Private Key from engine
140735752430600:error:80002030:PKCS11 library:PKCS11_enum_slots:Device error:p11_slot.c:312:
140735752430600:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:eng_pkey.c:124:
unable to load Private Key
error in req

Do you have any hint for me? What is probably going wrong?

Nitrokey information:

  • Nitrokey Pro
  • Firmware version: 0.8

Thx & best wishes

In addition, creating new RSA keys (2048 & 4096) via the pkcs11-tool doesn’t work either. In both cases, I get the following exceptions:

  • RSA 2048 => error: PKCS11 function C_GenerateKeyPair failed: rv = CKR_USER_NOT_LOGGED_IN (0x101)
  • RSA 4096 => error: PKCS11 function C_GenerateKeyPair failed: rv = CKR_FUNCTION_NOT_SUPPORTED (0x54)

Here are some fragments of the logs (with OpenSC log level = 9):

  • RSA 2048 case:

    0x7fff9887e3c0 13:39:04.309 [opensc-pkcs11] apdu.c:386:sc_single_transmit: returning with: 0 (Success)
    0x7fff9887e3c0 13:39:04.309 [opensc-pkcs11] apdu.c:539:sc_transmit: returning with: 0 (Success)
    0x7fff9887e3c0 13:39:04.309 [opensc-pkcs11] card.c:434:sc_unlock: called
    0x7fff9887e3c0 13:39:04.309 [opensc-pkcs11] card-openpgp.c:2157:pgp_gen_key: Card has done key generation.
    0x7fff9887e3c0 13:39:04.309 [opensc-pkcs11] iso7816.c:121:iso7816_check_sw: Security status not satisfied
    0x7fff9887e3c0 13:39:04.309 [opensc-pkcs11] card-openpgp.c:2167:pgp_gen_key: Please verify PIN first.
    0x7fff9887e3c0 13:39:04.309 [opensc-pkcs11] card-openpgp.c:2177:pgp_gen_key: returning with: -1211 (Security status not satisfied)
    0x7fff9887e3c0 13:39:04.309 [opensc-pkcs11] card-openpgp.c:2595:pgp_card_ctl: returning with: -1211 (Security status not satisfied)
    0x7fff9887e3c0 13:39:04.309 [opensc-pkcs11] card.c:866:sc_card_ctl: returning with: -1211 (Security status not satisfied)
    0x7fff9887e3c0 13:39:04.309 [opensc-pkcs11] pkcs15-openpgp.c:217:openpgp_generate_key: returning with: -1211 (Security status not satisfied)
    0x7fff9887e3c0 13:39:04.309 [opensc-pkcs11] pkcs15-lib.c:1383:sc_pkcs15init_generate_key: Failed to generate key: -1211 (Security status not satisfied)
    0x7fff9887e3c0 13:39:04.309 [opensc-pkcs11] framework-pkcs15.c:2803:pkcs15_gen_keypair: sc_pkcs15init_generate_key returned -1211
    0x7fff9887e3c0 13:39:04.309 [opensc-pkcs11] misc.c:61:sc_to_cryptoki_error_common: libopensc return value: -1211 (Security status not satisfied)
    0x7fff9887e3c0 13:39:04.309 [opensc-pkcs11] pkcs15-lib.c:419:sc_pkcs15init_unbind: called
    0x7fff9887e3c0 13:39:04.309 [opensc-pkcs11] pkcs15-lib.c:420:sc_pkcs15init_unbind: Pksc15init Unbind: 0:0x7f80ac2054f0:1
    0x7fff9887e3c0 13:39:04.309 [opensc-pkcs11] card.c:434:sc_unlock: called
    0x7fff9887e3c0 13:39:04.309 [opensc-pkcs11] reader-pcsc.c:587:pcsc_unlock: called
    0x7fff9887e3c0 13:39:04.309 [opensc-pkcs11] pkcs11-global.c:304:C_Finalize: C_Finalize()
    0x7fff9887e3c0 13:39:04.309 [opensc-pkcs11] ctx.c:819:sc_cancel: called
    0x7fff9887e3c0 13:39:04.309 [opensc-pkcs11] reader-pcsc.c:637:pcsc_cancel: called
    0x7fff9887e3c0 13:39:04.309 [opensc-pkcs11] slot.c:163:card_removed: Nitrokey Nitrokey Pro: card removed
    0x7fff9887e3c0 13:39:04.309 [opensc-pkcs11] slot.c:425:slot_token_removed: slot_token_removed(0x0)
    0x7fff9887e3c0 13:39:04.309 [opensc-pkcs11] pkcs11-session.c:129:sc_pkcs11_close_all_sessions: real C_CloseAllSessions(0x0) 1
    0x7fff9887e3c0 13:39:04.309 [opensc-pkcs11] pkcs11-session.c:98:sc_pkcs11_close_session: real C_CloseSession(0x7f80aae00280)
    0x7fff9887e3c0 13:39:04.309 [opensc-pkcs11] framework-pkcs15.c:1364:pkcs15_release_token: pkcs15_release_token() not implemented
    0x7fff9887e3c0 13:39:04.309 [opensc-pkcs11] slot.c:425:slot_token_removed: slot_token_removed(0x1)
    0x7fff9887e3c0 13:39:04.309 [opensc-pkcs11] pkcs11-session.c:129:sc_pkcs11_close_all_sessions: real C_CloseAllSessions(0x1) 0
    0x7fff9887e3c0 13:39:04.309 [opensc-pkcs11] framework-pkcs15.c:1364:pkcs15_release_token: pkcs15_release_token() not implemented
    0x7fff9887e3c0 13:39:04.309 [opensc-pkcs11] slot.c:425:slot_token_removed: slot_token_removed(0x2)
    0x7fff9887e3c0 13:39:04.309 [opensc-pkcs11] pkcs11-session.c:129:sc_pkcs11_close_all_sessions: real C_CloseAllSessions(0x2) 0
    0x7fff9887e3c0 13:39:04.309 [opensc-pkcs11] slot.c:425:slot_token_removed: slot_token_removed(0x3)
    0x7fff9887e3c0 13:39:04.309 [opensc-pkcs11] pkcs11-session.c:129:sc_pkcs11_close_all_sessions: real C_CloseAllSessions(0x3) 0
    0x7fff9887e3c0 13:39:04.309 [opensc-pkcs11] pkcs15.c:1264:sc_pkcs15_unbind: called
    0x7fff9887e3c0 13:39:04.309 [opensc-pkcs11] pkcs15-pin.c:690:sc_pkcs15_pincache_clear: called
    0x7fff9887e3c0 13:39:04.309 [opensc-pkcs11] misc.c:61:sc_to_cryptoki_error_common: libopensc return value: 0 (Success)
    0x7fff9887e3c0 13:39:04.309 [opensc-pkcs11] card.c:336:sc_disconnect_card: called
    0x7fff9887e3c0 13:39:04.309 [opensc-pkcs11] reader-pcsc.c:533:pcsc_disconnect: called
    0x7fff9887e3c0 13:39:05.265 [opensc-pkcs11] card.c:357:sc_disconnect_card: returning with: 0 (Success)
    0x7fff9887e3c0 13:39:05.265 [opensc-pkcs11] ctx.c:842:sc_release_context: called
    0x7fff9887e3c0 13:39:05.265 [opensc-pkcs11] reader-pcsc.c:794:pcsc_finish: called

  • RSA 4096 case

    0x7fff9887e3c0 13:45:55.751 [opensc-pkcs11] framework-pkcs15.c:2791:pkcs15_gen_keypair: Try on-card key pair generation
    0x7fff9887e3c0 13:45:55.751 [opensc-pkcs11] pkcs15-lib.c:1326:sc_pkcs15init_generate_key: called
    0x7fff9887e3c0 13:45:55.751 [opensc-pkcs11] pkcs15-lib.c:2094:check_keygen_params_consistency: returning with: -1408 (Not supported)
    0x7fff9887e3c0 13:45:55.751 [opensc-pkcs11] pkcs15-lib.c:1329:sc_pkcs15init_generate_key: Invalid key size: -1408 (Not supported)
    0x7fff9887e3c0 13:45:55.751 [opensc-pkcs11] framework-pkcs15.c:2803:pkcs15_gen_keypair: sc_pkcs15init_generate_key returned -1408
    0x7fff9887e3c0 13:45:55.751 [opensc-pkcs11] misc.c:61:sc_to_cryptoki_error_common: libopensc return value: -1408 (Not supported)
    0x7fff9887e3c0 13:45:55.751 [opensc-pkcs11] pkcs15-lib.c:419:sc_pkcs15init_unbind: called
    0x7fff9887e3c0 13:45:55.751 [opensc-pkcs11] pkcs15-lib.c:420:sc_pkcs15init_unbind: Pksc15init Unbind: 0:0x7fdd44f06860:1
    0x7fff9887e3c0 13:45:55.751 [opensc-pkcs11] card.c:434:sc_unlock: called
    0x7fff9887e3c0 13:45:55.751 [opensc-pkcs11] reader-pcsc.c:587:pcsc_unlock: called
    0x7fff9887e3c0 13:45:55.751 [opensc-pkcs11] pkcs11-global.c:304:C_Finalize: C_Finalize()
    0x7fff9887e3c0 13:45:55.751 [opensc-pkcs11] ctx.c:819:sc_cancel: called
    0x7fff9887e3c0 13:45:55.751 [opensc-pkcs11] reader-pcsc.c:637:pcsc_cancel: called
    0x7fff9887e3c0 13:45:55.751 [opensc-pkcs11] slot.c:163:card_removed: Nitrokey Nitrokey Pro: card removed
    0x7fff9887e3c0 13:45:55.751 [opensc-pkcs11] slot.c:425:slot_token_removed: slot_token_removed(0x0)
    0x7fff9887e3c0 13:45:55.751 [opensc-pkcs11] pkcs11-session.c:129:sc_pkcs11_close_all_sessions: real C_CloseAllSessions(0x0) 1
    0x7fff9887e3c0 13:45:55.751 [opensc-pkcs11] pkcs11-session.c:98:sc_pkcs11_close_session: real C_CloseSession(0x7fdd44d1eae0)
    0x7fff9887e3c0 13:45:55.751 [opensc-pkcs11] pkcs15-pin.c:690:sc_pkcs15_pincache_clear: called
    0x7fff9887e3c0 13:45:55.751 [opensc-pkcs11] framework-pkcs15.c:1364:pkcs15_release_token: pkcs15_release_token() not implemented
    0x7fff9887e3c0 13:45:55.751 [opensc-pkcs11] slot.c:425:slot_token_removed: slot_token_removed(0x1)
    0x7fff9887e3c0 13:45:55.751 [opensc-pkcs11] pkcs11-session.c:129:sc_pkcs11_close_all_sessions: real C_CloseAllSessions(0x1) 0
    0x7fff9887e3c0 13:45:55.751 [opensc-pkcs11] framework-pkcs15.c:1364:pkcs15_release_token: pkcs15_release_token() not implemented
    0x7fff9887e3c0 13:45:55.751 [opensc-pkcs11] slot.c:425:slot_token_removed: slot_token_removed(0x2)
    0x7fff9887e3c0 13:45:55.751 [opensc-pkcs11] pkcs11-session.c:129:sc_pkcs11_close_all_sessions: real C_CloseAllSessions(0x2) 0
    0x7fff9887e3c0 13:45:55.751 [opensc-pkcs11] slot.c:425:slot_token_removed: slot_token_removed(0x3)
    0x7fff9887e3c0 13:45:55.751 [opensc-pkcs11] pkcs11-session.c:129:sc_pkcs11_close_all_sessions: real C_CloseAllSessions(0x3) 0
    0x7fff9887e3c0 13:45:55.751 [opensc-pkcs11] pkcs15.c:1264:sc_pkcs15_unbind: called
    0x7fff9887e3c0 13:45:55.751 [opensc-pkcs11] pkcs15-pin.c:690:sc_pkcs15_pincache_clear: called
    0x7fff9887e3c0 13:45:55.751 [opensc-pkcs11] misc.c:61:sc_to_cryptoki_error_common: libopensc return value: 0 (Success)
    0x7fff9887e3c0 13:45:55.751 [opensc-pkcs11] card.c:336:sc_disconnect_card: called
    0x7fff9887e3c0 13:45:55.751 [opensc-pkcs11] reader-pcsc.c:533:pcsc_disconnect: called
    0x7fff9887e3c0 13:45:56.706 [opensc-pkcs11] card.c:357:sc_disconnect_card: returning with: 0 (Success)
    0x7fff9887e3c0 13:45:56.706 [opensc-pkcs11] ctx.c:842:sc_release_context: called
    0x7fff9887e3c0 13:45:56.706 [opensc-pkcs11] reader-pcsc.c:794:pcsc_finish: called

It seems that 4096-bit keys are not supported, but they should be supported.

Thx for any hints & best wishes
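A small triage helper for OpenSC debug logs like the two above (an added example, not the poster's code and not part of OpenSC): it parses the `thread time [module] file:line:func: message` lines, returns the innermost non-zero "returning with" frame, and attaches a hint for the two return codes seen in this thread. The HINTS table and its wording are my own; the sample lines are excerpted from the RSA 2048 log above.

```python
import re
from dataclasses import dataclass
from typing import Optional

# One OpenSC debug line: "<thread> <time> [module] <file>:<line>:<func>: <message>"
LOG_RE = re.compile(
    r"^(?P<thread>0x[0-9a-f]+)\s+(?P<time>\d\d:\d\d:\d\d\.\d+)\s+\[(?P<module>[^\]]+)\]\s+"
    r"(?P<file>[^:\s]+):(?P<line>\d+):(?P<func>[^:]+):\s*(?P<msg>.*)$"
)
# libopensc convention: "returning with: <code> (<text>)", 0 meaning success
RET_RE = re.compile(r"returning with: (?P<code>-?\d+) \((?P<text>[^)]*)\)")

@dataclass
class Failure:
    file: str
    func: str
    code: int
    text: str

# Hints keyed by libopensc return code; my own summary of the two codes in this thread.
HINTS = {
    -1211: "card refused the command because no PIN has been verified in this session",
    -1408: "the driver rejected the request, e.g. a key size this card/OpenSC build does not offer",
}

def first_failure(log_text: str) -> Optional[Failure]:
    """Return the innermost (first logged) non-zero 'returning with' frame, or None."""
    for raw in log_text.splitlines():
        m = LOG_RE.match(raw.strip())
        if not m:
            continue  # not an OpenSC debug line (blank, prompt, other tool output)
        r = RET_RE.search(m["msg"])
        if r and int(r["code"]) != 0:
            return Failure(m["file"], m["func"], int(r["code"]), r["text"])
    return None

def diagnose(log_text: str) -> str:
    f = first_failure(log_text)
    if f is None:
        return "no failing frame found"
    hint = HINTS.get(f.code, "code not in the hint table")
    return f"{f.func} in {f.file} returned {f.code} ({f.text}): {hint}"

# Sample input: three lines excerpted from the RSA 2048 log in the thread above.
SAMPLE_2048 = """\
0x7fff9887e3c0 13:39:04.309 [opensc-pkcs11] card-openpgp.c:2167:pgp_gen_key: Please verify PIN first.
0x7fff9887e3c0 13:39:04.309 [opensc-pkcs11] card-openpgp.c:2177:pgp_gen_key: returning with: -1211 (Security status not satisfied)
0x7fff9887e3c0 13:39:04.309 [opensc-pkcs11] card.c:866:sc_card_ctl: returning with: -1211 (Security status not satisfied)
"""

if __name__ == "__main__":
    print(diagnose(SAMPLE_2048))
```

Because the innermost frame is reported, the output points at pgp_gen_key in card-openpgp.c rather than at the generic sc_card_ctl wrapper that merely propagates the code.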

Since this is about OpenSC’s details, could you ask on the OpenSC mailing list or submit a GitHub ticket, please?

Hi Jan

Thx for your reply. I’ve created a new OpenSC ticket.

Thx & best wishes