В Ubuntu 18.04.1 openssl engine pkcs11 -t -c правильно показывает
(pkcs11) pkcs11 engine
[RSA, rsaEncryption, id-ecPublicKey]
[ available ]
Целью является сертификация PDF-файлов с использованием токена Safenet (Gemalto 5110), загруженного с помощью AATL цепного сертификата вслот 0:
$ pkcs11-tool --module /usr/lib/libeTPkcs11.so --login -O
Using slot 0 with a present token (0x0)
Logging in to "pdfsigner".
Please enter User PIN:
Private Key Object; RSA
label:
ID: hexstringblah
Usage: decrypt, sign, unwrap
Certificate Object; type = X.509 cert
label: te-123456-123456aa
ID: hexstringblah
Certificate Object; type = X.509 cert
label:
Certificate Object; type = X.509 cert
label:
Certificate Object; type = X.509 cert
label:
Certificate Object; type = X.509 cert
label:
$ pkcs11-tool --module /usr/lib/libeTPkcs11.so --list-slots
Available slots:
Slot 0 (0x0): AKS ifdh [eToken 5110 SC] 00 00
token label : pdfsigner
token manufacturer : SafeNet, Inc.
token model : eToken
token flags : login required, rng, token initialized, PIN initialized, other flags=0x200
hardware version : 16.0
firmware version : 16.1
serial num : 123456
pin min/max : 6/20
Когда я пытаюсь подписать с openssl pkeyutl -sign -keyform ENGINE -engine pkcs11 -inkey "pkcs11:object=te-123456-123456aa;type=cert;pin-value=password" -in certifyme.pdf -out certifyme.pdf, я получаю
engine "pkcs11" set.
No private keys found.
PKCS11_get_private_key returned NULL
cannot load Private Key from engine
139808273490368:error:80067065:pkcs11 engine:ctx_load_privkey:object not found:eng_back.c:876:
139808273490368:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:../crypto/engine/eng_pkey.c:78:
unable to load Private Key
pkeyutl: Error initializing context
В токене есть закрытый ключ:
$ pkcs11-dump dump /usr/lib/libeTPkcs11.so 0 password
pkcs11-dump 0.3.4 - PKI Cryptoki token dump
Written by Alon Bar-Lev
Copyright (C) 2005-2006 Alon Bar-Lev.
This is free software; see the source for copying conditions.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Token Information:
label: pdfsigner
manufacturerID: SafeNet, Inc.
model: eToken
serialNumber: 123456
flags: CKF_RNG,CKF_LOGIN_REQUIRED,CKF_USER_PIN_INITIALIZED,CKF_DUAL_CRYPTO_OPERATIONS,CKF_TOKEN_INITIALIZED
ulMaxSessionCount: 0
ulMaxSessionCount: 0
ulMaxPinLen: 20
ulMinPinLen: 6
ulTotalPublicMemory: 81920
ulFreePublicMemory: 32767
ulTotalPrivateMemory: 81920
ulFreePrivateMemory: 32767
hardwareVersion: 016.000
firmwareVersion: 016.001
utcTime: \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 Object 0
Object size: 65
CKA_CLASS: CKO_PRIVATE_KEY
CKA_TOKEN: TRUE
CKA_PRIVATE: TRUE
CKA_LABEL:
CKA_KEY_TYPE: CKK_RSA
CKA_SUBJECT: ERROR
CKA_ID: 7c 14 f6 86 13 6b 31 9e
CKA_SENSITIVE: TRUE
CKA_DECRYPT: TRUE
CKA_UNWRAP: TRUE
CKA_SIGN: TRUE
CKA_SIGN_RECOVER: TRUE
CKA_DERIVE: FALSE
CKA_START_DATE:
CKA_END_DATE:
CKA_MODULUS:
$ p11tool --provider=/usr/lib/libeTPkcs11.so --list-all
Object 0:
URL: pkcs11:model=eToken;manufacturer=MFG.;serial=123456;token=pdfsigner;id=00escapedhex;object=te-123456-123456aa;type=cert
Type: X.509 Certificate
Label: te-123456-123456aa
ID: 00escapedhex
Object 1:
URL: pkcs11:model=eToken;manufacturer=MFG.;serial=123456;token=pdfsigner;type=cert
Type: X.509 Certificate
Label:
Flags: CKA_CERTIFICATE_CATEGORY=CA;
ID:
Object 2:
URL: pkcs11:model=eToken;manufacturer=MFG.;serial=123456;token=pdfsigner;type=cert
Type: X.509 Certificate
Label:
Flags: CKA_CERTIFICATE_CATEGORY=CA;
ID:
Object 3:
URL: pkcs11:model=eToken;manufacturer=MFG.;serial=123456;token=pdfsigner;type=cert
Type: X.509 Certificate
Label:
Flags: CKA_CERTIFICATE_CATEGORY=CA;
ID:
Object 4:
URL: pkcs11:model=eToken;manufacturer=MFG.;serial=123456;token=pdfsigner;type=cert
Type: X.509 Certificate
Label:
Flags: CKA_CERTIFICATE_CATEGORY=CA;
ID:
AFAIK cmd не должен запрашивать PK, а только чтобы токен подписывал запрос.У меня есть неправильный параметр в pkeyutl?
Я смог использовать тот же токен для сертификации и подписи PDF в Windows. Как мне подписать PDF через PKCS # 11 и openssl?