yubico-piv-tool: Problem generating key through PKCS11 library

I am trying to set up a small CA with OpenSSL+PKCS11 with keys stored on a Yubikey 4.

I managed to achieve this with the following:

yubico-piv-tool -s 9c -a generate -A ECCP256 -o pubkey.pem --pin-policy never --touch-policy always

yubico-piv-tool -s 9c -a selfsign-certificate -S '/CN=bar/OU=test/O=example.com/' -i pubkey.pem -o cert.pem

yubico-piv-tool -a import-certificate -s 9c -i cert.pem

Now the certificate is correctly displayed:

$ yubico-piv-tool -a status -s 9c
CHUID:  No data available
CCC:    No data available
Slot 9c:
        Algorithm:      ECCP256
        Subject DN:     CN=bar, OU=test, O=example.com
        Issuer DN:      CN=bar, OU=test, O=example.com
        Fingerprint:    c9c472be632cbd72d4d5632260591a13a84b49f10b5832380776a0b22fca0d56
        Not Before:     May  8 16:01:50 2018 GMT
        Not After:      May  8 16:01:50 2019 GMT
PIN tries left: 3

and I can sign certificate requests with:

openssl req -config openssl.cnf -engine pkcs11 -keyform engine -key 02 -new -x509 -days 3653 -sha256 -out cert.pem

I was wondering if it is possible to do the root key generation on the key with pkcs11-tool and then do the creation of the root certificate with openssl through PKCS11. Here is what I did:

$ pkcs11-tool --module /usr/lib/x86_64-linux-gnu/libykcs11.so.1.3.4 -k --key-type EC:prime256v1 --usage-sign --login --id 01 --login-type so --so-pin 010203040506070801020304050607080102030405060708
Using slot 0 with a present token (0x0)
Key pair generated:
Private Key Object; EC
  label:      Private key for Card Authentication
  ID:         01
  Usage:      decrypt, sign
Public Key Object; EC  EC_POINT 256 bits
  EC_POINT:   0441046d525faa9872313bc250102ebe145cbca913c2574bb90c2026ea83c6d027baea7b91137e11cd745535f941e558cf03f4a2f4a224a77a3f78bf68657587df98d8
  EC_PARAMS:  06082a8648ce3d030107
  label:      Public key for Card Authentication
  ID:         01
  Usage:      encrypt, verify

$ yubico-piv-tool -a status
CHUID:  No data available
CCC:    No data available
Slot 9e:
        Algorithm:      ECCP256
        Subject DN:
        Issuer DN:
        Fingerprint:    ce024f43b46d5982657c6fc163e3c72d2dc1f08d9bcb5347944b83ae9ef52d58
        Not Before:     Jan  1 00:00:00 0 GMT
        Not After:      Jan  1 00:00:00 0 GMT
PIN tries left: 3

$ openssl req -config root/root.cnf -engine pkcs11 -keyform engine -key 04 -new -x509 -days 3653 -sha256 -extensions v3_ca -out p.pem
engine "pkcs11" set.
Enter PKCS#11 token PIN for YubiKey PIV:
Key not found.
PKCS11_get_private_key returned NULL
cannot load Private Key from engine
140052743316736:error:80067065:pkcs11 engine:ctx_load_privkey:object not found:eng_back.c:876:
140052743316736:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:../crypto/engine/eng_pkey.c:78:
unable to load Private Key

I think that I am misunderstanding something, could anyone please point me in the right direction?
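The failure above is openssl being handed a PKCS#11 object id that the token does not expose (the key was generated with id 01, but `-key 04` was requested). A quick way to catch that before calling openssl is to list the token's objects with `pkcs11-tool -O` and check that a private key with the requested id actually exists. The script below is an added example, not part of this issue or of yubico-piv-tool; it parses a listing in the same format pkcs11-tool printed above. The listing is a constructed sample embedded inline so the script runs without a token; on a real system you would feed it the output of `pkcs11-tool --module <libykcs11.so> --login -O` instead (the module path and the slot-to-id mapping are assumptions, not something this page states).

```shell
#!/bin/sh
# Constructed sample of `pkcs11-tool ... --login -O` output, in the object
# listing format shown in the issue. Replace with real tool output when
# checking an actual token.
SAMPLE_LISTING='Using slot 0 with a present token (0x0)
Private Key Object; EC
  label:      Private key for Card Authentication
  ID:         01
  Usage:      decrypt, sign
Public Key Object; EC  EC_POINT 256 bits
  EC_POINT:   0441046d525faa9872313bc250102ebe145cbca913c2574bb90c2026ea83c6d0
  EC_PARAMS:  06082a8648ce3d030107
  label:      Public key for Card Authentication
  ID:         01
  Usage:      encrypt, verify
Certificate Object; type = X.509 cert
  label:      X.509 Certificate for Digital Signature
  ID:         02
'

# Read a pkcs11-tool object listing on stdin and print one
# "ID<TAB>label" line per Private Key Object.
private_key_ids() {
    awk '
        /^Private Key Object/      { inpriv = 1; label = ""; next }
        / Object;/                 { inpriv = 0 }
        inpriv && /^ +label:/      { sub(/^ +label: +/, ""); label = $0 }
        inpriv && /^ +ID:/         { printf "%s\t%s\n", $2, label; inpriv = 0 }
    '
}

# has_private_key LISTING ID -> exit 0 if a private key with that id is
# present in LISTING, 1 otherwise. The id is compared as the exact string
# pkcs11-tool prints (e.g. "01"), which is the form openssl -key expects.
has_private_key() {
    listing="$1"
    wanted="$2"
    printf '%s' "$listing" | private_key_ids |
        awk -F '\t' -v w="$wanted" '$1 == w { found = 1 } END { exit found ? 0 : 1 }'
}

# Usage: verify the id before running openssl with -key <id>.
for id in 01 04; do
    if has_private_key "$SAMPLE_LISTING" "$id"; then
        echo "key id $id present: safe to pass -key $id to openssl"
    else
        echo "key id $id NOT on token: openssl would report 'Key not found'"
    fi
done
```

With the sample listing this reports 01 as present and 04 as missing, which is exactly the mismatch behind the "object not found" error in the question. Running `private_key_ids` on the real listing also shows which slot label each id maps to, so you can see where `-k` actually placed the key instead of assuming the id you passed.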

About this issue

  • State: closed
  • Created 6 years ago
  • Comments: 15 (8 by maintainers)

Most upvoted comments

I’ve pushed bdfe49f223f00a63c9c9a331d17259f8665e4ab9 to a branch. If you have the possibility to build it, it would be nice.