Question

在Ubuntu 18.04.1中，openssl engine pkcs11 -t -c正确显示

(pkcs11) pkcs11 engine
 [RSA, rsaEncryption, id-ecPublicKey]
     [ available ]

目的是使用在插槽0中装有AATL链式证书的Safenet令牌（Gemalto 5110）对PDF进行认证：

$ pkcs11-tool --module /usr/lib/libeTPkcs11.so --login -O
Using slot 0 with a present token (0x0)
Logging in to "pdfsigner".
Please enter User PIN:
Private Key Object; RSA
  label:
  ID:         hexstringblah
  Usage:      decrypt, sign, unwrap
Certificate Object; type = X.509 cert
  label:      te-123456-123456aa
  ID:         hexstringblah
Certificate Object; type = X.509 cert
  label:
Certificate Object; type = X.509 cert
  label:
Certificate Object; type = X.509 cert
  label:
Certificate Object; type = X.509 cert
  label:

$ pkcs11-tool --module /usr/lib/libeTPkcs11.so --list-slots
Available slots:
Slot 0 (0x0): AKS ifdh [eToken 5110 SC] 00 00
  token label        : pdfsigner
  token manufacturer : SafeNet, Inc.
  token model        : eToken
  token flags        : login required, rng, token initialized, PIN initialized, other flags=0x200
  hardware version   : 16.0
  firmware version   : 16.1
  serial num         : 123456
  pin min/max        : 6/20

当我尝试与openssl pkeyutl -sign -keyform ENGINE -engine pkcs11 -inkey "pkcs11:object=te-123456-123456aa;type=cert;pin-value=password" -in certifyme.pdf -out certifyme.pdf签名时，我会得到

engine "pkcs11" set.
No private keys found.
PKCS11_get_private_key returned NULL
cannot load Private Key from engine
139808273490368:error:80067065:pkcs11 engine:ctx_load_privkey:object not found:eng_back.c:876:
139808273490368:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:../crypto/engine/eng_pkey.c:78:
unable to load Private Key
pkeyutl: Error initializing context

令牌中有一个私钥：

$ pkcs11-dump dump /usr/lib/libeTPkcs11.so 0 password
pkcs11-dump 0.3.4 - PKI Cryptoki token dump
Written by Alon Bar-Lev

Copyright (C) 2005-2006 Alon Bar-Lev.
This is free software; see the source for copying conditions.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Token Information:
                         label: pdfsigner
                manufacturerID: SafeNet, Inc.
                         model: eToken
                  serialNumber: 123456
                         flags: CKF_RNG,CKF_LOGIN_REQUIRED,CKF_USER_PIN_INITIALIZED,CKF_DUAL_CRYPTO_OPERATIONS,CKF_TOKEN_INITIALIZED
             ulMaxSessionCount: 0
             ulMaxSessionCount: 0
                   ulMaxPinLen: 20
                   ulMinPinLen: 6
           ulTotalPublicMemory: 81920
            ulFreePublicMemory: 32767
          ulTotalPrivateMemory: 81920
           ulFreePrivateMemory: 32767
               hardwareVersion: 016.000
               firmwareVersion: 016.001
                       utcTime: \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 Object 0
                   Object size: 65
                     CKA_CLASS: CKO_PRIVATE_KEY
                     CKA_TOKEN: TRUE
                   CKA_PRIVATE: TRUE
                     CKA_LABEL:
                  CKA_KEY_TYPE: CKK_RSA
                   CKA_SUBJECT: ERROR

                        CKA_ID: 7c 14 f6 86 13 6b 31 9e

                 CKA_SENSITIVE: TRUE
                   CKA_DECRYPT: TRUE
                    CKA_UNWRAP: TRUE
                      CKA_SIGN: TRUE
              CKA_SIGN_RECOVER: TRUE
                    CKA_DERIVE: FALSE
                CKA_START_DATE:
                  CKA_END_DATE:
                   CKA_MODULUS:

$ p11tool --provider=/usr/lib/libeTPkcs11.so --list-all
    Object 0:
            URL: pkcs11:model=eToken;manufacturer=MFG.;serial=123456;token=pdfsigner;id=00escapedhex;object=te-123456-123456aa;type=cert
            Type: X.509 Certificate
            Label: te-123456-123456aa
            ID: 00escapedhex

    Object 1:
            URL: pkcs11:model=eToken;manufacturer=MFG.;serial=123456;token=pdfsigner;type=cert
            Type: X.509 Certificate
            Label:
            Flags: CKA_CERTIFICATE_CATEGORY=CA;
            ID:

    Object 2:
            URL: pkcs11:model=eToken;manufacturer=MFG.;serial=123456;token=pdfsigner;type=cert
            Type: X.509 Certificate
            Label:
            Flags: CKA_CERTIFICATE_CATEGORY=CA;
            ID:

    Object 3:
            URL: pkcs11:model=eToken;manufacturer=MFG.;serial=123456;token=pdfsigner;type=cert
            Type: X.509 Certificate
            Label:
            Flags: CKA_CERTIFICATE_CATEGORY=CA;
            ID:

    Object 4:
            URL: pkcs11:model=eToken;manufacturer=MFG.;serial=123456;token=pdfsigner;type=cert
            Type: X.509 Certificate
            Label:
            Flags: CKA_CERTIFICATE_CATEGORY=CA;
            ID:

AFAIK，cmd不应请求PK，而应仅使令牌对请求进行签名。 pkeyutl中的参数是否不正确？

我能够使用相同的令牌在Windows中认证和签名PDF。 如何通过PKCS＃11和openssl签名PDF？

Answer 1

好像您在PKCS11对象存储中有一个RSA私钥对象和多个证书对象。但是，您正在尝试使用证书来签署“ certifyme.pdf”文件。从您的命令中，它表明对象“ te-123456-123456aa”（CKA_LABEL）是证书。

openssl pkeyutl -sign -keyform ENGINE -engine pkcs11 -inkey "pkcs11:object=te-123456-123456aa;type=cert;pin-value=password" -in certifyme.pdf -out certifyme.pdf

Certificate Object; type = X.509 cert
  label:      te-123456-123456aa
  ID:         hexstringblah

相反，您可以使用RSA私钥ID（CKA_ID，因为您没有私钥标签）来对pdf文件签名。

Private Key Object; RSA
  label:
  ID:         hexstringblah
  Usage:      decrypt, sign, unwrap

openssl pkeyutl -sign -keyform ENGINE -engine pkcs11 -inkey "pkcs11:id=hexstringblah;type=private;pin-value=password" -in certifyme.pdf -out signed_certifyme.pdf

还请注意，在命令中输入文件和输出文件具有相同的名称。

希望这会有所帮助。

PDF签名：PKCS11_get_private_key返回NULL

1 个答案: