Why can't OpenSSL be used with a PKCS11 URI?

Problem description (votes: 0, answers: 1)

My problem:

I am trying to use an RSA key via a pkcs11 URI; the key is stored in an external SQL file created by tpm2_ptool. My goal is to create a certificate signing request (CSR).

I get the following error message:

Could not open file or uri for loading private key from pkcs11:model=SLB9670%00%00%00%00%00%00%00%00%00;manufacturer=Infineon;serial=0000000000000000;token=tokenname;id=%66%66%31%34%31%66%35%38%35%38%64%33%62%37%62%64;object=objectname;type=private;pin-value=userpin
40C7C3379C7F0000:error:16000069:STORE routines:ossl_store_get0_loader_int:unregistered scheme:../crypto/store/store_register.c:237:scheme=file
40C7C3379C7F0000:error:80000002:system library:file_open:No such file or directory:../providers/implementations/storemgmt/file_store.c:267:calling stat(pkcs11:model=SLB9670%00%00%00%00%00%00%00%00%00;manufacturer=Infineon;serial=0000000000000000;token=tokenname;id=%66%66%31%34%31%66%35%38%35%38%64%33%62%37%62%64;object=objectname;type=private;pin-value=userpin)
40C7C3379C7F0000:error:16000069:STORE routines:ossl_store_get0_loader_int:unregistered scheme:../crypto/store/store_register.c:237:scheme=pkcs11
40C7C3379C7F0000:error:1608010C:STORE routines:inner_loader_fetch:unsupported:../crypto/store/store_meth.c:359:No store loader found. For standard store loaders you need at least one of the default or base providers available. Did you forget to load them? Info: Global default library context, Scheme (pkcs11 : 0), Properties (?provider=tpm2)

What is wrong? Can anyone help me find a solution to this problem?

My approach:

export PKCS11_MODULE="/usr/lib/x86_64-linux-gnu/pkcs11/libtpm2_pkcs11.so"
export OPENSSL_CONF="/root/openssl.cnf"
TPM2_PKCS11_STORE=/root/.tpm2_pkcs11
GNUTLS_PIN=userpin
GNUTLS_SO_PIN=sopin
LABEL="tokenname"
KEY_LABEL="objectname"

rm -v -R "${TPM2_PKCS11_STORE}" 2>/dev/null

tpm2_ptool init
tpm2_ptool addtoken --pid=1 --sopin="${GNUTLS_SO_PIN}" --userpin="${GNUTLS_PIN}" --label="${LABEL}"
tpm2_ptool addkey --algorithm=rsa2048 --label="${LABEL}" --key-label="${KEY_LABEL}" --userpin="${GNUTLS_PIN}"

pkcs11-tool --module "${PKCS11_MODULE}" -L

# Print:
# WARNING: Getting tokens from fapi backend failed.
# Available slots:
# Slot 0 (0x1): tokenname
#   token label        : tokenname
#   token manufacturer : Infineon
#   token model        : SLB9670
#   token flags        : login required, rng, token initialized, PIN initialized
#   hardware version   : 1.38
#   firmware version   : 7.85
#   serial num         : 0000000000000000
#   pin min/max        : 0/128
# Slot 1 (0x2): 
#   token state:   uninitialized
pkcs11-tool --module "${PKCS11_MODULE}" -O

# Print:
# WARNING: Getting tokens from fapi backend failed.
# Using slot 0 with a present token (0x1)
# Public Key Object; RSA 2048 bits
#   label:      objectname
#   ID:         66663134316635383538643362376264
#   Usage:      encrypt, verify
#   Access:     local

TOKEN=$(p11tool --list-token-urls | grep "token=${LABEL}")

# TOKEN: pkcs11:model=SLB9670%00%00%00%00%00%00%00%00%00;manufacturer=Infineon;serial=0000000000000000;token=tokenname

p11tool --login --list-all "${TOKEN}" --outfile p11tool.out
PRIVATE_KEY="$(grep private p11tool.out | awk '{ print $2 }')"

# PRIVATE_KEY: 'pkcs11:model=SLB9670%00%00%00%00%00%00%00%00%00;manufacturer=Infineon;serial=0000000000000000;token=tokenname;id=%66%66%31%34%31%66%35%38%35%38%64%33%62%37%62%64;object=objectname;type=private'

openssl req \
-new \
-provider tpm2 \
-provider default \
-propquery "?provider=tpm2" \
-key "${PRIVATE_KEY};pin-value=${GNUTLS_PIN}" \
-out "$(hostname).csr" \
-verbose

The OpenSSL command returns the error message shown above.

My system:

System: Ubuntu 22.04

Linux hostname 5.15.0-94-generic #104-Ubuntu SMP Tue Jan 9 15:25:40 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
curl --version

curl 7.81.0 (x86_64-pc-linux-gnu) libcurl/7.81.0 OpenSSL/3.0.2 zlib/1.2.11 brotli/1.0.9 zstd/1.4.8 libidn2/2.3.2 libpsl/0.21.0 (+libidn2/2.3.2) libssh/0.9.6/openssl/zlib nghttp2/1.43.0 librtmp/2.3 OpenLDAP/2.5.16
Release-Date: 2022-01-05
Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp 
Features: alt-svc AsynchDNS brotli GSS-API HSTS HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM NTLM_WB PSL SPNEGO SSL TLS-SRP UnixSockets zstd
curl --engine list

Build-time engines:
  rdrand
  dynamic
  pkcs11
openssl version

OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
openssl engine -t

(rdrand) Intel RDRAND engine
     [ available ]
(dynamic) Dynamic engine loading support
     [ unavailable ]
(pkcs11) pkcs11 engine
     [ available ]
Tags: openssl pkcs#11 tpm openssl-engine tpm-2.0
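The error text itself shows what happened: neither the tpm2 provider nor the default provider registered a store loader for the pkcs11 scheme ("unregistered scheme ... scheme=pkcs11", "No store loader found"), so OpenSSL fell back to the file scheme and stat()'d the URI as a path. The helper below is an added example, not code from the question or from any OpenSSL or tpm2 project: it checks whether the providers you pass register a pkcs11 store loader (assuming `openssl list -store-loaders` names loaders by scheme), decodes the percent-encoded `id` to the hex form `pkcs11-tool -O` prints so you can confirm the URI selects the intended object, and flags a PIN embedded as `pin-value` (it lands in `ps`, shell history and logs; RFC 7512 defines `pin-source` for that). The sample URI and object ID are constructed from the values in the question.

```shell
#!/bin/sh
# Added example (not from the post): sanity checks for a pkcs11: URI and the
# provider setup before handing the key to `openssl req`.

# Extract one attribute (path or query part) from a pkcs11: URI.
pkcs11_uri_attr() {
  printf '%s\n' "${1#pkcs11:}" | tr ';?&' '\n\n\n' | sed -n "s/^$2=//p" | head -n 1
}

# Decode the percent-encoded CKA_ID from the URI into a lowercase hex string,
# the form pkcs11-tool prints after "ID:". Pure POSIX sh, no xxd or bash needed.
pkcs11_id_hex() {
  s=$(pkcs11_uri_attr "$1" id); out=""
  while [ -n "$s" ]; do
    case "$s" in
      %??*) out="$out$(printf '%s' "$s" | cut -c2-3 | tr 'A-F' 'a-f')"; s=${s#???} ;;
      *)    c=${s%"${s#?}"}; out="$out$(printf '%02x' "'$c")"; s=${s#?} ;;
    esac
  done
  printf '%s\n' "$out"
}

# Returns 0 only if the URI names the expected private object and carries no
# inline PIN (use pin-source or let the tool prompt instead of pin-value).
pkcs11_uri_check() {
  want=$(printf '%s' "$2" | tr 'A-F' 'a-f'); rc=0
  got=$(pkcs11_id_hex "$1")
  [ "$got" = "$want" ] || { echo "id mismatch: URI has $got, token object has $want"; rc=1; }
  [ "$(pkcs11_uri_attr "$1" type)" = "private" ] || { echo "type is not private"; rc=1; }
  [ -z "$(pkcs11_uri_attr "$1" pin-value)" ] || { echo "pin-value embedded in URI"; rc=1; }
  return $rc
}

# True if the providers given as arguments register a store loader for the pkcs11
# scheme (assumption: `openssl list -store-loaders` lists loaders by scheme name).
# Needs a real OpenSSL 3 install; e.g. pkcs11_scheme_registered -provider tpm2 -provider default
pkcs11_scheme_registered() {
  openssl list -store-loaders "$@" 2>/dev/null | grep -qi 'pkcs11'
}

# Constructed sample: the private-key URI (with pin-value) and the object ID from the question.
URI='pkcs11:model=SLB9670%00%00%00%00%00%00%00%00%00;manufacturer=Infineon;serial=0000000000000000;token=tokenname;id=%66%66%31%34%31%66%35%38%35%38%64%33%62%37%62%64;object=objectname;type=private;pin-value=userpin'
OBJECT_ID=66663134316635383538643362376264

if pkcs11_uri_check "$URI" "$OBJECT_ID"; then echo "URI ok"; else echo "URI needs fixing"; fi
```

For the question's URI the id decodes to the ID pkcs11-tool printed, so object selection is correct; the check fails only because of the embedded pin-value.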
1 answer

0 votes

In the latest versions of openssl, some applications have

-keyform DER|PEM|ENGINE
https://www.openssl.org/docs/man1.1.1/man1/x509.html Maybe you can use it. I don't know how many openssl applications can create a CSR.
