My problem:
I am trying to use an RSA key via a PKCS#11 URI, stored in an external SQL file created by tpm2_ptool. My goal is to create a Certificate Signing Request (CSR).
I get the following error message:
Could not open file or uri for loading private key from pkcs11:model=SLB9670%00%00%00%00%00%00%00%00%00;manufacturer=Infineon;serial=0000000000000000;token=tokenname;id=%66%66%31%34%31%66%35%38%35%38%64%33%62%37%62%64;object=objectname;type=private;pin-value=userpin
40C7C3379C7F0000:error:16000069:STORE routines:ossl_store_get0_loader_int:unregistered scheme:../crypto/store/store_register.c:237:scheme=file
40C7C3379C7F0000:error:80000002:system library:file_open:No such file or directory:../providers/implementations/storemgmt/file_store.c:267:calling stat(pkcs11:model=SLB9670%00%00%00%00%00%00%00%00%00;manufacturer=Infineon;serial=0000000000000000;token=tokenname;id=%66%66%31%34%31%66%35%38%35%38%64%33%62%37%62%64;object=objectname;type=private;pin-value=userpin)
40C7C3379C7F0000:error:16000069:STORE routines:ossl_store_get0_loader_int:unregistered scheme:../crypto/store/store_register.c:237:scheme=pkcs11
40C7C3379C7F0000:error:1608010C:STORE routines:inner_loader_fetch:unsupported:../crypto/store/store_meth.c:359:No store loader found. For standard store loaders you need at least one of the default or base providers available. Did you forget to load them? Info: Global default library context, Scheme (pkcs11 : 0), Properties (?provider=tpm2)
What's wrong? Can anyone help me find a solution for this problem?
My approach:
export PKCS11_MODULE="/usr/lib/x86_64-linux-gnu/pkcs11/libtpm2_pkcs11.so"
export OPENSSL_CONF="/root/openssl.cnf"
# Exported so that tpm2_ptool, libtpm2_pkcs11 and p11tool (child processes) see them.
export TPM2_PKCS11_STORE=/root/.tpm2_pkcs11
export GNUTLS_PIN=userpin
export GNUTLS_SO_PIN=sopin
LABEL="tokenname"
KEY_LABEL="objectname"
rm -v -R "${TPM2_PKCS11_STORE}" 2>/dev/null
tpm2_ptool init
tpm2_ptool addtoken --pid=1 --sopin="${GNUTLS_SO_PIN}" --userpin="${GNUTLS_PIN}" --label="${LABEL}"
tpm2_ptool addkey --algorithm=rsa2048 --label="${LABEL}" --key-label="${KEY_LABEL}" --userpin="${GNUTLS_PIN}"
pkcs11-tool --module "${PKCS11_MODULE}" -L
# Print:
# WARNING: Getting tokens from fapi backend failed.
# Available slots:
# Slot 0 (0x1): tokenname
# token label : tokenname
# token manufacturer : Infineon
# token model : SLB9670
# token flags : login required, rng, token initialized, PIN initialized
# hardware version : 1.38
# firmware version : 7.85
# serial num : 0000000000000000
# pin min/max : 0/128
# Slot 1 (0x2):
# token state: uninitialized
pkcs11-tool --module "${PKCS11_MODULE}" -O
# Print:
# WARNING: Getting tokens from fapi backend failed.
# Using slot 0 with a present token (0x1)
# Public Key Object; RSA 2048 bits
# label: objectname
# ID: 66663134316635383538643362376264
# Usage: encrypt, verify
# Access: local
TOKEN=$(p11tool --list-token-urls | grep "token=${LABEL}")
# TOKEN: pkcs11:model=SLB9670%00%00%00%00%00%00%00%00%00;manufacturer=Infineon;serial=0000000000000000;token=tokenname
p11tool --login --list-all "${TOKEN}" --outfile p11tool.out
PRIVATE_KEY="$(grep private p11tool.out | awk '{ print $2 }')"
# PRIVATE_KEY: 'pkcs11:model=SLB9670%00%00%00%00%00%00%00%00%00;manufacturer=Infineon;serial=0000000000000000;token=tokenname;id=%66%66%31%34%31%66%35%38%35%38%64%33%62%37%62%64;object=objectname;type=private'
openssl req \
-new \
-provider tpm2 \
-provider default \
-propquery "?provider=tpm2" \
-key "${PRIVATE_KEY};pin-value=${GNUTLS_PIN}" \
-out "$(hostname).csr" \
-verbose
After the OpenSSL command, the error message above is returned.
My system:
System: Ubuntu 22.04
Linux hostname 5.15.0-94-generic #104-Ubuntu SMP Tue Jan 9 15:25:40 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
openssl version
OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
openssl engine -t
(rdrand) Intel RDRAND engine
[ available ]
(dynamic) Dynamic engine loading support
[ unavailable ]
(pkcs11) pkcs11 engine
[ available ]
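The trace above ends with "No store loader found" for scheme pkcs11, i.e. none of the providers passed to openssl registers a STORE loader for that URI scheme. The preflight script below is an added example, not code from the question or from the tpm2 tooling; it assumes OpenSSL 3.x (where `openssl list -store-loaders` exists) and takes the key URI and the provider names as arguments.

```shell
# Added example (not from the original post): check that one of the providers
# given to `openssl req` registers a STORE loader for the key URI's scheme.
# "unregistered scheme" / "No store loader found" means none does. Assumes OpenSSL 3.x.

# Scheme of a URI ("pkcs11" for "pkcs11:token=...;object=..."). A bare path
# has no scheme and OpenSSL then uses the "file" loader, so report "file".
uri_scheme() {
    case "$1" in
        *:*) printf '%s\n' "${1%%:*}" ;;
        *)   printf 'file\n' ;;
    esac
}

# Reduce `openssl list -store-loaders` output to one scheme name per line.
# Accepts both the "file @ default" and the "{ a, b } @ prov" line forms.
parse_store_schemes() {
    sed -n 's/ @ .*//p' | tr -d '{}' | tr ',' '\n' | tr -d ' ' | sed '/^$/d'
}

# Schemes served by the named providers, e.g.: store_schemes tpm2 default
store_schemes() {
    args=""
    for p in "$@"; do args="$args -provider $p"; done
    # $args is word-split on purpose to pass one -provider flag per name.
    openssl list -store-loaders $args 2>/dev/null | parse_store_schemes
}

# True (exit 0) if scheme $1 is served by one of the providers $2...
has_store_loader() {
    scheme="$1"; shift
    store_schemes "$@" | grep -qx -- "$scheme"
}

# Preflight for a -key argument, e.g.: check_key_uri "$PRIVATE_KEY" tpm2 default
check_key_uri() {
    uri="$1"; shift
    scheme="$(uri_scheme "$uri")"
    if has_store_loader "$scheme" "$@"; then
        echo "ok: scheme '$scheme' has a store loader among providers: $*"
    else
        echo "no store loader for scheme '$scheme' among providers: $*" >&2
        echo "loaders offered: $(store_schemes "$@" | tr '\n' ' ')" >&2
        return 1
    fi
}

# Runs only when KEY_URI is set, so sourcing this file has no side effects.
if [ -n "${KEY_URI:-}" ]; then check_key_uri "$KEY_URI" tpm2 default; fi
```

Run it as `KEY_URI="$PRIVATE_KEY" sh preflight.sh` before `openssl req`; the stderr line lists the schemes the loaded providers actually offer, which is what the failing trace does not tell you.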
In recent versions of openssl you have
-keyform DER|PEM|ENGINE
in some applications (https://www.openssl.org/docs/man1.1.1/man1/x509.html); maybe you can use it. I don't know how many applications openssl has to make a CSR.
PS: I am searching for x509 to display my certificate and I found a link that might help you: https://colinpaice.blog/2021/03/08/using-openssl-with-an-hsm-keystore-and-opensc-pkcs11-engines/.