SKi 5 openssl pki hsm openssl-engine
I use an HSM through the pkcs11 openssl engine.
ENGINE_load_private_key() is used to load the key to be used. It works fine, except when a key pair is generated:
after a new key pair has been generated on the HSM, ENGINE_load_private_key() still returns the old key.
Apparently later calls to ENGINE_load_private_key() do not read the key from the HSM. Instead, ENGINE_load_private_key() seems to return some cached value.
Is there some way to force openssl to read the new key from the HSM, instead of returning the old key that no longer exists in the HSM?
This code was used to pin down the problem:
#include <stdio.h>
#include <stdlib.h>
#include <openssl/engine.h>
#include <openssl/evp.h>

/* public_key_to_str() is the poster's own helper (not shown in the question):
 * it formats the public half of an EVP_PKEY as printable text. */
const char* public_key_to_str( EVP_PKEY* key );

static void print_public_key_via_openssl( const char* name )
{
    /* Structural reference to the pkcs11 engine, then a functional one. */
    ENGINE *e = ENGINE_by_id( "pkcs11");
    if ( e )
    {
        if ( ENGINE_init( e ) )
        {
            /* Look the key up on the HSM by its slot/label id. */
            EVP_PKEY* key = ENGINE_load_private_key( e, name, NULL, NULL );
            if( key )
            {
                printf( "Public key:\n%s", public_key_to_str(key) );
                EVP_PKEY_free( key );
            }
            ENGINE_finish( e );   /* release the functional reference */
        }
        ENGINE_free( e );         /* release the structural reference */
    }
}

int main( int argc, char** argv )
{
    ...
    // Load the key and print it to stdout
    print_public_key_via_openssl( "slot_1-label_Private02" );

    // Generate new key pair value.
    system( "hsmtool --dump_key 2" );
    system( "hsmtool --gen_key 2" );
    system( "hsmtool --dump_key 2" );

    // Load the key and print it to stdout
    print_public_key_via_openssl( "slot_1-label_Private02" );
    ...
}
Result: the key in the HSM really did change, but openssl still returns the old key:
Public key:
Public-Key: (256 bit)
pub:
04:da:6e:4a:5f:e8:80:e4:e8:07:b8:79:7c:62:f6:
57:78:91:c4:42:89:13:da:72:61:e7:69:07:51:84:
6a:a2:a2:74:7b:79:7b:31:74:1d:b0:74:16:d7:9f:
fa:fd:2f:12:34:b9:80:06:16:84:c0:a3:0a:46:27:
a5:90:30:38:c9
ASN1 OID: prime256v1
NIST CURVE: P-256
Key #2:
X : DA6E4A5FE880E4E807B8797C62F6577891C4428913DA7261E7690751846AA2A2
Y : 747B797B31741DB07416D79FFAFD2F1234B980061684C0A30A4627A5903038C9
Key #2:
X : D6321B2DAAC592DB1E06D43F674804D0107252012BBDD214A7BB519109DD5D6E
Y : 0315E667625CBECA08A1D61BD0087D20D888A41AAE0E28D8789B8BDC8F6D09FF
Public key:
Public-Key: (256 bit)
pub:
04:da:6e:4a:5f:e8:80:e4:e8:07:b8:79:7c:62:f6:
57:78:91:c4:42:89:13:da:72:61:e7:69:07:51:84:
6a:a2:a2:74:7b:79:7b:31:74:1d:b0:74:16:d7:9f:
fa:fd:2f:12:34:b9:80:06:16:84:c0:a3:0a:46:27:
a5:90:30:38:c9
ASN1 OID: prime256v1
NIST CURVE: P-256
Several programs will use the HSM's key pairs. These programs also actively use other key pairs for TLS, so restarting the processes is not a solution.
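As an added example that is not part of the question, the following is a stale-key check a test harness can run after regenerating the HSM key: it compares the "pub:" point OpenSSL prints for the engine-loaded key with the X/Y coordinates hsmtool reports, so the test fails before a stale key is used. The function name hsm_key_is_current() is hypothetical and the sample strings are constructed from the output shown above.

```c
/* Added example (not from the original question): detect the stale engine key
 * by comparing OpenSSL's "pub:" dump with the HSM's current X/Y coordinates. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Copy the colon-separated byte dump that follows "pub:" into OUT as
 * contiguous upper-case hex. Parsing stops at the first token that is not a
 * full hex byte, so the "ASN1 OID:" line after the dump is ignored. */
static size_t extract_pub_hex(const char *text, char *out, size_t outsz)
{
    const char *p = strstr(text, "pub:");
    size_t n = 0;
    if (p == NULL) { out[0] = '\0'; return 0; }
    for (p += 4; n + 2 < outsz; p += 2) {
        while (*p == ':' || isspace((unsigned char)*p)) p++;
        if (!isxdigit((unsigned char)p[0]) || !isxdigit((unsigned char)p[1])) break;
        out[n++] = (char)toupper((unsigned char)p[0]);
        out[n++] = (char)toupper((unsigned char)p[1]);
    }
    out[n] = '\0';
    return n;
}

/* Returns 1 if the engine-loaded key is the HSM's current key, 0 if it is
 * stale (or the dump is not an uncompressed P-256 point: 04 || X || Y). */
int hsm_key_is_current(const char *openssl_dump, const char *hsm_x, const char *hsm_y)
{
    char pub[131], xy[129];
    size_t i, n = extract_pub_hex(openssl_dump, pub, sizeof pub);
    if (n != 130 || strncmp(pub, "04", 2) != 0) return 0;
    if (snprintf(xy, sizeof xy, "%s%s", hsm_x, hsm_y) != 128) return 0;
    for (i = 0; i < 128; i++) xy[i] = (char)toupper((unsigned char)xy[i]);
    return strcmp(pub + 2, xy) == 0;
}

/* Sample input constructed from the output shown in the question. */
static const char *const kOpenSslDump =
    "Public key:\nPublic-Key: (256 bit)\npub:\n"
    "    04:da:6e:4a:5f:e8:80:e4:e8:07:b8:79:7c:62:f6:\n"
    "    57:78:91:c4:42:89:13:da:72:61:e7:69:07:51:84:\n"
    "    6a:a2:a2:74:7b:79:7b:31:74:1d:b0:74:16:d7:9f:\n"
    "    fa:fd:2f:12:34:b9:80:06:16:84:c0:a3:0a:46:27:\n"
    "    a5:90:30:38:c9\nASN1 OID: prime256v1\nNIST CURVE: P-256\n";
static const char *const kOldX = "DA6E4A5FE880E4E807B8797C62F6577891C4428913DA7261E7690751846AA2A2";
static const char *const kOldY = "747B797B31741DB07416D79FFAFD2F1234B980061684C0A30A4627A5903038C9";
static const char *const kNewX = "D6321B2DAAC592DB1E06D43F674804D0107252012BBDD214A7BB519109DD5D6E";
static const char *const kNewY = "0315E667625CBECA08A1D61BD0087D20D888A41AAE0E28D8789B8BDC8F6D09FF";

int main(void)
{
    printf("vs old HSM key: %s\n", hsm_key_is_current(kOpenSslDump, kOldX, kOldY) ? "current" : "STALE");
    printf("vs regenerated HSM key: %s\n", hsm_key_is_current(kOpenSslDump, kNewX, kNewY) ? "current" : "STALE");
    return 0;
}
```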