Yubico private-key certificate signing no longer works with openssl3

Pau*_*aul 6 ssl openssl pki hardware-security-module yubico

I keep my PKI CA certificate and private key on a Yubikey and use it to issue end-user certificates, but after upgrading from openssl1 to openssl3 this no longer works.


The script I use to sign certificate requests works with openssl1 but no longer works with openssl3:

```bash
pki_path=~/pki/paul
# The PIN is read from a file and echoed to the terminal
pin=$(cat ~/yubico/pin.txt)
echo "Yubico PIN: $pin"
# Load the pkcs11 engine (OpenSSL 3 engines live under /usr/lib/engines-3) and point it at the OpenSC PKCS#11 module
openssl engine dynamic -pre SO_PATH:/usr/lib/engines-3/pkcs11.so -pre ID:pkcs11 -pre NO_VCHECK:1 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib/opensc-pkcs11.so -pre VERBOSE
# $1 = extension profile under x509-types/, $2 = request/certificate name; the CA key is the on-token key slot_0-id_2
openssl x509 -engine pkcs11 -CAkeyform engine -CAkey slot_0-id_2 -sha384 -CA $pki_path/ca.crt -req -passin pass:$pin -in $pki_path/reqs/$2.req -extfile x509-types/$1 -days 365 -out $pki_path/issued/$2.crt
# Bundle the issued certificate with the CA certificate
cat $pki_path/issued/$2.crt $pki_path/ca.crt > $pki_path/bundle/$2.crt
```

I have updated the pkcs11 path, but everything else is the same. Running the commands manually registers the engine, but the attempt to sign fails.

```
λ ~/pki/scripts/ openssl engine dynamic -pre SO_PATH:/usr/lib/engines-3/pkcs11.so -pre ID:pkcs11 -pre NO_VCHECK:1 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib/opensc-pkcs11.so -pre VERBOSE
(dynamic) Dynamic engine loading support
[Success]: SO_PATH:/usr/lib/engines-3/pkcs11.so
[Success]: ID:pkcs11
[Success]: NO_VCHECK:1
[Success]: LIST_ADD:1
[Success]: LOAD
[Success]: MODULE_PATH:/usr/lib/opensc-pkcs11.so
[Success]: VERBOSE
Loaded: (pkcs11) pkcs11 engine
λ ~/pki/scripts/ openssl x509 -engine pkcs11 -CAkeyform engine -CAkey slot_0-id_2 -sha384 -CA ~/pki/paul/ca.crt -req -passin pass:$pin -in ~/pki/paul/reqs/paul.csiki.req -extfile x509-types/client -days 365 -out ~/pki/paul/issued/paul.csiki.crt
Engine "pkcs11" set.
Certificate request self-signature ok
subject=CN = paul.csiki
Failed to enumerate slots
PKCS11_get_private_key returned NULL
Could not read CA private key from org.openssl.engine:pkcs11:slot_0-id_2
409754AB157F0000:error:40000067:pkcs11 engine:ERR_ENG_error:invalid parameter:eng_back.c:603:
409754AB157F0000:error:13000080:engine routines:ENGINE_load_private_key:failed loading private key:crypto/engine/eng_pkey.c:79:
```

Package versions:

```
opensc 0.23.0-1
openssl 3.0.9-1
```

pkcs11-tool seems to be able to pull the certificate and private key from the correct slot with the correct ID.

```
λ ~/ pkcs11-tool --module /usr/lib/opensc-pkcs11.so --login -O
Using slot 0 with a present token (0x0)
Logging in to "Alexandru Paul Csiki CA 2022".
Please enter User PIN:
Private Key Object; RSA
  label:      SIGN key
  ID:         02
  Usage:      sign
  Access:     always authenticate, sensitive, always sensitive, never extractable, local
Public Key Object; RSA 2048 bits
  label:      SIGN pubkey
  ID:         02
  Usage:      verify
  Access:     none
Certificate Object; type = X.509 cert
  label:      Certificate for Digital Signature
  subject:    DN: CN=Alexandru Paul Csiki CA 2022
  serial:     D9A92431209229505AAFE58D45432A67
  ID:         02
λ ~/ pkcs15-tool -D
Using reader with a card: Yubico YubiKey OTP+FIDO+CCID 00 00
PKCS#15 Card [Alexandru Paul Csiki CA 2022]:
    Version        : 0
    Serial number  : 00000000
    Manufacturer ID: piv_II
    Flags          :

Private RSA Key [SIGN key]
    Object Flags   : [0x01], private
    Usage          : [0x04], sign
    Access Flags   : [0x1D], sensitive, alwaysSensitive, neverExtract, local
    Algo_refs      : 0
    ModLength      : 2048
    Key ref        : 156 (0x9C)
    Native         : yes
    Auth ID        : 01
    ID             : 02

Public RSA Key [SIGN pubkey]
    Object Flags   : [0x00]
    Usage          : [0xC0], verify, verifyRecover
    Access Flags   : [0x02], extract
    ModLength      : 2048
    Key ref        : 156 (0x9C)
    Native         : yes
    ID             : 02
    DirectValue    : <absent>

X.509 Certificate [Certificate for Digital Signature]
    Object Flags   : [0x00]
    Authority      : no
    Path           :
    ID             : 02
    Encoded serial : 02 11 00D9A92431209229505AAFE58D45432A67
```

I have also tried using a token URI instead of slot + id, to no avail.
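As an added example (not code from the question or the answer), the Python below parses the `pkcs11-tool --login -O` listing shown above into objects, builds the RFC 7512 PKCS#11 URI for the private key (the "token URI" form; the `id` attribute carries the raw CKA_ID bytes, so the listed `02` becomes `%02`), and flags the `always authenticate` access attribute, which in PKCS#11 (CKA_ALWAYS_AUTHENTICATE) means a fresh PIN is required before every private-key operation. The sample listing is a constructed copy of the question's output.

```python
import re
from urllib.parse import quote

# Constructed sample: a copy of the `pkcs11-tool --login -O` listing from the question.
SAMPLE_LISTING = """\
Logging in to "Alexandru Paul Csiki CA 2022".
Private Key Object; RSA
  label:      SIGN key
  ID:         02
  Usage:      sign
  Access:     always authenticate, sensitive, always sensitive, never extractable, local
Certificate Object; type = X.509 cert
  label:      Certificate for Digital Signature
  subject:    DN: CN=Alexandru Paul Csiki CA 2022
  serial:     D9A92431209229505AAFE58D45432A67
  ID:         02
"""

def parse_listing(text):
    """Return (token_label, objects); each object is a dict of its indented fields plus 'class'."""
    token, objects = None, []
    for line in text.splitlines():
        m = re.match(r'Logging in to "(.*)"\.$', line)
        if m:
            token = m.group(1)
            continue
        m = re.match(r"^(Private Key|Public Key|Certificate) Object;", line)
        if m:
            objects.append({"class": m.group(1)})
            continue
        m = re.match(r"^\s+(\w+):\s+(.*)$", line)
        if m and objects:
            objects[-1][m.group(1).lower()] = m.group(2).strip()
    return token, objects

def pkcs11_uri(token, obj):
    """RFC 7512 URI for one object; CKA_ID is raw bytes, so hex '02' is one byte written as %02."""
    # Labels may contain spaces, which the URI syntax requires to be percent-encoded.
    id_part = "".join("%%%02X" % b for b in bytes.fromhex(obj["id"]))
    obj_type = {"Private Key": "private", "Public Key": "public", "Certificate": "cert"}[obj["class"]]
    return "pkcs11:token=%s;object=%s;id=%s;type=%s" % (
        quote(token, safe=""), quote(obj["label"], safe=""), id_part, obj_type)

def always_authenticate(obj):
    """True when the Access line carries CKA_ALWAYS_AUTHENTICATE ('always authenticate')."""
    return "always authenticate" in obj.get("access", "")

def private_key_uri(text):
    token, objects = parse_listing(text)
    return next((pkcs11_uri(token, o) for o in objects if o["class"] == "Private Key"), None)
```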


Von*_*onC 0

Check whether the error (`PKCS11_get_private_key returned NULL`) is related to OpenSC/OpenSC issue 206.

The version of the `opensc-pkcs11.so` file referenced by your OpenSSL command may be outdated. That would mean it uses an older version of the opensc library that cannot correctly handle SPKI (Subject Public Key Information). SPKI is used to represent a public key together with its associated algorithm and parameters.

In your script, you specify the path to the `opensc-pkcs11.so` file as part of the OpenSSL command:

```bash
openssl engine dynamic -pre SO_PATH:/usr/lib/engines-3/pkcs11.so -pre ID:pkcs11 -pre NO_VCHECK:1 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib/opensc-pkcs11.so -pre VERBOSE
```

If the `opensc-pkcs11.so` file at `/usr/lib/opensc-pkcs11.so` comes from an older version of OpenSC, it may be incompatible with the new OpenSSL 3.0 release, causing the error you see.

To resolve this, you may need to make sure that the referenced `opensc-pkcs11.so` file comes from a compatible version of OpenSC. This may involve updating OpenSC to a newer version, or building a new `opensc-pkcs11.so` from newer OpenSC source code.
After doing so, adjust your OpenSSL command to reference the path of the updated `opensc-pkcs11.so`.