Background
I have inherited the task to establish TLS 1.2 connection with server using cryptography token programmatically. The token in question is a read-only - does not allow extraction of private key - smart card. This token have been initialized during manufacture process. Token holds a private key along with certificate.
The token comes with its own PKCS11 module.
I have configured openssl to use said module in engine:
[openssl_def]
engines = engine_section
[engine_section]
pkcs11 = pkcs11_section
[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib/engines/engine_pkcs11.so
MODULE_PATH = TOKEN_PKCS11_LIB.so
init = 0
I have extracted the certificate from SmartCard and stored in sc_cert.pem.
Issue
I have tried to establish a TLS connection to server using command line:
openssl s_client -engine pkcs11 -keyform engine -key "pkcs11:id=HEX;type=private" -cert sc_cert.pem -CAfile .../ca_bundle.pem -connect SERVER:PORT -state -tlsextdebug -debug -showcerts
Upon executing the previous command I receive following output:
engine "pkcs11" set.
PKCS#11 token PIN:
No private keys found.
PKCS11_get_private_key returned NULL
cannot load client certificate private key file from engine
140540314130072:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:eng_pkey.c:124:
unable to load client certificate private key file
Also, I have tried using PKCS11 URI scheme variations to specify key element bu to no avail.
To confirm that private key is present on the card I execute the following command:
pkcs11-tool -vvv -L --module TOKEN_PKCS1_LIB.so --pin PIN -O
The output:
Available slots:
Slot 0 (0x1): ACS ...
manufacturer: ...
hardware ver: ...
firmware ver: ...
flags: token present, removable device, hardware slot
token label : ...
token manufacturer : ...
token model : ...
token flags : login required, rng, token initialized, PIN initialized, other flags=0x40
hardware version : ...
firmware version : ...
serial num : ...
pin min/max : ...
Using slot 0 with a present token (0x1)
Public Key Object; RSA 2048 bits
label: LABEL
ID: ID_HEX
Usage: encrypt, verify
Access: none
Certificate Object; type = X.509 cert
label: LABEL
subject: DN: ...
ID: ID_HEX
Private Key Object; RSA
label: LABEL
ID: ID_HEX
Usage: decrypt, sign
warning: PKCS11 function C_GetAttributeValue(ALWAYS_AUTHENTICATE) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)
warning: PKCS11 function C_GetAttributeValue(ALWAYS_SENSITIVE) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)
Access: sensitive
Note ID_HEX and LABEL of all 3 - public, cert & private - are same values.
Questions
It seems that for reasons unknown to me, openssl engine cannot access private key.
How should I configure / call openssl to use my token in TLS 1.2 authnetication(KeyExchange?)?
Is there something wrong with my configuration?
Is my key URL the problem?
