Re: Поддержка Рутокен ЭЦП в OpenSSL
Инициализировал я токен, пытаюсь сгенерировать закрытый ключ и получаю:
root@tmis-pc:~# openssl genpkey -engine pkcs11_gost -algorithm GOST2001 -pkeyopt slot_key_id:50 -pkeyopt paramset:A -pkeyopt pin:12345678
engine "pkcs11_gost" set.
unable generate gost key
Error generating key
3077568664:error:80011030:Vendor defined:PKCS11_generate_key:Device error:p11_key.c:205:
3077568664:error:8107808E:lib(129):PKEY_GOST01CP_KEYGEN:error generate gost key:gost_sign_pkcs11.c:164:
При этом система поставлена пять минут назад
root@tmis-pc:~# cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=11.10
DISTRIB_CODENAME=oneiric
DISTRIB_DESCRIPTION="Ubuntu 11.10"
Далее генерим закрытые ключи пользователя и СА на Fedora 17
[root@fedora tls]# openssl genpkey -engine pkcs11_gost -algorithm GOST2001 -pkeyopt slot_key_id:50 -pkeyopt paramset:A -pkeyopt pin:12345678
engine "pkcs11_gost" set.
Error writing key
3075877420:error:0D0A30A7:asn1 encoding routines:i2d_PrivateKey:unsupported public key type:i2d_pr.c:77:
3075877420:error:0906900D:PEM routines:PEM_ASN1_write_bio:ASN1 lib:pem_lib.c:357:
[root@fedora tls]# openssl genpkey -engine pkcs11_gost -algorithm GOST2001 -pkeyopt slot_key_id:100 -pkeyopt paramset:A -pkeyopt pin:12345678
engine "pkcs11_gost" set.
Error writing key
3076315692:error:0D0A30A7:asn1 encoding routines:i2d_PrivateKey:unsupported public key type:i2d_pr.c:77:
3076315692:error:0906900D:PEM routines:PEM_ASN1_write_bio:ASN1 lib:pem_lib.c:357:
Переходим в Ubuntu 11.10
root@tmis-pc:~/dd# openssl req -engine pkcs11_gost -new -key 50 -keyform engine -out req.csr -subj "/C=RU/ST=Moscow/L=Moscow/O=KORUS/OU=IT/CN=Sergey Safarov/emailAddress=s.safarov@mail.com"
engine "pkcs11_gost" set.
PKCS#11 token PIN:
root@tmis-pc:~/dd# cat req.csr
-----BEGIN CERTIFICATE REQUEST-----
MIIBRzCB9QIBADCBiDELMAkGA1UEBhMCUlUxDzANBgNVBAgTBk1vc2NvdzEPMA0G
A1UEBxMGTW9zY293MQ4wDAYDVQQKEwVLT1JVUzELMAkGA1UECxMCSVQxFzAVBgNV
BAMTDlNlcmdleSBTYWZhcm92MSEwHwYJKoZIhvcNAQkBFhJzLnNhZmFyb3ZAbWFp
bC5jb20wYzAcBgYqhQMCAhMwEgYHKoUDAgIjAQYHKoUDAgIeAQNDAARAg03vSjQv
2M7UJV4SY+Rwgcd8RE7w/XQo2SkAkw6Dmgae71eegKfXQXMW/MXehShYp1xgw+ub
guwvhUbu7C9li6AAMAoGBiqFAwICAwUAA0EAKKZfcFZImqpZHIQrxCJcXFmqP1+f
0Kolbbj29effNBMSzqnflGpHjZbXhRklno4PDqyMPwAfRlNTZt9GVd3nzQ==
-----END CERTIFICATE REQUEST-----
root@tmis-pc:~/dd# openssl req -engine pkcs11_gost -x509 -new -key 100 -keyform engine -out ca.crt -subj "/C=RU/ST=Moscow/L=Moscow/O=KORUS/OU=IT/CN=TEST CA/emailAddress=TESTCA@korusconsulting"
engine "pkcs11_gost" set.
PKCS#11 token PIN:
root@tmis-pc:~/dd# cat ca.crt
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
root@tmis-pc:~/dd# openssl ca -engine pkcs11_gost -keyfile 100 -keyform engine -cert ca.crt -in req.csr -out tester.crt
Using configuration from /usr/lib/ssl/openssl.cnf
engine "pkcs11_gost" set.
PKCS#11 token PIN:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Nov 12 17:05:48 2012 GMT
Not After : Nov 12 17:05:48 2013 GMT
Subject: C=RU, ST=Moscow, O=KORUS, OU=IT, CN=Sergey Safarov
Certificate is to be certified until Nov 12 17:05:48 2013 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
root@tmis-pc:~/dd# cat tester.crt
Certificate:
Data:
Version: 1 (0x0)
Serial Number: 1 (0x1)
Signature Algorithm: GOST R 34.11-94 with GOST R 34.10-2001
Issuer: C=RU, ST=Moscow, L=Moscow, O=KORUS, OU=IT, CN=TEST CA/emailAddress=TESTCA@korusconsulting
Validity
Not Before: Nov 12 17:05:48 2012 GMT
Not After : Nov 12 17:05:48 2013 GMT
Subject: C=RU, ST=Moscow, O=KORUS, OU=IT, CN=Sergey Safarov
Subject Public Key Info:
Public Key Algorithm: GOST R 34.10-2001
Public key:
X:69A830E930029D92874FDF04E447CC78170E463125E25D4CED82F344AEF4D83
Y:8B652FECEE46852FEC829BEBC3605CA7582885DEC5FC167341D7A7809E57EF9E
Parameter set: id-GostR3410-2001-CryptoPro-A-ParamSet
Signature Algorithm: GOST R 34.11-94 with GOST R 34.10-2001
ea:6c:96:5f:b3:28:04:67:9f:b3:5a:de:2c:d5:db:62:95:8e:
df:01:d7:6a:19:15:73:5f:f4:c4:47:d0:8a:2e:30:30:0c:09:
db:fb:65:aa:6e:69:9c:4e:bc:13:2f:7f:98:06:47:bf:11:dd:
33:5b:14:39:f5:07:f3:68:eb:c7
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
Скажите, почему на Ubuntu 11.10 openssl отказался генерировать закрытые ключи?