Running OpenSUSE LEAP 15.1 and trying to use a Nitrokey USB HSM, see the following:
engine "pkcs11" set.
Unable to load module (null)
Unable to load module (null)
PKCS11_get_private_key returned NULL
cannot load CA private key from engine
140396815820608:error:81065401:libp11:pkcs11_CTX_load:Unable to load PKCS#11 module:p11_load.c:77:
140396815820608:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:crypto/engine/eng_pkey.c:78:
unable to load CA private key
unable to load certificates
However, PKCS is working:
pkcs11-tool --test
Using slot 0 with a present token (0x0)
C_SeedRandom() and C_GenerateRandom():
seeding (C_SeedRandom) not supported
seems to be OK
Digests:
all 4 digest functions seem to work
MD5: OK
SHA-1: OK
RIPEMD160: OK
Signature: not a R/W session, skipping signature tests
Verify: not a R/W session, skipping verify tests
Key unwrap: not a R/W session, skipping key unwrap tests
Decryption: not a R/W session, skipping decryption tests
No errors
pkcs15-tool -D
Using reader with a card: Nitrokey Nitrokey HSM (DENK99999999 ) 00 00
PKCS#15 Card [SmartCard-HSM]:
Version : 0
Serial number : DENK999999
Manufacturer ID: www.CardContact.de
Flags :
PIN [UserPIN]
etc.
etc.
etc.
The packages libpkcs11-helper1, openssl-ibmpkcs11, pkcs11-helper and openssl-engine-libp11 are installed, and the openssl.conf file has the correct settings:
[openssl_def]
engines = engine_section
[engine_section]
pkcs11 = pkcs11_section
[pkcs11_section]
#engine_id = pkcs11 #Note: I have tried both with and without this setting
dynamic_path= /usr/lib64/engines-1.1/pkcs11.so
MODULE_PATH = /usr/lib64/opensc-pkcs11.so
#init = 0 #Note: I have tried both with and without this setting
I have confirmed that the following files exist:
> ls /usr/lib64/engines-1.1/pkcs11.so
/usr/lib64/engines-1.1/pkcs11.so
> ls /usr/lib64/opensc-pkcs11.so
/usr/lib64/opensc-pkcs11.so
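Added example, not part of the original post: OpenSSL only reads an engine section that is reachable from an `openssl_conf` entry in the unnamed default section at the top of the file, and the excerpt above does not show whether that entry is present. The sketch below (hypothetical helpers `parse_cnf` and `check_engine_chain`, run on a sample constructed from the posted sections) walks that chain down to `MODULE_PATH` and reports the first broken link.

```python
import re

# Constructed sample: the sections as posted on this page (no default-section line shown).
SAMPLE = """\
[openssl_def]
engines = engine_section
[engine_section]
pkcs11 = pkcs11_section
[pkcs11_section]
dynamic_path= /usr/lib64/engines-1.1/pkcs11.so
MODULE_PATH = /usr/lib64/opensc-pkcs11.so
"""

def parse_cnf(text):
    """Parse OpenSSL-style config into {section: {key: value}}; '' is the default section."""
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment
        if not line:
            continue
        m = re.fullmatch(r"\[\s*(\S+)\s*\]", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def check_engine_chain(text, engine="pkcs11"):
    """Walk openssl_conf -> engines -> engine section; list what is missing along the way."""
    s = parse_cnf(text)
    root = s[""].get("openssl_conf")
    if root is None:
        return ["no 'openssl_conf' in the default section, so no engine section is read"]
    if root not in s:
        return [f"openssl_conf names missing section [{root}]"]
    eng_list = s[root].get("engines")
    if eng_list not in s:
        return [f"[{root}] has no 'engines' entry naming an existing section"]
    eng_sec = s[eng_list].get(engine)
    if eng_sec not in s:
        return [f"[{eng_list}] has no '{engine}' entry naming an existing section"]
    return [f"[{eng_sec}] lacks {k}" for k in ("dynamic_path", "MODULE_PATH")
            if k not in s[eng_sec]]

if __name__ == "__main__":
    print(check_engine_chain(SAMPLE))                                   # sections as posted
    print(check_engine_chain("openssl_conf = openssl_def\n" + SAMPLE))  # with a default-section entry
```

To check a real file, pass its contents, for example `check_engine_chain(open(path).read())`, using the path of the configuration file that `openssl` actually loads.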