
Error while generate a certificate signing request #338

Closed
Darsh-Dev opened this issue Apr 15, 2020 · 5 comments

Comments


Darsh-Dev commented Apr 15, 2020

Hi,

I am following the steps as mentioned at
https://aws.amazon.com/blogs/iot/using-a-trusted-platform-module-for-endpoint-device-security-in-aws-iot-greengrass/

I am facing an issue while generating a certificate signing request. The command below is used:

openssl req -engine pkcs11 -new -key "pkcs11:model=SLI9670;manufacturer=Infineon;token=greengrass;object=greenkey;type=private;pin-value=123456" -keyform engine -out /tmp/req.csr

OpenSSL> engine dynamic -pre SO_PATH:/usr/lib/engines-1.1/libpkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib/opensc-pkcs11.so
    (dynamic) Dynamic engine loading support
    [Success]: SO_PATH:/usr/lib/engines-1.1/libpkcs11.so
    [Success]: ID:pkcs11
    [Success]: LIST_ADD:1
    [Success]: LOAD
    [Success]: MODULE_PATH:/usr/lib/opensc-pkcs11.so
    Loaded: (pkcs11) pkcs11 engine

openssl req -verbose -engine pkcs11 -new -key "pkcs11:model=SLI9670;manufacturer=Infineon;token=greengrass;object=greenkey;type=private;pin-value=123456" -keyform engine -out /tmp/req.csr
engine "pkcs11" set.
Using configuration from /usr/lib/ssl-1.1/openssl.cnf
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
Specified object not found
PKCS11_get_private_key returned NULL
cannot load Private Key from engine
3070050320:error:80067065:pkcs11 engine:ctx_load_privkey:object not found:eng_back.c:862:
3070050320:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:../openssl-1.1.1b/crypto/engine/eng_pkey.c:78:
unable to load Private Key
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
root@stm32mp1-av96:~#

OpenSSL> req -engine pkcs11 -new -key "pkcs11:model=SLI9670;manufacturer=Infineon;token=greengrass;object=greenkey;type=private;pin-value=123456" -keyform engine -out /r
engine "pkcs11" set.
problem creating object tsa_policy1=1.2.3.4.1
3069923344:error:08064066:object identifier routines:OBJ_create:oid exists:../openssl-1.1.1b/crypto/objects/obj_dat.c:698:
error in req

OpenSSL>

Can you please guide us further here?

Darsh-Dev (Author) commented

@mtrojnar

I have checked the similar thread #104. No solution found.

We are following the steps on a Linux-Yocto build.

dengert (Member) commented Apr 16, 2020

Looks like an OpenSSL error. Googling for "OID 1.2.3.4.1" leads to:
openssl/openssl#4598
with some suggestions about openssl.cnf having multiple entries.

Darsh-Dev (Author) commented Apr 17, 2020

@dengert We have checked the same thread; I am not getting the solution yet.

Error:

Specified object not found
PKCS11_get_private_key returned NULL
cannot load Private Key from engine
3070050320:error:80067065:pkcs11 engine:ctx_load_privkey:object not found:eng_back.c:862:
3070050320:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:../openssl-1.1.1b/crypto/engine/eng_pkey.c:78:
unable to load Private Key

The command below works fine, just to validate OpenSSL:
openssl req -new -key verificationCert.key -out verificationCert.csr

dengert (Member) commented Apr 17, 2020

Your first post had:

problem creating object tsa_policy1=1.2.3.4.1
3069923344:error:08064066:object identifier routines:OBJ_create:oid exists:../openssl-1.1.1b/crypto/objects/obj_dat.c:698:

Did you fix it?

https://aws.amazon.com/blogs/iot/using-a-trusted-platform-module-for-endpoint-device-security-in-aws-iot-greengrass/ is very complicated. Are you building this on a Raspberry Pi?

I think the problem is the wrong PKCS11 module is being used.
git clone https://github.com/tpm2-software/tpm2-pkcs11 looks like it builds its own PKCS11 module. But your openssl.cnf has MODULE_PATH:/usr/lib/opensc-pkcs11.so, which is trying to use the OpenSC PKCS11 module.

If you change MODULE_PATH: to point to the tpm2-pkcs11 module (not sure what it is called) it might work. libp11 can load other PKCS11 modules. It does not have to be the OpenSC module.

Darsh-Dev (Author) commented

@dengert Thanks for the update.

After changing MODULE_PATH:/usr/lib/opensc-pkcs11.so to MODULE_PATH:/usr/lib/pkcs11/libtpm2_pkcs11.so, it's working fine.
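The root cause in this thread is a configuration mismatch: the pkcs11 engine loaded the OpenSC module (`opensc-pkcs11.so`), while the `greenkey` object had been provisioned through tpm2-pkcs11, so the PKCS#11 URI resolved against the wrong module and the engine reported "Specified object not found". As an added example that is not part of the issue, libp11, OpenSC or the AWS blog, the POSIX shell script below reads `MODULE_PATH` out of an `openssl.cnf` engine section and checks that the module file actually exists before `openssl req -engine pkcs11` is retried. The `openssl.cnf` layout follows libp11's documented engine-section shape; all file paths in it are assumptions for this example.

```shell
#!/bin/sh
# Added example, not from the issue or from libp11/OpenSC: verify that the
# PKCS#11 module named by MODULE_PATH in an openssl.cnf engine section
# exists, so the pkcs11 engine is pointed at the module that actually
# provisioned the key (tpm2-pkcs11 in this thread, not OpenSC).

# Write a constructed openssl.cnf in the libp11 engine-section layout.
#   $1 = output file, $2 = MODULE_PATH value to configure (assumed paths)
make_sample_cnf() {
    cat > "$1" <<EOF
openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib/engines-1.1/libpkcs11.so
MODULE_PATH = $2
init = 0
EOF
}

# Print the first MODULE_PATH value found in $1, with surrounding
# whitespace stripped; prints nothing if the key is absent.
module_path_from_cnf() {
    sed -n 's/^[[:space:]]*MODULE_PATH[[:space:]]*=[[:space:]]*//p' "$1" \
        | sed 's/[[:space:]]*$//' | head -n 1
}

# Exit status 0 when $1 names a MODULE_PATH that is a readable file,
# 1 when the key is missing or the module is not present on disk.
check_module() {
    mp=$(module_path_from_cnf "$1")
    if [ -z "$mp" ]; then
        echo "no MODULE_PATH in $1" >&2
        return 1
    fi
    if [ ! -r "$mp" ]; then
        echo "MODULE_PATH $mp is not readable on this host" >&2
        return 1
    fi
    return 0
}

# Stand-alone demonstration against a constructed config that uses the
# tpm2-pkcs11 path the thread ended up with (assumed location).
demo_cnf=$(mktemp)
make_sample_cnf "$demo_cnf" /usr/lib/pkcs11/libtpm2_pkcs11.so
echo "configured MODULE_PATH: $(module_path_from_cnf "$demo_cnf")"
if check_module "$demo_cnf"; then
    echo "module present"
else
    echo "module missing: fix MODULE_PATH before retrying 'openssl req -engine pkcs11'"
fi
rm -f "$demo_cnf"
```

A present file only proves the path is right, not that the key lives behind it. On the device itself, the follow-up check is OpenSC's `pkcs11-tool --module "$mp" --list-objects --login`, which should list the `greenkey` private object once `MODULE_PATH` names the same module that provisioned it; if the object only appears under one module, that is the one the engine must load.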
