I recently got my YubiKey 4C and want to use it on macOS Sierra 10.12.6. What I am trying to achieve is setting up openssl to use pkcs11 as an engine. I used brew to install openssl and not to mess up my system openssl installation. Running Code:
>./openssl version
OpenSSL 1.0.2l 25 May 2017
from the installation /bin directory returns a newer version.
I followed https://dennis.silvrback.com/openssl-ca-with-yubikey-neo instructions to configure the pkcs11 engine for openssl.
To my /etc/ssl/openssl.cnf file I added:
Code:
openssl_conf = openssl_def
...
[openssl_def]
engines = engine_section
[engine_section]
pkcs11 = pkcs11_section
[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/local/Cellar/engine_pkcs11/0.1.8/lib/engines/engine_pkcs11.so
MODULE_PATH = /usr/local/Cellar/opensc/0.17.0/lib/opensc-pkcs11.so
init = 0
Now when I start openssl shell I get:
Code:
OpenSSL>engine pkcs11 -t
140736418550792:error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:dso_dlfcn.c:187:filename(/usr/local/Cellar/openssl/1.0.2l/lib/engines/libpkcs11.dylib): dlopen(/usr/local/Cellar/openssl/1.0.2l/lib/engines/libpkcs11.dylib, 2): image not found
140736418550792:error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:233:
140736418550792:error:260B6084:engine routines:DYNAMIC_LOAD:dso not found:eng_dyn.c:467:
140736418550792:error:2606A074:engine routines:ENGINE_by_id:no such engine:eng_list.c:390:id=pkcs11
Entering the dynamic engine command yields:
Code:
OpenSSL> engine dynamic -pre SO_PATH:/usr/local/Cellar/engine_pkcs11/0.1.8/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/local/Cellar/opensc/0.17.0/lib/opensc-pkcs11.so
(dynamic) Dynamic engine loading support
[Success]: SO_PATH:/usr/local/Cellar/engine_pkcs11/0.1.8/lib/engines/engine_pkcs11.so
[Success]: ID:pkcs11
[Success]: LIST_ADD:1
[Success]: LOAD
[Success]: MODULE_PATH:/usr/local/Cellar/opensc/0.17.0/lib/opensc-pkcs11.so
Loaded: (pkcs11) pkcs11 engine
The paths should also be valid:
Code:
$ ls /usr/local/Cellar/engine_pkcs11/0.1.8/lib/engines/engine_pkcs11.so
/usr/local/Cellar/engine_pkcs11/0.1.8/lib/engines/engine_pkcs11.so
$ ls /usr/local/Cellar/opensc/0.17.0/lib/opensc-pkcs11.so
/usr/local/Cellar/opensc/0.17.0/lib/opensc-pkcs11.so
Can you please point out what I did wrong?
My overall goal is setting up my own root CA like https://jamielinux.com/docs/openssl-certificate-authority/create-the-root-pair.html describes. The only difference should be that the private key should be stored and generated on the YubiKey4C.
Thank you very much for you help and effort.Statistics: Posted by capodaster — Fri Sep 29, 2017 7:28 pm
]]>