mtrojnar/osslsigncode

using on windows with nitrokey HSM2

TheMonsterIT opened this issue · 11 comments

Hello, I have problems: I can't find a way to sign an executable under Windows with the Nitrokey HSM USB module.
Let's say that using signtool works properly, but this involves many Windows components that can go wrong (PIN popup and so on),
so I'm trying to find a simpler working method.

what i have done:

  1. Installed the latest OpenSC Project 0.24 to have access to the HSM dongle
  2. Ran the sign command:
    osslsigncode sign -verbose -pkcs11engine "C:\Program Files\OpenSC Project\OpenSC\pkcs11\opensc-pkcs11.dll" -pkcs11cert "pkcs11:object=win-sign-test1" -h sha1 -in "a.exe" -out b.exe
    Failed to set 'dynamic' engine
    Failed to read key or certificates
    142F0000:error:1280006A:DSO support routines:win32_bind_func:could not bind to the requested symbol name:crypto\dso\dso_win32.c:184:symname(bind_engine)
    142F0000:error:1280006A:DSO support routines:DSO_bind_func:could not bind to the requested symbol name:crypto\dso\dso_lib.c:176:
    142F0000:error:13000068:engine routines:dynamic_load:DSO failure:crypto\engine\eng_dyn.c:455:
    Failed

I think there is some problem with the pkcs11 DLL provided by OpenSC and osslsigncode, or I am missing something in the command line... any help?

Your opensc-pkcs11.dll is a PKCS#11 module, and not a PKCS#11 engine. An engine is an interface between OpenSSL and a module, while a module is an interface between an engine and your hardware. Different software, different role, different interfaces. Both are shared libraries, which often causes confusion. Be sure to specify the right one for each option.

OK, so after your reply I downloaded libp11-0.4.11-windows, which should be the engine:

osslsigncode sign -verbose -pkcs11engine "pkcs11.dll" -pkcs11module "C:\Program Files\OpenSC Project\OpenSC\pkcs11\opensc-pkcs11.dll" -pkcs11cert "pkcs11:object=win-sign-test1" -h sha1 -in "a.exe" -out b.exe
Failed to set 'dynamic' engine
Failed to read key or certificates
AC3B0000:error:12800067:DSO support routines:win32_load:could not load the shared library:crypto\dso\dso_win32.c:108:filename(pkcs11.dll.dll)
AC3B0000:error:12800067:DSO support routines:DSO_load:could not load the shared library:crypto\dso\dso_lib.c:152:
AC3B0000:error:13000084:engine routines:dynamic_load:dso not found:crypto\engine\eng_dyn.c:442:
Failed

And the same with the engine libp11-3.dll.

P.S. In the meantime I fixed an error where legacy.dll was not found in the path.
So what have I missed now?

pkcs11.dll.dll?

Yes, I see the double .dll in the error message. As you can see I load it with one .dll, but also without the .dll extension (so the error message shows the correct file) the result doesn't change.

I guess what you need is to set OPENSSL_ENGINES=. in your environment instead of specifying a command-line option to your osslsigncode. Also, make sure all of your dlls and your osslsigncode.exe are either 64-bit or 32-bit.
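The two things the replies above ask the reporter to check, that the file given to -pkcs11engine really is an engine and not the PKCS#11 module, and that osslsigncode.exe and both DLLs are the same bitness, can be verified before running osslsigncode at all. The script below is an added example written for this page; it is not code from osslsigncode, libp11 or OpenSC. It reads the Machine field of each file's PE header to compare bitness and, on Windows only, loads a DLL with ctypes and probes it for `C_GetFunctionList` (the entry point every PKCS#11 module exports) versus `bind_engine` and `v_check` (the entry points OpenSSL's dynamic engine loader binds; the thread's first error message is that lookup failing). `minimal_pe_header` only builds a constructed header so the bitness check can be exercised offline.

```python
"""
Pre-flight checks for the DLLs osslsigncode loads on Windows.

Added example for this thread; not code from osslsigncode, libp11 or OpenSC.
- pe_machine(): reads the PE header Machine field, so a 32/64-bit mismatch
  between osslsigncode.exe, the engine and the module is caught up front.
- classify_dll(): Windows only, loads a DLL with ctypes and probes for the
  PKCS#11 entry point C_GetFunctionList (a *module*) versus the OpenSSL
  dynamic-engine entry points bind_engine and v_check (an *engine*).
"""
import ctypes
import struct
import sys

# IMAGE_FILE_HEADER.Machine values for the builds that matter here.
MACHINE_NAMES = {0x014C: "x86", 0x8664: "x64", 0xAA64: "arm64"}


def pe_machine(image):
    """Return 'x86', 'x64', ... for a PE image given as bytes."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE file (no MZ signature)")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)   # offset of 'PE\0\0'
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file (no PE signature)")
    (machine,) = struct.unpack_from("<H", image, e_lfanew + 4)
    return MACHINE_NAMES.get(machine, f"unknown(0x{machine:04X})")


def same_architecture(images):
    """True when every PE image in the list has the same Machine value."""
    return len({pe_machine(img) for img in images}) == 1


def classify_exports(exported):
    """Map the set of probed export names to the role of the DLL."""
    if "C_GetFunctionList" in exported:
        return "pkcs11-module"          # belongs in -pkcs11module
    if {"bind_engine", "v_check"} <= exported:
        return "openssl-engine"         # belongs in -pkcs11engine
    return "unknown"


def classify_dll(path):
    """Windows only: load the DLL and check which entry points it exports."""
    if sys.platform != "win32":
        raise OSError("probing exports with ctypes.WinDLL needs Windows")
    dll = ctypes.WinDLL(path)           # also fails here on a bitness mismatch
    probed = {name for name in ("C_GetFunctionList", "bind_engine", "v_check")
              if hasattr(dll, name)}
    return classify_exports(probed)


def minimal_pe_header(machine):
    """Constructed test input: the smallest byte string pe_machine() accepts."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)              # e_lfanew -> 0x40
    return bytes(dos) + b"PE\0\0" + struct.pack("<H", machine) + bytes(18)


if __name__ == "__main__":
    # Usage: python check_dlls.py osslsigncode.exe pkcs11.dll opensc-pkcs11.dll
    paths = sys.argv[1:]
    images = []
    for path in paths:
        with open(path, "rb") as f:
            images.append(f.read())
        role = "-"
        if path.lower().endswith(".dll") and sys.platform == "win32":
            role = classify_dll(path)
        print(f"{pe_machine(images[-1]):6} {role:15} {path}")
    if images and not same_architecture(images):
        print("bitness mismatch: exe, engine and module must all be the same")
```

Run it with osslsigncode.exe, the engine DLL and the module DLL as arguments; any file reported as a different architecture, or a file reported as `pkcs11-module` where you expected `openssl-engine`, explains the "could not load" and "could not bind" errors seen in this thread.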

All DLLs are 64-bit, double-checked right now.
Specifying the path with OPENSSL_ENGINES makes no difference, but skipping -pkcs11engine in combination with the path being set shows the correct filename in the log:

osslsigncode sign -verbose -pkcs11module "C:\Program Files\OpenSC Project\OpenSC\pkcs11\opensc-pkcs11.dll" -pkcs11cert "pkcs11:object=win-sign-test1" -h sha1 -in "a.exe" -out b.exe
Failed to set 'dynamic' engine
Failed to read key or certificates
B03D0000:error:12800067:DSO support routines:win32_load:could not load the shared library:crypto\dso\dso_win32.c:108:filename(C:\osslsign2\pkcs11.dll)
B03D0000:error:12800067:DSO support routines:DSO_load:could not load the shared library:crypto\dso\dso_lib.c:152:
B03D0000:error:13000084:engine routines:dynamic_load:dso not found:crypto\engine\eng_dyn.c:442:
Failed

@olszomal Can you take a look?

My pkcs11.dll library is located in the directory C:\Program Files (x86)\stunnel\engines\
I can use the -pkcs11engine option:

>osslsigncode.exe sign -in unsigned.exe -out signed.exe 
 -pkcs11module "C:\Program Files\OpenSC Project\OpenSC\pkcs11\opensc-pkcs11.dll" 
 -pkcs11engine "C:\Program Files (x86)\stunnel\engines\pkcs11.dll" 
 -pkcs11cert "pkcs11:type=cert;object=test_cert;pin-value=1234"
Engine "pkcs11" set.
Succeeded

or set OPENSSL_ENGINES environment variable:

>set OPENSSL_ENGINES=C:\Program Files (x86)\stunnel\engines
>osslsigncode.exe sign -in unsigned.exe -out signed.exe
 -pkcs11module "C:\Program Files\OpenSC Project\OpenSC\pkcs11\opensc-pkcs11.dll"
 -pkcs11cert "pkcs11:type=cert;object=test_cert;pin-value=1234"
Engine "pkcs11" set.
Succeeded

Good point! Using the pkcs11.dll from the stunnel download does the trick. Somehow the library from libp11 was not compatible with the exe.
Now I need to figure out how the pkcs11cert value is made to access the certificate, but a big thank you to all.
Artur

RFC 7512 may be helpful.
libp11 supports the following attribute names:

  • model
  • manufacturer
  • token
  • serial
  • object
  • id
  • pin-value
  • pin-source
  • type ("public" / "private" / "cert")
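The attribute list above is the vocabulary of an RFC 7512 PKCS#11 URI, and the working commands in this thread show how it is used with -pkcs11cert. The helper below is an added example written for this page, not code from osslsigncode, libp11 or OpenSC. It builds a URI from attribute values with the percent-encoding RFC 7512 requires (a label containing a space or ';' must be encoded, and `id` is the raw CKA_ID as %XX bytes), parses one back while accepting the ';' that the commands in this thread put before pin-value instead of the RFC's '?', and masks pin-value so a command line can be logged or pasted into an issue without the PIN.

```python
"""
RFC 7512 PKCS#11 URI helpers for the -pkcs11cert value.

Added example for this thread; not code from osslsigncode, libp11 or OpenSC.
It builds a URI from attribute values with the percent-encoding RFC 7512
requires, parses one back (accepting the ';' before pin-value that the
working commands in this thread use), and redacts pin-value so the command
line can be logged without the PIN.
"""
import re
from urllib.parse import quote, unquote, unquote_to_bytes

# Attribute names libp11 accepts, as listed in the thread.
PATH_ATTRS = {"model", "manufacturer", "token", "serial", "object", "id", "type"}
QUERY_ATTRS = {"pin-value", "pin-source"}
TYPES = {"public", "private", "cert"}

# Characters RFC 7512 allows unencoded in a path / query value besides the
# unreserved set; anything else (space, ';', '%', ...) must be percent-encoded.
PATH_SAFE = ":[]@!$'()*+,=&"
QUERY_SAFE = ":[]@!$'()*+,=/?|"


def _encode_id(value):
    """'id' is the raw CKA_ID; accept bytes or a hex string, emit %XX per byte."""
    if isinstance(value, str):
        value = bytes.fromhex(value)
    return "".join(f"%{b:02X}" for b in value)


def build_pkcs11_uri(path, query=None):
    """Return a strict RFC 7512 URI: path attrs joined by ';', query after '?'."""
    query = query or {}
    unknown = (set(path) - PATH_ATTRS) | (set(query) - QUERY_ATTRS)
    if unknown:
        raise ValueError(f"unsupported attribute(s): {sorted(unknown)}")
    if "type" in path and path["type"] not in TYPES:
        raise ValueError(f"type must be one of {sorted(TYPES)}")
    parts = [f"id={_encode_id(v)}" if k == "id" else f"{k}={quote(v, safe=PATH_SAFE)}"
             for k, v in path.items()]
    uri = "pkcs11:" + ";".join(parts)
    if query:
        uri += "?" + "&".join(f"{k}={quote(v, safe=QUERY_SAFE)}" for k, v in query.items())
    return uri


def parse_pkcs11_uri(uri):
    """Split a URI into (path_attrs, query_attrs); 'id' is returned as bytes.

    Lenient on separators: the commands in this thread put pin-value after ';'
    rather than '?', so ';', '?' and '&' are all treated as separators here
    (which means a literal '&' inside a path value is not supported).
    """
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path, query = {}, {}
    for item in re.split(r"[;?&]", uri[len("pkcs11:"):]):
        if not item:
            continue
        name, sep, value = item.partition("=")
        if not sep:
            raise ValueError(f"attribute without a value: {item!r}")
        if name in PATH_ATTRS:
            target = path
        elif name in QUERY_ATTRS:
            target = query
        else:
            raise ValueError(f"unsupported attribute {name!r}")
        if name in target:
            raise ValueError(f"duplicate attribute {name!r}")
        target[name] = unquote_to_bytes(value) if name == "id" else unquote(value)
    if "type" in path and path["type"] not in TYPES:
        raise ValueError(f"type must be one of {sorted(TYPES)}")
    return path, query


def redact_pin(uri):
    """Mask pin-value so the osslsigncode command line can be logged or pasted."""
    return re.sub(r"(pin-value=)[^;?&]*", r"\1****", uri)


if __name__ == "__main__":
    uri = build_pkcs11_uri({"type": "cert", "object": "test_cert"}, {"pin-value": "1234"})
    print(uri)                       # pkcs11:type=cert;object=test_cert?pin-value=1234
    print(parse_pkcs11_uri(uri))
    print(redact_pin("pkcs11:object=win-sign-test1;pin-value=1234"))
```

Prefer `pin-source` (a file the PIN is read from) or an interactive prompt over `pin-value` on a shared machine: anything in `pin-value` ends up in shell history and process listings, which is exactly what `redact_pin` is for when a command line has to be shared.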

Perfect, working.
To sum up: you need the x64 build of osslsigncode, and install the stunnel software "stunnel-latest-win64-installer.exe".
My private key is:
Private RSA Key [7EB923BE095E40D6872E0995CCD08F3D]
found with the "pkcs15-tool -D" command.
Add to the command line the public certificate matching the HSM private key, "public_crt.pem",
and that's it, signed file :)

osslsigncode.exe sign -in unsigned.exe -out signed.exe -pkcs11module "C:\Program Files\OpenSC Project\OpenSC\pkcs11\opensc-pkcs11.dll" -pkcs11engine "C:\Program Files (x86)\stunnel\engines\pkcs11.dll" -pkcs11cert "pkcs11:object=7EB923BE095E40D6872E0995CCD08F3D;pin-value=648219" -certs "public_crt.pem"
Engine "pkcs11" set.

Thank you!