I'm trying to generate a shared session key from ECDH. I can do it with the private and public keys of two different clients, and it gives me the same key. For example:
openssl pkeyutl -derive -inkey client_priv_key.pem -peerkey client1_pub_key.pem -hexdump
0000 - db 36 45 25 da 9d 65 da-13 bb 42 27 62 74 1e e0 .6E%..e...B'bt..
0010 - 3d 3f a8 4d be da 10 fb-96 a6 90 b0 3f a4 c3 08 =?.M........?...
openssl pkeyutl -derive -inkey client1_priv_key.pem -peerkey client_pub_key.pem -hexdump
0000 - db 36 45 25 da 9d 65 da-13 bb 42 27 62 74 1e e0 .6E%..e...B'bt..
0010 - 3d 3f a8 4d be da 10 fb-96 a6 90 b0 3f a4 c3 08 =?.M........?...
However, I'm trying to do the same with my YubiKey NEO (which has the keys in slot 3) through the PKCS#11 engine.
I'm using these commands:
openssl pkeyutl -engine pkcs11 -keyform engine -derive -inkey 'pkcs11:manufacturer=piv_II;id=%03;type=private;pin-value=123456' -peerform PEM -peerkey client_pub_key.pem -hexdump
engine "pkcs11" set.
0000 - f8 36 e5 ec 0a 55 12 92-4b 3d 04 aa 2d f1 ab 0c .6...U..K=..-...
0010 - b6 18 0f 9d 55 54 9c e9-b5 21 b6 ca be 34 69 e0 ....UT...!...4i.
openssl pkeyutl -engine pkcs11 -derive -keyform PEM -inkey client_priv_key.pem -peerform engine -peerkey 'pkcs11:manufacturer=piv_II;id=%03;type=public' -hexdump
engine "pkcs11" set.
0000 - fb 72 f7 34 9e 52 9a 04-e2 3b bd 5f 89 91 e0 37 .r.4.R...;._...7
0010 - 30 c2 1e 94 e1 a8 e6 9c-5c 27 7b 35 12 78 b1 55 0.......'{5.x.U
And as you can see, the secrets are different. I already tried to extract the public key with pkcs15-tool --read-public-key 03 -o pub.key
and other ways, and it extracts the same public key, but when I pass the file pub.key to the command instead, the same thing happens.
Can you help me with that?
Thanks.
question from:
https://stackoverflow.com/questions/65905092/derivation-shared-secret-different-with-pkcs11
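The two checks a practitioner would run before blaming the engine are (1) that the ECDH derivation really is symmetric for a known-good pair of keys, and (2) that the public key handed to -peerkey is actually the partner of the private key used on the other side; a mismatch in the second check produces exactly the symptom in the question. The script below is an added example and is not code from the original post or from OpenSSL/OpenSC; it uses only stock openssl commands on file-based keys (it generates fresh prime256v1 keypairs in a temp directory, so the key names a.pem, b.pem, c.pem are its own). The function names ecdh_hex, pub_fingerprint, pub_matches_priv and ecdh_symmetric are hypothetical helpers defined here, not OpenSSL features.

```shell
#!/bin/sh
# Added example (not from the original post): derive an ECDH shared secret
# from both sides with openssl and check the two results agree, plus a check
# that a public-key file is the partner of a given private key.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Raw ECDH shared secret (x-coordinate) as a lowercase hex string.
# $1 = own private key (PEM), $2 = peer public key (PEM)
ecdh_hex() {
    openssl pkeyutl -derive -inkey "$1" -peerkey "$2" | od -An -v -tx1 | tr -d ' \n'
}

# SHA-256 over the DER SubjectPublicKeyInfo, so a public key can be compared
# whether it came from a private-key file or from a public-key file
# (e.g. one exported from a token with pkcs15-tool --read-public-key).
# $1 = PEM file, $2 = "priv" or "pub"
pub_fingerprint() {
    if [ "$2" = priv ]; then
        openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 | awk '{print $NF}'
    else
        openssl pkey -pubin -in "$1" -outform DER | openssl dgst -sha256 | awk '{print $NF}'
    fi
}

# Succeeds only if the public key in $2 belongs to the private key in $1.
pub_matches_priv() {
    [ "$(pub_fingerprint "$1" priv)" = "$(pub_fingerprint "$2" pub)" ]
}

# Succeeds only if A(priv) x B(pub) and B(priv) x A(pub) give the same secret.
# $1 = priv_a, $2 = pub_a, $3 = priv_b, $4 = pub_b
ecdh_symmetric() {
    [ "$(ecdh_hex "$1" "$4")" = "$(ecdh_hex "$3" "$2")" ]
}

# Fresh P-256 keypair: private key in $1, matching public key in $2.
gen_keypair() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$1"
    openssl pkey -in "$1" -pubout -out "$2"
}

# Constructed test material: two real peers plus an unrelated key that
# stands in for "the public key I thought belonged to the other side".
gen_keypair "$WORK/a.pem" "$WORK/a_pub.pem"
gen_keypair "$WORK/b.pem" "$WORK/b_pub.pem"
gen_keypair "$WORK/c.pem" "$WORK/c_pub.pem"

if ecdh_symmetric "$WORK/a.pem" "$WORK/a_pub.pem" "$WORK/b.pem" "$WORK/b_pub.pem"; then
    echo "A<->B: shared secret matches ($(ecdh_hex "$WORK/a.pem" "$WORK/b_pub.pem"))"
fi
# Using the wrong peer public key on one side reproduces the mismatch symptom.
if ! ecdh_symmetric "$WORK/a.pem" "$WORK/a_pub.pem" "$WORK/b.pem" "$WORK/c_pub.pem"; then
    echo "A<->B with c_pub as B's key: secrets differ, as expected"
fi
if ! pub_matches_priv "$WORK/b.pem" "$WORK/c_pub.pem"; then
    echo "c_pub.pem is not the partner of b.pem"
fi
```

To apply the same checks to a token-held key, point pub_fingerprint at the public key exported from the token and at the public key the engine returns for the same id, and compare those fingerprints with each other before comparing shared secrets; if they disagree, the two openssl invocations are not operating on the same keypair, and the differing secrets follow from that rather than from the derivation itself.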