
Max PKCS#11 id URI length of 100 characters? #531

@tdbhacks

Description


Hello,

Apologies if this has been asked already; I did a quick search online but couldn't find any references to "100 characters" or other PKCS#11 URI length limits, though I might have missed a doc somewhere.

Our PKCS#11 library (https://github.com/GoogleCloudPlatform/kms-integrations) uses relatively long key IDs, and I just ran into a surprising failure while trying to generate a self-signed certificate:

$ openssl req -new -x509 -days 3650 -subj '/CN=test/' -sha256 -engine pkcs11 -keyform engine -key pkcs11:id=some_id_longer_than_100_characters > my-test.crt

Engine "pkcs11" set.
The private key ID is not a valid PKCS#11 URI
The PKCS#11 URI format is defined by RFC7512
The private key ID is not a valid PKCS#11 URI
The PKCS#11 URI format is defined by RFC7512
The private key was not found at: pkcs11:id=some_id_longer_than_100_characters
PKCS11_get_private_key returned NULL
Could not read private key from org.openssl.engine:pkcs11:pkcs11:id=some_id_longer_than_100_characters
40D7D791067F0000:error:40000064:pkcs11 engine:ERR_ENG_error:invalid id:eng_back.c:400:
40D7D791067F0000:error:13000080:engine routines:ENGINE_load_private_key:failed loading private key:../crypto/engine/eng_pkey.c:79:
Aborted

"some_id_longer_than_100_characters" has been redacted, but the same behavior can also be reproduced with something simple such as 100 "a"s.

My questions:

  • is this intended?
  • is the limit documented anywhere?

I opened an issue in the OpenSSL repo as well, but they rightfully pointed me here. Thank you!
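As an added diagnostic for the failure described above (this is not code from libp11, OpenSSL or the kms-integrations library), the following script parses a PKCS#11 URI along the lines of RFC 7512 and reports how long the `id` attribute is, both as written in the URI and after percent-decoding, so a URI can be checked before it is handed to the engine. The 100-character threshold is taken from this report (100 "a"s reproduce the rejection); RFC 7512 itself defines no maximum, and whether 99 characters would be accepted is not established here.

```python
"""Inspect the id attribute of a pkcs11: URI before passing it to an engine.

Added diagnostic example; not code from libp11, OpenSSL or kms-integrations.
"""
from urllib.parse import unquote_to_bytes

# Length at which this issue observed the engine rejecting the id
# (100 "a"s reproduce it). Taken from the report, not from RFC 7512.
REPORTED_FAILING_ID_LENGTH = 100

SCHEME = "pkcs11:"


def _parse_attrs(section: str, separator: str) -> dict[str, bytes]:
    """Split 'name=value<sep>name=value' into percent-decoded byte values."""
    attrs: dict[str, bytes] = {}
    for item in section.split(separator):
        if not item:
            continue  # an empty section ("pkcs11:" alone, or no query) is fine
        name, sep, value = item.partition("=")
        if not sep or not name:
            raise ValueError(f"malformed attribute: {item!r}")
        if name in attrs:
            raise ValueError(f"duplicate attribute: {name!r}")
        attrs[name] = unquote_to_bytes(value)
    return attrs


def parse_pkcs11_uri(uri: str) -> tuple[dict[str, bytes], dict[str, bytes]]:
    """Return (path_attributes, query_attributes) for a pkcs11: URI.

    Path attributes (token, id, object, ...) are separated by ';' and query
    attributes (module-path, pin-value, ...) by '&', as in RFC 7512.
    """
    if not uri.startswith(SCHEME):
        raise ValueError("not a pkcs11: URI")
    path_part, _, query_part = uri[len(SCHEME):].partition("?")
    return _parse_attrs(path_part, ";"), _parse_attrs(query_part, "&")


def inspect_id(uri: str) -> dict:
    """Report the id length as written and after decoding, and flag the reported limit."""
    path_attrs, _ = parse_pkcs11_uri(uri)
    literal = ""
    for item in uri[len(SCHEME):].partition("?")[0].split(";"):
        if item.startswith("id="):
            literal = item[len("id="):]
    decoded = path_attrs.get("id", b"")
    return {
        "literal_length": len(literal),
        "decoded_length": len(decoded),
        # Percent-decoding never lengthens a value, so the literal length is the
        # conservative measure whichever form an engine happens to count.
        "hits_reported_limit": len(literal) >= REPORTED_FAILING_ID_LENGTH,
    }


if __name__ == "__main__":
    # Constructed inputs: the reproduction from this issue, and a short id
    # with percent-encoded bytes and a module-path query attribute.
    for sample in ("pkcs11:id=" + "a" * 100,
                   "pkcs11:token=my-token;id=%01%02%ff?module-path=/path/to/module.so"):
        print(sample[:60], inspect_id(sample))
```

Run it against the exact URI you pass to `-key` (the `pkcs11:` string only, without the `org.openssl.engine:pkcs11:` prefix the error message shows) to see whether the id reaches the length this report identifies.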
