PDF签名:PKCS11_get_private_key返回NULL

在Ubuntu 18.04.1中，openssl engine pkcs11 -t -c正确显示

(pkcs11) pkcs11 engine
[RSA, rsaEncryption, id-ecPublicKey]
[ available ]

目的是使用安全网令牌(金雅拓5110(验证PDF，该令牌加载了插槽0:中的AATL链式证书

$ pkcs11-tool --module /usr/lib/libeTPkcs11.so --login -O
Using slot 0 with a present token (0x0)
Logging in to "pdfsigner".
Please enter User PIN:
Private Key Object; RSA
label:
ID:         hexstringblah
Usage:      decrypt, sign, unwrap
Certificate Object; type = X.509 cert
label:      te-123456-123456aa
ID:         hexstringblah
Certificate Object; type = X.509 cert
label:
Certificate Object; type = X.509 cert
label:
Certificate Object; type = X.509 cert
label:
Certificate Object; type = X.509 cert
label:
$ pkcs11-tool --module /usr/lib/libeTPkcs11.so --list-slots
Available slots:
Slot 0 (0x0): AKS ifdh [eToken 5110 SC] 00 00
token label        : pdfsigner
token manufacturer : SafeNet, Inc.
token model        : eToken
token flags        : login required, rng, token initialized, PIN initialized, other flags=0x200
hardware version   : 16.0
firmware version   : 16.1
serial num         : 123456
pin min/max        : 6/20

当我尝试用openssl pkeyutl -sign -keyform ENGINE -engine pkcs11 -inkey "pkcs11:object=te-123456-123456aa;type=cert;pin-value=password" -in certifyme.pdf -out certifyme.pdf签名时，我得到了

engine "pkcs11" set.
No private keys found.
PKCS11_get_private_key returned NULL
cannot load Private Key from engine
139808273490368:error:80067065:pkcs11 engine:ctx_load_privkey:object not found:eng_back.c:876:
139808273490368:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:../crypto/engine/eng_pkey.c:78:
unable to load Private Key
pkeyutl: Error initializing context

令牌中有一个私钥：

$ pkcs11-dump dump /usr/lib/libeTPkcs11.so 0 password
pkcs11-dump 0.3.4 - PKI Cryptoki token dump
Written by Alon Bar-Lev
Copyright (C) 2005-2006 Alon Bar-Lev.
This is free software; see the source for copying conditions.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Token Information:
label: pdfsigner
manufacturerID: SafeNet, Inc.
model: eToken
serialNumber: 123456
flags: CKF_RNG,CKF_LOGIN_REQUIRED,CKF_USER_PIN_INITIALIZED,CKF_DUAL_CRYPTO_OPERATIONS,CKF_TOKEN_INITIALIZED
ulMaxSessionCount: 0
ulMaxSessionCount: 0
ulMaxPinLen: 20
ulMinPinLen: 6
ulTotalPublicMemory: 81920
ulFreePublicMemory: 32767
ulTotalPrivateMemory: 81920
ulFreePrivateMemory: 32767
hardwareVersion: 016.000
firmwareVersion: 016.001
utcTime: x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00 Object 0
Object size: 65
CKA_CLASS: CKO_PRIVATE_KEY
CKA_TOKEN: TRUE
CKA_PRIVATE: TRUE
CKA_LABEL:
CKA_KEY_TYPE: CKK_RSA
CKA_SUBJECT: ERROR
CKA_ID: 7c 14 f6 86 13 6b 31 9e
CKA_SENSITIVE: TRUE
CKA_DECRYPT: TRUE
CKA_UNWRAP: TRUE
CKA_SIGN: TRUE
CKA_SIGN_RECOVER: TRUE
CKA_DERIVE: FALSE
CKA_START_DATE:
CKA_END_DATE:
CKA_MODULUS:
$ p11tool --provider=/usr/lib/libeTPkcs11.so --list-all
Object 0:
URL: pkcs11:model=eToken;manufacturer=MFG.;serial=123456;token=pdfsigner;id=00escapedhex;object=te-123456-123456aa;type=cert
Type: X.509 Certificate
Label: te-123456-123456aa
ID: 00escapedhex
Object 1:
URL: pkcs11:model=eToken;manufacturer=MFG.;serial=123456;token=pdfsigner;type=cert
Type: X.509 Certificate
Label:
Flags: CKA_CERTIFICATE_CATEGORY=CA;
ID:
Object 2:
URL: pkcs11:model=eToken;manufacturer=MFG.;serial=123456;token=pdfsigner;type=cert
Type: X.509 Certificate
Label:
Flags: CKA_CERTIFICATE_CATEGORY=CA;
ID:
Object 3:
URL: pkcs11:model=eToken;manufacturer=MFG.;serial=123456;token=pdfsigner;type=cert
Type: X.509 Certificate
Label:
Flags: CKA_CERTIFICATE_CATEGORY=CA;
ID:
Object 4:
URL: pkcs11:model=eToken;manufacturer=MFG.;serial=123456;token=pdfsigner;type=cert
Type: X.509 Certificate
Label:
Flags: CKA_CERTIFICATE_CATEGORY=CA;
ID:

AFAIK cmd不应请求PK，而只能让令牌对请求进行签名。pkeyutl中的参数是否不正确？

我能够使用相同的令牌在Windows中验证和签署PDF如何通过PKCS#11和openssl对PDF进行签名