Hello to all, is anyone using, or has anyone experienced, the OCSPd with Engine-PKCS11
combination? OCSPd seems to start to work (it loads the engine and it
executes the "pre" commands without problem), but all the responses are an
OCSP-Response without a signature! The ASN.1 is very strange: it is missing the
CONTEXT SPECIFIC (1) with the DN of the OCSP Signer certificate (i.e. the
responderID node), and the node with the signature has no signatureAlgorithm
(0 instead of the OID) and an empty signature.
How is it possible? I've read some old messages on some ML regarding the
Engine-PKCS11 not being able to perform RSA signatures, but this is very strange
because I use the engine in OpenCA to generate certificates!

Any help?

P.S. This is the HSM section of ocspd.conf:

[ HSM ]
engine_id = dynamic

0.engine_pre  = SO_PATH:/opt/openssl_engine/lib/engines/engine_pkcs11.so
1.engine_pre  = ID:pkcs11
2.engine_pre = LIST_ADD:1
3.engine_pre = LOAD
4.engine_pre  = VERBOSE
5.engine_pre = MODULE_PATH:/opt/Eracom/lib/libcryptoki.so
6.engine_pre = PIN:12345678

And this is the output of OCSPd in /var/log/messages:

Initialising HSM [dynamic]
Available Engine [ dynamic ]
Executing HSM PRE commands
HSM command success
[SO_PATH:/opt/openssl_engine/lib/engines/engine_pkcs11.so]
HSM command success [ID:pkcs11]
HSM command success [LIST_ADD:1]
HSM command success [LOAD]
HSM command success [VERBOSE]
HSM command success [MODULE_PATH:/opt/Eracom/lib/libcryptoki.so]
HSM command success [PIN:12345678]
Executing HSM POST commands
HSM no commands to execute in stack
Engine Initialisation Complete ["dynamic"]
reading certificate file (/usr/local/etc/ocspd/certs/ocsp_cert.pem).
Private Key in HSM [ id = slot_0-label_OCSPNew ]
reading CA certificate file.
OCSP Daemon setup completed

The private key is loaded successfully (it seems):

OpenCA's OCSP Responder - v1.5.1
(c) 2002-2006 by Massimiliano Pala and OpenCA Project
    OpenCA licensed software

initializing engine
Looking in slot 0 for key: label: OCSPNew
Found 2 slots
[0] ERACOM Software Only.:843                    (OCSP)
[1] ERACOM Software Only.      login             (AdminToken (0000))
Found slot:  ERACOM Software Only.:84324
Found token: OCSP
Found 0 certificate:
Found 1 key:
   1 P  OCSPNew

-- 
Diego
_______________________________________________
Openca-Users mailing list
Openca-Users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openca-users
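Added example (not part of Diego's message, OCSPd or engine_pkcs11): a small standalone DER walker that checks a captured OCSP response for exactly the symptoms described above, i.e. a ResponseData without a [1] byName / [2] byKey responderID, a signatureAlgorithm that does not start with an OID, and an empty signature BIT STRING. The sample responses it builds are constructed by hand to show the signed and the broken shape side by side; the "signature" bytes are placeholders, not a real RSA signature. A response saved with `openssl ocsp ... -respout resp.der` can be passed as the first argument to run the same checks on real data.

```python
"""Check whether a BasicOCSPResponse is actually signed (minimal DER walker)."""
import sys

OID_SHA1_RSA = bytes.fromhex("06092a864886f70d010105")    # sha1WithRSAEncryption (TLV)
OID_OCSP_BASIC = bytes.fromhex("06092b0601050507300101")  # id-pkix-ocsp-basic (TLV)


def der(tag, content):
    """Encode one TLV with definite-length DER (short and long form lengths)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def tlvs(data):
    """Yield (tag, content) for each top-level TLV in data (single-byte tags)."""
    i = 0
    while i < len(data):
        tag, first = data[i], data[i + 1]
        if first < 0x80:
            n, hdr = first, 2
        else:
            k = first & 0x7F
            n, hdr = int.from_bytes(data[i + 2:i + 2 + k], "big"), 2 + k
        yield tag, data[i + hdr:i + hdr + n]
        i += hdr + n


def build_basic_response(signed):
    """Constructed toy BasicOCSPResponse; signed=False reproduces the reported symptoms."""
    name = der(0x30, der(0x31, der(0x30, der(0x06, bytes.fromhex("550403"))  # CN=
                                         + der(0x13, b"OCSP Signer"))))
    produced_at = der(0x18, b"20080101000000Z")
    responses = der(0x30, b"")  # SEQUENCE OF SingleResponse left empty for brevity
    if signed:
        tbs = der(0x30, der(0xA1, name) + produced_at + responses)  # [1] byName responderID
        alg = der(0x30, OID_SHA1_RSA + der(0x05, b""))
        sig = der(0x03, b"\x00" + b"\xAB" * 128)  # placeholder for a 1024-bit RSA signature
    else:
        tbs = der(0x30, produced_at + responses)  # responderID missing
        alg = der(0x30, der(0x02, b"\x00"))       # "0 instead of the OID" (approximation)
        sig = der(0x03, b"\x00")                  # BIT STRING carrying zero payload bits
    return der(0x30, tbs + alg + sig)


def wrap_ocsp_response(basic):
    """Wrap a BasicOCSPResponse in OCSPResponse {successful, [0] ResponseBytes}."""
    return der(0x30, der(0x0A, b"\x00")
               + der(0xA0, der(0x30, OID_OCSP_BASIC + der(0x04, basic))))


def basic_from_ocsp_response(ocsp_resp):
    """Unwrap OCSPResponse -> [0] ResponseBytes -> OCTET STRING -> BasicOCSPResponse DER."""
    (_, outer), = tlvs(ocsp_resp)
    status, wrapped = list(tlvs(outer))[:2]
    if status[1] != b"\x00":
        raise ValueError("responseStatus is not 'successful'")
    (_, resp_bytes), = tlvs(wrapped[1])
    _oid, octets = list(tlvs(resp_bytes))[:2]
    return octets[1]


def check_basic_response(basic):
    """Return a list of problems; an empty list means the response looks signed."""
    outer = list(tlvs(basic))
    if len(outer) != 1 or outer[0][0] != 0x30:
        return ["top level is not a single SEQUENCE"]
    parts = list(tlvs(outer[0][1]))
    if len(parts) < 3:
        return ["BasicOCSPResponse has fewer than 3 elements"]
    (_, tbs), (alg_tag, alg), (sig_tag, sig) = parts[:3]
    problems = []
    fields = [t for t, _ in tlvs(tbs)]
    if fields and fields[0] == 0xA0:        # optional [0] version comes first
        fields = fields[1:]
    if not fields or fields[0] not in (0xA1, 0xA2):
        problems.append("responderID missing (expected [1] byName or [2] byKey)")
    alg_fields = list(tlvs(alg)) if alg_tag == 0x30 else []
    if not alg_fields or alg_fields[0][0] != 0x06:
        problems.append("signatureAlgorithm does not start with an OID")
    if sig_tag != 0x03 or len(sig) < 2 or not any(sig[1:]):
        problems.append("signature BIT STRING is empty")
    return problems


if __name__ == "__main__":
    if len(sys.argv) > 1:                    # e.g. a file written by openssl ocsp -respout
        with open(sys.argv[1], "rb") as f:
            data = basic_from_ocsp_response(f.read())
    else:
        data = build_basic_response(signed=False)
    print(check_basic_response(data) or ["response looks signed"])
```

The check only looks at structure; it does not verify the signature value. It is meant as the first triage step: if the responderID and signature are absent as above, the engine never produced a signature and the problem lies in the signing path (engine or key handle), not in OCSP response verification.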