Ok, resolved this problem. There is a bug in Engine PKCS#11 version 0.1.4
(and today I've discovered there is a 0.1.5 version...). With this bug,
engine_pkcs11 didn't perform a login on the token when reading private
objects. But now another problem arises: OCSPd works very well when launched
in the standard way, but it doesn't work when launched in daemon mode (with
the -d option).

The problem is always related to the signature, but this time the OCSP
certificate appears and the signature algorithm appears, yet the
signature doesn't appear (an empty array)! I've read the source code and
the only difference is that in daemon mode there is a fork(). Could this
be it?

p.s. there is a bug in the ocspd script: the if test of the ps -p on the
pid misses the " around the ' characters.

On Mon, Aug 25, 2008 at 20:08, Diego de Felice <[EMAIL PROTECTED]> wrote:

>   Hello to all, is anyone using, or has anyone experienced, the OCSPd with
> Engine-PKCS11 combination? OCSPd seems to start to work (it loads the
> engine and executes the "pre" commands without problem), but all the
> responses are an OCSP-Response without signature! The ASN.1 is very strange:
> it misses the CONTEXT SPECIFIC (1) with the DN of the OCSP Signer
> certificate (i.e. the responderID node), and the node with the signature has
> no signatureAlgorithm (0 instead of the OID) and an empty signature.
>  How is it possible? I've read some old messages on some ML regarding
> Engine-PKCS11 not being able to perform RSA signatures, but this is very strange
> because I use the engine in OpenCA to generate certificates!
>
>  Any help?
>
> p.s. this is the HSM section of ocspd.conf
>
> [ HSM ]
> engine_id = dynamic
>
> 0.engine_pre  = SO_PATH:/opt/openssl_engine/lib/engines/engine_pkcs11.so
> 1.engine_pre  = ID:pkcs11
> 2.engine_pre = LIST_ADD:1
> 3.engine_pre = LOAD
> 4.engine_pre  = VERBOSE
> 5.engine_pre = MODULE_PATH:/opt/Eracom/lib/libcryptoki.so
> 6.engine_pre = PIN:12345678
>
> And this is the output of OCSPd in /var/log/messages:
>
> Initialising HSM [dynamic]
> Available Engine [ dynamic ]
> Executing HSM PRE commands
> HSM command success
> [SO_PATH:/opt/openssl_engine/lib/engines/engine_pkcs11.so]
> HSM command success [ID:pkcs11]
> HSM command success [LIST_ADD:1]
> HSM command success [LOAD]
> HSM command success [VERBOSE]
> HSM command success [MODULE_PATH:/opt/Eracom/lib/libcryptoki.so]
> HSM command success [PIN:12345678]
> Executing HSM POST commands
> HSM no commands to execute in stack
> Engine Initialisation Complete ["dynamic"]
> reading certificate file (/usr/local/etc/ocspd/certs/ocsp_cert.pem).
> Private Key in HSM [ id = slot_0-label_OCSPNew ]
> reading CA certificate file.
> OCSP Daemon setup completed
> The private key is loaded successfully (it seems):
>
> OpenCA's OCSP Responder - v1.5.1
> (c) 2002-2006 by Massimiliano Pala and OpenCA Project
>     OpenCA licensed software
>
> initializing engine
> Looking in slot 0 for key: label: OCSPNew
> Found 2 slots
> [0] ERACOM Software Only.:843                    (OCSP)
> [1] ERACOM Software Only.      login             (AdminToken (0000))
> Found slot:  ERACOM Software Only.:84324
> Found token: OCSP
> Found 0 certificate:
> Found 1 key:
>    1 P  OCSPNew
>
> --
> Diego
>



-- 
Diego
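As an added example (not part of this thread, and not OCSPd or engine_pkcs11 code), here is a small self-contained DER walker that checks an OCSP response for exactly the three defects described above: a missing responderID ([1] byName / [2] byKey) inside tbsResponseData, a signatureAlgorithm without an OID, and an empty signature BIT STRING. It parses TLVs by hand so it needs no third-party library, and it builds its own constructed sample responses (one sound, one defective) so it runs offline; all sample values, including the dummy signature bytes and the producedAt time, are made up for the example. The behaviour reported in daemon mode is consistent with the PKCS#11 rule that a forked child must not reuse the parent's sessions and has to re-initialise the library, so a check like this is useful to confirm whether a responder's output is actually signed before chasing the engine.

```python
"""Detect unsigned / malformed OCSP responses (constructed example)."""

# Real OIDs, DER-encoded without tag/length.
OID_SHA1_RSA = bytes.fromhex("2a864886f70d010105")     # 1.2.840.113549.1.1.5
OID_OCSP_BASIC = bytes.fromhex("2b0601050507300101")   # 1.3.6.1.5.5.7.48.1.1


def der_len(n):
    """Encode a DER length (short or long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    """Wrap body in a DER tag/length/value triplet."""
    return bytes([tag]) + der_len(len(body)) + body


def read_tlv(buf, pos=0):
    """Decode one TLV at pos; return (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def children(body):
    """Split the value of a constructed element into its (tag, value) items."""
    out, pos = [], 0
    while pos < len(body):
        tag, inner, pos = read_tlv(body, pos)
        out.append((tag, inner))
    return out


def check_basic_ocsp_response(der):
    """Return a list of problems found in a BasicOCSPResponse (empty = OK)."""
    tag, body, _ = read_tlv(der)
    if tag != 0x30:
        return ["BasicOCSPResponse is not a SEQUENCE"]
    parts = children(body)
    if len(parts) < 3:
        return ["fewer than 3 elements: signatureAlgorithm or signature missing"]
    (_, tbs), (alg_tag, alg), (sig_tag, sig) = parts[:3]
    problems = []
    # ResponderID is a CHOICE tagged [1] (byName) or [2] (byKey).
    if not any(t in (0xA1, 0xA2) for t, _ in children(tbs)):
        problems.append("responderID missing from tbsResponseData")
    # AlgorithmIdentifier must start with an OBJECT IDENTIFIER.
    alg_parts = children(alg) if alg_tag == 0x30 else []
    if not alg_parts or alg_parts[0][0] != 0x06:
        problems.append("signatureAlgorithm carries no OID")
    # BIT STRING value = 1 unused-bits byte + signature; <= 1 byte means empty.
    if sig_tag != 0x03 or len(sig) <= 1:
        problems.append("signature BIT STRING is empty")
    return problems


def check_ocsp_response(der):
    """Accept either a full OCSPResponse or a bare BasicOCSPResponse."""
    _, body, _ = read_tlv(der)
    parts = children(body)
    if parts and parts[0][0] == 0x0A:  # responseStatus ENUMERATED => outer wrapper
        if parts[0][1] != b"\x00":
            return ["responseStatus is not successful(0)"]
        if len(parts) < 2 or parts[1][0] != 0xA0:
            return ["responseBytes [0] missing"]
        response_bytes = children(parts[1][1])[0][1]      # ResponseBytes SEQUENCE
        (_, oid), (_, octets) = children(response_bytes)  # OID, OCTET STRING
        if oid != OID_OCSP_BASIC:
            return ["unexpected responseType OID"]
        der = octets
    return check_basic_ocsp_response(der)


def build_sample(good):
    """Construct a sample OCSPResponse; good=False reproduces the defects."""
    name = tlv(0x30, b"")                       # empty Name (constructed sample)
    produced_at = tlv(0x18, b"20080825180800Z")  # GeneralizedTime, made-up value
    responses = tlv(0x30, b"")                   # SEQUENCE OF SingleResponse, empty
    tbs_items = ([tlv(0xA1, name)] if good else []) + [produced_at, responses]
    tbs = tlv(0x30, b"".join(tbs_items))
    alg = tlv(0x30, tlv(0x06, OID_SHA1_RSA) + tlv(0x05, b"")) if good else tlv(0x30, b"")
    sig = tlv(0x03, b"\x00" + bytes(range(16))) if good else tlv(0x03, b"\x00")
    basic = tlv(0x30, tbs + alg + sig)
    response_bytes = tlv(0x30, tlv(0x06, OID_OCSP_BASIC) + tlv(0x04, basic))
    return tlv(0x30, tlv(0x0A, b"\x00") + tlv(0xA0, response_bytes))


if __name__ == "__main__":
    for label, der in (("sound", build_sample(True)), ("defective", build_sample(False))):
        print(label, check_ocsp_response(der) or "OK")
```

To run it against a real responder, save a response with `openssl ocsp ... -respout resp.der` and pass the file contents to `check_ocsp_response`; a non-empty list means the response would fail signature verification at every client regardless of which key the engine was supposed to use.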
_______________________________________________
Openca-Users mailing list
Openca-Users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openca-users