Hi list,

I just ran into a very weird oddity with openssl 1.0 (both the fc12 
version 1.0.0-beta4 on my laptop and the official 1.0.0 version); I've 
initialized an etoken using pkcs15-init -C, copied a certificate to it 
using pkcs15-init -X, the priv key using pkcs15-init -S, etc.

Now I want to use the openssl engine support to basically do a
  openssl req -engine pkcs11 .....
to sign a certificate using a key on the token.
In order to do this I set up an openssl.cnf file like this:

openssl_conf = openssl_def

[ openssl_def ]
engines = engine_section

[ engine_section ]
pkcs11 = pkcs11_section

[ pkcs11_section ]
engine_id = pkcs11
dynamic_path = /usr/lib64/openssl/engines/engine_pkcs11.so
MODULE_PATH = /usr/lib64/opensc-pkcs11.so
init = 0

[ req ]
distinguished_name = req_distinguished_name

[ req_distinguished_name ]


and to test it I run
  openssl engine -v -t
When I compile opensc 0.11.13, engine_pkcs 0.5 and libp11 0.2.7 against 
openssl 0.9.8 this works fine:

.../openssl-0.9.8k/apps/openssl engine -t -v
(dynamic) Dynamic engine loading support
     [ unavailable ]
     SO_PATH, NO_VCHECK, ID, LIST_ADD, DIR_LOAD, DIR_ADD, LOAD
(pkcs11) pkcs11 engine
     [ available ]
     SO_PATH, MODULE_PATH, PIN, VERBOSE, QUIET, INIT_ARGS


but when I recompile the same versions against openssl 1.0 I get:

.../openssl-1.0.0/apps/openssl engine -v -t
(dynamic) Dynamic engine loading support
     [ unavailable ]
     SO_PATH, NO_VCHECK, ID, LIST_ADD, DIR_LOAD, DIR_ADD, LOAD
(pkcs11) pkcs11 engine
openssl (lock_dbg_cb): already locked (mode=9, type=30) at eng_list.c:284
Auto configuration failed
139937913001640:error:26078067:engine routines:ENGINE_LIST_ADD:conflicting engine id:eng_list.c:116:
139937913001640:error:2606906E:engine routines:ENGINE_add:internal list error:eng_list.c:288:
139937913001640:error:260B6067:engine routines:DYNAMIC_LOAD:conflicting engine id:eng_dyn.c:540:
139937913001640:error:260BC066:engine routines:INT_ENGINE_CONFIGURE:engine configuration error:eng_cnf.c:204:section=pkcs11_section, name=dynamic_path, value=/home/janjust/src/engine_pkcs11-0.1.5/src/.libs/engine_pkcs11.so
139937913001640:error:0E07606D:configuration file routines:MODULE_RUN:module initialization error:conf_mod.c:235:module=engines, value=engine_section, retcode=-1

It seems like the openssl engine code is calling the engine_pkcs11 
bind_helper function *twice*, possibly as the shared libraries that are 
loaded when the engine is loaded themselves depend on openssl...

Has anybody else experienced this? It seems like an openssl bug but I'd 
like to confirm that before I proceed...

Side-remarks:
- Recently I obtained 2 Feitian cards; they show the exact same problem, 
so at least it is not a hardware driver issue...
- I also use etokens using Aladdin's pkiclient software and they work 
without problems on fc12.


thanks in advance,

JJK

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
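
An added example, not part of the original post and not OpenSSL or OpenSC code: a small Python parser for the error queue quoted above. It splits each packed error code the way the OpenSSL 1.0.x ERR_GET_LIB / ERR_GET_FUNC / ERR_GET_REASON macros do and reports the oldest entry, which is where the failure started. The names parse_queue and root_cause are hypothetical, and SAMPLE holds three of the post's lines with the mail wrapping undone.

```python
import re

# Three lines from the post's error output, rejoined after mail wrapping.
SAMPLE = """\
139937913001640:error:26078067:engine routines:ENGINE_LIST_ADD:conflicting engine id:eng_list.c:116:
139937913001640:error:260B6067:engine routines:DYNAMIC_LOAD:conflicting engine id:eng_dyn.c:540:
139937913001640:error:0E07606D:configuration file routines:MODULE_RUN:module initialization error:conf_mod.c:235:module=engines, value=engine_section, retcode=-1
"""

# Library numbers from OpenSSL's err.h (only the two that occur in the post).
LIB_NAMES = {14: "CONF", 38: "ENGINE"}

LINE_RE = re.compile(
    r"^(?P<tid>\d+):error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):"
    r"(?P<func>[^:]*):(?P<reason>[^:]*):(?P<file>[^:]+):(?P<line>\d+):(?P<data>.*)$"
)

def unpack(code):
    """Split a packed OpenSSL 1.0.x error code into (lib, func, reason)."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def parse_queue(text):
    """Parse ERR_print_errors-style lines; non-matching lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        lib, func, reason = unpack(int(m["code"], 16))
        entries.append({
            "lib": lib, "lib_name": LIB_NAMES.get(lib, "lib%d" % lib),
            "func": func, "func_name": m["func"],
            "reason": reason, "reason_text": m["reason"],
            "where": "%s:%s" % (m["file"], m["line"]),
            "data": m["data"],
        })
    return entries

def root_cause(entries):
    """The queue is printed oldest first, so entry 0 is the original failure."""
    return entries[0] if entries else None

if __name__ == "__main__":
    for e in parse_queue(SAMPLE):
        print("%-6s func=%-3d reason=%-3d %-16s %s (%s)" % (
            e["lib_name"], e["func"], e["reason"], e["func_name"],
            e["reason_text"], e["where"]))
    print("root cause:", root_cause(parse_queue(SAMPLE))["where"])
```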
