hi list, I just ran into a very weird oddity with openssl 1.0 (both the fc12 version 1.0.0-beta4 on my laptop and the official 1.0.0 version) ; I've initialized an etoken using pkcs15-init -C , copied a certificate to it using pkcs15-init -X , the priv key using pkcs15-init -S etc
Now I want to use the openssl engine support to basically do a openssl req -engine pkcs11 ..... to sign a certificate using a key on the token. In order to do this I set up an openssl.cnf file like this: openssl_conf = openssl_def [ openssl_def ] engines = engine_section [ engine_section ] pkcs11 = pkcs11_section [ pkcs11_section ] engine_id = pkcs11 dynamic_path = /usr/lib64/openssl/engines/engine_pkcs11.so MODULE_PATH = /usr/lib64/opensc-pkcs11.so init = 0 [ req ] distinguished_name = req_distinguished_name [ req_distinguished_name ] and to test it I run openssl engine -v -t When I compile opensc 0.11.13 , engine_pkcs 0.5 and libp11 0.2.7 against openssl 0.9.8 this works fine: .../openssl-0.9.8k/apps/openssl engine -t -v (dynamic) Dynamic engine loading support [ unavailable ] SO_PATH, NO_VCHECK, ID, LIST_ADD, DIR_LOAD, DIR_ADD, LOAD (pkcs11) pkcs11 engine [ available ] SO_PATH, MODULE_PATH, PIN, VERBOSE, QUIET, INIT_ARGS but when I recompile the same versions against openssl 1.0 I get: .../openssl-1.0.0/apps/openssl engine -v -t (dynamic) Dynamic engine loading support [ unavailable ] SO_PATH, NO_VCHECK, ID, LIST_ADD, DIR_LOAD, DIR_ADD, LOAD (pkcs11) pkcs11 engine openssl (lock_dbg_cb): already locked (mode=9, type=30) at eng_list.c:284 Auto configuration failed 139937913001640:error:26078067:engine routines:ENGINE_LIST_ADD:conflicting engine id:eng_list.c:116: 139937913001640:error:2606906E:engine routines:ENGINE_add:internal list error:eng_list.c:288: 139937913001640:error:260B6067:engine routines:DYNAMIC_LOAD:conflicting engine id:eng_dyn.c:540: 139937913001640:error:260BC066:engine routines:INT_ENGINE_CONFIGURE:engine configuration error:eng_cnf.c:204:section=pkcs11_section, name=dynamic_path, value=/home/janjust/src/engine_pkcs11-0.1.5/src/.libs/engine_pkcs11.so 139937913001640:error:0E07606D:configuration file routines:MODULE_RUN:module initialization error:conf_mod.c:235:module=engines, value=engine_section, retcode=-1 it seems like the openssl engine code is calling the engine_pkcs11 bind_helper function *twice*, possibly as the shared libraries that are loaded when the engine is loaded themselves depend on openssl... Has anybody else experienced this? it seems like an openssl bug but I like to confirm that before I proceed... Side-remarks: - recently I obtained 2 Feitian cards ; they show the exact same problem so at least it is not a hardware driver issue... - I also use etokens using Aladdin's pkiclient software and they work without problems on fc12 . thanks in advance, JJK _______________________________________________ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel