hi list,
I just ran into a very weird oddity with openssl 1.0 (both the fc12
version 1.0.0-beta4 on my laptop and the official 1.0.0 version) ; I've
initialized an etoken using pkcs15-init -C , copied a certificate to it
using pkcs15-init -X , the priv key using pkcs15-init -S etc
Now I want to use the openssl engine support to basically do a
openssl req -engine pkcs11 .....
to sign a certificate using a key on the token.
In order to do this I set up an openssl.cnf file like this:
openssl_conf = openssl_def
[ openssl_def ]
engines = engine_section
[ engine_section ]
pkcs11 = pkcs11_section
[ pkcs11_section ]
engine_id = pkcs11
dynamic_path = /usr/lib64/openssl/engines/engine_pkcs11.so
MODULE_PATH = /usr/lib64/opensc-pkcs11.so
init = 0
[ req ]
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
and to test it I run
openssl engine -v -t
When I compile opensc 0.11.13 , engine_pkcs 0.5 and libp11 0.2.7 against
openssl 0.9.8 this works fine:
.../openssl-0.9.8k/apps/openssl engine -t -v
(dynamic) Dynamic engine loading support
[ unavailable ]
SO_PATH, NO_VCHECK, ID, LIST_ADD, DIR_LOAD, DIR_ADD, LOAD
(pkcs11) pkcs11 engine
[ available ]
SO_PATH, MODULE_PATH, PIN, VERBOSE, QUIET, INIT_ARGS
but when I recompile the same versions against openssl 1.0 I get:
.../openssl-1.0.0/apps/openssl engine -v -t
(dynamic) Dynamic engine loading support
[ unavailable ]
SO_PATH, NO_VCHECK, ID, LIST_ADD, DIR_LOAD, DIR_ADD, LOAD
(pkcs11) pkcs11 engine
openssl (lock_dbg_cb): already locked (mode=9, type=30) at eng_list.c:284
Auto configuration failed
139937913001640:error:26078067:engine
routines:ENGINE_LIST_ADD:conflicting engine id:eng_list.c:116:
139937913001640:error:2606906E:engine routines:ENGINE_add:internal list
error:eng_list.c:288:
139937913001640:error:260B6067:engine routines:DYNAMIC_LOAD:conflicting
engine id:eng_dyn.c:540:
139937913001640:error:260BC066:engine
routines:INT_ENGINE_CONFIGURE:engine configuration
error:eng_cnf.c:204:section=pkcs11_section, name=dynamic_path,
value=/home/janjust/src/engine_pkcs11-0.1.5/src/.libs/engine_pkcs11.so
139937913001640:error:0E07606D:configuration file
routines:MODULE_RUN:module initialization
error:conf_mod.c:235:module=engines, value=engine_section, retcode=-1
it seems like the openssl engine code is calling the engine_pkcs11
bind_helper function *twice*, possibly as the shared libraries that are
loaded when the engine is loaded themselves depend on openssl...
Has anybody else experienced this? it seems like an openssl bug but I
like to confirm that before I proceed...
Side-remarks:
- recently I obtained 2 Feitian cards ; they show the exact same problem
so at least it is not a hardware driver issue...
- I also use etokens using Aladdin's pkiclient software and they work
without problems on fc12 .
thanks in advance,
JJK
_______________________________________________
opensc-devel mailing list
[email protected]
http://www.opensc-project.org/mailman/listinfo/opensc-devel
