hi list,
I hate to answer my own question but I think I found it:
in opensc-0.11.13/src/pkcs11/openssl.c there's section
106 void
107 sc_pkcs11_register_openssl_mechanisms(struct sc_pkcs11_card *card)
108 {
109 #if OPENSSL_VERSION_NUMBER >= 0x10000000L
110 /* FIXME: see openssl-1.0.0-beta3/engines/ccgost/README.gost */
111 OPENSSL_config(NULL);
112 #endif
I commented out the OPENSSL_config(NULL) and now it works ...
should this added as a patch? the FIXME seems to be to *remove* the
explicit call to OPENSSL_config; I can confirm that this works for both
openssl-1.0.0-beta4 and the official openssl-1.0.0 release
cheers,
JJK
Jan Just Keijser wrote:
> hi list,
>
> I just ran into a very weird oddity with openssl 1.0 (both the fc12
> version 1.0.0-beta4 on my laptop and the official 1.0.0 version) ;
> I've initialized an etoken using pkcs15-init -C , copied a certificate
> to it using pkcs15-init -X , the priv key using pkcs15-init -S etc
>
> Now I want to use the openssl engine support to basically do a
> openssl req -engine pkcs11 .....
> to sign a certificate using a key on the token.
> In order to do this I set up an openssl.cnf file like this:
>
> openssl_conf = openssl_def
>
> [ openssl_def ]
> engines = engine_section
>
> [ engine_section ]
> pkcs11 = pkcs11_section
>
> [ pkcs11_section ]
> engine_id = pkcs11
> dynamic_path = /usr/lib64/openssl/engines/engine_pkcs11.so
> MODULE_PATH = /usr/lib64/opensc-pkcs11.so
> init = 0
>
> [ req ]
> distinguished_name = req_distinguished_name
>
> [ req_distinguished_name ]
>
>
> and to test it I run
> openssl engine -v -t
> When I compile opensc 0.11.13 , engine_pkcs 0.5 and libp11 0.2.7
> against openssl 0.9.8 this works fine:
>
> .../openssl-0.9.8k/apps/openssl engine -t -v
> (dynamic) Dynamic engine loading support
> [ unavailable ]
> SO_PATH, NO_VCHECK, ID, LIST_ADD, DIR_LOAD, DIR_ADD, LOAD
> (pkcs11) pkcs11 engine
> [ available ]
> SO_PATH, MODULE_PATH, PIN, VERBOSE, QUIET, INIT_ARGS
>
>
> but when I recompile the same versions against openssl 1.0 I get:
>
> .../openssl-1.0.0/apps/openssl engine -v -t
> (dynamic) Dynamic engine loading support
> [ unavailable ]
> SO_PATH, NO_VCHECK, ID, LIST_ADD, DIR_LOAD, DIR_ADD, LOAD
> (pkcs11) pkcs11 engine
> openssl (lock_dbg_cb): already locked (mode=9, type=30) at eng_list.c:284
> Auto configuration failed
> 139937913001640:error:26078067:engine
> routines:ENGINE_LIST_ADD:conflicting engine id:eng_list.c:116:
> 139937913001640:error:2606906E:engine routines:ENGINE_add:internal
> list error:eng_list.c:288:
> 139937913001640:error:260B6067:engine
> routines:DYNAMIC_LOAD:conflicting engine id:eng_dyn.c:540:
> 139937913001640:error:260BC066:engine
> routines:INT_ENGINE_CONFIGURE:engine configuration
> error:eng_cnf.c:204:section=pkcs11_section, name=dynamic_path,
> value=/home/janjust/src/engine_pkcs11-0.1.5/src/.libs/engine_pkcs11.so
> 139937913001640:error:0E07606D:configuration file
> routines:MODULE_RUN:module initialization
> error:conf_mod.c:235:module=engines, value=engine_section,
> retcode=-1 it seems like the openssl engine code is calling the
> engine_pkcs11 bind_helper function *twice*, possibly as the shared
> libraries that are loaded when the engine is loaded themselves depend
> on openssl...
>
> Has anybody else experienced this? it seems like an openssl bug but I
> like to confirm that before I proceed...
>
> Side-remarks:
> - recently I obtained 2 Feitian cards ; they show the exact same
> problem so at least it is not a hardware driver issue...
> - I also use etokens using Aladdin's pkiclient software and they work
> without problems on fc12 .
>
>
> thanks in advance,
>
> JJK
>
>
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
