Hello,

Jan Just Keijser wrote:
> in opensc-0.11.13/src/pkcs11/openssl.c there's section
>
> void
> sc_pkcs11_register_openssl_mechanisms(struct sc_pkcs11_card *card)
> {
> #if OPENSSL_VERSION_NUMBER >= 0x10000000L
>         /* FIXME: see openssl-1.0.0-beta3/engines/ccgost/README.gost */
>         OPENSSL_config(NULL);
> #endif

It is needed for loading and using the engine with GOST algorithms.

> I commented out the OPENSSL_config(NULL) and now it works ...
>
> should this be added as a patch? the FIXME seems to be to *remove* the
> explicit call to OPENSSL_config; I can confirm that this works for both
> openssl-1.0.0-beta4 and the official openssl-1.0.0 release

The FIXME means that the call to OPENSSL_config(NULL) may have problems and needs a cleaner solution for loading the GOST algorithms' implementation.

> cheers,
>
> JJK
>
>
> Jan Just Keijser wrote:
>> hi list,
>>
>> I just ran into a very weird oddity with openssl 1.0 (both the fc12
>> version 1.0.0-beta4 on my laptop and the official 1.0.0 version) ;
>> I've initialized an etoken using pkcs15-init -C , copied a certificate
>> to it using pkcs15-init -X , the priv key using pkcs15-init -S etc
>>
>> Now I want to use the openssl engine support to basically do a
>> openssl req -engine pkcs11 .....
>> to sign a certificate using a key on the token.
>> In order to do this I set up an openssl.cnf file like this:
>>
>> openssl_conf = openssl_def
>>
>> [ openssl_def ]
>> engines = engine_section
>>
>> [ engine_section ]
>> pkcs11 = pkcs11_section
>>
>> [ pkcs11_section ]
>> engine_id = pkcs11
>> dynamic_path = /usr/lib64/openssl/engines/engine_pkcs11.so
>> MODULE_PATH = /usr/lib64/opensc-pkcs11.so
>> init = 0
>>
>> [ req ]
>> distinguished_name = req_distinguished_name
>>
>> [ req_distinguished_name ]
>>
>>
>> and to test it I run
>> openssl engine -v -t
>> When I compile opensc 0.11.13 , engine_pkcs 0.5 and libp11 0.2.7
>> against openssl 0.9.8 this works fine:
>>
>> .../openssl-0.9.8k/apps/openssl engine -t -v
>> (dynamic) Dynamic engine loading support
>> [ unavailable ]
>> SO_PATH, NO_VCHECK, ID, LIST_ADD, DIR_LOAD, DIR_ADD, LOAD
>> (pkcs11) pkcs11 engine
>> [ available ]
>> SO_PATH, MODULE_PATH, PIN, VERBOSE, QUIET, INIT_ARGS
>>
>>
>> but when I recompile the same versions against openssl 1.0 I get:
>>
>> .../openssl-1.0.0/apps/openssl engine -v -t
>> (dynamic) Dynamic engine loading support
>> [ unavailable ]
>> SO_PATH, NO_VCHECK, ID, LIST_ADD, DIR_LOAD, DIR_ADD, LOAD
>> (pkcs11) pkcs11 engine
>> openssl (lock_dbg_cb): already locked (mode=9, type=30) at eng_list.c:284
>> Auto configuration failed
>> 139937913001640:error:26078067:engine
>> routines:ENGINE_LIST_ADD:conflicting engine id:eng_list.c:116:
>> 139937913001640:error:2606906E:engine routines:ENGINE_add:internal
>> list error:eng_list.c:288:
>> 139937913001640:error:260B6067:engine
>> routines:DYNAMIC_LOAD:conflicting engine id:eng_dyn.c:540:
>> 139937913001640:error:260BC066:engine
>> routines:INT_ENGINE_CONFIGURE:engine configuration
>> error:eng_cnf.c:204:section=pkcs11_section, name=dynamic_path,
>> value=/home/janjust/src/engine_pkcs11-0.1.5/src/.libs/engine_pkcs11.so
>> 139937913001640:error:0E07606D:configuration file
>> routines:MODULE_RUN:module initialization
>> error:conf_mod.c:235:module=engines, value=engine_section,
>> retcode=-1
>>
>> it seems like the openssl engine code is calling the
>> engine_pkcs11 bind_helper function *twice*, possibly as the shared
>> libraries that are loaded when the engine is loaded themselves depend
>> on openssl...
>>
>> Has anybody else experienced this? it seems like an openssl bug but I'd
>> like to confirm that before I proceed...
>>
>> Side-remarks:
>> - recently I obtained 2 Feitian cards ; they show the exact same
>> problem so at least it is not a hardware driver issue...
>> - I also use etokens using Aladdin's pkiclient software and they work
>> without problems on fc12 .
>>
>>
>> thanks in advance,
>>
>> JJK

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
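
As an added example (not part of the original thread, nor code from OpenSSL or OpenSC), the following Python parses the error-queue lines quoted above, unpacks each error code using the 8/12/12-bit library/function/reason layout of OpenSSL 1.0.x, and picks out the innermost failure together with the configuration directive that was being processed. The function names and the un-wrapped sample text are constructed for illustration.

```python
import re

# Constructed sample: the error-queue lines from the post with the mail wrapping undone.
SAMPLE = """\
139937913001640:error:26078067:engine routines:ENGINE_LIST_ADD:conflicting engine id:eng_list.c:116:
139937913001640:error:2606906E:engine routines:ENGINE_add:internal list error:eng_list.c:288:
139937913001640:error:260B6067:engine routines:DYNAMIC_LOAD:conflicting engine id:eng_dyn.c:540:
139937913001640:error:260BC066:engine routines:INT_ENGINE_CONFIGURE:engine configuration error:eng_cnf.c:204:section=pkcs11_section, name=dynamic_path, value=/home/janjust/src/engine_pkcs11-0.1.5/src/.libs/engine_pkcs11.so
139937913001640:error:0E07606D:configuration file routines:MODULE_RUN:module initialization error:conf_mod.c:235:module=engines, value=engine_section, retcode=-1
"""

# thread id : "error" : packed code : library : function : reason : file : line : extra data
LINE = re.compile(
    r"^(?P<tid>[0-9A-Fa-f]+):error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):"
    r"(?P<func>[^:]*):(?P<reason>[^:]*):(?P<file>[^:]+):(?P<line>\d+):(?P<data>.*)$")

def parse_queue(text):
    """Return one dict per error-queue line, in the order the errors were raised."""
    entries = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # banner lines such as "Auto configuration failed"
        e = m.groupdict()
        code = int(e["code"], 16)
        # ERR_PACK layout in OpenSSL 1.0.x: 8-bit library, 12-bit function, 12-bit reason
        e["lib_num"] = code >> 24
        e["func_num"] = (code >> 12) & 0xFFF
        e["reason_num"] = code & 0xFFF
        e["line"] = int(e["line"])
        # Extra data is a comma-separated key=value list (section, name, value, ...)
        e["ctx"] = dict(kv.split("=", 1) for kv in e["data"].split(", ") if "=" in kv)
        entries.append(e)
    return entries

def root_cause(entries):
    """The queue is printed oldest first, so the first entry is the innermost failure."""
    return entries[0] if entries else None

def failing_directive(entries):
    """Return the first config context (section/name/value) attached to any entry."""
    return next((e["ctx"] for e in entries if "name" in e["ctx"]), None)

if __name__ == "__main__":
    q = parse_queue(SAMPLE)
    rc = root_cause(q)
    print(rc["func"], "->", rc["reason"], "at", rc["file"], rc["line"])
    print("while processing:", failing_directive(q))
```

Read this way, the queue shows the `dynamic_path` directive of `pkcs11_section` failing because an engine with the same id was already in the engine list.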