Hello,

Jan Just Keijser wrote:
> in opensc-0.11.13/src/pkcs11/openssl.c there's a section
> 
> void
> sc_pkcs11_register_openssl_mechanisms(struct sc_pkcs11_card *card)
> {
> #if OPENSSL_VERSION_NUMBER >= 0x10000000L
>     /* FIXME: see openssl-1.0.0-beta3/engines/ccgost/README.gost */
>     OPENSSL_config(NULL);
> #endif

It is needed for loading and using the engine with GOST algorithms.


> I commented out the OPENSSL_config(NULL) and now it works ...
> 
> should this be added as a patch? the FIXME seems to be to *remove* the 
> explicit call to OPENSSL_config; I can confirm that this works for both 
> openssl-1.0.0-beta4 and the official openssl-1.0.0 release


The FIXME means that the call to OPENSSL_config(NULL) may have problems and 
that a cleaner solution is needed for loading the GOST algorithms' implementation.



> cheers,
> 
> JJK
> 
> 
> Jan Just Keijser wrote:
>> hi list,
>>
>> I just ran into a very weird oddity with openssl 1.0 (both the fc12 
>> version 1.0.0-beta4 on my laptop and the official 1.0.0 version) ; 
>> I've initialized an etoken using pkcs15-init -C , copied a certificate 
>> to it using pkcs15-init -X , the priv key using pkcs15-init -S etc
>>
>> Now I want to use the openssl engine support to basically do a
>>  openssl req -engine pkcs11 .....
>> to sign a certificate using a key on the token.
>> In order to do this I set up an openssl.cnf file like this:
>>
>> openssl_conf = openssl_def
>>
>> [ openssl_def ]
>> engines = engine_section
>>
>> [ engine_section ]
>> pkcs11 = pkcs11_section
>>
>> [ pkcs11_section ]
>> engine_id = pkcs11
>> dynamic_path = /usr/lib64/openssl/engines/engine_pkcs11.so
>> MODULE_PATH = /usr/lib64/opensc-pkcs11.so
>> init = 0
>>
>> [ req ]
>> distinguished_name = req_distinguished_name
>>
>> [ req_distinguished_name ]
>>
>>
>> and to test it I run
>>  openssl engine -v -t
>> When I compile opensc 0.11.13 , engine_pkcs 0.5 and libp11 0.2.7 
>> against openssl 0.9.8 this works fine:
>>
>> .../openssl-0.9.8k/apps/openssl engine -t -v
>> (dynamic) Dynamic engine loading support
>>     [ unavailable ]
>>     SO_PATH, NO_VCHECK, ID, LIST_ADD, DIR_LOAD, DIR_ADD, LOAD
>> (pkcs11) pkcs11 engine
>>     [ available ]
>>     SO_PATH, MODULE_PATH, PIN, VERBOSE, QUIET, INIT_ARGS
>>
>>
>> but when I recompile the same versions against openssl 1.0 I get:
>>
>> .../openssl-1.0.0/apps/openssl engine -v -t
>> (dynamic) Dynamic engine loading support
>>     [ unavailable ]
>>     SO_PATH, NO_VCHECK, ID, LIST_ADD, DIR_LOAD, DIR_ADD, LOAD
>> (pkcs11) pkcs11 engine
>> openssl (lock_dbg_cb): already locked (mode=9, type=30) at eng_list.c:284
>> Auto configuration failed
>> 139937913001640:error:26078067:engine 
>> routines:ENGINE_LIST_ADD:conflicting engine id:eng_list.c:116:
>> 139937913001640:error:2606906E:engine routines:ENGINE_add:internal 
>> list error:eng_list.c:288:
>> 139937913001640:error:260B6067:engine 
>> routines:DYNAMIC_LOAD:conflicting engine id:eng_dyn.c:540:
>> 139937913001640:error:260BC066:engine 
>> routines:INT_ENGINE_CONFIGURE:engine configuration 
>> error:eng_cnf.c:204:section=pkcs11_section, name=dynamic_path, 
>> value=/home/janjust/src/engine_pkcs11-0.1.5/src/.libs/engine_pkcs11.so
>> 139937913001640:error:0E07606D:configuration file 
>> routines:MODULE_RUN:module initialization 
>> error:conf_mod.c:235:module=engines, value=engine_section, 
>> retcode=-1
>>
>> it seems like the openssl engine code is calling the 
>> engine_pkcs11 bind_helper function *twice*, possibly as the shared 
>> libraries that are loaded when the engine is loaded themselves depend 
>> on openssl...
>>
>> Has anybody else experienced this? it seems like an openssl bug but I 
>> like to confirm that before I proceed...
>>
>> Side-remarks:
>> - recently I obtained 2 Feitian cards ; they show the exact same 
>> problem so at least it is not a hardware driver issue...
>> - I also use etokens using Aladdin's pkiclient software and they work 
>> without problems on fc12 .
>>
>>
>> thanks in advance,
>>
>> JJK

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
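
Added example (not part of the original messages, and not OpenSSL or OpenSC code): a small Python parser that re-joins the mail-wrapped error-queue lines from the trace quoted above and unpacks each 8-digit code using the OpenSSL 1.0.x layout (8-bit library, 12-bit function, 12-bit reason). The queue is printed oldest first, so the first entry is where the failure started. The function names and the `TRACE` excerpt are assumptions made for this example.

```python
import re

# Constructed sample: error-queue lines copied from the trace quoted above,
# with the mail line-wrapping left in.
TRACE = """\
139937913001640:error:26078067:engine
routines:ENGINE_LIST_ADD:conflicting engine id:eng_list.c:116:
139937913001640:error:2606906E:engine routines:ENGINE_add:internal
list error:eng_list.c:288:
139937913001640:error:260B6067:engine
routines:DYNAMIC_LOAD:conflicting engine id:eng_dyn.c:540:
139937913001640:error:0E07606D:configuration file
routines:MODULE_RUN:module initialization
error:conf_mod.c:235:module=engines, value=engine_section, retcode=-1
"""

ERR_LIB_ENGINE = 38             # library number of the ENGINE code in err.h
CONFLICTING_ENGINE_ID = 0x067   # reason field of code 26078067 in the trace

START = r"\d+:error:[0-9A-Fa-f]{8}:"
ENTRY = re.compile(
    r"(\d+):error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):([^:]*):([^:]*):(\d+):(.*)")

def unpack(code):
    """Split a packed OpenSSL 1.0.x error code into (lib, func, reason)."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def parse(trace):
    """Undo the wrapping; return one dict per queue entry, oldest first."""
    flat = " ".join(trace.split())
    entries = []
    for chunk in re.split(r" (?=" + START + ")", flat):
        m = ENTRY.match(chunk)
        if m:
            lib, func, reason = unpack(int(m.group(2), 16))
            entries.append({"lib": lib, "func": func, "reason": reason,
                            "where": m.group(4), "text": m.group(5).strip(),
                            "source": f"{m.group(6)}:{m.group(7)}"})
    return entries

def has_engine_id_conflict(entries):
    """True when the ENGINE library reported a conflicting engine id."""
    return any(e["lib"] == ERR_LIB_ENGINE and e["reason"] == CONFLICTING_ENGINE_ID
               for e in entries)

if __name__ == "__main__":
    for e in parse(TRACE):
        print(e["lib"], e["func"], e["reason"], e["where"], e["text"], e["source"])
    print("engine id conflict:", has_engine_id_conflict(parse(TRACE)))
```
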
