Hello, I think I've found a bug in the OpenSSL engine_pkcs11.
The slot_index supplied from the command line to OpenSSL and actually directed to engine_pkcs11 is incorrectly parsed by the latter, which treats it as if it were the slot_id.

Most PKCS#11 implementations assume slot_index = slot_id, so there are no issues in these cases. However, some implementations (for example the nCipher Hardware Security Modules product line I'm working with) do not follow such a convention (PKCS#11 does not require that).

For example, to access slot #0 with such devices, I need to issue something like:

    openssl req -config ./openssl.cnf -new -out ncipher.pem -days 365 -engine pkcs11 -keyform engine -key slot_761406613

because nCipher's C_GetSlotList adds a constant before filling the array returned by C_GetSlotList, i.e.: slot_id[index] = 761406613 + index.

That could be easily corrected in engine_pkcs11 by checking the slot_index supplied against the array index rather than the array value returned by C_GetSlotList.

Consider that in no way is the user supposed to know the slot_ids. They're internal values to be treated as opaque pointers that the library gives to the driving application and that the application is supposed to later return as they are (i.e. typically for accessing slots with C_OpenSession or C_GetSlotInfo).

Kind Regards,
Giuliano Bertoletti

--
Giuliano Bertoletti
Pre-Sales Engineer - Technological Dept.
Symbolic S.p.A.
Viale Mentana, 29
I-43121 - Parma
Tel. +39 0521 708811
Mob. +39 346 8749890
Fax +39 0521 776190
g...@symbolic.it
www.symbolic.it
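The two lookups described in the message, side by side, as an added example that is not part of the original message and is not engine_pkcs11 code. mock_get_slot_list, parse_slot_arg and resolve_slot are hypothetical names; the mock stands in for C_GetSlotList and reproduces slot_id[index] = 761406613 + index for three constructed slots.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef unsigned long slot_id_t;   /* stand-in for PKCS#11 CK_SLOT_ID */
#define NSLOTS 3                   /* constructed: three slots present */
#define VENDOR_BASE 761406613UL    /* constant quoted in the message */
/* Hypothetical stand-in for C_GetSlotList: ids[i] = VENDOR_BASE + i. */
static size_t mock_get_slot_list(slot_id_t *ids)
{
    for (size_t i = 0; i < NSLOTS; i++)
        ids[i] = VENDOR_BASE + i;
    return NSLOTS;
}

/* Parse "slot_<decimal>" into *out; 0 on success, -1 on malformed input. */
static int parse_slot_arg(const char *arg, unsigned long *out)
{
    char *end;
    if (strncmp(arg, "slot_", 5) != 0 || arg[5] < '0' || arg[5] > '9')
        return -1;
    *out = strtoul(arg + 5, &end, 10);
    return *end == '\0' ? 0 : -1;
}

/* by_index=0: number is matched against the slot ID values (as reported).
 * by_index=1: number is a position in the returned array (as proposed). */
int resolve_slot(const char *arg, int by_index, slot_id_t *id)
{
    slot_id_t ids[NSLOTS];
    unsigned long n;
    size_t count = mock_get_slot_list(ids);
    if (parse_slot_arg(arg, &n) != 0) return -1;
    if (by_index) {
        if (n >= count) return -1;      /* index past the end of the list */
        *id = ids[n];                   /* opaque ID handed back unchanged */
        return 0;
    }
    for (size_t i = 0; i < count; i++)
        if (ids[i] == n) { *id = ids[i]; return 0; }
    return -1;                          /* no slot has that ID value */
}

int main(void)
{
    slot_id_t id = 0;
    int rc = resolve_slot("slot_0", 1, &id);
    printf("slot_0 by index: rc=%d id=%lu\n", rc, id);
    return 0;
}
```

With the by-value lookup, "slot_0" fails and only "slot_761406613" resolves; with the by-index lookup, "slot_0" yields the opaque ID 761406613 without the user ever seeing it.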