Hello! Has anybody been able to use engine_pkcs11 with the recently released FIPS approved version of openssl? I failed to do so.
I was trying to sign a certificate with a FIPS enabled build of openssl (1.0.1c, FIPS object module 2.0) and the PKCS#11 engine (using a Safenet eToken). Opensc and engine_pkcs11 are the most recent versions (0.12.2 and 0.1.8).

I did this procedure before (with the non-fips version) using an openssl config file:

    openssl_conf = openssl_def

    [openssl_def]
    engines = engine_section

    [engine_section]
    pkcs11 = pkcs11_section

    [pkcs11_section]
    engine_id = pkcs11
    dynamic_path = /usr/lib/engines/engine_pkcs11.so
    MODULE_PATH = libeTPkcs11.so
    PIN = topsecret
    VERBOSE = EMPTY
    init = 0

    [ca]
    ...

and the command

    openssl ca -engine pkcs11 -in /tmp/testcsr -keyfile 2:74 -keyform engine -out /tmp/cert -batch -config /tmp/testConf -md sha1 -subj "/C=AT/CN=Test" -days 30

This worked like a charm, but with the fips-build (engine_pkcs11 and the PKCS#11 client library are the same), I get a segmentation fault:

    Using configuration from /tmp/testConf
    initializing engine
    engine "pkcs11" set.
    Looking in slot 2 for key: 74
    Found 6 slots
    [0] Cherry SmartBoard XX44 00 no tok
    [1] AKS ifdh 00 00 login (eToken)
    [2] AKS ifdh 01 00 login (INTERN)
    [3] no tok
    [4] no tok
    [5] no tok
    Found slot: AKS ifdh 01 00
    Found token: INTERN
    Found 2 certificates:
    1 INTERN (/C=AT/CN=INTERN/emailAddress=int...@test.at)
    2 INTERN SUB (/C=AT/CN=INTERN SUB/emailAddress=int...@test.at)
    Found 2 keys:
    1 P INTERN
    2 P INTERN SUB
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    countryName :PRINTABLE:'AT'
    commonName :PRINTABLE:'Test'
    Certificate is to be certified until Aug 10 10:17:22 2012 GMT (30 days)
    Segmentation fault

All this is happening with the FIPS-capable build but without actually enabling FIPS-mode. I am quite lost here. Any ideas?

cheers
Mathias

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel