Hello!

Has anybody been able to use engine_pkcs11 with the recently released
FIPS approved version of openssl? I failed to do so.

I was trying to sign a certificate with a FIPS-enabled build of openssl
(1.0.1c, FIPS object module 2.0) and the PKCS#11 engine (using a Safenet
eToken). OpenSC and engine_pkcs11 are the most recent versions (0.12.2
and 0.1.8).

I did this procedure before (with the non-fips version) using an openssl
config file:

openssl_conf = openssl_def
[openssl_def]
engines = engine_section
[engine_section]
pkcs11 = pkcs11_section
[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib/engines/engine_pkcs11.so
MODULE_PATH = libeTPkcs11.so
PIN = topsecret
VERBOSE = EMPTY
init = 0
[ca]
...

and the command

openssl ca -engine pkcs11 -in /tmp/testcsr -keyfile 2:74 -keyform engine \
    -out /tmp/cert -batch -config /tmp/testConf -md sha1 \
    -subj "/C=AT/CN=Test" -days 30

This worked like a charm, but with the FIPS build (engine_pkcs11 and the
PKCS#11 client library are the same), I get a segmentation fault:

Using configuration from /tmp/testConf
initializing engine
engine "pkcs11" set.
Looking in slot 2 for key: 74
Found 6 slots
[0] Cherry SmartBoard XX44 00  no tok
[1] AKS ifdh 00 00             login             (eToken)
[2] AKS ifdh 01 00             login             (INTERN)
[3]                            no tok
[4]                            no tok
[5]                            no tok
Found slot:  AKS ifdh 01 00
Found token: INTERN
Found 2 certificates:
   1    INTERN (/C=AT/CN=INTERN/emailAddress=int...@test.at)
   2    INTERN SUB (/C=AT/CN=INTERN SUB/emailAddress=int...@test.at)
Found 2 keys:
   1 P  INTERN
   2 P  INTERN SUB
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'AT'
commonName            :PRINTABLE:'Test'
Certificate is to be certified until Aug 10 10:17:22 2012 GMT (30 days)
Segmentation fault

All this is happening with the FIPS-capable build but without actually
enabling FIPS-mode.

I am quite lost here. Any ideas?

cheers
Mathias
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel

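The setup described in the post, as an added example that is not part of the original message or of the OpenSC/engine_pkcs11 projects: a script that writes the same engine_pkcs11 config, checks that the engine actually loads and accepts its ctrl commands (`openssl engine -t -c pkcs11`, a standard OpenSSL subcommand) before the CA is touched, and only then runs the `openssl ca` invocation. Assumptions not taken from the post: the token PIN comes from the environment variable PKCS11_PIN instead of being hard-coded in the file (which is written 0600 and removed on exit), the elided [ca] section is filled in with a minimal CA_default, and the digest is sha256 rather than sha1. Engine and module paths default to the ones in the post and can be overridden with ENGINE_SO and PKCS11_MODULE.

```shell
#!/bin/sh
# Added example, not the original poster's code. Builds an engine_pkcs11
# OpenSSL config, verifies the engine initialises, then signs a CSR with
# the token key. Assumed: PIN in $PKCS11_PIN, minimal [ca] section, sha256.
set -eu

ENGINE_SO="${ENGINE_SO:-/usr/lib/engines/engine_pkcs11.so}"
PKCS11_MODULE="${PKCS11_MODULE:-libeTPkcs11.so}"

# write_pkcs11_conf OUTFILE PIN
# Same engine sections as the post; the PIN is injected at run time so it
# never lives in a file that gets copied around or checked in.
write_pkcs11_conf() {
    out="$1"; pin="$2"
    umask 077   # the file carries the token PIN: owner-readable only
    cat > "$out" <<EOF
openssl_conf = openssl_def

[openssl_def]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = $ENGINE_SO
MODULE_PATH = $PKCS11_MODULE
PIN = $pin
VERBOSE = EMPTY
init = 0

# Minimal CA section (assumed; the original post elides its [ca] block).
[ca]
default_ca = CA_default

[CA_default]
dir = ./demoCA
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
policy = policy_any
default_md = sha256

[policy_any]
countryName = optional
commonName = supplied
EOF
}

# check_engine CONF
# Loads the engine through the config, runs its self-test (-t) and applies
# the ctrl commands (-c). A non-zero exit here means the dynamic engine or
# the PKCS#11 module did not come up, which is worth knowing before the
# CA database is opened.
check_engine() {
    OPENSSL_CONF="$1" openssl engine -t -c pkcs11
}

# sign_csr CONF CSR OUT SLOT:ID
# The command from the post, with the subject taken from the CSR.
sign_csr() {
    conf="$1"; csr="$2"; out="$3"; keyid="$4"
    openssl ca -engine pkcs11 -keyform engine -keyfile "$keyid" \
        -config "$conf" -in "$csr" -out "$out" -batch -md sha256 -days 30
}

# Usage: PKCS11_PIN=... sh sign.sh request.csr cert.pem 2:74
if [ "$#" -eq 3 ]; then
    : "${PKCS11_PIN:?set PKCS11_PIN in the environment}"
    CONF="$(mktemp)"
    trap 'rm -f "$CONF"' EXIT
    write_pkcs11_conf "$CONF" "$PKCS11_PIN"
    check_engine "$CONF"
    sign_csr "$CONF" "$1" "$2" "$3"
fi
```

Running `check_engine` first separates "the engine cannot be loaded under this build" from "signing with a loaded engine fails", which is the distinction the crash above leaves open; the generated file is deleted on exit so the PIN does not outlive the run.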