Not much to go on below.

Is there a core file produced?
Can you get a stack trace?
Can the fips version be compiled with debugging?
Can you run this under a debugger?

If not, can you turn on the debugging in opensc.conf?
(Note: PINs and other sensitive data are traced.)
Or run it with the OpenSC pkcs11-spy to get a PKCS#11 trace?

On 8/10/2012 3:33 AM, Mathias Tausig wrote:
> Hello!
>
> Has anybody been able to use engine_pkcs11 with the recently released
> FIPS approved version of openssl? I failed to do so.
>
> I was trying to sign a certificate with a FIPS enabled build of openssl
> (1.0.1c, FIPS object module 2.0) and the PKCS#11 engine (using a Safenet
> eToken). Opensc and engine_pkcs11 are the most recent versions (0.12.2
> and 0.1.8)
>
> I did this procedure before (with the non-fips version) using an openssl
> config file:
>
> openssl_conf = openssl_def
> [openssl_def]
> engines = engine_section
> [engine_section]
> pkcs11 = pkcs11_section
> [pkcs11_section]
> engine_id = pkcs11
> dynamic_path = /usr/lib/engines/engine_pkcs11.so
> MODULE_PATH = libeTPkcs11.so
> PIN = topsecret
> VERBOSE = EMPTY
> init = 0
> [ca]
> ...
>
> and the command
> openssl ca  -engine pkcs11 -in /tmp/testcsr -keyfile 2:74 -keyform
> engine -out /tmp/cert -batch -config /tmp/testConf -md sha1 -subj
> "/C=AT/CN=Test" -days 30
>
> This worked like a charm, but with the fips-build (engine_pkcs11 and the
> PKCS#11 client library are the same), I get a segmentation fault:
>
> Using configuration from /tmp/testConf
> initializing engine
> engine "pkcs11" set.
> Looking in slot 2 for key: 74
> Found 6 slots
> [0] Cherry SmartBoard XX44 00  no tok
> [1] AKS ifdh 00 00             login             (eToken)
> [2] AKS ifdh 01 00             login             (INTERN)
> [3]                            no tok
> [4]                            no tok
> [5]                            no tok
> Found slot:  AKS ifdh 01 00
> Found token: INTERN
> Found 2 certificates:
>     1    INTERN (/C=AT/CN=INTERN/emailAddress=int...@test.at)
>     2    INTERN SUB (/C=AT/CN=INTERN SUB/emailAddress=int...@test.at)
> Found 2 keys:
>     1 P  INTERN
>     2 P  INTERN SUB
> Check that the request matches the signature
> Signature ok
> The Subject's Distinguished Name is as follows
> countryName           :PRINTABLE:'AT'
> commonName            :PRINTABLE:'Test'
> Certificate is to be certified until Aug 10 10:17:22 2012 GMT (30 days)
> Segmentation fault
>
> All this is happening with the FIPS-capable build but without actually
> enabling FIPS-mode.
>
> I am quite lost here. Any ideas?
>
> cheers
> Mathias
> _______________________________________________
> opensc-devel mailing list
> opensc-devel@lists.opensc-project.org
> http://www.opensc-project.org/mailman/listinfo/opensc-devel
>
>

-- 

  Douglas E. Engert  <deeng...@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
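
One way to collect the PKCS#11 trace suggested in the reply above, as an added example that is not part of the original thread or of OpenSC/engine_pkcs11: it points the engine's `MODULE_PATH` at pkcs11-spy, which loads the real module named in `PKCS11SPY` and logs to `PKCS11SPY_OUTPUT`. The spy library path, the function names and the output file names are assumptions.

```shell
#!/bin/sh
# Added example. Assumed install path of OpenSC's spy module; adjust locally.
SPY_MODULE="${SPY_MODULE:-/usr/lib/pkcs11-spy.so}"

# make_spy_conf SRC DST
# Copies the openssl config SRC to DST with MODULE_PATH pointing at the spy
# module, and prints the original module path. DST still holds the PIN line,
# so it is created owner-only.
make_spy_conf() {
    src=$1; dst=$2
    real=$(sed -n 's/^[[:space:]]*MODULE_PATH[[:space:]]*=[[:space:]]*//p' "$src" | head -n 1)
    [ -n "$real" ] || return 1          # no MODULE_PATH: nothing to wrap
    ( umask 077
      sed "s|^\([[:space:]]*MODULE_PATH[[:space:]]*=\).*|\1 $SPY_MODULE|" "$src" > "$dst" )
    printf '%s\n' "$real"
}

# run_traced REAL_MODULE LOGFILE COMMAND...
# Runs COMMAND with the spy environment set and core dumps enabled.
# The trace contains PINs, so the log is created with mode 600 beforehand.
run_traced() {
    real=$1; log=$2; shift 2
    ( umask 077; : > "$log" )
    chmod 600 "$log"
    ( ulimit -c unlimited 2>/dev/null || true   # allow a core file if permitted
      PKCS11SPY=$real PKCS11SPY_OUTPUT=$log "$@" )
}

# Usage with the files from the thread (same "openssl ca" arguments as the
# original command, only -config changed):
#   real=$(make_spy_conf /tmp/testConf /tmp/testConf.spy) &&
#   run_traced "$real" /tmp/pkcs11-spy.log \
#       openssl ca -engine pkcs11 ... -config /tmp/testConf.spy
```

Delete the trace and the copied config after the debugging session, since both contain the token PIN.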

