On 08/10/2012 03:41 PM, Douglas E. Engert wrote: > Not much to go on below.
Sorry. I will provide more information below. > Is there a core file produced? No. > Can you get a stack trace? > Can the fips version be complied with debugging? > Can you run this under a debugger? Three times yes. Here is the stacktrace from gdb: Program received signal SIGSEGV, Segmentation fault. 0x00000001 in ?? () (gdb) bt #0 0x00000001 in ?? () #1 0x0822ff8a in ASN1_item_sign_ctx (it=0x829e674, algor1=0xb03aeff8, algor2=0xb02fcff8, signature=0xb0306ff0, asn=0xb05ccfcc, ctx=0xbfffe074) at a_sign.c:257 #2 0x081c77d9 in X509_sign_ctx (x=0xb04dbf98, ctx=0xbfffe074) at x_all.c:100 #3 0x080a2caa in do_X509_sign (err=0xb7d28fc0, x=0xb04dbf98, pkey=0xb0cbafe0, md=0x8302840, sigopts=0x0) at req.c:1802 #4 0x080ae993 in do_body (xret=0xbfffe62c, pkey=0xb0cbafe0, x509=0xb0b02f98, dgst=0x8302840, sigopts=0x0, policy=0xb27e7fec, db=0xb05f2ff8, serial=0xb0600fec, subj=0xbffff0cb "/C=AT/CN=Test", chtype=4097, multirdn=0, email_dn=1, startdate=0x825f5f6 "today", enddate=0x0, days=30, batch=1, verbose=0, req=0xb062aff0, ext_sect=0xb2563ff0 "usr_cert", lconf=0xb29f6ff0, certopt=0, nameopt=0, default_op=1, ext_copy=1, selfsign=0) at ca.c:2172 #5 0x080ad712 in certify (xret=0xbfffe62c, infile=0xbffff04c "/home/ad60095910/tmp/testcsr", pkey=0xb0cbafe0, x509=0xb0b02f98, dgst=0x8302840, sigopts=0x0, policy=0xb27e7fec, db=0xb05f2ff8, serial=0xb0600fec, subj=0xbffff0cb "/C=AT/CN=Test", chtype=4097, multirdn=0, email_dn=1, startdate=0x825f5f6 "today", enddate=0x0, days=30, batch=1, ext_sect=0xb2563ff0 "usr_cert", lconf=0xb29f6ff0, verbose=0, certopt=0, nameopt=0, default_op=1, ext_copy=1, selfsign=0) at ca.c:1633 #6 0x080ac2cc in ca_main (argc=0, argv=0xbfffed98) at ca.c:1233 #7 0x0809c815 in do_cmd (prog=0xb36a9fa0, argc=20, argv=0xbfffed48) at openssl.c:489 #8 0x0809c436 in main (Argc=20, Argv=0xbfffed48) at openssl.c:381 (gdb) > > If not, can you turn on the debugging in opensc.conf > (Note: PINS and other sensitive data are traced) I tried that, but no debug file was produced. I set "debug=99" and "debug_file = /tmp/opensc-debug.log;" > Or run it with opensc pkcs11-spy to get PKCS#11 trac I don't know about pkcs11-spy, but I assume that it is a pkcs#11 tracer. I already did create a log with the debug facility of the eToken driver (reading and exporting it with Safenet's proprietary log viewer). Here is the final part of the log: 0xb7e276c0 16:16:59.271 C_GetAttributeValue [4] ( pTemplate={ CKA_SENSITIVE=1 } ) 0xb7e276c0 16:16:59.271 + C_GetAttributeValue( hSession=0x08730004 hObject=0x08ec0008 pTemplate={ CKA_EXTRACTABLE=1 } ) 0xb7e276c0 16:16:59.274 C_GetAttributeValue [3] ( pTemplate={ CKA_EXTRACTABLE=0 } ) 0xb7e276c0 16:16:59.274 + C_GetAttributeValue( hSession=0x08730004 hObject=0x08ec0008 pTemplate={ CKA_MODULUS=524 } ) 0xb7e276c0 16:16:59.281 C_GetAttributeValue [7] ( pTemplate={ CKA_MODULUS=[256](9d f5 ef 5c b8 1d 15 cb 01 e7 bf ab fc 89 d0 52 cc 94 c2 6d dc 60 d9 b5 c8 12 06 a1 eb eb 4b 0d 92 76 f0 25 a5 96 44 cf 51 92 28 b4 fe 81 79 b4 e9 6a cc c4 87 73 1a 5e 32 f1 5c e4 1f e8 c2 78 25 fa 9a 88 ab 3f dd e9 78 e8 1a f6 5a 16 fa 29 05 e5 a3 1d 13 37 86 71 09 11 fa 5d 5c 1c b9 83 65 8c 83 5c b9 3e cc 01 4a de 8b db fb a2 ad 3c 56 0b d5 16 d9 ca 88 b9 7f 4c df 3b f7 9a 7a 52 b1 74 79 c0 62 14 3c 64 30 f8 db c1 1d 33 ac 67 91 5f 63 ca 79 75 4d 48 76 b1 95 f7 7b f1 22 b3 8d f1 ca 9b 74 43 06 a6 70 4d 2f 1c 55 26 a2 fc 29 f1 0f 7e 3b e6 c6 53 30 1c a4 21 10 3b dc 21 9e 1e df 78 35 d2 e4 48 e2 86 79 59 d0 85 e7 60 0e 3e 49 8e fc c1 9b 59 29 3d 0c ab 42 d9 a0 db ca 7b cf 26 ba 7c 63 31 42 ee 5a 49 28 7e f3 71 a4 e0 11 87 b5 7d 32 dd b0 bb b1 c4 63 cf d1 77) } ) 0xb7e276c0 16:16:59.281 + C_GetAttributeValue( hSession=0x08730004 hObject=0x08ec0008 pTemplate={ CKA_PUBLIC_EXPONENT=524 } ) 0xb7e276c0 16:16:59.286 C_GetAttributeValue [5] ( pTemplate={ CKA_PUBLIC_EXPONENT=[3](01 00 01) } ) 0xb7e276c0 16:16:59.286 <stop Z:\home\ad60095910\tmp\etokenLog.fipsabsturz-20120808\Aug 10 [08-41]\openssl D502517D9 P24552 T-1209895232.trc> 0xb37ffb70 16:16:59.559 - IFDHTransmitToICC( Lun=0x00000000 TxLength=0x00000005 *RxLength=0x00000140 ) 0xb37ffb70 16:16:59.559 TxBuffer(Send)=: TxBuffer=[5](00 a4 00 00 00) 0xb37ffb70 16:16:59.559 + eTSC_TransmitApdu( context=0xb6da2714 request=0xb37df364 requestLen=5 reply=0xb37ef370 replyLen=0xb37df19a ) 0xb37ffb70 16:16:59.584 eTSC_TransmitApdu [25] ( ) 0xb37ffb70 16:16:59.584 IFDHTransmitToICC [25] ( ) 0xb37ffb70 16:17:07.653 - IFDHGetCapabilities( Lun=0x00000000 Tag=0x00000fb2 ) 0xb37ffb70 16:17:07.653 Unknown Tag: 0xb37ffb70 16:17:07.653 rv=00000266 IFDHGetCapabilities [0] ( ) I sent this trace to the Safenet support as well, they meant that it didn't look peculiar to them. I hope these informations help. cheers Mathias > > On 8/10/2012 3:33 AM, Mathias Tausig wrote: >> Hello! >> >> Has anybody been able to use engine_pkcs11 with the recently released >> FIPS approved version of openssl? I failed to do so. >> >> I was trying to sign a certificate with a FIPS enabled build of openssl >> (1.0.1c, FIPS object module 2.0) and the PKCS#11 engine (using a Safenet >> eToken). Opensc and engine_pkcs11 are the most recent versions (0.12.2 >> and 0.1.8) >> >> I did this procedure before (with the non-fips version) using an openssl >> config file: >> >> openssl_conf = openssl_def >> [openssl_def] >> engines = engine_section >> [engine_section] >> pkcs11 = pkcs11_section >> [pkcs11_section] >> engine_id = pkcs11 >> dynamic_path = /usr/lib/engines/engine_pkcs11.so >> MODULE_PATH = libeTPkcs11.so >> PIN = topsecret >> VERBOSE = EMPTY >> init = 0 >> [ca] >> ... >> >> and the command >> openssl ca -engine pkcs11 -in /tmp/testcsr -keyfile 2:74 -keyform >> engine -out /tmp/cert -batch -config /tmp/testConf -md sha1 -subj >> "/C=AT/CN=Test" -days 30 >> >> This worked like charm, but with the fips-build (engine_pkcs11 and the >> PKCS#11 client library are the same), I get a segmentation fault: >> >> Using configuration from /tmp/testConf >> initializing engine >> engine "pkcs11" set. >> Looking in slot 2 for key: 74 >> Found 6 slots >> [0] Cherry SmartBoard XX44 00 no tok >> [1] AKS ifdh 00 00 login (eToken) >> [2] AKS ifdh 01 00 login (INTERN) >> [3] no tok >> [4] no tok >> [5] no tok >> Found slot: AKS ifdh 01 00 >> Found token: INTERN >> Found 2 certificates: >> 1 INTERN (/C=AT/CN=INTERN/emailAddress=int...@test.at) >> 2 INTERN SUB (/C=AT/CN=INTERN SUB/emailAddress=int...@test.at) >> Found 2 keys: >> 1 P INTERN >> 2 P INTERN SUB >> Check that the request matches the signature >> Signature ok >> The Subject's Distinguished Name is as follows >> countryName :PRINTABLE:'AT' >> commonName :PRINTABLE:'Test' >> Certificate is to be certified until Aug 10 10:17:22 2012 GMT (30 days) >> Segmentation fault >> >> All this is happening with the FIPS-capable build but without actually >> enabling FIPS-mode. >> >> I am quite lost here. Any ideas? >> >> cheers >> Mathias >> _______________________________________________ >> opensc-devel mailing list >> opensc-devel@lists.opensc-project.org >> http://www.opensc-project.org/mailman/listinfo/opensc-devel >> >> > _______________________________________________ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel