Re: [opensc-devel] Unsing engine_pks11 with openssl-fips 2.0

Fri, 10 Aug 2012 07:32:15 -0700 

On 08/10/2012 03:41 PM, Douglas E. Engert wrote:
> Not much to go on below.

Sorry. I will provide more information below.

> Is there a core file produced?

No.

> Can you get a stack trace?
> Can the fips version be complied with debugging?
> Can you run this under a debugger?

Three times yes. Here is the stacktrace from gdb:

Program received signal SIGSEGV, Segmentation fault.
0x00000001 in ?? ()
(gdb) bt
#0  0x00000001 in ?? ()
#1  0x0822ff8a in ASN1_item_sign_ctx (it=0x829e674, algor1=0xb03aeff8,
algor2=0xb02fcff8,
    signature=0xb0306ff0, asn=0xb05ccfcc, ctx=0xbfffe074) at a_sign.c:257
#2  0x081c77d9 in X509_sign_ctx (x=0xb04dbf98, ctx=0xbfffe074) at
x_all.c:100
#3  0x080a2caa in do_X509_sign (err=0xb7d28fc0, x=0xb04dbf98,
pkey=0xb0cbafe0, md=0x8302840,
    sigopts=0x0) at req.c:1802
#4  0x080ae993 in do_body (xret=0xbfffe62c, pkey=0xb0cbafe0,
x509=0xb0b02f98, dgst=0x8302840,
    sigopts=0x0, policy=0xb27e7fec, db=0xb05f2ff8, serial=0xb0600fec,
    subj=0xbffff0cb "/C=AT/CN=Test", chtype=4097, multirdn=0, email_dn=1,
    startdate=0x825f5f6 "today", enddate=0x0, days=30, batch=1,
verbose=0, req=0xb062aff0,
    ext_sect=0xb2563ff0 "usr_cert", lconf=0xb29f6ff0, certopt=0,
nameopt=0, default_op=1,
    ext_copy=1, selfsign=0) at ca.c:2172
#5  0x080ad712 in certify (xret=0xbfffe62c, infile=0xbffff04c
"/home/ad60095910/tmp/testcsr",
    pkey=0xb0cbafe0, x509=0xb0b02f98, dgst=0x8302840, sigopts=0x0,
policy=0xb27e7fec,
    db=0xb05f2ff8, serial=0xb0600fec, subj=0xbffff0cb "/C=AT/CN=Test",
chtype=4097, multirdn=0,
    email_dn=1, startdate=0x825f5f6 "today", enddate=0x0, days=30, batch=1,
    ext_sect=0xb2563ff0 "usr_cert", lconf=0xb29f6ff0, verbose=0,
certopt=0, nameopt=0,
    default_op=1, ext_copy=1, selfsign=0) at ca.c:1633
#6  0x080ac2cc in ca_main (argc=0, argv=0xbfffed98) at ca.c:1233
#7  0x0809c815 in do_cmd (prog=0xb36a9fa0, argc=20, argv=0xbfffed48) at
openssl.c:489
#8  0x0809c436 in main (Argc=20, Argv=0xbfffed48) at openssl.c:381
(gdb)


> 
> If not, can you turn on the debugging in opensc.conf
> (Note: PINS and other sensitive data are traced)

I tried that, but no debug file was produced. I set "debug=99" and
"debug_file = /tmp/opensc-debug.log;"

> Or run it with opensc pkcs11-spy to get PKCS#11 trac

I don't know about pkcs11-spy, but I assume that it is a pkcs#11 tracer.
I already did create a log with the debug facility of the eToken driver
(reading and exporting it with Safenet's proprietary log viewer). Here
is the final part of the log:

0xb7e276c0 16:16:59.271       C_GetAttributeValue [4] ( pTemplate={
CKA_SENSITIVE=1 } )
0xb7e276c0 16:16:59.271     + C_GetAttributeValue( hSession=0x08730004
hObject=0x08ec0008 pTemplate={ CKA_EXTRACTABLE=1 } )
0xb7e276c0 16:16:59.274       C_GetAttributeValue [3] ( pTemplate={
CKA_EXTRACTABLE=0 } )
0xb7e276c0 16:16:59.274     + C_GetAttributeValue( hSession=0x08730004
hObject=0x08ec0008 pTemplate={ CKA_MODULUS=524 } )
0xb7e276c0 16:16:59.281       C_GetAttributeValue [7] ( pTemplate={
CKA_MODULUS=[256](9d f5 ef 5c b8 1d 15 cb 01 e7 bf ab fc 89 d0 52 cc 94
c2 6d dc 60 d9 b5 c8 12 06 a1 eb eb 4b 0d 92 76 f0 25 a5 96 44 cf 51 92
28 b4 fe 81 79 b4 e9 6a cc c4 87 73 1a 5e 32 f1 5c e4 1f e8 c2 78 25 fa
9a 88 ab 3f dd e9 78 e8 1a f6 5a 16 fa 29 05 e5 a3 1d 13 37 86 71 09 11
fa 5d 5c 1c b9 83 65 8c 83 5c b9 3e cc 01 4a de 8b db fb a2 ad 3c 56 0b
d5 16 d9 ca 88 b9 7f 4c df 3b f7 9a 7a 52 b1 74 79 c0 62 14 3c 64 30 f8
db c1 1d 33 ac 67 91 5f 63 ca 79 75 4d 48 76 b1 95 f7 7b f1 22 b3 8d f1
ca 9b 74 43 06 a6 70 4d 2f 1c 55 26 a2 fc 29 f1 0f 7e 3b e6 c6 53 30 1c
a4 21 10 3b dc 21 9e 1e df 78 35 d2 e4 48 e2 86 79 59 d0 85 e7 60 0e 3e
49 8e fc c1 9b 59 29 3d 0c ab 42 d9 a0 db ca 7b cf 26 ba 7c 63 31 42 ee
5a 49 28 7e f3 71 a4 e0 11 87 b5 7d 32 dd b0 bb b1 c4 63 cf d1 77) } )
0xb7e276c0 16:16:59.281     + C_GetAttributeValue( hSession=0x08730004
hObject=0x08ec0008 pTemplate={ CKA_PUBLIC_EXPONENT=524 } )
0xb7e276c0 16:16:59.286       C_GetAttributeValue [5] ( pTemplate={
CKA_PUBLIC_EXPONENT=[3](01 00 01) } )
0xb7e276c0 16:16:59.286   <stop
Z:\home\ad60095910\tmp\etokenLog.fipsabsturz-20120808\Aug 10
[08-41]\openssl D502517D9 P24552 T-1209895232.trc>
0xb37ffb70 16:16:59.559     - IFDHTransmitToICC( Lun=0x00000000
TxLength=0x00000005 *RxLength=0x00000140 )
0xb37ffb70 16:16:59.559         TxBuffer(Send)=: TxBuffer=[5](00 a4 00
00 00)
0xb37ffb70 16:16:59.559         + eTSC_TransmitApdu( context=0xb6da2714
request=0xb37df364 requestLen=5 reply=0xb37ef370 replyLen=0xb37df19a )
0xb37ffb70 16:16:59.584           eTSC_TransmitApdu [25] ( )
0xb37ffb70 16:16:59.584       IFDHTransmitToICC [25] ( )
0xb37ffb70 16:17:07.653     - IFDHGetCapabilities( Lun=0x00000000
Tag=0x00000fb2 )
0xb37ffb70 16:17:07.653         Unknown Tag:
0xb37ffb70 16:17:07.653       rv=00000266 IFDHGetCapabilities [0] ( )

I sent this trace to the Safenet support as well, they meant that it
didn't look peculiar to them.

I hope these informations help.

cheers
Mathias

> 
> On 8/10/2012 3:33 AM, Mathias Tausig wrote:
>> Hello!
>>
>> Has anybody been able to use engine_pkcs11 with the recently released
>> FIPS approved version of openssl? I failed to do so.
>>
>> I was trying to sign a certificate with a FIPS enabled build of openssl
>> (1.0.1c, FIPS object module 2.0) and the PKCS#11 engine (using a Safenet
>> eToken). Opensc and engine_pkcs11 are the most recent versions (0.12.2
>> and 0.1.8)
>>
>> I did this procedure before (with the non-fips version) using an openssl
>> config file:
>>
>> openssl_conf = openssl_def
>> [openssl_def]
>> engines = engine_section
>> [engine_section]
>> pkcs11 = pkcs11_section
>> [pkcs11_section]
>> engine_id = pkcs11
>> dynamic_path = /usr/lib/engines/engine_pkcs11.so
>> MODULE_PATH = libeTPkcs11.so
>> PIN = topsecret
>> VERBOSE = EMPTY
>> init = 0
>> [ca]
>> ...
>>
>> and the command
>> openssl ca  -engine pkcs11 -in /tmp/testcsr -keyfile 2:74 -keyform
>> engine -out /tmp/cert -batch -config /tmp/testConf -md sha1 -subj
>> "/C=AT/CN=Test" -days 30
>>
>> This worked like charm, but with the fips-build (engine_pkcs11 and the
>> PKCS#11 client library are the same), I get a segmentation fault:
>>
>> Using configuration from /tmp/testConf
>> initializing engine
>> engine "pkcs11" set.
>> Looking in slot 2 for key: 74
>> Found 6 slots
>> [0] Cherry SmartBoard XX44 00  no tok
>> [1] AKS ifdh 00 00             login             (eToken)
>> [2] AKS ifdh 01 00             login             (INTERN)
>> [3]                            no tok
>> [4]                            no tok
>> [5]                            no tok
>> Found slot:  AKS ifdh 01 00
>> Found token: INTERN
>> Found 2 certificates:
>>     1    INTERN (/C=AT/CN=INTERN/emailAddress=int...@test.at)
>>     2    INTERN SUB (/C=AT/CN=INTERN SUB/emailAddress=int...@test.at)
>> Found 2 keys:
>>     1 P  INTERN
>>     2 P  INTERN SUB
>> Check that the request matches the signature
>> Signature ok
>> The Subject's Distinguished Name is as follows
>> countryName           :PRINTABLE:'AT'
>> commonName            :PRINTABLE:'Test'
>> Certificate is to be certified until Aug 10 10:17:22 2012 GMT (30 days)
>> Segmentation fault
>>
>> All this is happening with the FIPS-capable build but without actually
>> enabling FIPS-mode.
>>
>> I am quite lost here. Any ideas?
>>
>> cheers
>> Mathias
>> _______________________________________________
>> opensc-devel mailing list
>> opensc-devel@lists.opensc-project.org
>> http://www.opensc-project.org/mailman/listinfo/opensc-devel
>>
>>
> 

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel

Reply via email to