I don't see anything in this, other than it looks like it never called OpenSC. OpenSC is compiled with OpenSSL, and it could be conflicts with two different versions of OpenSSL.

ldd /usr/lib/engines/engine_pkcs11.so would show what version it wants to use. You may have to recompile OpenSC and use the FIPS version of OpenSSL.

On 8/10/2012 9:32 AM, Mathias Tausig wrote:
> On 08/10/2012 03:41 PM, Douglas E. Engert wrote:
>> Not much to go on below.
>
> Sorry. I will provide more information below.
>
>> Is there a core file produced?
>
> No.
>
>> Can you get a stack trace?
>> Can the fips version be compiled with debugging?
>> Can you run this under a debugger?
>
> Three times yes. Here is the stacktrace from gdb:
>
> Program received signal SIGSEGV, Segmentation fault.
> 0x00000001 in ?? ()
> (gdb) bt
> #0 0x00000001 in ?? ()
> #1 0x0822ff8a in ASN1_item_sign_ctx (it=0x829e674, algor1=0xb03aeff8, algor2=0xb02fcff8, signature=0xb0306ff0, asn=0xb05ccfcc, ctx=0xbfffe074) at a_sign.c:257
> #2 0x081c77d9 in X509_sign_ctx (x=0xb04dbf98, ctx=0xbfffe074) at x_all.c:100
> #3 0x080a2caa in do_X509_sign (err=0xb7d28fc0, x=0xb04dbf98, pkey=0xb0cbafe0, md=0x8302840, sigopts=0x0) at req.c:1802
> #4 0x080ae993 in do_body (xret=0xbfffe62c, pkey=0xb0cbafe0, x509=0xb0b02f98, dgst=0x8302840, sigopts=0x0, policy=0xb27e7fec, db=0xb05f2ff8, serial=0xb0600fec, subj=0xbffff0cb "/C=AT/CN=Test", chtype=4097, multirdn=0, email_dn=1, startdate=0x825f5f6 "today", enddate=0x0, days=30, batch=1, verbose=0, req=0xb062aff0, ext_sect=0xb2563ff0 "usr_cert", lconf=0xb29f6ff0, certopt=0, nameopt=0, default_op=1, ext_copy=1, selfsign=0) at ca.c:2172
> #5 0x080ad712 in certify (xret=0xbfffe62c, infile=0xbffff04c "/home/ad60095910/tmp/testcsr", pkey=0xb0cbafe0, x509=0xb0b02f98, dgst=0x8302840, sigopts=0x0, policy=0xb27e7fec, db=0xb05f2ff8, serial=0xb0600fec, subj=0xbffff0cb "/C=AT/CN=Test", chtype=4097, multirdn=0, email_dn=1, startdate=0x825f5f6 "today", enddate=0x0, days=30, batch=1, ext_sect=0xb2563ff0 "usr_cert", lconf=0xb29f6ff0, verbose=0, certopt=0, nameopt=0, default_op=1, ext_copy=1, selfsign=0) at ca.c:1633
> #6 0x080ac2cc in ca_main (argc=0, argv=0xbfffed98) at ca.c:1233
> #7 0x0809c815 in do_cmd (prog=0xb36a9fa0, argc=20, argv=0xbfffed48) at openssl.c:489
> #8 0x0809c436 in main (Argc=20, Argv=0xbfffed48) at openssl.c:381
> (gdb)
>
>> If not, can you turn on the debugging in opensc.conf
>> (Note: PINS and other sensitive data are traced)
>
> I tried that, but no debug file was produced. I set "debug=99" and "debug_file = /tmp/opensc-debug.log;"
>
>> Or run it with opensc pkcs11-spy to get PKCS#11 trace
>
> I don't know about pkcs11-spy, but I assume that it is a pkcs#11 tracer. I already did create a log with the debug facility of the eToken driver (reading and exporting it with Safenet's proprietary log viewer). Here is the final part of the log:
>
> 0xb7e276c0 16:16:59.271 C_GetAttributeValue [4] ( pTemplate={ CKA_SENSITIVE=1 } )
> 0xb7e276c0 16:16:59.271 + C_GetAttributeValue( hSession=0x08730004 hObject=0x08ec0008 pTemplate={ CKA_EXTRACTABLE=1 } )
> 0xb7e276c0 16:16:59.274 C_GetAttributeValue [3] ( pTemplate={ CKA_EXTRACTABLE=0 } )
> 0xb7e276c0 16:16:59.274 + C_GetAttributeValue( hSession=0x08730004 hObject=0x08ec0008 pTemplate={ CKA_MODULUS=524 } )
> 0xb7e276c0 16:16:59.281 C_GetAttributeValue [7] ( pTemplate={ CKA_MODULUS=[256](9d f5 ef 5c b8 1d 15 cb 01 e7 bf ab fc 89 d0 52 cc 94 c2 6d dc 60 d9 b5 c8 12 06 a1 eb eb 4b 0d 92 76 f0 25 a5 96 44 cf 51 92 28 b4 fe 81 79 b4 e9 6a cc c4 87 73 1a 5e 32 f1 5c e4 1f e8 c2 78 25 fa 9a 88 ab 3f dd e9 78 e8 1a f6 5a 16 fa 29 05 e5 a3 1d 13 37 86 71 09 11 fa 5d 5c 1c b9 83 65 8c 83 5c b9 3e cc 01 4a de 8b db fb a2 ad 3c 56 0b d5 16 d9 ca 88 b9 7f 4c df 3b f7 9a 7a 52 b1 74 79 c0 62 14 3c 64 30 f8 db c1 1d 33 ac 67 91 5f 63 ca 79 75 4d 48 76 b1 95 f7 7b f1 22 b3 8d f1 ca 9b 74 43 06 a6 70 4d 2f 1c 55 26 a2 fc 29 f1 0f 7e 3b e6 c6 53 30 1c a4 21 10 3b dc 21 9e 1e df 78 35 d2 e4 48 e2 86 79 59 d0 85 e7 60 0e 3e 49 8e fc c1 9b 59 29 3d 0c ab 42 d9 a0 db ca 7b cf 26 ba 7c 63 31 42 ee 5a 49 28 7e f3 71 a4 e0 11 87 b5 7d 32 dd b0 bb b1 c4 63 cf d1 77) } )
> 0xb7e276c0 16:16:59.281 + C_GetAttributeValue( hSession=0x08730004 hObject=0x08ec0008 pTemplate={ CKA_PUBLIC_EXPONENT=524 } )
> 0xb7e276c0 16:16:59.286 C_GetAttributeValue [5] ( pTemplate={ CKA_PUBLIC_EXPONENT=[3](01 00 01) } )
> 0xb7e276c0 16:16:59.286 <stop Z:\home\ad60095910\tmp\etokenLog.fipsabsturz-20120808\Aug 10 [08-41]\openssl D502517D9 P24552 T-1209895232.trc>
> 0xb37ffb70 16:16:59.559 - IFDHTransmitToICC( Lun=0x00000000 TxLength=0x00000005 *RxLength=0x00000140 )
> 0xb37ffb70 16:16:59.559 TxBuffer(Send)=: TxBuffer=[5](00 a4 00 00 00)
> 0xb37ffb70 16:16:59.559 + eTSC_TransmitApdu( context=0xb6da2714 request=0xb37df364 requestLen=5 reply=0xb37ef370 replyLen=0xb37df19a )
> 0xb37ffb70 16:16:59.584 eTSC_TransmitApdu [25] ( )
> 0xb37ffb70 16:16:59.584 IFDHTransmitToICC [25] ( )
> 0xb37ffb70 16:17:07.653 - IFDHGetCapabilities( Lun=0x00000000 Tag=0x00000fb2 )
> 0xb37ffb70 16:17:07.653 Unknown Tag:
> 0xb37ffb70 16:17:07.653 rv=00000266 IFDHGetCapabilities [0] ( )
>
> I sent this trace to the Safenet support as well, they meant that it didn't look peculiar to them.
>
> I hope this information helps.
>
> cheers
> Mathias
>
>> On 8/10/2012 3:33 AM, Mathias Tausig wrote:
>>> Hello!
>>>
>>> Has anybody been able to use engine_pkcs11 with the recently released FIPS approved version of openssl? I failed to do so.
>>>
>>> I was trying to sign a certificate with a FIPS enabled build of openssl (1.0.1c, FIPS object module 2.0) and the PKCS#11 engine (using a Safenet eToken). Opensc and engine_pkcs11 are the most recent versions (0.12.2 and 0.1.8).
>>>
>>> I did this procedure before (with the non-fips version) using an openssl config file:
>>>
>>> openssl_conf = openssl_def
>>> [openssl_def]
>>> engines = engine_section
>>> [engine_section]
>>> pkcs11 = pkcs11_section
>>> [pkcs11_section]
>>> engine_id = pkcs11
>>> dynamic_path = /usr/lib/engines/engine_pkcs11.so
>>> MODULE_PATH = libeTPkcs11.so
>>> PIN = topsecret
>>> VERBOSE = EMPTY
>>> init = 0
>>> [ca]
>>> ...
>>>
>>> and the command
>>> openssl ca -engine pkcs11 -in /tmp/testcsr -keyfile 2:74 -keyform engine -out /tmp/cert -batch -config /tmp/testConf -md sha1 -subj "/C=AT/CN=Test" -days 30
>>>
>>> This worked like a charm, but with the fips-build (engine_pkcs11 and the PKCS#11 client library are the same), I get a segmentation fault:
>>>
>>> Using configuration from /tmp/testConf
>>> initializing engine
>>> engine "pkcs11" set.
>>> Looking in slot 2 for key: 74
>>> Found 6 slots
>>> [0] Cherry SmartBoard XX44 00 no tok
>>> [1] AKS ifdh 00 00 login (eToken)
>>> [2] AKS ifdh 01 00 login (INTERN)
>>> [3] no tok
>>> [4] no tok
>>> [5] no tok
>>> Found slot: AKS ifdh 01 00
>>> Found token: INTERN
>>> Found 2 certificates:
>>> 1 INTERN (/C=AT/CN=INTERN/emailAddress=int...@test.at)
>>> 2 INTERN SUB (/C=AT/CN=INTERN SUB/emailAddress=int...@test.at)
>>> Found 2 keys:
>>> 1 P INTERN
>>> 2 P INTERN SUB
>>> Check that the request matches the signature
>>> Signature ok
>>> The Subject's Distinguished Name is as follows
>>> countryName :PRINTABLE:'AT'
>>> commonName :PRINTABLE:'Test'
>>> Certificate is to be certified until Aug 10 10:17:22 2012 GMT (30 days)
>>> Segmentation fault
>>>
>>> All this is happening with the FIPS-capable build but without actually enabling FIPS-mode.
>>>
>>> I am quite lost here. Any ideas?
>>>
>>> cheers
>>> Mathias
>>> _______________________________________________
>>> opensc-devel mailing list
>>> opensc-devel@lists.opensc-project.org
>>> http://www.opensc-project.org/mailman/listinfo/opensc-devel
>>>
>>
>

-- 
Douglas E. Engert <deeng...@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
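The ldd check suggested in the reply, carried one step further as an added example that is not from the thread: a small POSIX sh script that compares which libcrypto the openssl binary, the PKCS#11 engine and the PKCS#11 module each resolve to, and flags the mixed-OpenSSL situation the reply suspects. The engine path is the one from the poster's config; the OpenSC module path and the ldd listings are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: check whether the openssl binary, the
# PKCS#11 engine and the PKCS#11 module all resolve to the SAME libcrypto,
# i.e. the "two different versions of OpenSSL" conflict suggested above.
# The ldd listings further down are constructed for the demo; the engine path
# comes from the poster's config, the OpenSC module path is an assumption.

# Print the libcrypto path an ldd listing resolves to, "not-found" if the
# loader cannot locate it, or "none" if the object does not link libcrypto
# dynamically (for example a statically linked build).
libcrypto_of() {
    printf '%s\n' "$1" | awk '
        /libcrypto/ {
            if ($0 ~ /not found/) { print "not-found"; found = 1; exit }
            for (i = 1; i <= NF; i++)
                if ($i ~ /^\//) { print $i; found = 1; exit }
        }
        END { if (!found) print "none" }'
}

# Each argument is "label|ldd output". Prints "ok" or "mismatch" on the first
# line, followed by one "label -> libcrypto" line per component.
libcrypto_check() {
    first=""; status="ok"; report=""
    for entry in "$@"; do
        label=${entry%%|*}
        lib=$(libcrypto_of "${entry#*|}")
        report="${report}${label} -> ${lib}
"
        [ -z "$first" ] && first=$lib
        [ "$lib" != "$first" ] && status="mismatch"
    done
    printf '%s\n%s' "$status" "$report"
}

# Verdict line only.
check_status() { libcrypto_check "$@" | sed -n 1p; }

# Constructed listings standing in for what `ldd` prints for each component.
OPENSSL_LDD='    libcrypto.so.1.0.0 => /opt/openssl-fips/lib/libcrypto.so.1.0.0 (0xb7e00000)
    libc.so.6 => /lib/libc.so.6 (0xb7c00000)'
ENGINE_LDD='    libcrypto.so.0.9.8 => /usr/lib/libcrypto.so.0.9.8 (0xb7d00000)
    libdl.so.2 => /lib/libdl.so.2 (0xb7cf0000)'
MODULE_LDD='    libcrypto.so.1.0.0 => /opt/openssl-fips/lib/libcrypto.so.1.0.0 (0xb7e00000)'

libcrypto_check "openssl|$OPENSSL_LDD" \
    "/usr/lib/engines/engine_pkcs11.so|$ENGINE_LDD" \
    "opensc-pkcs11.so (path assumed)|$MODULE_LDD"
# Real system: libcrypto_check "openssl|$(ldd "$(command -v openssl)")" ...
```

A "mismatch" verdict means the engine or module was built against a different libcrypto than the openssl binary that loads it, which is the case where rebuilding OpenSC and the engine against the FIPS-capable OpenSSL is the fix to try first.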