Hi,

I'm trying to build the engine version of openssl-engine 0.9.6c. After solving the problem of unistd.h I'm getting linking problems. This is the output I get:

Building OpenSSL
        link /nologo /subsystem:console /machine:I386 /opt:ref /dll /out:out32dll\libeay32.dll /def:ms/LIBEAY32.def @C:\DOCUME~1\ERIK~1.HEV\LOCALS~1\Temp\nmA5.tmp
ms/LIBEAY32.def(7) : warning LNK4017: DESCRIPTION statement not supported for the target platform; ignored
   Creating library out32dll\libeay32.lib and object out32dll\libeay32.exp
b_print.obj : error LNK2019: unresolved external symbol __ftol2 referenced in function _roundv
b_print.obj : error LNK2019: unresolved external symbol __aulldvrm referenced in function _fmtint
out32dll\libeay32.dll : fatal error LNK1120: 2 unresolved externals
NMAKE : fatal error U1077: 'link' : return code '0x460'
Stop.

Can somebody please help me out?

Thank you,
Ulrichts Erik
Hypertrust NV
Belgium
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of William James Hymas
Sent: Thursday, 25 April 2002 16:31
To: [EMAIL PROTECTED]
Subject: Re: PKCS11 engine support

Hi Zoran,

Is there a set of patches for 0.9.6c?

Bill

"Zoran Radenkovic" <[EMAIL PROTECTED]>@openssl.org on 30-07-2001 03:31:17 AM
Please respond to [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
cc: [EMAIL PROTECTED]
Subject: PKCS11 engine support

Hi,

As announced a few months ago, Eracom decided to share the pkcs11 engine code with the OpenSSL community. Finally we got the green light and here we are.

The code is the Eracom pkcs11 engine implementation. We tried to do everything via the engine API, avoiding changing the rest of the openssl code base. In the lack of documentation and guidelines for the future of the engine API, some decisions we made maybe are not good, but we gave our best. We hope that with the OpenSSL community we will get the best answer on those issues.

The PKCS11 engine implementation is in ERACopenssl-engine-0.9.6a.patch.gz (tested on 0.9.6b as well).
The ModSSL patch for entering the user PIN in Apache is in patch ERACmod_ssl-2.8.2-1.3.19.patch and ERACmod_ssl-2.8.4-1.3.20.patch.

Issues we are not 100% happy with:

****** Keys stored on adaptor (hwkeys as we call them) ******

Our goal was to support applications like Apache/ModSSL, which use keys stored on disk, without the need to make changes in the applications' code base. There is no separate PEM format for hwkeys; getting a key is done by PEM_read_PrivateKey(), which doesn't handle hwkeys. To avoid making our own PEM format and changing the code base around the PEM_read_PrivateKey() function, we decided to use "dummy" PEM link-keys for hwkeys. We changed genrsa and gendsa on the way to put the constant 1 in all "private" key fields except one, where we embedded "info" about the corresponding hwkey. The utilities genrsa and gendsa are changed to have one more parameter "-hwkey <id>", e.g.:

    % openssl genrsa -engine ERACOM -hwkey <slot>/<keyname> -out rsa.pem 512

The command above produces the rsa.pem file with the real values of the prime and public key copied from the hw key on the adapter, and all other values will be 1 except iqmp, which will be "ERACOM/<slot>/<keyname>" in hex. The default value for slot is 0, if it is not specified.

When OpenSSL reads the key from disk and passes it to the engine, the ERACOM engine checks the values and finds iqmp="ERACOM/<slot>/<keyname>". Keyname and slot get extracted and used for the cryptographic operation. (The PIN for login will be supplied as mentioned below ...) It works in a similar way for DSA and DH.

****** User PIN for h/w keys ******

The Engine API is missing functionality for passing a PIN for login to the token. We implemented three ways a PIN can be passed to the engine for login for keys stored on the adaptor:

a) the engine prompts the user to enter the PIN if it is not supplied by way b) or c)
b) via a call to ENGINE_load_privkey using the passphrase as PIN
c) via the environment variable PKCS_SLOT_<n>_PIN

The second option requires changing the application source. We implemented the third option because applications like Apache have, at the time of OpenSSL initialisation, already detached from the terminal, i.e. it's too late to enter the PIN. This is the reason we have a patch for mod_ssl which uses way b) to get the PIN in Apache (ERACmod_ssl-xxx-xxx.patch).

***** How to install it ******

Apply ERACopenssl-xxx.xxx.patch and build it. The default name for the PKCS#11 library is cryptoki. That can be changed by the environment variable PKCS11_LIB. The library path should be defined by the LD_LIBRARY_PATH variable. We tested it only on Linux and Solaris with csa8000 and csa7000 adaptors.

***** How to use it with Apache *****

If you are happy to supply the PIN by environment variable, then "install" mod_ssl and build Apache. Alternatively, applying ERACmod_ssl-xxx.patch before you "install" it will make ModSSL prompt you for the PIN. The ModSSL install call should be:

    ./configure \
        --with-apache=../$APACHE \
        --with-ssl=../$OPENSSL \
        --prefix=/opt/$APACHE \
        --enable-shared=ssl \
        --enable-rule=SSL_EXPERIMENTAL

After that build Apache. On that Web server the private keys will be stored on disk. If you want them secured on the adaptor, this is one of the ways you can do that (using the Eracom ctcert tool):

Generating an Apache Cert
-------------------------

1. Create a self-signed CA certificate

    % ctcert c -lMyCA -k -u0000
    Cprov Certificate Management Tool $Revision: 1.7 $
    Copyright (c) ERACOM Pty. Ltd. 2001
    Please enter the Subject Distinguished Name for the key pair.
    Common Name: CA
    Organisation: Eracom-Techology
    Organisal Unit: Test
    State: BW
    Country: DE
    Generating new key pair, please wait...
    Creating certificate for 'MyCA'
    Issuer: 'CN=CA,OU=Eracom-Techology,O=Test,ST=BW,C=DE'
    Subject: 'CN=CA,OU=Eracom-Techology,O=Test,ST=BW,C=DE'
    Serial No: 0
    ctcert: Certificate generated

2. Create a certification request

    % ctcert r -lServerCert -k -u0000
    Cprov Certificate Management Tool $Revision: 1.7 $
    Copyright (c) ERACOM Pty. Ltd. 2001
    Please enter the Subject Distinguished Name for the key pair.
    Common Name: stern.concord-eracom.de
    Organisation: Eracom-Technology
    Organisal Unit: Test
    State: BW
    Country: DE
    Generating new key pair, please wait...
    Creating certificate request for 'ServerCert'
    Subject: 'CN=stern.concord-eracom.de,OU=Eracom-Technology,O=Test,ST=BW,C=DE'
    ctcert: Certificate request generated

3. Sign the certification request

    % ctcert c -c'MyCA (Pri)' -lServerCert -u0000
    Cprov Certificate Management Tool $Revision: 1.7 $
    Copyright (c) ERACOM Pty. Ltd. 2001
    Creating certificate for 'ServerCert'
    Issuer: 'CN=CA,OU=Eracom-Techology,O=Test,ST=BW,C=DE'
    Subject: 'CN=stern.concord-eracom.de,OU=Eracom-Technology,O=Test,ST=BW,C=DE'
    Serial No: 1
    ctcert: Certificate generated

4. Export the certificate into the apache configuration

    % ctcert x -lServerCert > conf/ssl.crt/ServerCert.crt -u0000

5. Create a dummy keyfile for the apache configuration

    % openssl genrsa -engine ERACOM -hwkey 'ServerCert (Pri)' > /opt/apache/conf/ssl.key/ServerCert.key

6. Modify the apache configuration to use the new certificate and key

    % vi conf/http.conf

   and change:

    SSLCryptoDevice ERACOM
    SSLCertificateFile /opt/apache/conf/ssl.crt/ServerCert.crt
    SSLCertificateKeyFile /opt/apache/conf/ssl.key/ServerCert.key

7. Start apache

    % /opt/apache/bin/apachectl startssl

***** Known Problems *****

a) When an application forks, the C_Initialize call is no longer valid (all key/session handles become invalid). Currently, if an open session fails we just re-init.
b) limited testing: no DH cross test, ...
c) ephemeral DH key negotiation is not supported (WebBench/Apache tests preferred)
d) Linux SMP not supported by the e8k driver (Eracom driver for CSA8000)

***** Wish List ******

a) having a separate PEM for hwkeys
b) Hwkey generation on the adaptor via genrsa/gendsa
c) Better user PIN handling

Best regards and enjoy!
Zoran.

(See attached file: ERACopenssl-engine-0.9.6b.patch.gz)
(See attached file: ERACmod_ssl-2.8.4-1.3.20.patch.gz)
(See attached file: ERACopenssl-engine-0.9.6a.patch.gz)
(See attached file: ERACmod_ssl-2.8.2-1.3.19.patch.gz)

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
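The "dummy PEM link-key" convention Zoran describes (every private RSA field set to 1 except iqmp, which carries "ERACOM/<slot>/<keyname>") is easy to misread from prose alone, so here is an added illustration of both sides of it: writing such a PKCS#1 RSAPrivateKey PEM and, on the consumer side, the check an engine would perform to distinguish a link-key from an ordinary key file and recover slot and keyname. This is constructed example code, not Eracom's patch or OpenSSL's own implementation. Assumptions: the marker is stored as the big-endian bytes of the iqmp integer (the thread says only "hex"), the placeholder check covers d, dmp1 and dmq1, and the tiny textbook RSA parameters (p=61, q=53) stand in for the real values copied from the adapter.

```python
"""Constructed illustration of the ERACOM 'dummy PEM link-key' scheme.

Not Eracom's or OpenSSL's code. Assumption: the marker string
'ERACOM/<slot>/<keyname>' is stored as the big-endian bytes of the
iqmp INTEGER of a PKCS#1 RSAPrivateKey; every other private field is 1.
"""
import base64
import re

MARKER_PREFIX = "ERACOM/"
DEFAULT_SLOT = 0  # the thread: "Default value for slot is 0, if is not specified"
PEM_RE = re.compile(
    r"-----BEGIN RSA PRIVATE KEY-----(.*?)-----END RSA PRIVATE KEY-----", re.S)
FIELDS = ("version", "n", "e", "d", "p", "q", "dmp1", "dmq1", "iqmp")


def _der_len(n: int) -> bytes:
    """DER length octets, short form below 128 and long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer(value: int) -> bytes:
    """DER INTEGER for a non-negative value (0x00 pad when the high bit is set)."""
    if value < 0:
        raise ValueError("only non-negative integers are encoded here")
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_len(len(body)) + body


def der_sequence(items) -> bytes:
    body = b"".join(items)
    return b"\x30" + _der_len(len(body)) + body


def build_link_key_pem(n: int, e: int, p: int, q: int,
                       slot=None, keyname="ServerCert (Pri)") -> str:
    """Write the link-key: real n, e, p, q; d/dmp1/dmq1 = 1; iqmp = marker bytes."""
    marker = f"{MARKER_PREFIX}{DEFAULT_SLOT if slot is None else slot}/{keyname}"
    iqmp = int.from_bytes(marker.encode("ascii"), "big")  # assumption: bytes as integer
    der = der_sequence([der_integer(v) for v in (0, n, e, 1, p, q, 1, 1, iqmp)])
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN RSA PRIVATE KEY-----\n" + "\n".join(lines)
            + "\n-----END RSA PRIVATE KEY-----\n")


def _read_len(buf: bytes, pos: int):
    """Decode DER length at buf[pos]; return (length, position after length)."""
    first = buf[pos]
    pos += 1
    if first < 0x80:
        return first, pos
    count = first & 0x7F
    return int.from_bytes(buf[pos:pos + count], "big"), pos + count


def parse_rsa_private_key(pem: str) -> dict:
    """Minimal PKCS#1 parser: a SEQUENCE of nine INTEGERs mapped onto FIELDS."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("not a PKCS#1 RSA PRIVATE KEY PEM")
    der = base64.b64decode("".join(m.group(1).split()))
    if der[0] != 0x30:
        raise ValueError("expected SEQUENCE")
    length, pos = _read_len(der, 1)
    end = pos + length
    values = []
    while pos < end:
        if der[pos] != 0x02:
            raise ValueError("expected INTEGER")
        ilen, pos = _read_len(der, pos + 1)
        values.append(int.from_bytes(der[pos:pos + ilen], "big"))
        pos += ilen
    if len(values) != len(FIELDS):
        raise ValueError("unexpected field count")
    return dict(zip(FIELDS, values))


def detect_hwkey(key: dict):
    """Engine-side check: return (slot, keyname) for a link-key, None otherwise."""
    iqmp = key["iqmp"]
    raw = iqmp.to_bytes(max(1, (iqmp.bit_length() + 7) // 8), "big")
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    if not text.startswith(MARKER_PREFIX):
        return None
    slot_str, sep, keyname = text[len(MARKER_PREFIX):].partition("/")
    if not sep or not slot_str.isdigit() or not keyname:
        return None
    # The other private fields must hold the placeholder 1, else treat as a real key.
    if not (key["d"] == key["dmp1"] == key["dmq1"] == 1):
        return None
    return int(slot_str), keyname


if __name__ == "__main__":
    pem = build_link_key_pem(3233, 17, 61, 53)        # constructed textbook parameters
    print(pem)
    print(detect_hwkey(parse_rsa_private_key(pem)))   # (0, 'ServerCert (Pri)')
```

Run as a script it prints the link-key PEM and the recovered (slot, keyname) pair; a key file whose iqmp is a genuine CRT coefficient falls through every check and is treated as an ordinary on-disk key, which is what lets PEM_read_PrivateKey() stay untouched in the scheme the thread describes.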
