Hello again.

I implemented this "temporary fix" in the OpenSSL dynamically linked library and engine_pkcs11.dll (with statically linked OpenSSL) and libp11-2.dll (with statically linked OpenSSL), all compiled by mingw. Unfortunately, OpenSSL started crashing during my test key operations:

openssl req -engine pkcs11 -new -key slot_0-id_d7f4b99792cc4dd708e408d3eb91b566e0a06c02 -keyform engine -x509 -out req.pem -text -days 365 -subj "/C=PL/ST=woj./L=miejscowosc/O=firma/OU=dzial/CN=nazwisko/emailAddress= k...@domena.pl"

openssl x509 -engine pkcs11 -signkey slot_0-id_d7f4b99792cc4dd708e408d3eb91b566e0a06c02 -keyform engine -in req.pem -out test.pem

When I reverted this fix, OpenSSL stopped crashing and the above operations succeeded. So this fix is unacceptable for me.

Regards
Pawel

On Thu, Dec 10, 2015 at 6:32 PM, Dr. Stephen Henson <st...@openssl.org> wrote:

> On Thu, Dec 10, 2015, Blumenthal, Uri - 0553 - MITLL wrote:
>
> > Much better now - but at this time I hit "unsupported algorithm". The key
> > in question is RSA-2048, with SHA256.
> >
> > $ LOAD_CERT_CTRL=true VERBOSE=7 openssl pkeyutl -engine pkcs11 -sign -keyform engine -inkey "pkcs11:object=SIGN%20key;object-type=private;pin-value=123456" -out config.status.sig -in config.status.hash
> > engine "pkcs11" set.
> > Error initializing context
> > 140735296230224:error:260C0065:engine routines:ENGINE_get_pkey_meth:unimplemented public key method:tb_pkmeth.c:128:
> > 140735296230224:error:0609D09C:digital envelope routines:INT_CTX_NEW:unsupported algorithm:pmeth_lib.c:164:
>
> The reason for that is because the -engine option sets the ENGINE to use for
> everything and the PKCS#11 ENGINE doesn't support that public key method.
>
> What we need is a way to load the private key from an ENGINE but not attempt
> to use that for the actual operations. Temporary fix is to set the second
> argument in EVP_PKEY_CTX_new to NULL in pkeyutl.c
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
> _______________________________________________
> openssl-dev mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev