Hi all,
a follow-up, see comments inline below
Jan Just Keijser wrote:
Hi all,
positive news this time: I've managed to upload my certificate to the
Feitian ePAss and sign a certificate request with it (i.e. no more
annoying openssl error):
15127:error:8000A005:PKCS11 library:PKCS11_rsa_sign:General Error:p11_ops.c:131:
15127:error:0D0C3006:asn1 encoding routines:ASN1_item_sign:EVP lib:a_sign.c:276:
here's what I did:
- svn checkout of the pcsc code
- build the pcsc code
- svn checkout of the opensc code
- patch the opensc code so that the openssl 1.0 thing does not bite me
(it's still broken in svn)
it is almost fixed in svn 4396: when starting openssl I get two warnings
openssl (lock_dbg_cb): already locked (mode=9, type=30) at eng_list.c:284
openssl (lock_dbg_cb): not locked (mode=10, type=30) at eng_table.c:186
but with this patch those are gone as well:
--- opensc/src/pkcs11/openssl.c 2010-06-02 17:34:05.317163916 +0200
+++ opensc-svn-4396/src/pkcs11/openssl.c2010-06-02
17:33:02.238259385 +0200
@@ -191,6 +191,11 @@
#if OPENSSL_VERSION_NUMBER = 0x1000L !defined(OPENSSL_NO_ENGINE)
ENGINE *e = NULL;
+typedef void (*locking_cb_fn)(int mode,int type, const char
*file,int line);
+
+locking_cb_fn locking_cb = CRYPTO_get_locking_callback();
+if (locking_cb) CRYPTO_set_locking_callback( NULL );
+
#if !defined(OPENSSL_NO_STATIC_ENGINE) !defined(OPENSSL_NO_GOST)
ENGINE_load_gost();
e = ENGINE_by_id(gost);
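Review bot: saving and clearing the locking callback around ENGINE_load_gost()/ENGINE_by_id() makes the lock_dbg_cb "already locked"/"not locked" warnings disappear by switching OpenSSL's locking off for that window, not by fixing the re-entrant lock that produces them; if any other thread is using OpenSSL while this initialization runs, the shared engine tables are touched without locks. The warning at eng_list.c:284 says the lock is already held when the engine code tries to take it, so the cleaner fix is to find which caller holds the lock at that point (or to stop the double take) rather than to suppress all locking. Two smaller points: the typedef duplicates the return type of CRYPTO_get_locking_callback() and can be replaced by `void (*locking_cb)(int, int, const char *, int) = CRYPTO_get_locking_callback();`, and the patch as pasted has lost the `>=` and `&&` operators in its `#if` lines (and the quotes around gost), presumably mail mangling, so it will not apply as shown.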
@@ -208,6 +213,9 @@
ENGINE_set_default(e, ENGINE_METHOD_ALL);
ENGINE_free(e);
}
+
+if (locking_cb) CRYPTO_set_locking_callback( locking_cb );
+
#endif /* OPENSSL_VERSION_NUMBER = 0x1000L
!defined(OPENSSL_NO_ENGINE) */
openssl_sha1_mech.mech_data = EVP_sha1();
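Review bot: the callback is restored only at the end of the #if block, so any early return between the save at the top of the block and this restore (for example if ENGINE_by_id() fails and the code bails out before the closing brace) would leave the whole process without a locking callback for good; please check that there is no such exit path between the two hunks, or restore the callback on every path. A one-line comment saying why the locking callback is disabled around engine loading (the lock_dbg_cb warnings at eng_list.c:284 and eng_table.c:186) would also help, since the save/restore otherwise looks like dead code to a later reader.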
- build the opensc code (with --enable-pcsc)
- grab the latest engine_pkcs11 code and build it
then
- run the new pcscd
- modify opensc.conf to point to the new libpcsclite libs and a new
profile directory (/usr/local/share/opensc)
- re-initialize the card
- install the cert + userkey
- run my script to sign a cert request
and this finally worked!
I then switched back to the older opensc 0.11.13 code and that also
worked for signing a certificate request!
However, if I re-initialize the card using the opensc 0.11.13 codebase
the cert signing failed using both the old and the new version of
opensc: this leads me to believe that the card initialisation code
has changed between 0.11.13 and 0.12 (svn) ...
Now I have to test if all of this also works for the Feitian SCR301
card reader ...
The SCR301 works but is MUCH slower than the Omnikey reader - perhaps
the Feitian folks can explain this?
Other than that it is now working quite nicely. My next test will be to
see how it interoperates with openvpn.
cheers,
JJK
___
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel