Re: [opensc-devel] new versions

2010-06-02 Thread Aleksey Samsonov
Hello,

Martin Paljak wrote:
 * what happened to opensc 0.11.*? I thought the problem with
  gost / engine_pkcs11 is so big, it should be fixed in
  the 0.11 line to help normal users, and so distributions
  can backport that fix if they want.
 Apparently Jean-Michel has some specific bugfixes in the Entersafe driver 
 (can you pinpoint the changesets/bugs?) that also should be incorporated in 
 addition to the OpenSSL/GOST issue.
 
 martin, do you want to create new releases?
 Need to test 0.11 branch with the openssl engine fix.

Could you wait a few days? I'm trying to find a cleaner solution. We have 
a problem under the condition that the gost engine is loaded before loading 
engine_pkcs11 (which loads the gost engine).

___
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel


Re: [opensc-devel] Success with Omnikey

2010-06-02 Thread Jan Just Keijser
Hi all,

a follow-up, see comments inline below
Jan Just Keijser wrote:
 Hi all,

 positive news this time: I've managed to upload my certificate to the 
 Feitian ePass and sign a certificate request with it (i.e. no more 
 annoying openssl error:
 15127:error:8000A005:PKCS11 library:PKCS11_rsa_sign:General Error:p11_ops.c:131:
 15127:error:0D0C3006:asn1 encoding routines:ASN1_item_sign:EVP lib:a_sign.c:276:

 here's what I did:

 - svn checkout of the pcsc code
 - build the pcsc code
 - svn checkout of the opensc code
 - patch the opensc code so that the openssl 1.0 thing does not bite me 
 (it's still broken in svn)
it is almost fixed in svn 4396 : when starting openssl I get two warnings

openssl (lock_dbg_cb): already locked (mode=9, type=30) at eng_list.c:284
openssl (lock_dbg_cb): not locked (mode=10, type=30) at eng_table.c:186

but with this patch those are gone as well:

--- opensc/src/pkcs11/openssl.c 2010-06-02 17:34:05.317163916 +0200
+++ opensc-svn-4396/src/pkcs11/openssl.c2010-06-02 
17:33:02.238259385 +0200
@@ -191,6 +191,11 @@
 #if OPENSSL_VERSION_NUMBER = 0x1000L  !defined(OPENSSL_NO_ENGINE)
ENGINE *e = NULL;
 
+typedef void (*locking_cb_fn)(int mode,int type, const char 
*file,int line);
+
+locking_cb_fn locking_cb = CRYPTO_get_locking_callback();
+if (locking_cb) CRYPTO_set_locking_callback( NULL );
+
 #if !defined(OPENSSL_NO_STATIC_ENGINE)  !defined(OPENSSL_NO_GOST)
ENGINE_load_gost();
e = ENGINE_by_id(gost);
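Review bot: Clearing the callback with `CRYPTO_set_locking_callback( NULL )` just before `ENGINE_load_gost()` makes the two `lock_dbg_cb` warnings go away by removing the function that reports them, not by fixing the lock/unlock mismatch they point at (eng_list.c:284 and eng_table.c:186). The locking callback is process-wide, so while it is NULL any other thread using OpenSSL in the same process runs without locking. The underlying mismatch should be tracked down instead; if the save/clear/restore stays as a workaround, it needs a comment saying why it is there, and the `locking_cb_fn` typedef would be better placed at file scope than in the middle of the function body.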
@@ -208,6 +213,9 @@
ENGINE_set_default(e, ENGINE_METHOD_ALL);
ENGINE_free(e);
}
+
+if (locking_cb) CRYPTO_set_locking_callback( locking_cb );
+
 #endif /* OPENSSL_VERSION_NUMBER = 0x1000L  
!defined(OPENSSL_NO_ENGINE) */
 
openssl_sha1_mech.mech_data = EVP_sha1();
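Review bot: The restore `if (locking_cb) CRYPTO_set_locking_callback( locking_cb );` sits after `ENGINE_set_default(e, ENGINE_METHOD_ALL)` and `ENGINE_free(e)`, so the callback stays cleared for the whole engine setup rather than only around the call that triggers the warnings; narrow the window to the smallest span that needs it. Also check that no path between the save and this line can leave the function without restoring the callback, and add a comment tying this line to the save above so the pair is not separated by later edits.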


 - build the opensc code (with --enable-pcsc)
 - grab the latest engine_pkcs11 code and build it

 then
 - run the new pcscd
 - modify opensc.conf to point to the new libpcsclite libs and a new 
 profile directory (/usr/local/share/opensc)
 - re-initialize the card
 - install the cert + userkey
 - run my script to sign a cert request
 and this finally worked!

 I then switched back to the older opensc 0.11.13 code and that also 
 worked for signing a certificate request!
 However, if I re-initialize the card using the opensc 0.11.13 codebase 
 the cert signing failed using both the old and the new version of 
 opensc : this leads me to believe that the card initialisation code 
 has changed between 0.11.13 and 0.12 (svn) ...

 Now I have to test if all of this also works for the Feitian SCR301 
 card reader ...
The SCR301 works but is MUCH slower than the Omnikey reader - perhaps 
the Feitian folks can explain this?

Other than that it is now working quite nicely. My next test will be to 
see how it interoperates with openvpn.

cheers,

JJK

