[opensc-devel] Bug in engine_pkcs11
Hello,

I think I've found a bug in the OpenSSL engine_pkcs11. The slot_index supplied on the command line to OpenSSL, and passed on to engine_pkcs11, is incorrectly parsed by the latter, which treats it as if it were the slot_id.

Most PKCS#11 implementations assume slot_index = slot_id, so there are no issues in those cases. However, some implementations (for example the nCipher Hardware Security Modules product line I'm working with) do not follow that convention (PKCS#11 does not require it). For example, to access slot #0 with such devices I need to issue something like:

openssl req -config ./openssl.cnf -new -out ncipher.pem -days 365 -engine pkcs11 -keyform engine -key slot_761406613

because nCipher's C_GetSlotList adds a constant before filling the array returned by C_GetSlotList, i.e.: slot_id[index] = 761406613 + index.

That could easily be corrected in engine_pkcs11 by checking the supplied slot_index against the array index rather than the array value returned by C_GetSlotList.

Consider that in no way is the user supposed to know the slot_ids. They're internal values to be treated as opaque pointers that the library gives to the driving application, and that the application is supposed to later return as they are (i.e. typically for accessing slots with C_OpenSession or C_GetSlotInfo).

Kind Regards,
Giuliano Bertoletti

--
Giuliano Bertoletti
Pre-Sales Engineer - Technological Dept.
Symbolic S.p.A.
Viale Mentana, 29
I-43121 - Parma
Tel. +39 0521 708811
Mob. +39 346 8749890
Fax +39 0521 776190
g...@symbolic.it
www.symbolic.it

___
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
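To make the index-versus-ID distinction concrete, here is an added example in C (not engine_pkcs11's or nCipher's code): the slot list is constructed data mimicking the numbering described above (slot_id = 761406613 + index), and `resolve_slot_index` is a hypothetical helper showing the fix the report proposes, beside the buggy interpretation it replaces.

```c
/* Added example: a user-supplied "slot_N" is an INDEX into the list that
 * C_GetSlotList returned, not a CK_SLOT_ID. The slot list here is constructed
 * to mimic the nCipher numbering quoted in the report; no real driver is used. */
#include <stdio.h>

typedef unsigned long CK_SLOT_ID;   /* same underlying type as in pkcs11.h */
typedef unsigned long CK_ULONG;

#define NCIPHER_BASE 761406613UL    /* constant taken from the report */
#define NSLOTS 3

/* Stand-in for C_GetSlotList(CK_TRUE, pSlotList, pulCount) on a token whose
 * slot IDs do not start at 0. Constructed test data only. */
CK_ULONG fake_get_slot_list(CK_SLOT_ID *list, CK_ULONG max) {
    CK_ULONG n = NSLOTS < max ? NSLOTS : max;
    for (CK_ULONG i = 0; i < n; i++) list[i] = NCIPHER_BASE + i;
    return n;
}

/* Buggy interpretation: the number on the command line IS the slot ID. */
CK_SLOT_ID slot_from_arg_buggy(CK_ULONG arg) { return (CK_SLOT_ID)arg; }

/* Corrected interpretation: the number indexes the array C_GetSlotList
 * filled; the opaque ID is whatever the library put at that position.
 * Returns 0 on success, -1 when the index is out of range. */
int resolve_slot_index(const CK_SLOT_ID *list, CK_ULONG n,
                       CK_ULONG index, CK_SLOT_ID *out) {
    if (index >= n) return -1;
    *out = list[index];
    return 0;
}

/* Defensive check an application can run before C_OpenSession: only IDs the
 * library actually handed out are valid. The buggy path fails this for any
 * small "slot_N" value on such a token. */
int slot_id_is_known(const CK_SLOT_ID *list, CK_ULONG n, CK_SLOT_ID id) {
    for (CK_ULONG i = 0; i < n; i++) if (list[i] == id) return 1;
    return 0;
}

int main(void) {
    CK_SLOT_ID list[NSLOTS], id;
    CK_ULONG n = fake_get_slot_list(list, NSLOTS);
    CK_SLOT_ID bad = slot_from_arg_buggy(0);
    printf("buggy  slot_0 -> id %lu (known=%d)\n", bad, slot_id_is_known(list, n, bad));
    if (resolve_slot_index(list, n, 0, &id) == 0)
        printf("fixed  slot_0 -> id %lu (known=%d)\n", id, slot_id_is_known(list, n, id));
    return 0;
}
```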
[opensc-devel] OpenSC 0.12.1 release schedule
Hello,

A small status update on the OpenSC 0.12.1 release, which was planned to be rolled out yesterday.

Something has happened to the virtual machines that run the builders; they need to be restarted. Unfortunately I'm on a sudden trip to Beijing for the past few days (and will be for a few days more), and it has been *impossible* to get a stable enough SSH connection back home to fix the issue (which requires tunneling X).

Thus the 0.12.1 release is postponed until this Friday... :(

But I hope I can write about good news on additional supported hardware in OpenSC when I'm back.

Best,
Martin

--
@MartinPaljak.net
+3725156495
Re: [opensc-devel] Bug in engine_pkcs11
This is a matter of interpretation. Neither is constant, and the user is not supposed to know of either, apart from the special case of having a single slot, where you expect 0, I presume.

You can check which slot is what simply by using:

pkcs11-tool --list-slots --module /usr/lib/pkcs11/

On Mon, May 9, 2011 at 7:51 PM, Giuliano Bertoletti <g...@symbolic.it> wrote:
> Hello, I think I've found a bug in the OpenSSL engine_pkcs11. The slot_index supplied on the command line to OpenSSL, and passed on to engine_pkcs11, is incorrectly parsed by the latter, which treats it as if it were the slot_id.