I'm trying to debug an SSL connection to a webserver utilizing my PIV
Authentication Certificate and the associated private key on my card,
and I believe I've found a bug in mechanism.c.
I *think* I'm doing everything correctly, although documentation on
the engine in openssl is *very* sparse. Here's how I'm setting up
the connection.
openssl
engine -t dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:src/pkcs11/.libs/opensc-pkcs11.so -pre VERBOSE
s_client -engine pkcs11 -connect webserver:443 -CAfile ca.crt -cert pivauth.crt -certform PEM -key 1:01 -keyform engine -prexit
According to the opensc tools, my card is in slot 1 and my key is id
01. I'm fairly certain I'm using the -key and -keyform parameters
correctly but I'm not sure of -cert and -certform. Should I instead
be telling openssl how to pull the cert from my card instead of the
local file (which corresponds with the key?) How do I do that? (I've
tried a few ways.)
This will prompt me for my PIN, but then segfaults on line 428 of
mechanism.c -- seemingly data is pointing to an address but has no
member buffer_len (this could be wrong; my C and gdb experience is
highly lacking).
Found slot: Broadcom Corp 5880 [Contacted SmartCard] (0123456789ABCD) 00 00
Found token: PIV_II (PIV Card Holder pin)
Found 4 certificates:
1 Certificate for PIV Authentication
2 Certificate for Digital Signature
3 Certificate for Key Management
4 Certificate for Card Authentication
PKCS#11 token PIN:
Found 4 keys:
1 P PIV AUTH key
2 P SIGN key
3 P KEY MAN key
4 P CARD AUTH key
Program received signal SIGSEGV, Segmentation fault.
0x2c155660 in sc_pkcs11_signature_final (operation=0x6cb7d0,
pSignature=0x7fffda30 "", pulSignatureLen=0x0) at mechanism.c:428
428 sc_log(context, "data length %li", data->buffer_len);
(gdb) print data
$1 = (struct signature_data *) 0x30
(gdb) print data->buffer_len
Cannot access memory at address 0x248
(gdb) backtrace
#0 0x2c155660 in sc_pkcs11_signature_final
(operation=0x6cb7d0, pSignature=0x7fffda30 "",
pulSignatureLen=0x0) at mechanism.c:428
#1 0x2b036e3d in look_str_cb () from /usr/lib/libcrypto.so.1.0.0
#2 0x2b04722c in lh_doall_arg () from /usr/lib/libcrypto.so.1.0.0
#3 0x2b03565c in engine_table_doall () from /usr/lib/libcrypto.so.1.0.0
#4 0x2b037203 in ENGINE_pkey_asn1_find_str () from
/usr/lib/libcrypto.so.1.0.0
#5 0x2b071fa3 in EVP_PKEY_asn1_find_str () from
/usr/lib/libcrypto.so.1.0.0
#6 0x2ad179d7 in ssl_create_cipher_list () from
/usr/lib/libssl.so.1.0.0
#7 0x2ad10964 in SSL_CTX_new () from /usr/lib/libssl.so.1.0.0
#8 0x0043d07e in ?? ()
#9 0x00419587 in ?? ()
#10 0x0041927d in ?? ()
#11 0x2b363725 in __libc_start_main () from /usr/lib/libc.so.6
#12 0x0041934d in ?? ()
#13 0x7fffe598 in ?? ()
#14 0x in ?? ()
Thanks for any advice/patches/help :)
Matt
___
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
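The backtrace above shows sc_pkcs11_signature_final entered with pulSignatureLen=0x0 and a priv_data pointer that cannot be dereferenced. As an added illustration (not OpenSC's code, and not a diagnosis of this crash), the following standalone C program shows the argument contract a PKCS#11 C_SignFinal-style finalizer is expected to honour: validate the operation and length pointers before touching them, support the two-call size query (pSignature == NULL), and return CKR_BUFFER_TOO_SMALL rather than overrunning the caller's buffer. The struct layouts, the function name demo_signature_final and the sample signature bytes are assumptions constructed for the example; the CKR_* values are the real Cryptoki constants.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Real PKCS#11 (Cryptoki) return values. */
#define CKR_OK                        0x00UL
#define CKR_ARGUMENTS_BAD             0x07UL
#define CKR_OPERATION_NOT_INITIALIZED 0x91UL
#define CKR_BUFFER_TOO_SMALL          0x150UL

typedef unsigned long CK_RV;
typedef unsigned long CK_ULONG;

/* Hypothetical stand-ins for OpenSC's internal structures. */
struct signature_data {
    unsigned char *buffer;   /* finished signature bytes */
    size_t buffer_len;       /* number of valid bytes in buffer */
};

struct sc_pkcs11_operation {
    struct signature_data *priv_data;  /* NULL until a sign operation was initialised */
};

/* Finalizer following the C_SignFinal contract:
 *  - NULL operation or NULL pulSignatureLen  -> CKR_ARGUMENTS_BAD (no dereference)
 *  - no initialised signature state          -> CKR_OPERATION_NOT_INITIALIZED
 *  - pSignature == NULL                      -> report required length, CKR_OK
 *  - caller buffer too small                 -> report required length, CKR_BUFFER_TOO_SMALL
 *  - otherwise copy the signature and report its length. */
CK_RV demo_signature_final(struct sc_pkcs11_operation *operation,
                           unsigned char *pSignature,
                           CK_ULONG *pulSignatureLen)
{
    if (operation == NULL || pulSignatureLen == NULL)
        return CKR_ARGUMENTS_BAD;

    struct signature_data *data = operation->priv_data;
    if (data == NULL || data->buffer == NULL)
        return CKR_OPERATION_NOT_INITIALIZED;

    /* Size query: the caller passes no output buffer to learn the length. */
    if (pSignature == NULL) {
        *pulSignatureLen = data->buffer_len;
        return CKR_OK;
    }

    if (*pulSignatureLen < data->buffer_len) {
        *pulSignatureLen = data->buffer_len;
        return CKR_BUFFER_TOO_SMALL;
    }

    memcpy(pSignature, data->buffer, data->buffer_len);
    *pulSignatureLen = data->buffer_len;
    return CKR_OK;
}

/* Constructed sample "signature" so the flow can be exercised without a token. */
static unsigned char sample_sig[4] = { 0xde, 0xad, 0xbe, 0xef };

int main(void)
{
    struct signature_data d = { sample_sig, sizeof sample_sig };
    struct sc_pkcs11_operation op = { &d };
    unsigned char out[8];
    CK_ULONG len = 0;

    /* Two-call pattern: query the size, then fetch the signature. */
    printf("query: rv=0x%lx len=%lu\n", demo_signature_final(&op, NULL, &len), len);
    printf("fetch: rv=0x%lx len=%lu\n", demo_signature_final(&op, out, &len), len);
    /* The case seen in the backtrace: a NULL length pointer is rejected, not dereferenced. */
    printf("null len: rv=0x%lx\n", demo_signature_final(&op, out, NULL));
    return 0;
}
```

Running the program prints the return value and reported length for each call; the NULL-length call returns CKR_ARGUMENTS_BAD (0x7) instead of faulting.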