Re: [opensc-devel] Using engine_pkcs11 with openssl-fips 2.0

2012-08-12 Thread Douglas E. Engert
I don't see anything in this, other than that it looks like it never called
OpenSC.

OpenSC is compiled with OpenSSL, and there could be conflicts
between two different versions of OpenSSL.

ldd /usr/lib/engines/engine_pkcs11.so
would show what version it wants to use.

You may have to recompile OpenSC and use the FIPS version
of OpenSSL.


On 8/10/2012 9:32 AM, Mathias Tausig wrote:
 On 08/10/2012 03:41 PM, Douglas E. Engert wrote:
 Not much to go on below.

 Sorry. I will provide more information below.

 Is there a core file produced?

 No.

 Can you get a stack trace?
 Can the fips version be compiled with debugging?
 Can you run this under a debugger?

 Three times yes. Here is the stacktrace from gdb:

 Program received signal SIGSEGV, Segmentation fault.
 0x0001 in ?? ()
 (gdb) bt
 #0  0x0001 in ?? ()
 #1  0x0822ff8a in ASN1_item_sign_ctx (it=0x829e674, algor1=0xb03aeff8,
 algor2=0xb02fcff8,
  signature=0xb0306ff0, asn=0xb05ccfcc, ctx=0xbfffe074) at a_sign.c:257
 #2  0x081c77d9 in X509_sign_ctx (x=0xb04dbf98, ctx=0xbfffe074) at
 x_all.c:100
 #3  0x080a2caa in do_X509_sign (err=0xb7d28fc0, x=0xb04dbf98,
 pkey=0xb0cbafe0, md=0x8302840,
  sigopts=0x0) at req.c:1802
 #4  0x080ae993 in do_body (xret=0xbfffe62c, pkey=0xb0cbafe0,
 x509=0xb0b02f98, dgst=0x8302840,
  sigopts=0x0, policy=0xb27e7fec, db=0xb05f2ff8, serial=0xb0600fec,
  subj=0xb0cb /C=AT/CN=Test, chtype=4097, multirdn=0, email_dn=1,
  startdate=0x825f5f6 today, enddate=0x0, days=30, batch=1,
 verbose=0, req=0xb062aff0,
  ext_sect=0xb2563ff0 usr_cert, lconf=0xb29f6ff0, certopt=0,
 nameopt=0, default_op=1,
  ext_copy=1, selfsign=0) at ca.c:2172
 #5  0x080ad712 in certify (xret=0xbfffe62c, infile=0xb04c
 /home/ad60095910/tmp/testcsr,
  pkey=0xb0cbafe0, x509=0xb0b02f98, dgst=0x8302840, sigopts=0x0,
 policy=0xb27e7fec,
  db=0xb05f2ff8, serial=0xb0600fec, subj=0xb0cb /C=AT/CN=Test,
 chtype=4097, multirdn=0,
  email_dn=1, startdate=0x825f5f6 today, enddate=0x0, days=30, batch=1,
  ext_sect=0xb2563ff0 usr_cert, lconf=0xb29f6ff0, verbose=0,
 certopt=0, nameopt=0,
  default_op=1, ext_copy=1, selfsign=0) at ca.c:1633
 #6  0x080ac2cc in ca_main (argc=0, argv=0xbfffed98) at ca.c:1233
 #7  0x0809c815 in do_cmd (prog=0xb36a9fa0, argc=20, argv=0xbfffed48) at
 openssl.c:489
 #8  0x0809c436 in main (Argc=20, Argv=0xbfffed48) at openssl.c:381
 (gdb)



 If not, can you turn on the debugging in opensc.conf
 (Note: PINS and other sensitive data are traced)

 I tried that, but no debug file was produced. I set debug=99 and
 debug_file = /tmp/opensc-debug.log;

 Or run it with opensc pkcs11-spy to get a PKCS#11 trace

 I don't know about pkcs11-spy, but I assume that it is a pkcs#11 tracer.
 I already did create a log with the debug facility of the eToken driver
 (reading and exporting it with Safenet's proprietary log viewer). Here
 is the final part of the log:

 0xb7e276c0 16:16:59.271   C_GetAttributeValue [4] ( pTemplate={
 CKA_SENSITIVE=1 } )
 0xb7e276c0 16:16:59.271 + C_GetAttributeValue( hSession=0x08730004
 hObject=0x08ec0008 pTemplate={ CKA_EXTRACTABLE=1 } )
 0xb7e276c0 16:16:59.274   C_GetAttributeValue [3] ( pTemplate={
 CKA_EXTRACTABLE=0 } )
 0xb7e276c0 16:16:59.274 + C_GetAttributeValue( hSession=0x08730004
 hObject=0x08ec0008 pTemplate={ CKA_MODULUS=524 } )
 0xb7e276c0 16:16:59.281   C_GetAttributeValue [7] ( pTemplate={
 CKA_MODULUS=[256](9d f5 ef 5c b8 1d 15 cb 01 e7 bf ab fc 89 d0 52 cc 94
 c2 6d dc 60 d9 b5 c8 12 06 a1 eb eb 4b 0d 92 76 f0 25 a5 96 44 cf 51 92
 28 b4 fe 81 79 b4 e9 6a cc c4 87 73 1a 5e 32 f1 5c e4 1f e8 c2 78 25 fa
 9a 88 ab 3f dd e9 78 e8 1a f6 5a 16 fa 29 05 e5 a3 1d 13 37 86 71 09 11
 fa 5d 5c 1c b9 83 65 8c 83 5c b9 3e cc 01 4a de 8b db fb a2 ad 3c 56 0b
 d5 16 d9 ca 88 b9 7f 4c df 3b f7 9a 7a 52 b1 74 79 c0 62 14 3c 64 30 f8
 db c1 1d 33 ac 67 91 5f 63 ca 79 75 4d 48 76 b1 95 f7 7b f1 22 b3 8d f1
 ca 9b 74 43 06 a6 70 4d 2f 1c 55 26 a2 fc 29 f1 0f 7e 3b e6 c6 53 30 1c
 a4 21 10 3b dc 21 9e 1e df 78 35 d2 e4 48 e2 86 79 59 d0 85 e7 60 0e 3e
 49 8e fc c1 9b 59 29 3d 0c ab 42 d9 a0 db ca 7b cf 26 ba 7c 63 31 42 ee
 5a 49 28 7e f3 71 a4 e0 11 87 b5 7d 32 dd b0 bb b1 c4 63 cf d1 77) } )
 0xb7e276c0 16:16:59.281 + C_GetAttributeValue( hSession=0x08730004
 hObject=0x08ec0008 pTemplate={ CKA_PUBLIC_EXPONENT=524 } )
 0xb7e276c0 16:16:59.286   C_GetAttributeValue [5] ( pTemplate={
 CKA_PUBLIC_EXPONENT=[3](01 00 01) } )
 0xb7e276c0 16:16:59.286   stop
 Z:\home\ad60095910\tmp\etokenLog.fipsabsturz-20120808\Aug 10
 [08-41]\openssl D502517D9 P24552 T-1209895232.trc
 0xb37ffb70 16:16:59.559 - IFDHTransmitToICC( Lun=0x
 TxLength=0x0005 *RxLength=0x0140 )
 0xb37ffb70 16:16:59.559 TxBuffer(Send)=: TxBuffer=[5](00 a4 00
 00 00)
 0xb37ffb70 16:16:59.559 + eTSC_TransmitApdu( context=0xb6da2714
 request=0xb37df364 requestLen=5 reply=0xb37ef370 replyLen=0xb37df19a )
 0xb37ffb70 16:16:59.584   eTSC_TransmitApdu [25] ( )
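As an added example (not from the thread and not OpenSC's own tooling), the ldd check Douglas suggests, applied to every object that `openssl ca -engine pkcs11` can pull into one process: the openssl binary, engine_pkcs11.so and the token's PKCS#11 module. The paths are the ones named in the thread; the sample ldd lines in the comments are constructed.

```shell
#!/bin/sh
# Added example: detect two different OpenSSL builds (libcrypto) being loaded
# into one process, which is the conflict Douglas describes. Input is ldd-style
# output, e.g. (constructed):
#   libcrypto.so.1.0.0 => /usr/local/ssl/lib/libcrypto.so.1.0.0 (0xb7500000)

# Print the resolved libcrypto path(s) found in ldd output given on stdin.
libcrypto_paths() {
    awk '/libcrypto/ { for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }' | sort -u
}

# Each argument is the ldd output of one object. Return 0 when every object
# that links libcrypto resolves the same single file; return 1 on a mismatch,
# an unresolved ("not found") libcrypto, or when no object links it at all.
# An object that links OpenSSL statically shows no libcrypto line and is skipped.
consistent_libcrypto() {
    ref=""
    for out in "$@"; do
        printf '%s\n' "$out" | grep -q libcrypto || continue   # no OpenSSL dependency
        p=$(printf '%s\n' "$out" | libcrypto_paths)
        [ -n "$p" ] && [ "$(printf '%s\n' "$p" | wc -l | tr -d ' ')" -eq 1 ] || return 1
        if [ -z "$ref" ]; then ref=$p; elif [ "$p" != "$ref" ]; then return 1; fi
    done
    [ -n "$ref" ]
}

# Live use: run ldd on each path given and compare, e.g.
#   check_live "$(command -v openssl)" /usr/lib/engines/engine_pkcs11.so \
#              /usr/lib/libeTPkcs11.so     # module location is an assumption
check_live() {
    n=$#; i=0
    while [ "$i" -lt "$n" ]; do
        set -- "$@" "$(ldd "$1")"; shift; i=$((i + 1))
    done
    consistent_libcrypto "$@"
}

if [ "$#" -gt 0 ]; then
    check_live "$@" && echo "libcrypto consistent" \
        || echo "mixed or unresolved libcrypto: rebuild OpenSC/engine_pkcs11 against the FIPS-capable OpenSSL"
fi
```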
 

[opensc-devel] Using engine_pkcs11 with openssl-fips 2.0

2012-08-10 Thread Mathias Tausig
Hello!

Has anybody been able to use engine_pkcs11 with the recently released
FIPS approved version of openssl? I failed to do so.

I was trying to sign a certificate with a FIPS enabled build of openssl
(1.0.1c, FIPS object module 2.0) and the PKCS#11 engine (using a Safenet
eToken). OpenSC and engine_pkcs11 are the most recent versions (0.12.2
and 0.1.8).

I did this procedure before (with the non-fips version) using an openssl
config file:

openssl_conf = openssl_def
[openssl_def]
engines = engine_section
[engine_section]
pkcs11 = pkcs11_section
[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib/engines/engine_pkcs11.so
MODULE_PATH = libeTPkcs11.so
PIN = topsecret
VERBOSE = EMPTY
init = 0
[ca]
...

and the command
openssl ca -engine pkcs11 -in /tmp/testcsr -keyfile 2:74 -keyform engine -out /tmp/cert -batch -config /tmp/testConf -md sha1 -subj /C=AT/CN=Test -days 30

This worked like a charm, but with the fips-build (engine_pkcs11 and the
PKCS#11 client library are the same), I get a segmentation fault:

Using configuration from /tmp/testConf
initializing engine
engine pkcs11 set.
Looking in slot 2 for key: 74
Found 6 slots
[0] Cherry SmartBoard XX44 00  no tok
[1] AKS ifdh 00 00 login (eToken)
[2] AKS ifdh 01 00 login (INTERN)
[3]no tok
[4]no tok
[5]no tok
Found slot:  AKS ifdh 01 00
Found token: INTERN
Found 2 certificates:
   1 INTERN (/C=AT/CN=INTERN/emailAddress=int...@test.at)
   2 INTERN SUB (/C=AT/CN=INTERN SUB/emailAddress=int...@test.at)
Found 2 keys:
   1 P  INTERN
   2 P  INTERN SUB
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName   :PRINTABLE:'AT'
commonName:PRINTABLE:'Test'
Certificate is to be certified until Aug 10 10:17:22 2012 GMT (30 days)
Segmentation fault

All this is happening with the FIPS-capable build but without actually
enabling FIPS-mode.

I am quite lost here. Any ideas?

cheers
Mathias
___
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel


Re: [opensc-devel] Using engine_pkcs11 with openssl-fips 2.0

2012-08-10 Thread Mathias Tausig
On 08/10/2012 03:41 PM, Douglas E. Engert wrote:
 Not much to go on below.

Sorry. I will provide more information below.

 Is there a core file produced?

No.

 Can you get a stack trace?
 Can the fips version be compiled with debugging?
 Can you run this under a debugger?

Three times yes. Here is the stacktrace from gdb:

Program received signal SIGSEGV, Segmentation fault.
0x0001 in ?? ()
(gdb) bt
#0  0x0001 in ?? ()
#1  0x0822ff8a in ASN1_item_sign_ctx (it=0x829e674, algor1=0xb03aeff8,
algor2=0xb02fcff8,
signature=0xb0306ff0, asn=0xb05ccfcc, ctx=0xbfffe074) at a_sign.c:257
#2  0x081c77d9 in X509_sign_ctx (x=0xb04dbf98, ctx=0xbfffe074) at
x_all.c:100
#3  0x080a2caa in do_X509_sign (err=0xb7d28fc0, x=0xb04dbf98,
pkey=0xb0cbafe0, md=0x8302840,
sigopts=0x0) at req.c:1802
#4  0x080ae993 in do_body (xret=0xbfffe62c, pkey=0xb0cbafe0,
x509=0xb0b02f98, dgst=0x8302840,
sigopts=0x0, policy=0xb27e7fec, db=0xb05f2ff8, serial=0xb0600fec,
subj=0xb0cb /C=AT/CN=Test, chtype=4097, multirdn=0, email_dn=1,
startdate=0x825f5f6 today, enddate=0x0, days=30, batch=1,
verbose=0, req=0xb062aff0,
ext_sect=0xb2563ff0 usr_cert, lconf=0xb29f6ff0, certopt=0,
nameopt=0, default_op=1,
ext_copy=1, selfsign=0) at ca.c:2172
#5  0x080ad712 in certify (xret=0xbfffe62c, infile=0xb04c
/home/ad60095910/tmp/testcsr,
pkey=0xb0cbafe0, x509=0xb0b02f98, dgst=0x8302840, sigopts=0x0,
policy=0xb27e7fec,
db=0xb05f2ff8, serial=0xb0600fec, subj=0xb0cb /C=AT/CN=Test,
chtype=4097, multirdn=0,
email_dn=1, startdate=0x825f5f6 today, enddate=0x0, days=30, batch=1,
ext_sect=0xb2563ff0 usr_cert, lconf=0xb29f6ff0, verbose=0,
certopt=0, nameopt=0,
default_op=1, ext_copy=1, selfsign=0) at ca.c:1633
#6  0x080ac2cc in ca_main (argc=0, argv=0xbfffed98) at ca.c:1233
#7  0x0809c815 in do_cmd (prog=0xb36a9fa0, argc=20, argv=0xbfffed48) at
openssl.c:489
#8  0x0809c436 in main (Argc=20, Argv=0xbfffed48) at openssl.c:381
(gdb)


 
 If not, can you turn on the debugging in opensc.conf
 (Note: PINS and other sensitive data are traced)

I tried that, but no debug file was produced. I set debug=99 and
debug_file = /tmp/opensc-debug.log;

 Or run it with opensc pkcs11-spy to get a PKCS#11 trace

I don't know about pkcs11-spy, but I assume that it is a pkcs#11 tracer.
I already did create a log with the debug facility of the eToken driver
(reading and exporting it with Safenet's proprietary log viewer). Here
is the final part of the log:

0xb7e276c0 16:16:59.271   C_GetAttributeValue [4] ( pTemplate={
CKA_SENSITIVE=1 } )
0xb7e276c0 16:16:59.271 + C_GetAttributeValue( hSession=0x08730004
hObject=0x08ec0008 pTemplate={ CKA_EXTRACTABLE=1 } )
0xb7e276c0 16:16:59.274   C_GetAttributeValue [3] ( pTemplate={
CKA_EXTRACTABLE=0 } )
0xb7e276c0 16:16:59.274 + C_GetAttributeValue( hSession=0x08730004
hObject=0x08ec0008 pTemplate={ CKA_MODULUS=524 } )
0xb7e276c0 16:16:59.281   C_GetAttributeValue [7] ( pTemplate={
CKA_MODULUS=[256](9d f5 ef 5c b8 1d 15 cb 01 e7 bf ab fc 89 d0 52 cc 94
c2 6d dc 60 d9 b5 c8 12 06 a1 eb eb 4b 0d 92 76 f0 25 a5 96 44 cf 51 92
28 b4 fe 81 79 b4 e9 6a cc c4 87 73 1a 5e 32 f1 5c e4 1f e8 c2 78 25 fa
9a 88 ab 3f dd e9 78 e8 1a f6 5a 16 fa 29 05 e5 a3 1d 13 37 86 71 09 11
fa 5d 5c 1c b9 83 65 8c 83 5c b9 3e cc 01 4a de 8b db fb a2 ad 3c 56 0b
d5 16 d9 ca 88 b9 7f 4c df 3b f7 9a 7a 52 b1 74 79 c0 62 14 3c 64 30 f8
db c1 1d 33 ac 67 91 5f 63 ca 79 75 4d 48 76 b1 95 f7 7b f1 22 b3 8d f1
ca 9b 74 43 06 a6 70 4d 2f 1c 55 26 a2 fc 29 f1 0f 7e 3b e6 c6 53 30 1c
a4 21 10 3b dc 21 9e 1e df 78 35 d2 e4 48 e2 86 79 59 d0 85 e7 60 0e 3e
49 8e fc c1 9b 59 29 3d 0c ab 42 d9 a0 db ca 7b cf 26 ba 7c 63 31 42 ee
5a 49 28 7e f3 71 a4 e0 11 87 b5 7d 32 dd b0 bb b1 c4 63 cf d1 77) } )
0xb7e276c0 16:16:59.281 + C_GetAttributeValue( hSession=0x08730004
hObject=0x08ec0008 pTemplate={ CKA_PUBLIC_EXPONENT=524 } )
0xb7e276c0 16:16:59.286   C_GetAttributeValue [5] ( pTemplate={
CKA_PUBLIC_EXPONENT=[3](01 00 01) } )
0xb7e276c0 16:16:59.286   stop
Z:\home\ad60095910\tmp\etokenLog.fipsabsturz-20120808\Aug 10
[08-41]\openssl D502517D9 P24552 T-1209895232.trc
0xb37ffb70 16:16:59.559 - IFDHTransmitToICC( Lun=0x
TxLength=0x0005 *RxLength=0x0140 )
0xb37ffb70 16:16:59.559 TxBuffer(Send)=: TxBuffer=[5](00 a4 00
00 00)
0xb37ffb70 16:16:59.559 + eTSC_TransmitApdu( context=0xb6da2714
request=0xb37df364 requestLen=5 reply=0xb37ef370 replyLen=0xb37df19a )
0xb37ffb70 16:16:59.584   eTSC_TransmitApdu [25] ( )
0xb37ffb70 16:16:59.584   IFDHTransmitToICC [25] ( )
0xb37ffb70 16:17:07.653 - IFDHGetCapabilities( Lun=0x
Tag=0x0fb2 )
0xb37ffb70 16:17:07.653 Unknown Tag:
0xb37ffb70 16:17:07.653   rv=0266 IFDHGetCapabilities [0] ( )

I sent this trace to the Safenet support as well; they said that it
didn't look peculiar to them.

I hope this information helps.

cheers
Mathias

 
 On 8/10/2012 3:33 AM, Mathias Tausig wrote:
 Hello!

 Has