Hi Michael,

>> while trying to get OpenCA going with my shiny nCipher module I am
>> experiencing some weird problems concerning configuration.
>
> We haven't tested 0.9.2 with an engine until now ...

so I hope my tests can help improve the software for the next release.

>> In order to access the module I changed the 'openssl_engine'
>> configuration value in config.xml:
>>
>> <!-- =========== -->
>> <!-- HSM support -->
>> <!-- =========== -->
>> <option>
>> <name>openssl_engine</name>
>> <value>chil -keyform e</value>
>> </option>
>> <option>
>> <name>hsm_utility</name>
>> <value></value>
>> </option>
>> <option>
>> <name>hsm_slot</name>
>> <value></value>
>> </option>
>> <option>
>> <name>appid</name>
>> <value></value>
>> </option>
>
> I completely removed this section from config.xml. I commit it on Friday.

Good, I wondered if it was redundant anyway... Currently it seems I have to modify the etc/servers/*.conf.template directly to change settings like the location of the OpenSSL executable. This should be addressed by the XML configuration too, I suppose.

>> Then I modified token.xml. In particular I added a WRAPPER (thanks,
>> Michael) and changed the KEY value to reference the key name that
>> already exists in the HSM module.
>
> Please check the example configuration for more details and see in
> LunaCA3.pm how we initialize the OpenSSL module.
>
>> <type>OpenSSL</type>
>
> PLEASE write your own module. Do not simply use OpenSSL. Please write a
> module nFast or nCipher::nFast. You can use LunaCA3 in
> modules/openca-crypto/Token/ as an example.

Yeah, I did this already. In fact I started with the OpenSSL module, because using the nCipher module is less like the LunaCA and more like stock OpenSSL. Currently my OpenCA::Token::nCipher is a quick hack: I simply removed all references to passwords and claim that the module is always online. Access to the nCipher HSM is done via the wrapper. Later I will add code to detect whether the module is logged in.

So far I have got the system running to create a self-signed request using the HSM, which I signed with the Root CA and imported back into OpenCA.

It fails when creating RSA keys for Admin certificates, though. I have not yet figured out what is wrong. Debugging is a bit painful because command line arguments to OpenSSL are not logged anywhere. I tried to add my own debugging code, but there are lots of places where this code must be inserted. I also tried using a shell script wrapper to log OpenSSL args to syslog, such as

  #!/bin/sh
  # log the argument list to syslog, then hand over to the real binary
  /usr/bin/logger "exec: openssl $*"
  exec /usr/local/ssl/bin/openssl $*

But this is also not good, because OpenCA frequently uses arguments not enclosed in "..." but with explicitly quoted blanks (by using "\Q$argumens\E"). This works if OpenSSL is called directly but breaks with such a wrapper.

BTW: Any ideas for adding decent debugging/logging?

>> ## opensslEngine "LunaCA3"
>> ## opensslEngineArg "-enginearg 1:10:11"
>> opensslEngine "chil -keyform e"
>> opensslEngineArg "-enginearg :@hsm_appid@"
>>
>> HSM_LOGIN_CMD " -o -s -i @hsm_appid@"
>> HSM_LOGOUT_CMD " -c -s -i @hsm_appid@"
>> HSM_GENKEY_CMD " -s -i @hsm_appid@ -g @__BITS__@ -f @__OUTFILE__@"
>
> I removed it from ca.conf.

While you are at it, please remember to remove the check for the mandatory opensslEngineArg in lib/functions/initServer. I understand that the canonical place for the engine definition is token.xml, then?

> Simply forget this stuff. The correct way is to write your own module and
> build a parameter ENGINE in this module. As usual, LunaCA3.pm is an
> example. Internally we use "openssl ca -engine ENGINE ..." where ENGINE is
> the stuff which you set in OpenSSL's ENGINE parameter.
>
> Actually I'm searching for your examples. Can you send me an example to
> sign a certificate with the CA command or to create a request?
See my post to openca-devel dated May 6th, 10:20h, Subject "Re: [OpenCA-Devel] nCipher HSM support". The relevant portions are:

  /opt/nfast/bin/with-nfast -M /usr/local/ssl/bin/openssl req -new -x509 \
      -days $CA_VALIDITY -key $ROOTKEYNAME -keyform engine -engine chil \
      -out $CACERT -config foo

and

  /opt/nfast/bin/with-nfast -M /usr/local/ssl/bin/openssl ca -keyfile $ROOTKEYNAME \
      -keyform engine -engine chil -in $INFILE -out newcert.pem \
      -outdir $CERTDIR -config foo

An example for $ROOTKEYNAME might be 'rsa-rootkey'.

Martin

_______________________________________________
OpenCA-Devel mailing list
https://lists.sourceforge.net/lists/listinfo/openca-devel
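An added example for the logging problem raised in the message above (not code from this thread or from the OpenCA project): a wrapper that forwards the argument vector with "$@" instead of $*, so an argument containing a backslash-quoted blank reaches openssl as one argument, and that writes each argument single-quoted to syslog so the log line shows exactly where the blanks were. The openssl path, the syslog tag and the script name openssl-wrapper are assumptions.

```sh
#!/bin/sh
# Added example, not OpenCA code. Log the exact argument vector OpenCA hands
# to openssl, then exec the real binary. REAL_OPENSSL and the syslog tag are
# assumed values; adjust them for the installation.
REAL_OPENSSL="${REAL_OPENSSL:-/usr/local/ssl/bin/openssl}"

# quote_args: print every argument single-quoted, separated by blanks.
# A blank inside an argument stays inside its quotes, so the log line is
# unambiguous; a literal single quote is rendered as '\'' .
quote_args() {
    out=""
    for a in "$@"; do
        esc=$(printf '%s' "$a" | sed "s/'/'\\\\''/g")
        out="$out '$esc'"
    done
    printf '%s' "${out# }"
}

# log_and_exec: record the call, then replace this shell with openssl.
# "$@" (not $*) preserves the argument boundaries OpenCA produced.
log_and_exec() {
    logger -t openca-openssl "exec: openssl $(quote_args "$@")"
    exec "$REAL_OPENSSL" "$@"
}

# Only dispatch when invoked under the wrapper's own name (assumed), so the
# functions can also be sourced for testing.
case "$0" in
    */openssl-wrapper|openssl-wrapper) log_and_exec "$@" ;;
esac
```

Install it under the assumed name and point OpenCA's OpenSSL path at it; the syslog entry then shows 'CN=Test CA' as one quoted argument rather than two words.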