Hi,

I have configured OpenOCSP a couple of times with software keys. For better
performance on a high-load server I would like to use a hardware
accelerator card, a Safenet LunaPCI, on Redhat 4.4. OpenSSL is already
patched and running with the new engine. I was also able to generate the
keypair on the HSM (using sautil) and I have generated and signed a
certificate request with the OCSPSigning extended key usage.

openssl  verify output:
[EMAIL PROTECTED] openca-ocspd-1.5.1-rc1]# openssl ocsp -host 127.0.0.1:80
-issuer /tmp/CAtrusted/issuingca.cer -cert /tmp/test.cer -VAfile
/tmp/responder.pem
Response Verify Failure
721:error:04077077:rsa routines:RSA_verify:wrong signature
length:rsa_sign.c:154:
721:error:0D089006:asn1 encoding routines:ASN1_verify:EVP
lib:a_verify.c:168:
721:error:27069075:OCSP routines:OCSP_basic_verify:signature
failure:ocsp_vfy.c:98:
/tmp/test.cer: good
        This Update: Dec 19 13:26:27 2006 GMT
        Next Update: Feb 27 02:59:57 2007 GMT

[cut ocspd.conf]
.
[ OCSPD_default ]
ocspd_certificate = /tmp/responder.pem
ocspd_key         = /tmp/responder.key

[ HSM ]
engine_id = LunaCA3
0.engine_pre = login:1:10:11:Password
.
[cut]


output of /var/log/messages on ocspd start

Feb 27 03:24:15 ocspd182 ocspd[738]: OpenCA OCSPD v1.5.1 - starting.
Feb 27 03:24:15 ocspd182 ocspd[738]: Using Engine 'LunaCA3'
Feb 27 03:24:15 ocspd182 ocspd[738]: Added 'login:1:10:11:Password' to
PRE COMMANDS
Feb 27 03:24:15 ocspd182 ocspd[738]: Initialising HSM [LunaCA3]
Feb 27 03:24:15 ocspd182 ocspd[738]: invalid engine "LunaCA3"
Feb 27 03:24:15 ocspd182 ocspd[738]: reading certificate file
(/tmp/responder.pem).
Feb 27 03:24:15 ocspd182 ocspd[738]: Reading Private Key file
/tmp/responder.key
Feb 27 03:24:15 ocspd182 ocspd[738]: reading CA certificate file.
Feb 27 03:24:15 ocspd182 ocspd[738]: OCSP Daemon setup completed

openssl printout
openssl engine
.
(LunaCA3) Chrysalis-ITS Luna CA3 hardware engine support
.
.

- Why do I get an "RSA_verify:wrong signature length" error?
- Is "invalid engine "LunaCA3"" in /var/log/messages true? And if so, which
one is then loaded?

BTW: I did a ./configure --enable-openssl-engine, and Safenet told me
the LunaPCI uses the same software interface as the original
LunaCA3. The LunaPCI is the password version, no physical keys.

If I switch back to the software-key-only configuration, it works as
expected.

Cheers
Lutz

_______________________________________________
Openca-Users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openca-users
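Editor's note on the "wrong signature length" question, with an added example that is not code from the original post or from OpenCA OCSPD. OpenSSL's RSA_verify raises RSA_R_WRONG_SIGNATURE_LENGTH before it looks at the signature value at all: the raw signature must be exactly RSA_size() bytes for the public key it is being checked against. A response that fails this way was therefore signed with a key whose modulus size differs from the key in the responder certificate. The log above shows the daemon reporting "invalid engine" and then reading /tmp/responder.key, so the practical check is whether that file holds the same key as /tmp/responder.pem. The script below reproduces the condition with constructed keys (a larger "hsm.key" whose public half goes into the certificate, and a separate 2048-bit "responder.key" standing in for the software fallback) and provides two checks a practitioner would run: a modulus comparison between cert and key, and a sign/verify round trip that reports the signature length against RSA_size() of the certificate. File names, key sizes and the message body are all assumptions of the example.

```shell
#!/bin/sh
# Added example, not code from the original post or from OpenCA OCSPD.
# Reproduces the "wrong signature length" condition with constructed keys
# and shows the two checks to run on a responder's cert/key pair.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# keys_match CERT KEY: print "match" if the RSA modulus in the certificate
# equals the modulus of the private key, "MISMATCH" otherwise.
keys_match() {
    cert_mod=$(openssl x509 -in "$1" -noout -modulus)
    key_mod=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null)
    if [ "$cert_mod" = "$key_mod" ]; then echo match; else echo MISMATCH; fi
}

# modulus_bytes CERT: RSA_size() of the certificate's public key, in bytes.
# A raw RSA signature must have exactly this many bytes to be verifiable.
modulus_bytes() {
    hex=$(openssl x509 -in "$1" -noout -modulus | sed 's/^Modulus=//')
    echo $(( ${#hex} / 2 ))
}

# sig_bytes: length in bytes of the last signature produced below.
sig_bytes() {
    wc -c < "$WORK/sig" | tr -d ' '
}

# verify_response CERT KEY: sign a constructed message with KEY and verify
# it against the public key in CERT, as an OCSP client does with the
# responder certificate. Prints "ok" or "fail"; the signature is left in
# $WORK/sig so its length can be inspected with sig_bytes.
verify_response() {
    printf 'constructed OCSP response body' > "$WORK/msg"
    openssl x509 -in "$1" -noout -pubkey > "$WORK/pub.pem"
    openssl dgst -sha256 -sign "$2" -out "$WORK/sig" "$WORK/msg"
    if openssl dgst -sha256 -verify "$WORK/pub.pem" -signature "$WORK/sig" \
            "$WORK/msg" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Constructed scenario (assumption): "hsm.key" stands for the key generated
# on the HSM, whose public half is in responder.pem; "responder.key" is a
# different software key the daemon falls back to. The sizes differ so the
# mismatch surfaces as a length error rather than a plain bad signature.
openssl genrsa -out "$WORK/hsm.key" 3072 2>/dev/null
openssl genrsa -out "$WORK/responder.key" 2048 2>/dev/null
openssl req -new -x509 -key "$WORK/hsm.key" -days 1 \
    -subj "/CN=constructed OCSP responder" -out "$WORK/responder.pem" 2>/dev/null

echo "responder.pem vs responder.key: $(keys_match "$WORK/responder.pem" "$WORK/responder.key")"
echo "responder.pem vs hsm.key:       $(keys_match "$WORK/responder.pem" "$WORK/hsm.key")"
echo "signed with responder.key: $(verify_response "$WORK/responder.pem" "$WORK/responder.key")" \
     "(signature $(sig_bytes) bytes, RSA_size(cert) $(modulus_bytes "$WORK/responder.pem") bytes)"
echo "signed with hsm.key:       $(verify_response "$WORK/responder.pem" "$WORK/hsm.key")" \
     "(signature $(sig_bytes) bytes)"
```

Run the same two functions against the real /tmp/responder.pem and /tmp/responder.key: a MISMATCH there, combined with the "invalid engine" line, means the responses are being signed by the software key in that file rather than the HSM key the certificate was issued for, which is exactly what a client's RSA_verify then rejects on length.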