On Friday 16 April 2010 17:07:49, Dimitrios Siganos wrote:
> Hi,
>
> I have used openssl-1.0.0 and engine_pkcs11 for storing an rsa private
> key in a smartcard (feitian epass 3000). I got openssl to access the rsa
> private key and used it to create a self-signed certificate like this:

ah, fine. several people tried that, but no one has analyzed the issue so far.

> openssl
>
> OpenSSL> engine dynamic \
> > -pre SO_PATH:/home/ds/local/lib/engines/engine_pkcs11.so \
> > -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD \
> > -pre MODULE_PATH:opensc-pkcs11.so
> (dynamic) Dynamic engine loading support
> [Success]: SO_PATH:/home/ds/local/lib/engines/engine_pkcs11.so
> [Success]: ID:pkcs11
> [Success]: LIST_ADD:1
> [Success]: LOAD
> [Success]: MODULE_PATH:opensc-pkcs11.so
> Loaded: (pkcs11) pkcs11 engine
>
> OpenSSL> req -new -x509 -engine pkcs11 -keyform engine -text \
> > -key slot_1-id_6de677f53533e28254d5890e2d7a15a8135883ca \
> >
> engine "pkcs11" set.
> PKCS#11 token PIN:
> <Certificate related prompts...>
>
> So far so good.

great. good to see it works for you, so I think the problem in the other
bug reports was a mistake by the users (often called layer 8 :) ).

> Now, I would like this engine to install automatically i.e. without
> having to run the engine command. I tried adding the following to
> openssl.cnf
>
> ##########################
> openssl_conf = openssl_def
>
> [ openssl_def ]
> engines = engine_section
>
> [ engine_section ]
> pkcs11 = pkcs11_section
>
> [ pkcs11_section ]
> engine_id = pkcs11
> dynamic_path = /home/ds/local/lib/engines/engine_pkcs11.so
> MODULE_PATH = opensc-pkcs11.so
> init = 0
> ##########################
>
> but it doesn't work properly.

hmm. it looks very much like the config file I use, and that worked for
me very well for older versions of openssl.

here is my file:

--cut--
openssl_conf = openssl_def

[openssl_def]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib/engines/engine_pkcs11.so
MODULE_PATH = /home/aj/opentest/lib/opensc-pkcs11.so
PIN = 1234
init = 0

[req]
distinguished_name = req_distinguished_name

[req_distinguished_name]
--cut--

so the big changes I see:
* the [req] section might be necessary for some reason
* I specified the whole path to opensc-pkcs11.so.

please try these changes with your openssl 1.0.0, and let us know if it
fixes the problem. if not we need to debug this in detail and/or talk to
the openssl developers to track down and fix this issue.

> Here's what I get:
> $ openssl engine -t

uh, not sure if all these engines are compatible. maybe several of them
try to use your smart card reader, and they fight over it, or something
like that? if you could disable them for testing, that would help too.

> 1116888:error:260B606D:engine routines:DYNAMIC_LOAD:init
> failed:eng_dyn.c:521:

but my best guess is this: the code couldn't find "opensc-pkcs11.so", so
you need to specify the full path.

also - for testing only, or on very, very, very secure machines - you can
keep the "PIN = 1234" in the config file. but usually it is best to remove
that line, and the openssl/engine_pkcs11 combo will ask you for the pin.

if you have a card with normal user pin/puk and a security officer
pin/puk, you can also try "opensc-pkcs11-onepin.so" instead of
"opensc-pkcs11.so" which hides the security officer pin (it causes
trouble with some applications like firefox).

Good luck, and please let us know if it works for you.

Regards, Andreas
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
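A small lint for the engine section of openssl.cnf, added here as an example (it is not code from the thread or from the OpenSC project): it follows openssl_conf -> engines -> the section whose engine_id is pkcs11 and reports the two things Andreas points at, a dynamic_path or MODULE_PATH that is not an absolute existing file, and a PIN kept in the config file. The embedded config is a constructed copy of the one quoted in the mail with the PIN line added; the parser is deliberately minimal and only handles the key = value and [section] syntax the thread uses.

```python
import os
import re

# Constructed sample: the openssl.cnf fragment from the mail, with the
# relative MODULE_PATH and a PIN line, so both checks below fire.
SAMPLE_CNF = """openssl_conf = openssl_def
[ openssl_def ]
engines = engine_section
[ engine_section ]
pkcs11 = pkcs11_section
[ pkcs11_section ]
engine_id = pkcs11
dynamic_path = /home/ds/local/lib/engines/engine_pkcs11.so
MODULE_PATH = opensc-pkcs11.so
PIN = 1234
init = 0
"""
SECTION_RE = re.compile(r"^\[\s*([^\]]+?)\s*\]$")  # tolerates "[ name ]"

def parse_openssl_cnf(text):
    """Minimal openssl.cnf parser -> {section: {key: value}}; keys before the first [section] go into ""."""
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def lint_pkcs11_engine(text, path_exists=os.path.exists):
    """Walk openssl_conf -> engines -> engine -> section and return a list of findings (empty = clean)."""
    cfg, findings = parse_openssl_cnf(text), []
    engines = cfg.get(cfg[""].get("openssl_conf"), {}).get("engines")
    targets = [s for s in cfg.get(engines, {}).values()
               if cfg.get(s, {}).get("engine_id") == "pkcs11"]
    if not targets:
        return ["no section with engine_id = pkcs11 reachable from openssl_conf"]
    for name in targets:
        sec = cfg[name]
        for key in ("dynamic_path", "MODULE_PATH"):
            val = sec.get(key)
            if val is None or not os.path.isabs(val):  # bare names can make DYNAMIC_LOAD init fail
                findings.append(f"{name}: {key} missing or not an absolute path: {val}")
            elif not path_exists(val):
                findings.append(f"{name}: {key} not found on disk: {val}")
        if "PIN" in sec:  # keep the PIN out of the file; openssl/engine_pkcs11 will prompt
            findings.append(f"{name}: PIN stored in config; drop it so openssl prompts instead")
    return findings
```

Run it against the real file with `lint_pkcs11_engine(open("/path/to/openssl.cnf").read())`; the `path_exists` parameter exists only so the check can be exercised without the shared objects installed.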