Hi Andreas,

Andreas Jellinghaus wrote:
> hmm. if we had only one engine doing both rsa and gost, the
> problem would be gone, without this "hack" required in opensc?
>
> my point of view:
> if so: I think that is the solution! please drop the stuff
> from opensc, and work in that direction.
>
> engine_pkcs11.c is bsd3 / openssl license, and libp11
> is lgpl (but only 2k lines of code, and not very great code
> anyway), so long term a unified engine is the way to go.
>
> or send patches for libp11/engine_pkcs11 to handle gost.
> (no idea how much work that would be - I'm quite clueless
> over there. also gost engine might be much better than the
> simple and hacky engine_pkcs11).
>
> but maybe I missed something in the discussion or got some
> parts wrong? please don't let me stay stupid :-)
>
>
The problem is quite subtle:
- some applications load engine_pkcs11 and/or opensc-pkcs11, but they 
themselves do not use OpenSSL
- to use the GOST algorithms inside of engine_pkcs11, the OpenSSL GOST 
engine (an external .so file) needs to be loaded.
- the current 'trick' is to simply call OPENSSL_config() and hope/make 
sure that the GOST engine is loaded based on what is found in the system 
default openssl.cnf file
- the problem occurs when you're calling OPENSSL_config() again, e.g. 
as the 'openssl engine' command does; this causes all OpenSSL 
engines to be loaded *again*, including the GOST engine and the 
engine_pkcs11 file. At that point OpenSSL barfs with the error as reported.

A quick and dirty hack is to only load the 'gost' section (provided 
there is one):
  OPENSSL_config( "gost" )
but that can also fail if the application loading engine_pkcs11 itself calls
  OPENSSL_config()
in which case the engine would again be loaded twice.

I have not yet come up with a totally clean solution to this problem; 
perhaps there needs to be a test to see if the 'gost' engine is already 
loaded or not. The real problem is OpenSSL's inability to load an engine 
twice (e.g. ignore the second attempt).

I hope this clears things up a bit :-)

cheers,

JJK
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
