Hi all,

a follow-up, see comments inline below

Jan Just Keijser wrote:
> Hi all,
>
> positive news this time: I've managed to upload my certificate to the
> Feitian ePAss and sign a certificate request with it (i.e. no more
> annoying openssl error:
> 15127:error:8000A005:PKCS11 library:PKCS11_rsa_sign:General Error:p11_ops.c:131:
> 15127:error:0D0C3006:asn1 encoding routines:ASN1_item_sign:EVP lib:a_sign.c:276:
>
> here's what I did:
>
> - svn checkout of the pcsc code
> - build the pcsc code
> - svn checkout of the opensc code
> - patch the opensc code so that the openssl 1.0 thing does not bite me
>   (it's still broken in svn)

it is almost fixed in svn 4396: when starting openssl I get two warnings
openssl (lock_dbg_cb): already locked (mode=9, type=30) at eng_list.c:284
openssl (lock_dbg_cb): not locked (mode=10, type=30) at eng_table.c:186

but with this patch those are gone as well:

--- opensc/src/pkcs11/openssl.c 2010-06-02 17:34:05.317163916 +0200 +++ opensc-svn-4396/src/pkcs11/openssl.c 2010-06-02 17:33:02.238259385 +0200 @@ -191,6 +191,11 @@ #if OPENSSL_VERSION_NUMBER >= 0x10000000L && !defined(OPENSSL_NO_ENGINE) ENGINE *e = NULL; + typedef void (*locking_cb_fn)(int mode,int type, const char *file,int line); + + locking_cb_fn locking_cb = CRYPTO_get_locking_callback(); + if (locking_cb) CRYPTO_set_locking_callback( NULL ); + #if !defined(OPENSSL_NO_STATIC_ENGINE) && !defined(OPENSSL_NO_GOST) ENGINE_load_gost(); e = ENGINE_by_id("gost");
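Review bot: The added block in this hunk makes the two warnings disappear by removing the locking callback rather than by fixing what the warnings report. In the openssl binary that callback is lock_dbg_cb itself, and "already locked (mode=9, type=30) at eng_list.c:284" means CRYPTO_LOCK_ENGINE (type 30) is being taken with CRYPTO_LOCK|CRYPTO_WRITE (mode 9) while the caller already holds it; with the checker gone the double lock is simply no longer observed. While the callback is NULL every other thread in the process that calls into OpenSSL runs with no locking at all, so at minimum a comment should state that this window is intentional, why it exists, and that the module must not be entered concurrently during engine setup. Minor: the local `typedef void (*locking_cb_fn)(int mode,int type, const char *file,int line);` duplicates the function-pointer type that `CRYPTO_get_locking_callback()` already returns; `void (*locking_cb)(int, int, const char *, int) = CRYPTO_get_locking_callback();` avoids the extra typedef.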
@@ -208,6 +213,9 @@ ENGINE_set_default(e, ENGINE_METHOD_ALL); ENGINE_free(e); } + + if (locking_cb) CRYPTO_set_locking_callback( locking_cb ); + #endif /* OPENSSL_VERSION_NUMBER >= 0x10000000L && !defined(OPENSSL_NO_ENGINE) */ openssl_sha1_mech.mech_data = EVP_sha1();

> - build the opensc code (with --enable-pcsc)
> - grab the latest engine_pkcs11 code and build it
>
> then
> - run the new pcscd
> - modify opensc.conf to point to the new libpcsclite libs and a new
>   profile directory (/usr/local/share/opensc)
> - re-initialize the card
> - install the cert + userkey
> - run my script to sign a cert request
> and this finally worked!
>
> I then switched back to the older opensc 0.11.13 code and that also
> worked for signing a certificate request!
> However, if I re-initialize the card using the opensc 0.11.13 codebase
> the cert signing failed using both the old and the new version of
> opensc: this leads me to believe that the card initialisation code
> has changed between 0.11.13 and 0.12 (svn) ...
>
> Now I have to test if all of this also works for the Feitian SCR301
> card reader ...

The SCR301 works but is MUCH slower than the Omnikey reader - perhaps the Feitian folks can explain this?

Other than that it is now working quite nicely. My next test will be to see how it interoperates with openvpn.

cheers,

JJK

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
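Review bot: The restore in this hunk only executes if control reaches the end of the `#if` block. Any early return or error path between the two hunks (the code around `e = ENGINE_by_id("gost");` and `ENGINE_set_default(e, ENGINE_METHOD_ALL);` is elided here) would leave the process with no locking callback for its whole lifetime, which is worse than the warnings being silenced. Either restore on every exit path or narrow the clear/restore pair to just the `ENGINE_load_gost()` / `ENGINE_by_id()` calls that trigger the double lock, and add a comment tying `+ if (locking_cb) CRYPTO_set_locking_callback( locking_cb );` to the earlier `CRYPTO_set_locking_callback( NULL )` so a later reader sees the two lines as a pair.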
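As an added illustration that is not code from the list or from OpenSC, here is a small stand-alone C model of how the two `lock_dbg_cb` warnings quoted above arise and why clearing the locking callback, as the patch does, makes them vanish. `lock_dbg_cb` is re-implemented from its known behaviour (no OpenSSL needed), the lock sequence and the `caller.c` file/line values are constructed, and `run_sequence` returns the number of diagnostics.

```c
#include <stdio.h>
#include <string.h>
/* OpenSSL 1.0 CRYPTO_lock() mode bits and the lock id seen in the warnings:
 * mode 9 = LOCK|WRITE, mode 10 = UNLOCK|WRITE, type 30 = CRYPTO_LOCK_ENGINE. */
#define CRYPTO_LOCK 1
#define CRYPTO_UNLOCK 2
#define CRYPTO_WRITE 8
#define CRYPTO_LOCK_ENGINE 30
#define NUM_LOCKS 41
typedef void (*locking_cb_fn)(int mode, int type, const char *file, int line);
static int modes[NUM_LOCKS]; /* mode currently held per lock id, 0 = unlocked */
static int warnings;         /* diagnostics emitted by the checker */
/* Re-implementation of the openssl binary's lock_dbg_cb: no real lock, just checks. */
static void lock_dbg_cb(int mode, int type, const char *file, int line)
{
    const char *msg = NULL;
    if (mode & CRYPTO_LOCK) {
        if (modes[type] != 0) msg = "already locked";
        modes[type] = mode;
    } else if (mode & CRYPTO_UNLOCK) {
        if (modes[type] == 0) msg = "not locked";
        modes[type] = 0;
    }
    if (msg) {
        warnings++;
        printf("openssl (lock_dbg_cb): %s (mode=%d, type=%d) at %s:%d\n",
               msg, mode, type, file, line);
    }
}
/* Stand-in for CRYPTO_lock(): with the callback cleared nothing is checked. */
static locking_cb_fn locking_cb;
static void crypto_lock(int mode, int type, const char *file, int line)
{
    if (locking_cb) locking_cb(mode, type, file, line);
}

/* Constructed sequence: the caller already holds CRYPTO_LOCK_ENGINE when the engine
 * loader takes and releases the same non-recursive lock. Returns the warning count. */
static int run_sequence(int with_checker)
{
    locking_cb = with_checker ? lock_dbg_cb : NULL;
    memset(modes, 0, sizeof modes);
    warnings = 0;
    crypto_lock(CRYPTO_LOCK | CRYPTO_WRITE, CRYPTO_LOCK_ENGINE, "caller.c", 1);        /* outer lock, constructed */
    crypto_lock(CRYPTO_LOCK | CRYPTO_WRITE, CRYPTO_LOCK_ENGINE, "eng_list.c", 284);    /* double lock */
    crypto_lock(CRYPTO_UNLOCK | CRYPTO_WRITE, CRYPTO_LOCK_ENGINE, "eng_list.c", 1);    /* loader releases, constructed */
    crypto_lock(CRYPTO_UNLOCK | CRYPTO_WRITE, CRYPTO_LOCK_ENGINE, "eng_table.c", 186); /* stray unlock */
    return warnings;
}
```

With the checker installed the sequence yields exactly the two messages from the mail (2 diagnostics); with the callback cleared it yields none, although the double lock and stray unlock still happen.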