On 19/02/2011 10:52, Martin Paljak wrote:
> Unfortunately engine_pkcs11 (and OpenSSL in general) is not the best
> interface for smart cards, especially for user interaction purposes. But a
> patch against engine_pkcs11 might make the prompt a bit easier to understand
> [1]

But it's good for scripts :)
I finally managed to make the newest openssl load a config file with a pkcs11_section. It just needs to be the only engine, initialized immediately (I only changed init=0 to init=1 to make it work!):

-8<--
openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib/openssl/engines/engine_pkcs11.so
MODULE_PATH = /usr/lib/opensc-pkcs11.so
init = 1
-8<--

IIUC openssl's config syntax, the first two non-empty rows could be removed, since the first just tells it to read the section defined by the second. Hope that can help others.

Now I get:

-8<--
$ openssl req -config openssl.cnf -new -engine pkcs11 -key 3:10 -keyform engine -extensions CA_ROOT -x509 -out root_ca/ca.pem -text -subj "/CN=csshl.org root CA"
engine "pkcs11" set.
PKCS#11 token PIN:
3075020424:error:8000A101:Vendor defined:PKCS11_rsa_sign:User not logged in:p11_ops.c:131:
3075020424:error:0D0C3006:asn1 encoding routines:ASN1_item_sign:EVP lib:a_sign.c:279:
-8<--

Why "User not logged in"? The PIN is correct and not locked (verified by opensc_explorer).

BYtE, Diego.

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
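The config above is the interactive variant: engine_pkcs11 prompts for the PIN when the key is first used. For the scripted use Martin mentions, the same section can carry the PIN so that no prompt is issued. The fragment below is an added example written for this page, not code from the original post or from the OpenSSL or OpenSC projects. The two .so paths, the PIN value and the comment text are assumptions; the keys are the ones engine_pkcs11 accepts (entries in an engine section other than engine_id, dynamic_path, init and default_algorithms are handed to the engine as ctrl commands, and PIN is one of engine_pkcs11's ctrl commands).

```ini
# Added example (not from the original post): openssl.cnf for
# non-interactive use of engine_pkcs11. Paths and the PIN are placeholders.
openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
# Assumed install locations; adjust to your distribution.
dynamic_path = /usr/lib/openssl/engines/engine_pkcs11.so
MODULE_PATH = /usr/lib/opensc-pkcs11.so
# PIN is passed to the engine as a ctrl command, so the user PIN is known
# before the first private-key operation and no "PKCS#11 token PIN:" prompt
# appears. Placeholder value; a file holding a real PIN must be readable
# only by the account running the script (chmod 0600).
PIN = 123456
# init = 1 initialises the engine as soon as the config is loaded;
# init = 0 only loads it and defers ENGINE_init() until first use.
init = 1
```

With this file selected via `-config openssl.cnf` (or `OPENSSL_CONF=openssl.cnf` on builds where the openssl binary applies the environment config to every subcommand), the `openssl req ... -engine pkcs11 -key 3:10 -keyform engine` command from the post runs without stopping for input; `openssl engine -t pkcs11` reports `[ available ]` when the dynamic engine and the PKCS#11 module both load. Putting the PIN in a config file trades the interactive prompt for a secret on disk, so the file permissions, not the engine, are what protect it.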