Dear all,
I'm implementing HSM support for our OCSP Responder, which uses the OpenSSL libraries to perform crypto operations.
When searching for a PKCS11 engine implementation for OpenSSL 0.9.8c (OCSP already patched with Engine support) I found the OpenSC project and their engine_pkcs11 libraries, so I've begun testing it with the OpenSSL command line, just like this:
*Engine preparation (from openssl environment):
engine -t dynamic -pre SO_PATH:D:\openssl-0.9.8c\out32dll\engine_pkcs11.dll -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:D:\openssl-0.9.8c\out32dll\rsecpk11.dll

*OCSP client issuing a signed Request (same mechanism is used by the OCSP Server when sending a signed Response):
ocsp -host ocsp.camerfirma.com:80 -path http://ocsp.camerfirma.com/ocsp -issuer Camerfirma-RootSinPoderes.pem -serial 0x00C20FA62E42F03643257115AED64383 -nonce -CAfile VA-root.pem -VAfile CACamerfirma-ocspSign.pem -signkey jluna.cve -signer jluna.cer -reqout hsm_ocsp_req.txt -respout hsm_ocsp.txt -req_text -engine pkcs11

*Error message:
Error signing OCSP request
1640:error:80009404:Vendor defined:PKCS11_rsa_encrypt:Not supported:p11_ops.c:107:
1640:error:0D0C3006:asn1 encoding routines:ASN1_item_sign:EVP lib:.\crypto\asn1\a_sign.c:276:
error in ocsp

I've also tried with a SmartCard and OpenSC's native opensc-pkcs11.dll module, but the error is still the same.
The question is: might this be an issue in OpenSSL or in the OpenSC implementation? Do you know of or recommend some other open-source PKCS11 engine implementation for OpenSSL?
Thanks in advance for your help,

Jesus Luna
PKI Research
www.certiver.com


