On Fri, Apr 16, 2010, Dimitrios Siganos wrote:

> Hi,
>
> I have used openssl-1.0.0 and engine_pkcs11 for storing an rsa private key
> in a smartcard (feitian epass 3000). I got openssl to access the rsa
> private key and used it to create a self-signed certificate like this:
>
> openssl
>
> OpenSSL> engine dynamic \
> > -pre SO_PATH:/home/ds/local/lib/engines/engine_pkcs11.so \
> > -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD \
> > -pre MODULE_PATH:opensc-pkcs11.so
>
> (dynamic) Dynamic engine loading support
> [Success]: SO_PATH:/home/ds/local/lib/engines/engine_pkcs11.so
> [Success]: ID:pkcs11
> [Success]: LIST_ADD:1
> [Success]: LOAD
> [Success]: MODULE_PATH:opensc-pkcs11.so
> Loaded: (pkcs11) pkcs11 engine
>
> OpenSSL> req -new -x509 -engine pkcs11 -keyform engine -text \
> > -key slot_1-id_6de677f53533e28254d5890e2d7a15a8135883ca \
>
> engine "pkcs11" set.
> PKCS#11 token PIN:
> <Certificate related prompts...>
>
> So far so good.
>
> Now, I would like this engine to install automatically i.e. without having
> to run the engine command. I tried adding the following to openssl.cnf
>
> ##########################
> openssl_conf = openssl_def
>
> [ openssl_def ]
> engines = engine_section
>
> [ engine_section ]
> pkcs11 = pkcs11_section
>
> [ pkcs11_section ]
> engine_id = pkcs11
> dynamic_path = /home/ds/local/lib/engines/engine_pkcs11.so
> MODULE_PATH = opensc-pkcs11.so
> init = 0
> ##########################
>
> but it doesn't work properly.
> Here's what I get:
>
> $ openssl engine -t
> (dynamic) Dynamic engine loading support
>      [ unavailable ]
> (4758cca) IBM 4758 CCA hardware engine support
>      [ unavailable ]
> (aep) Aep hardware engine support
>      [ unavailable ]
> (atalla) Atalla hardware engine support
>      [ unavailable ]
> (cswift) CryptoSwift hardware engine support
>      [ unavailable ]
> (chil) CHIL hardware engine support
>      [ unavailable ]
> (nuron) Nuron hardware engine support
>      [ unavailable ]
> (sureware) SureWare hardware engine support
>      [ unavailable ]
> (ubsec) UBSEC hardware engine support
>      [ unavailable ]
> (padlock) VIA PadLock (no-RNG, no-ACE)
>      [ unavailable ]
> (gost) Reference implementation of GOST engine
>      [ available ]
> (pkcs11) pkcs11 engine
> Auto configuration failed
> 1116888:error:260B606D:engine routines:DYNAMIC_LOAD:init
> failed:eng_dyn.c:521:
> 1116888:error:260BC066:engine routines:INT_ENGINE_CONFIGURE:engine
> configuration error:eng_cnf.c:204:section=pkcs11_section,
> name=dynamic_path, value=/home/ds/local/lib/engines/engine_pkcs11.so
> 1116888:error:0E07606D:configuration file routines:MODULE_RUN:module
> initialization error:conf_mod.c:235:module=engines, value=engine_section,
> retcode=-1
>
> Can someone shed some light into this?
>

It's not obvious what the problem is from that. It looks like the PKCS#11
isn't initialising properly. Try using the dynamic ENGINE in the config file
with exactly the same commands you used on the command line.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
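
Added example, not part of the original thread and not written by the posters or the OpenSSL project: one way to follow the advice above is to address the `dynamic` ENGINE directly in openssl.cnf and send it the same control commands, in the same order, as the `-pre` options in the interactive session. It relies on the behaviour documented in OpenSSL's config(5): names in an engine section that are not recognised keywords are sent as control commands, and the value `EMPTY` means "no argument". The paths are the ones quoted in the post.

```ini
openssl_conf = openssl_def

[ openssl_def ]
engines = engine_section

[ engine_section ]
# The name on the left is only a label; engine_id below selects the ENGINE.
pkcs11 = pkcs11_section

[ pkcs11_section ]
# Start from the built-in "dynamic" loader instead of using the
# dynamic_path shorthand. dynamic_path expands to SO_PATH, LIST_ADD with
# value 2 and LOAD; the command line in the post used LIST_ADD:1 and also
# set ID, so the two sequences are not identical.
engine_id = dynamic

# Same commands, same order, as the -pre options on the command line.
SO_PATH = /home/ds/local/lib/engines/engine_pkcs11.so
ID = pkcs11
LIST_ADD = 1
# LOAD takes no argument; EMPTY tells the config parser to send none.
LOAD = EMPTY

# Once LOAD has succeeded, later commands go to the loaded pkcs11 engine.
MODULE_PATH = opensc-pkcs11.so

# As in the original config: do not initialise the engine at load time.
init = 0
```

Running `openssl engine -t`, as in the post, then shows whether the section is accepted and whether the `(pkcs11)` entry still triggers "Auto configuration failed".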