Hello! I am trying to sign a certificate with a FIPS enabled build of openssl (1.0.1c, FIPS object module 2.0) and the PKCS#11 engine (using a Safenet eToken).
I did this procedure before (with the non-FIPS version) using an openssl config file:

    openssl_conf = openssl_def

    [openssl_def]
    engines = engine_section

    [engine_section]
    pkcs11 = pkcs11_section

    [pkcs11_section]
    engine_id = pkcs11
    dynamic_path = /usr/lib/engines/engine_pkcs11.so
    MODULE_PATH = libeTPkcs11.so
    PIN = topsecret
    VERBOSE = EMPTY
    init = 0

    [ca]
    ...

and the command:

    openssl ca -engine pkcs11 -in /tmp/testcsr -keyfile 2:74 -keyform engine -out /tmp/cert -batch -config /tmp/testConf -md sha1 -subj "/C=AT/CN=Test" -days 30

This worked like a charm, but with the FIPS build (engine_pkcs11 and the PKCS#11 client library are the same), I get a segmentation fault:

    Using configuration from /tmp/testConf
    initializing engine
    engine "pkcs11" set.
    Looking in slot 2 for key: 74
    Found 6 slots
    [0] Cherry SmartBoard XX44 00    no tok
    [1] AKS ifdh 00 00               login (eToken)
    [2] AKS ifdh 01 00               login (INTERN)
    [3]                              no tok
    [4]                              no tok
    [5]                              no tok
    Found slot:  AKS ifdh 01 00
    Found token: INTERN
    Found 2 certificates:
       1 INTERN (/C=AT/CN=INTERN/emailAddress=int...@test.at)
       2 INTERN SUB (/C=AT/CN=INTERN SUB/emailAddress=int...@test.at)
    Found 2 keys:
       1 P INTERN
       2 P INTERN SUB
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    countryName           :PRINTABLE:'AT'
    commonName            :PRINTABLE:'Test'
    Certificate is to be certified until Aug 10 10:17:22 2012 GMT (30 days)
    Segmentation fault

The weird thing is, if I configure the engine directly, everything works:

    OpenSSL> engine -t dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib/libeTPkcs11.so -pre VERBOSE
    (dynamic) Dynamic engine loading support
    [Success]: SO_PATH:/usr/lib/engines/engine_pkcs11.so
    [Success]: ID:pkcs11
    [Success]: LIST_ADD:1
    [Success]: LOAD
    [Success]: MODULE_PATH:/usr/lib/libeTPkcs11.so
    [Success]: VERBOSE
    Loaded: (pkcs11) pkcs11 engine
    initializing engine
         [ available ]
    OpenSSL> ca -engine pkcs11 -in /tmp/testcsr -keyfile 2:74 -keyform engine -out /tmp/cert -batch -config /tmp/testConf -md sha1 -subj "/C=AT/CN=Test" -days 30
    Using configuration from /tmp/testConf
    initializing engine
    engine "pkcs11" set.
    Looking in slot 2 for key: 74
    Found 6 slots
    [0] Cherry SmartBoard XX44 00    no tok
    [1] AKS ifdh 00 00               login (eToken)
    [2] AKS ifdh 01 00               login (INTERN)
    [3]                              no tok
    [4]                              no tok
    [5]                              no tok
    Found slot:  AKS ifdh 01 00
    Found token: INTERN
    Found 2 certificates:
       1 INTERN (/C=AT/CN=INTERN/emailAddress=int...@test.at)
       2 INTERN SUB (/C=AT/CN=INTERN SUB/emailAddress=int...@test.at)
    PKCS#11 token PIN:
    Found 2 keys:
       1 P INTERN
       2 P INTERN SUB
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    countryName           :PRINTABLE:'AT'
    commonName            :PRINTABLE:'Test'
    Certificate is to be certified until Aug 10 10:19:13 2012 GMT (30 days)
    Write out database with 1 new entries
    Data Base Updated
    OpenSSL> quit

All this is happening with the FIPS-capable build but without actually enabling FIPS mode.

I am quite lost here. Any ideas?

cheers,
Mathias