Hello!
I am trying to sign a certificate with a FIPS enabled build of openssl
(1.0.1c, FIPS object module 2.0) and the PKCS#11 engine (using a Safenet
eToken).
I did this procedure before (with the non-fips version) using an openssl
config file:
openssl_conf = openssl_def
[openssl_def]
engines = engine_section
[engine_section]
pkcs11 = pkcs11_section
[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib/engines/engine_pkcs11.so
MODULE_PATH = libeTPkcs11.so
PIN = topsecret
VERBOSE = EMPTY
init = 0
[ca]
...
and the command
openssl ca -engine pkcs11 -in /tmp/testcsr -keyfile 2:74 -keyform
engine -out /tmp/cert -batch -config /tmp/testConf -md sha1 -subj
"/C=AT/CN=Test" -days 30
This worked like charm, but with the fips-build (engine_pkcs11 and the
PKCS#11 client library are the same), I get a segmentation fault:
Using configuration from /tmp/testConf
initializing engine
engine "pkcs11" set.
Looking in slot 2 for key: 74
Found 6 slots
[0] Cherry SmartBoard XX44 00 no tok
[1] AKS ifdh 00 00 login (eToken)
[2] AKS ifdh 01 00 login (INTERN)
[3] no tok
[4] no tok
[5] no tok
Found slot: AKS ifdh 01 00
Found token: INTERN
Found 2 certificates:
1 INTERN (/C=AT/CN=INTERN/emailAddress=int...@test.at)
2 INTERN SUB (/C=AT/CN=INTERN SUB/emailAddress=int...@test.at)
Found 2 keys:
1 P INTERN
2 P INTERN SUB
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'AT'
commonName :PRINTABLE:'Test'
Certificate is to be certified until Aug 10 10:17:22 2012 GMT (30 days)
Segmentation fault
The weird thing ist, if I configure the engine directly everything works:
OpenSSL> engine -t dynamic -pre
SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1
-pre LOAD -pre MODULE_PATH:/usr/lib/libeTPkcs11.so -pre VERBOSE
(dynamic) Dynamic engine loading support
[Success]: SO_PATH:/usr/lib/engines/engine_pkcs11.so
[Success]: ID:pkcs11
[Success]: LIST_ADD:1
[Success]: LOAD
[Success]: MODULE_PATH:/usr/lib/libeTPkcs11.so
[Success]: VERBOSE
Loaded: (pkcs11) pkcs11 engine
initializing engine
[ available ]
OpenSSL> ca -engine pkcs11 -in /tmp/testcsr -keyfile 2:74 -keyform
engine -out /tmp/cert -batch -config /tmp/testConf -md sha1 -subj
"/C=AT/CN=Test" -days 30
Using configuration from /tmp/testConf
initializing engine
engine "pkcs11" set.
Looking in slot 2 for key: 74
Found 6 slots
[0] Cherry SmartBoard XX44 00 no tok
[1] AKS ifdh 00 00 login (eToken)
[2] AKS ifdh 01 00 login (INTERN)
[3] no tok
[4] no tok
[5] no tok
Found slot: AKS ifdh 01 00
Found token: INTERN
Found 2 certificates:
1 INTERN (/C=AT/CN=INTERN/emailAddress=int...@test.at)
2 INTERN SUB (/C=AT/CN=INTERN SUB/emailAddress=int...@test.at)
PKCS#11 token PIN:
Found 2 keys:
1 P INTERN
2 P INTERN SUB
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'AT'
commonName :PRINTABLE:'Test'
Certificate is to be certified until Aug 10 10:19:13 2012 GMT (30 days)
Write out database with 1 new entries
Data Base Updated
OpenSSL> quit
All this is happening with the FIPS-capable build but without actually
enabling FIPS-mode.
I am quite lost here. Any ideas?
cheers
Mathias
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
