In order to track down this error: Is there somebody out there who has been able to use a FIPS-capable openssl with engine_pkcs11 successfully?
regards
Mathias

On 07/11/2012 12:32 PM, Mathias Tausig wrote:
> Hello!
>
> I am trying to sign a certificate with a FIPS enabled build of openssl
> (1.0.1c, FIPS object module 2.0) and the PKCS#11 engine (using a Safenet
> eToken).
>
> I did this procedure before (with the non-fips version) using an openssl
> config file:
>
> openssl_conf = openssl_def
> [openssl_def]
> engines = engine_section
> [engine_section]
> pkcs11 = pkcs11_section
> [pkcs11_section]
> engine_id = pkcs11
> dynamic_path = /usr/lib/engines/engine_pkcs11.so
> MODULE_PATH = libeTPkcs11.so
> PIN = topsecret
> VERBOSE = EMPTY
> init = 0
> [ca]
> ...
>
> and the command
> openssl ca -engine pkcs11 -in /tmp/testcsr -keyfile 2:74 -keyform engine -out /tmp/cert -batch -config /tmp/testConf -md sha1 -subj "/C=AT/CN=Test" -days 30
>
> This worked like a charm, but with the fips-build (engine_pkcs11 and the
> PKCS#11 client library are the same), I get a segmentation fault:
>
> Using configuration from /tmp/testConf
> initializing engine
> engine "pkcs11" set.
> Looking in slot 2 for key: 74
> Found 6 slots
> [0] Cherry SmartBoard XX44 00  no tok
> [1] AKS ifdh 00 00  login (eToken)
> [2] AKS ifdh 01 00  login (INTERN)
> [3]  no tok
> [4]  no tok
> [5]  no tok
> Found slot:  AKS ifdh 01 00
> Found token: INTERN
> Found 2 certificates:
>   1 INTERN (/C=AT/CN=INTERN/emailAddress=int...@test.at)
>   2 INTERN SUB (/C=AT/CN=INTERN SUB/emailAddress=int...@test.at)
> Found 2 keys:
>   1 P INTERN
>   2 P INTERN SUB
> Check that the request matches the signature
> Signature ok
> The Subject's Distinguished Name is as follows
> countryName           :PRINTABLE:'AT'
> commonName            :PRINTABLE:'Test'
> Certificate is to be certified until Aug 10 10:17:22 2012 GMT (30 days)
> Segmentation fault
>
> The weird thing is, if I configure the engine directly everything works:
>
> OpenSSL> engine -t dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib/libeTPkcs11.so -pre VERBOSE
> (dynamic) Dynamic engine loading support
> [Success]: SO_PATH:/usr/lib/engines/engine_pkcs11.so
> [Success]: ID:pkcs11
> [Success]: LIST_ADD:1
> [Success]: LOAD
> [Success]: MODULE_PATH:/usr/lib/libeTPkcs11.so
> [Success]: VERBOSE
> Loaded: (pkcs11) pkcs11 engine
> initializing engine
>      [ available ]
> OpenSSL> ca -engine pkcs11 -in /tmp/testcsr -keyfile 2:74 -keyform engine -out /tmp/cert -batch -config /tmp/testConf -md sha1 -subj "/C=AT/CN=Test" -days 30
> Using configuration from /tmp/testConf
> initializing engine
> engine "pkcs11" set.
> Looking in slot 2 for key: 74
> Found 6 slots
> [0] Cherry SmartBoard XX44 00  no tok
> [1] AKS ifdh 00 00  login (eToken)
> [2] AKS ifdh 01 00  login (INTERN)
> [3]  no tok
> [4]  no tok
> [5]  no tok
> Found slot:  AKS ifdh 01 00
> Found token: INTERN
> Found 2 certificates:
>   1 INTERN (/C=AT/CN=INTERN/emailAddress=int...@test.at)
>   2 INTERN SUB (/C=AT/CN=INTERN SUB/emailAddress=int...@test.at)
> PKCS#11 token PIN:
> Found 2 keys:
>   1 P INTERN
>   2 P INTERN SUB
> Check that the request matches the signature
> Signature ok
> The Subject's Distinguished Name is as follows
> countryName           :PRINTABLE:'AT'
> commonName            :PRINTABLE:'Test'
> Certificate is to be certified until Aug 10 10:19:13 2012 GMT (30 days)
>
> Write out database with 1 new entries
> Data Base Updated
> OpenSSL> quit
>
>
> All this is happening with the FIPS-capable build but without actually
> enabling FIPS-mode.
>
> I am quite lost here. Any ideas?
>
> cheers
> Mathias
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
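As an added example (not code from the thread), a small Python helper that renders one set of engine_pkcs11 settings both as the openssl.cnf engine section and as the equivalent `openssl engine -t dynamic -pre ...` command line, so the config-file path and the interactive path can be exercised with exactly the same parameters before the two results are compared. Fed the two setups quoted above, it reports that they are not identical: MODULE_PATH is a bare library name in the file but an absolute path on the command line, and PIN is set in the file but prompted for interactively. The two setup dicts are constructed from the quoted messages; the PIN value is the placeholder the post uses.

```python
"""Render one PKCS#11 engine setup as an openssl.cnf engine section and as the
equivalent `openssl engine -pre` command line, so both load paths use identical
parameters. Added helper, not part of OpenSSL or engine_pkcs11."""
from typing import Dict, List, Tuple

# Ctrls consumed by the `dynamic` engine itself; in a config file they are
# expressed by `engine_id` / `dynamic_path` rather than as key = value lines.
_DYNAMIC_CTRLS = ("SO_PATH", "ID", "LIST_ADD", "LOAD")

# Constructed from the two invocations quoted in the thread.
CONFIG_SETUP = {"SO_PATH": "/usr/lib/engines/engine_pkcs11.so",
                "MODULE_PATH": "libeTPkcs11.so", "PIN": "topsecret",
                "VERBOSE": "EMPTY"}
DIRECT_SETUP = {"SO_PATH": "/usr/lib/engines/engine_pkcs11.so",
                "MODULE_PATH": "/usr/lib/libeTPkcs11.so", "VERBOSE": "EMPTY"}

def render_config(settings: Dict[str, str], engine_id: str = "pkcs11") -> str:
    """openssl.cnf text that loads the engine through `dynamic_path`."""
    lines = ["openssl_conf = openssl_def", "[openssl_def]",
             "engines = engine_section", "[engine_section]",
             f"{engine_id} = {engine_id}_section", f"[{engine_id}_section]",
             f"engine_id = {engine_id}", f"dynamic_path = {settings['SO_PATH']}"]
    # Engine-specific ctrls (MODULE_PATH, PIN, VERBOSE, ...) become key = value
    # lines; EMPTY is the config-file spelling of a ctrl that takes no argument.
    lines += [f"{k} = {v}" for k, v in settings.items() if k not in _DYNAMIC_CTRLS]
    lines.append("init = 0")  # defer initialisation until the engine is first used
    return "\n".join(lines) + "\n"

def render_engine_cmd(settings: Dict[str, str], engine_id: str = "pkcs11") -> List[str]:
    """argv for `openssl engine -t dynamic -pre ...` carrying the same settings."""
    pre = [f"SO_PATH:{settings['SO_PATH']}", f"ID:{engine_id}", "LIST_ADD:1", "LOAD"]
    for k, v in settings.items():
        if k not in _DYNAMIC_CTRLS:
            pre.append(k if v == "EMPTY" else f"{k}:{v}")  # VERBOSE takes no argument
    argv = ["openssl", "engine", "-t", "dynamic"]
    for item in pre:
        argv += ["-pre", item]
    return argv

def setting_diff(a: Dict[str, str], b: Dict[str, str]) -> Dict[str, Tuple]:
    """Settings that differ between two setups, as key -> (value_in_a, value_in_b)."""
    return {k: (a.get(k), b.get(k)) for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}

if __name__ == "__main__":
    print(render_config(CONFIG_SETUP))
    print(" ".join(render_engine_cmd(DIRECT_SETUP)))
    print("differs:", setting_diff(CONFIG_SETUP, DIRECT_SETUP))
```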