Re: e-gate and openssh

Re: e-gate and openssh

jari.heikkinen
Hi,

I tried that, this does not work. The most probable problem is that it is
missing the MODULE_PATH part, but I do not know how to add it.

The following shell script works:
#### start script ####
openssl<<EOF
engine dynamic -pre SO_PATH:/usr/local/lib/opensc/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/local/lib/pkcs11/opensc-pkcs11.so
req -engine pkcs11 -new -key id_45 -keyform engine -out jari.pem -x509 -days 9999 -sha1
FI
FI
Helsinki
Modirum

Jari




EOF
#### end script ####

I tried
        openssl req -engine pkcs11 - new -key id_45 -keyform engine -out jari.pem -x509 -days 9999 -sha1 -subj /CN=Jari/C=FI/L=Helsinki/O=Modirum -config openssl.conf
with this in openssl.conf:
#### start openssl.conf ####
[openssl_def]
engines = engine_section

[engine_section]
foo = pkcs11_section

[pkcs11_section]
dynamic_path = /usr/local/lib/opensc/engine_pkcs11.so
engine_id = pkcs11
#### end openssl.conf ####

The result was
invalid engine "pkcs11"
4569:error:2606A074:engine routines:ENGINE_by_id:no such engine:eng_list.c:379:id=pkcs11
4569:error:2506406A:DSO support routines:DLFCN_BIND_FUNC:could not bind to the requested symbol name:dso_dlfcn.c:252:symname(bind_engine): /usr/lib/i686/cmov/libcrypto.so.0.9.7: undefined symbol: bind_engine
4569:error:2506C06A:DSO support routines:DSO_bind_func:could not bind to the requested symbol name:dso_lib.c:294:
4569:error:260B6068:engine routines:DYNAMIC_LOAD:DSO failure:eng_dyn.c:376:
no engine specified
unable to load Private Key



Best Regards,

JARI HEIKKINEN

Nils Larsch <[hidden email]>
21.05.2005 16:44

To: Andreas Jellinghaus <[hidden email]>
cc: [hidden email], [hidden email]
Subject: Re: [opensc-user] e-gate and openssh

Andreas Jellinghaus wrote:
> Hi Nils,
>
> maybe you have an idea what the right way is to make openssl load our engine?
> I tried with this config file:
> [engine_section]
>
> pkcs11 = pkcs11_section
>
> [pkcs11_section]
> dynamic_path = /home/aj/lib/opensc/engine_pkcs11.so
> engine_id = pkcs11

my config file entries (relevant for the engine stuff) are:

                 [openssl_def]
                 engines = engine_section

                 [engine_section]

                 foo = pkcs11_section

                 [pkcs11_section]
                 dynamic_path = /home/nils/lib/opensc/engine_pkcs11.so
                 engine_id = pkcs11

note: the "openssl_def" section with the "engines" entry is necessary
otherwise openssl can't find/ignores the other engine entries.

Btw: in case someone uses openssl 0.9.8 (well it's not released yet
but hopefully soon) there's an even simpler alternative: create a link
from the engine .so to the /lib/engines/ directory, i.e. something like
  ln -s /home/nils/lib/opensc/engine_pkcs11.so \
                 /home/nils/lib/engines/libpkcs11.so
as openssl automatically tries to load a dynamic engine named
lib<type>.so from the engines directory when the engine <type> is
used, for example via "openssl req ... -engine <type> ..".

Cheers,
Nils


_______________________________________________
opensc-user mailing list
[hidden email]
http://www.opensc.org/cgi-bin/mailman/listinfo/opensc-user
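
A check for the section chain Nils describes and the MODULE_PATH entry Jari mentions, as an added example that is not from either poster or from the OpenSSL or OpenSC projects. The function names are hypothetical; the `openssl_conf` entry in the default section is standard OpenSSL configuration that the thread does not show, and treating `MODULE_PATH` as a config-file entry (the counterpart of the script's `-pre MODULE_PATH:...`) is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread. Follows the entries OpenSSL reads to
# reach an engine: openssl_conf (default section) -> engines -> engine section.
# Prints one line per missing link; exit status is 0 only when none is missing.
check_engine_conf() {
    awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    /^[ \t]*(#|$)/ { next }                    # comment or blank line
    /^[ \t]*\[/ {                              # [section] header
        sec = $0
        sub(/^[ \t]*\[[ \t]*/, "", sec); sub(/[ \t]*\].*$/, "", sec)
        next
    }
    {
        eq = index($0, "=")
        if (eq > 0) kv[sec, trim(substr($0, 1, eq - 1))] = trim(substr($0, eq + 1))
    }
    END {
        top = kv["", "openssl_conf"]
        for (k in kv) {                        # which section lists engines?
            split(k, p, SUBSEP)
            if (p[2] == "engines") { esec = p[1]; elist = kv[k] }
        }
        if (elist == "") { print "no engines entry in any section"; exit 1 }
        if (top != esec) {
            printf "default section: openssl_conf does not name [%s]\n", esec
            bad = 1
        }
        n = split("engine_id dynamic_path MODULE_PATH", need, " ")
        for (k in kv) {                        # each engine named in that list
            split(k, p, SUBSEP)
            if (p[1] != elist) continue
            found = 1
            for (i = 1; i <= n; i++)
                if (!((kv[k], need[i]) in kv)) {
                    printf "[%s]: no %s entry\n", kv[k], need[i]; bad = 1
                }
        }
        if (!found) { printf "section [%s] is missing or empty\n", elist; bad = 1 }
        exit bad + 0
    }' "$1"
}
# Sample input: the openssl.conf exactly as posted in the message above.
posted_conf() {
    printf '%s\n' '[openssl_def]' 'engines = engine_section' '' \
        '[engine_section]' 'foo = pkcs11_section' '' '[pkcs11_section]' \
        'dynamic_path = /usr/local/lib/opensc/engine_pkcs11.so' 'engine_id = pkcs11'
}
posted_conf | check_engine_conf - || true
```

Run as `check_engine_conf openssl.conf`; it only inspects the file and does not load the engine or touch the token.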
Re: e-gate and openssh

Nils Larsch
[hidden email] wrote:
...

> I tried
>         openssl req -engine pkcs11 - new -key id_45 -keyform engine -out jari.pem -x509 -days 9999 -sha1 -subj /CN=Jari/C=FI/L=Helsinki/O=Modirum -config openssl.conf
> with this in openssl.conf:
> #### start openssl.conf ####
> [openssl_def]
> engines = engine_section
>
> [engine_section]
> foo = pkcs11_section
>
> [pkcs11_section]
> dynamic_path = /usr/local/lib/opensc/engine_pkcs11.so
> engine_id = pkcs11
> #### end openssl.conf ####
>
> The result was
> invalid engine "pkcs11"
> 4569:error:2606A074:engine routines:ENGINE_by_id:no such engine:eng_list.c:379:id=pkcs11
> 4569:error:2506406A:DSO support routines:DLFCN_BIND_FUNC:could not bind to the requested symbol name:dso_dlfcn.c:252:symname(bind_engine): /usr/lib/i686/cmov/libcrypto.so.0.9.7: undefined symbol: bind_engine
> 4569:error:2506C06A:DSO support routines:DSO_bind_func:could not bind to the requested symbol name:dso_lib.c:294:
> 4569:error:260B6068:engine routines:DYNAMIC_LOAD:DSO failure:eng_dyn.c:376:
> no engine specified
> unable to load Private Key

could you send me the strace output of this command? btw: which
openssl version do you use?

Nils