Relation between engine_pkcs11 and openssl

Relation between engine_pkcs11 and openssl

sarat

Hi,

I have a few questions on engine_pkcs11; can anyone please clarify them?

1) Why does engine_pkcs11 exist? How is it related to OpenSSL?

2) I can do card personalization using pkcs15-tool init commands, so why should I need to install engine_pkcs11?

3) Is engine_pkcs11 related to OpenSC in any way, or is it specific to OpenSSL?

4) Is engine_pkcs11 related to pkcs15-init in any way?

Please help me in clarifying my doubts.

Thank you.

Regards,

Sarat G


------------------------------------------------------------------------------
Dive into the World of Parallel Programming! The Go Parallel Website,
sponsored by Intel and developed in partnership with Slashdot Media, is your
hub for all things parallel software development, from weekly thought
leadership blogs to news, videos, case studies, tutorials and more. Take a
look and join the conversation now. http://goparallel.sourceforge.net
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel

Re: Relation between engine_pkcs11 and openssl

Petr Pisar
On Thu, Jan 01, 2015 at 02:26:02PM +0530, sarat wrote:
> 1)      Why is engine_pkcs11? How it related with openssl?
>
> 2)      I can do card personalization using pkcs15-tool init commands, so
> why should I need to install engine_pkcs11?
>
> 3)      Is anywhere engine_pkcs11 is related to OpenSC or it is specific to
> Openssl?
>
engine_pkcs11 is a plug-in for OpenSSL.

OpenSSL implements various cipher, digest, and signing features and it can
consume and produce keys. However, plenty of people think that these features
should be implemented in separate hardware, like USB tokens, smart cards or
hardware security modules. Therefore OpenSSL has an abstraction layer called
engine which can delegate some of these features to a different piece of
software or hardware.

OpenSSL comes with a few engines for some hardware or software security
modules, like for the IBM RSA module or Windows CryptoAPI. (See the OpenSSL
sources and the "openssl engine -t" command output). The engines can be built
statically into the OpenSSL library or they can be built as separate plug-ins.
Third-party engines always have to be built as plug-ins.

One of these plug-ins is engine_pkcs11. engine_pkcs11 is an OpenSSL
engine which provides a gateway between PKCS#11 modules and the OpenSSL engine
API. One has to register the engine with OpenSSL and one has to provide the
path to a PKCS#11 module which should be gatewayed to. (This can be done in the
OpenSSL configuration file.)

A PKCS#11 module is again a plug-in which implements the PKCS#11 API, and the
purpose of the API is to provide some cryptographic features like key storage,
key generation, signing, digesting, enciphering etc. The PKCS#11 API is
something like the OpenSSL engine API.

The PKCS#11 API is a standard and it's supported by various hardware and
software vendors. Usually, a hardware vendor provides a proprietary PKCS#11
module for its cryptographic device, and a cryptographic library, like NSS or
GnuTLS, can use it to access the hardware.

Now comes OpenSC, which aims to replace the proprietary PKCS#11 modules by
accessing the hardware directly (or indirectly via other software like
pcsc-lite). Therefore OpenSC provides a PKCS#11 module called opensc-pkcs11
which encapsulates OpenSC in the PKCS#11 API, which allows OpenSC to be plugged
into any software supporting PKCS#11.

Unfortunately, OpenSSL does not support PKCS#11 (yet). OpenSSL has the engine
API only (like Windows has CryptoAPI). Therefore engine_pkcs11 exists, which
encapsulates PKCS#11 in the OpenSSL engine API.

> 4)      Is there anyway engine_pkcs11 is related to pkcs15-init?
>
PKCS#15 is a storage format for smart cards. While it provides more features
than PKCS#11 can do, it's still possible to use the majority of the features of
a PKCS#15 card via the PKCS#11 API. So OpenSC allows that.

-- Petr


Re: Relation between engine_pkcs11 and openssl

sarat
Hi Petr Pisar,

That was a great explanation, thank you very much.
From GitHub (https://github.com/OpenSC/engine_pkcs11) I cloned the project
onto my desktop, but I couldn't find any README file to start with.
Can you please help me by letting me know:
1) How to compile engine_pkcs11, and how can I link this to #pkcs11?

Regards,
Sarat G


Re: Relation between engine_pkcs11 and openssl

Petr Pisar
On Thu, Jan 01, 2015 at 05:16:55PM +0530, sarat wrote:
> From Github(https://github.com/OpenSC/engine_pkcs11) I cloned the project
> into my desktop, but I couldn't find any Readme file to start with.
> Can you please help me in letting know
> 1)How to compile engine_pkcs11

It uses an autotools-based build script. Run "autoreconf --install" to create
a configure script (or there is ./bootstrap, which does almost the same), then
run the script (probably as "./configure --disable-static --enable-shared
--disable-doc --prefix=/usr") and then run "make". The resulting file is
src/.libs/engine_pkcs11.so. You can run "make install" as root to install it
into your system.

Don't forget to install the OpenSSL and libp11 libraries and header files
first.

If your desktop is a sane Linux distribution, I'm pretty sure you can read
instructions on which dependencies are needed and how to build the code in your
distribution's engine_pkcs11 source package.

> and how can I link this to #pkcs11?
>
To configure OpenSSL to know about the engine and to make engine_pkcs11 use the
OpenSC PKCS#11 module, add something like this to your global OpenSSL
configuration file (/etc/ssl/openssl.cnf probably):

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib/engines/engine_pkcs11.so
MODULE_PATH = /usr/lib/opensc-pkcs11.so
init = 0

The dynamic_path value is the engine_pkcs11 plug-in, the MODULE_PATH value is
the OpenSC PKCS#11 plug-in. The engine_id value is an arbitrary identifier by
which OpenSSL applications select the engine.

-- Petr


Re: Relation between engine_pkcs11 and openssl

David Woodhouse
On Thu, 2015-01-01 at 14:43 +0100, Petr Pisar wrote:

> On Thu, Jan 01, 2015 at 05:16:55PM +0530, sarat wrote:
> > From Github(https://github.com/OpenSC/engine_pkcs11) I cloned the project
> > into my desktop, but I couldn't find any Readme file to start with.
> > Can you please help me in letting know
> > 1)How to compile engine_pkcs11
>
> It uses autotools-based build script. Run "autoreconf --install" to create
> a configure script (or there is ./bootstrap which does almost the same), then
> run the script (probably as "./configure --disable-static --enable-shared
> --disable-doc --prefix=/usr") and then run the "make". The resulting file is
> src/.libs/engine_pkcs11.so. You can run "make install" as root to install it
> into your system.
>
> Don't forget to install OpenSSL and libp11 librariaries and header files
> before.
>
> If your desktop is a sane Linux distribution, I'm pretty sure you can read
> instruction which dependencies are needed and how to build the code in your
> distribution's engine_pkcs11 source package.
Sarat, it would be useful to know precisely what you're trying to do.

If your desktop is a sane Linux distribution, and you install the
prepackaged version of OpenSC (and it supports your device), your token
should automatically show up in various well-behaved applications.

It might be worth ensuring that much is working, before you try anything
more complicated like actually *using* it. And anything involving
OpenSSL is *definitely* in the "more complicated" category for now.

I'd start with just installing OpenSC and running
'p11-kit list-modules' or 'p11tool --list-tokens' to see if your device
shows up at all. You can set OPENSC_DEBUG=9 to get debug output from
OpenSC while it tries.

--
dwmw2
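Putting Petr's configuration snippet and David's sanity checks together, here is an added shell script; it is my own example and not code from this thread, from OpenSC or from the engine_pkcs11 project. It writes the engine section Petr gave into a file, refuses that file when either shared object is missing or is writable by anyone but its owner (OpenSSL will dlopen both paths into every process that reads the config, so a writable module means arbitrary code in every such process), and then runs the "p11-kit list-modules" / "p11tool --list-tokens" and "openssl engine -t" probes when those tools are installed. The script name check_engine_pkcs11.sh and the two .so locations are assumptions; pass your distribution's real paths.

```shell
#!/bin/sh
# Added example, not code from the thread or from the engine_pkcs11 project.
# It writes the engine section Petr showed, checks it before OpenSSL is pointed
# at it, and then runs the probes David suggested if the tools exist.
# Default paths are assumptions for one Linux layout; pass your own.

set -u

# write_engine_conf OUTFILE ENGINE_SO MODULE_SO
# Writes the two sections into OUTFILE. dynamic_path is the engine_pkcs11
# plug-in, MODULE_PATH is the PKCS#11 module it gateways to, engine_id is the
# name applications pass to "openssl engine" or ENGINE_by_id().
write_engine_conf() {
    out=$1; engine_so=$2; module_so=$3
    cat > "$out" <<EOF
[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = $engine_so
MODULE_PATH = $module_so
init = 0
EOF
}

# conf_value FILE KEY: print the value of the first "KEY = value" line.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# check_engine_conf FILE: succeed only when both shared objects named in FILE
# exist as regular files and are not writable by group or others. OpenSSL will
# dlopen both, so whoever can replace either file gets code execution in every
# process that loads the engine (every "openssl" run with this config).
check_engine_conf() {
    conf=$1
    status=0
    for key in dynamic_path MODULE_PATH; do
        path=$(conf_value "$conf" "$key")
        if [ -z "$path" ]; then
            echo "$key: not set in $conf" >&2; status=1; continue
        fi
        if [ ! -f "$path" ]; then
            echo "$key: $path does not exist" >&2; status=1; continue
        fi
        # "ls -l" mode string, e.g. -rw-r--r--: column 6 is the group write
        # bit, column 9 the world write bit.
        mode=$(ls -ld "$path" | cut -c1-10)
        case $mode in
            ?????w????|????????w?)
                echo "$key: $path is group- or world-writable ($mode)" >&2
                status=1 ;;
        esac
    done
    return $status
}

# probe_token: the checks from David's reply, run with whichever tool is
# installed. OPENSC_DEBUG=9 makes OpenSC log what it tried if no token shows up.
probe_token() {
    if command -v p11-kit >/dev/null 2>&1; then
        OPENSC_DEBUG=9 p11-kit list-modules
    elif command -v p11tool >/dev/null 2>&1; then
        OPENSC_DEBUG=9 p11tool --list-tokens
    else
        echo "neither p11-kit nor p11tool found; skipping token probe" >&2
    fi
}

# probe_engine CONF: ask OpenSSL itself whether the engine loads from CONF.
# "-t" tests availability, "-c" lists the capabilities the engine claims.
probe_engine() {
    if command -v openssl >/dev/null 2>&1; then
        OPENSSL_CONF=$1 openssl engine -t -c pkcs11
    else
        echo "openssl not found; skipping engine probe" >&2
    fi
}

main() {
    conf=${1:-/etc/ssl/openssl.cnf}
    check_engine_conf "$conf" || return 1
    probe_token
    probe_engine "$conf"
}

# Usage: sh check_engine_pkcs11.sh /etc/ssl/openssl.cnf   (script name is made up)
if [ $# -ge 1 ]; then main "$1"; fi
```

Where the engine and the OpenSC module actually live varies by distribution and OpenSSL version; "openssl version -e" prints the ENGINESDIR that OpenSSL searches, and the distribution's libp11/engine_pkcs11 and opensc packages tell you where they put the .so files. A non-zero exit from the script means the configuration should not be handed to OpenSSL yet; once it passes, the "openssl engine -t -c pkcs11" line printing "[ available ]" is the confirmation that the gateway Petr described is in place.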


Re: Relation between engine_pkcs11 and openssl

Ludovic Rousseau
In reply to this post by Petr Pisar
2015-01-01 14:43 GMT+01:00 Petr Pisar <[hidden email]>:

> On Thu, Jan 01, 2015 at 05:16:55PM +0530, sarat wrote:
>> From Github(https://github.com/OpenSC/engine_pkcs11) I cloned the project
>> into my desktop, but I couldn't find any Readme file to start with.
>> Can you please help me in letting know
>> 1)How to compile engine_pkcs11
>
> It uses autotools-based build script. Run "autoreconf --install" to create
> a configure script (or there is ./bootstrap which does almost the same), then
> run the script (probably as "./configure --disable-static --enable-shared
> --disable-doc --prefix=/usr") and then run the "make". The resulting file is
> src/.libs/engine_pkcs11.so. You can run "make install" as root to install it
> into your system.
>
> Don't forget to install OpenSSL and libp11 librariaries and header files
> before.
>
> If your desktop is a sane Linux distribution, I'm pretty sure you can read
> instruction which dependencies are needed and how to build the code in your
> distribution's engine_pkcs11 source package.
>
>> and how can I link this to #pkcs11?
>>
> To configure OpenSSL to know about the engine and to use OpenSC PKCS#11 module
> by the engine_pkcs11, you add something like this into your global OpenSSL
> configuration file (/etc/ssl/openssl.cnf probably):
>
> [engine_section]
> pkcs11 = pkcs11_section
>
> [pkcs11_section]
> engine_id = pkcs11
> dynamic_path = /usr/lib/engines/engine_pkcs11.so
> MODULE_PATH = /usr/lib/opensc-pkcs11.so
> init = 0
>
> The dynamic_path value is the engine_pkcs11 plug-in, the MODULE_PATH value is
> the OpenSC PKCS#11 plug-in. The engine_id value is an arbitrary identifier for
> OpenSSL applications to select the engine by the identifier.

Petr, thanks a lot for your 2 emails.

I copy-pasted them into a new README.md file, so the GitHub project now
has some documentation:
https://github.com/OpenSC/engine_pkcs11

Feel free to add to it or correct it.

The OpenSC project provides a wiki page
https://github.com/OpenSC/engine_pkcs11/wiki that is mostly empty.

Bye

--
 Dr. Ludovic Rousseau


Re: Relation between engine_pkcs11 and openssl

David Woodhouse
On Thu, 2015-01-01 at 16:13 +0100, Ludovic Rousseau wrote:
>
> I copy-paste them in a new README.md file so the github project now
> has some documentation
> https://github.com/OpenSC/engine_pkcs11
>
> Feel free to add/correct it.

I'd love to delete it and make everything Just Work™. If you could pull
from https://github.com/OpenSC/engine_pkcs11/pull/9 then we can make
significant steps towards that goal.

For example, patches have just been merged into wpa_supplicant¹ which
take away all the special engine configuration magic and turn it into
simply "put a PKCS#11 URI into the client_cert and/or private_key
fields".

--
David Woodhouse                            Open Source Technology Centre
[hidden email]                              Intel Corporation

¹ http://w1.fi/cgit/hostap/commit/?id=a642a52b17 and parent commits.


Re: Relation between engine_pkcs11 and openssl

Ludovic Rousseau
2015-01-01 16:38 GMT+01:00 David Woodhouse <[hidden email]>:

> On Thu, 2015-01-01 at 16:13 +0100, Ludovic Rousseau wrote:
>>
>> I copy-paste them in a new README.md file so the github project now
>> has some documentation
>> https://github.com/OpenSC/engine_pkcs11
>>
>> Feel free to add/correct it.
>
> I'd love to delete it and make everything Just Work™. If you could pull
> from https://github.com/OpenSC/engine_pkcs11/pull/9 then we can make
> significant steps towards that goal.

I do not maintain or even use engine_pkcs11. So I prefer not to touch
the source code myself.

> For example, patches have just been merged into wpa_supplicant¹ which
> take away all the special engine configuration magic and turn it into
> simply "put a PKCS#11 URI into the client_cert and/or private_key
> fields".

engine_pkcs11 has 4 pull requests waiting [1]. At least 3 look
correct and have got no comments.
Maybe engine_pkcs11 needs a new active maintainer? Any volunteer? David?

Bye

[1] https://github.com/OpenSC/engine_pkcs11/pulls

--
 Dr. Ludovic Rousseau


Re: Relation between engine_pkcs11 and openssl

David Woodhouse
On Thu, 2015-01-01 at 18:25 +0100, Ludovic Rousseau wrote:
>
> engine_pkcs11 has 4 pull requests waiting [1]. At least 3 looks
> correct and got no comment.
> Maybe engine_pkcs11 needs an new active maintainer? Any volunteer?
> David?

Yeah, why not.

--
David Woodhouse                            Open Source Technology Centre
[hidden email]                              Intel Corporation


Re: Relation between engine_pkcs11 and openssl

sarat
In reply to this post by Petr Pisar
Hi Petr Pisar,
I followed the same steps as you mentioned, but my engine_pkcs11 is still
not up. Please find the logs below. I have attached the same; please let me know
if more info is needed.
root@nilotpal:~/libp11-0.2.8# ./bootstrap
+ test -f Makefile
+ make distclean
Making distclean in src
make[1]: Entering directory `/home/sarat/libp11-0.2.8/src'
test -z "libp11.pc" || rm -f libp11.pc
test -z "libp11.la" || rm -f libp11.la
rm -f ./so_locations
rm -rf .libs _libs
rm -f *.o
rm -f *.lo
rm -f *.tab.c
test -z "libp11.pc versioninfo.rc" || rm -f libp11.pc versioninfo.rc
test . = "." || test -z "" || rm -f
rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
rm -rf ./.deps
rm -f Makefile
make[1]: Leaving directory `/home/sarat/libp11-0.2.8/src'
Making distclean in doc
make[1]: Entering directory `/home/sarat/libp11-0.2.8/doc'
Making distclean in nonpersistent
make[2]: Entering directory `/home/sarat/libp11-0.2.8/doc/nonpersistent'
rm -rf .libs _libs
rm -f *.lo
test -z "" || rm -f
test . = "." || test -z "" || rm -f
rm -rf wiki.tmp
if test -L wiki.out; then \
                rm -fr wiki.out; \
        fi
rm -fr ChangeLog.tmp
if test -L ChangeLog; then \
                rm -fr ChangeLog; \
        fi
rm -f Makefile
make[2]: Leaving directory `/home/sarat/libp11-0.2.8/doc/nonpersistent'
make[2]: Entering directory `/home/sarat/libp11-0.2.8/doc'
rm -rf .libs _libs
rm -fr api.out
rm -f *.lo
test -z "doxygen.conf" || rm -f doxygen.conf
test . = "." || test -z "" || rm -f
rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
make[2]: Leaving directory `/home/sarat/libp11-0.2.8/doc'
rm -f Makefile
make[1]: Leaving directory `/home/sarat/libp11-0.2.8/doc'
make[1]: Entering directory `/home/sarat/libp11-0.2.8'
rm -rf .libs _libs
rm -f *.lo
test -z "" || rm -f
test . = "." || test -z "" || rm -f
rm -f config.h stamp-h1
rm -f libtool config.lt
rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
rm -f cscope.out cscope.in.out cscope.po.out cscope.files
make[1]: Leaving directory `/home/sarat/libp11-0.2.8'
rm -f config.status config.cache config.log configure.lineno
config.status.lineno
rm -f Makefile
+ rm -rf config.h.in~ autom4te.cache aclocal.m4 config.guess config.log
config.status config.sub depcomp ltmain.sh
+ autoreconf --verbose --install --force
autoreconf: Entering directory `.'
autoreconf: configure.ac: not using Gettext
autoreconf: running: aclocal --force -I m4
autoreconf: configure.ac: tracing
autoreconf: running: libtoolize --copy --force
libtoolize: putting auxiliary files in AC_CONFIG_AUX_DIR, `.'.
libtoolize: copying file `./ltmain.sh'
libtoolize: putting macros in AC_CONFIG_MACRO_DIR, `m4'.
libtoolize: copying file `m4/libtool.m4'
libtoolize: copying file `m4/ltoptions.m4'
libtoolize: copying file `m4/ltsugar.m4'
libtoolize: copying file `m4/ltversion.m4'
libtoolize: copying file `m4/lt~obsolete.m4'
autoreconf: running: /usr/bin/autoconf --force
autoreconf: running: /usr/bin/autoheader --force
autoreconf: running: automake --add-missing --copy --force-missing
configure.ac:14: warning: AM_INIT_AUTOMAKE: two- and three-arguments forms
are deprecated.  For more info, see:
configure.ac:14:
http://www.gnu.org/software/automake/manual/automake.html#Modernize-AM_005fI
NIT_005fAUTOMAKE-invocation
configure.ac:31: installing './config.guess'
configure.ac:31: installing './config.sub'
src/Makefile.am: installing './depcomp'
autoreconf: Leaving directory `.'
root@nilotpal:~/libp11-0.2.8# ./configure
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /bin/mkdir -p
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
checking whether make supports nested variables... yes
checking build system type... i686-pc-linux-gnu
checking host system type... i686-pc-linux-gnu
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking whether gcc understands -c and -o together... yes
checking for style of include used by make... GNU
checking dependency style of gcc... gcc3
checking for pkg-config... /usr/bin/pkg-config
checking pkg-config is at least version 0.9.0... yes
checking how to run the C preprocessor... gcc -E
checking for grep that handles long lines and -e... /bin/grep
checking for egrep... /bin/grep -E
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking whether byte ordering is bigendian... no
checking svn checkout... no
checking how to run the C preprocessor... gcc -E
checking whether ln -s works... yes
checking for a sed that does not truncate output... /bin/sed
checking whether make sets $(MAKE)... (cached) yes
checking how to print strings... printf
checking for a sed that does not truncate output... (cached) /bin/sed
checking for fgrep... /bin/grep -F
checking for ld used by gcc... /usr/bin/ld
checking if the linker (/usr/bin/ld) is GNU ld... yes
checking for BSD- or MS-compatible name lister (nm)... /usr/bin/nm -B
checking the name lister (/usr/bin/nm -B) interface... BSD nm
checking the maximum length of command line arguments... 1572864
checking whether the shell understands some XSI constructs... yes
checking whether the shell understands "+="... yes
checking how to convert i686-pc-linux-gnu file names to i686-pc-linux-gnu
format... func_convert_file_noop
checking how to convert i686-pc-linux-gnu file names to toolchain format...
func_convert_file_noop
checking for /usr/bin/ld option to reload object files... -r
checking for objdump... objdump
checking how to recognize dependent libraries... pass_all
checking for dlltool... no
checking how to associate runtime and link libraries... printf %s\n
checking for ar... ar
checking for archiver @FILE support... @
checking for strip... strip
checking for ranlib... ranlib
checking command to parse /usr/bin/nm -B output from gcc object... ok
checking for sysroot... no
checking for mt... mt
checking if mt is a manifest tool... no
checking for dlfcn.h... yes
checking for objdir... .libs
checking if gcc supports -fno-rtti -fno-exceptions... no
checking for gcc option to produce PIC... -fPIC -DPIC
checking if gcc PIC flag -fPIC -DPIC works... yes
checking if gcc static flag -static works... yes
checking if gcc supports -c -o file.o... yes
checking if gcc supports -c -o file.o... (cached) yes
checking whether the gcc linker (/usr/bin/ld) supports shared libraries...
yes
checking whether -lc should be explicitly linked in... no
checking dynamic linker characteristics... GNU/Linux ld.so
checking how to hardcode library paths into programs... immediate
checking whether stripping libraries is possible... yes
checking if libtool supports shared libraries... yes
checking whether to build shared libraries... yes
checking whether to build static libraries... yes
checking for windres... no
checking for ANSI C header files... (cached) yes
checking for sys/wait.h that is POSIX.1 compatible... yes
checking errno.h usability... yes
checking errno.h presence... yes
checking for errno.h... yes
checking fcntl.h usability... yes
checking fcntl.h presence... yes
checking for fcntl.h... yes
checking malloc.h usability... yes
checking malloc.h presence... yes
checking for malloc.h... yes
checking for stdlib.h... (cached) yes
checking for inttypes.h... (cached) yes
checking for string.h... (cached) yes
checking for strings.h... (cached) yes
checking sys/time.h usability... yes
checking sys/time.h presence... yes
checking for sys/time.h... yes
checking for unistd.h... (cached) yes
checking locale.h usability... yes
checking locale.h presence... yes
checking for locale.h... yes
checking getopt.h usability... yes
checking getopt.h presence... yes
checking for getopt.h... yes
checking for dlfcn.h... (cached) yes
checking utmp.h usability... yes
checking utmp.h presence... yes
checking for utmp.h... yes
checking for doxygen... no
checking for xsltproc... xsltproc
checking for svn... no
checking for wget... wget
checking for tr... tr
checking for lt_dlopen in -lltdl... yes
checking ltdl.h usability... yes
checking ltdl.h presence... yes
checking for ltdl.h... yes
checking for OPENSSL... yes
checking that generated files are newer than configure... done
configure: creating ./config.status
config.status: creating Makefile
config.status: creating src/Makefile
config.status: creating src/libp11.pc
config.status: creating src/versioninfo.rc
config.status: creating doc/Makefile
config.status: creating doc/doxygen.conf
config.status: creating doc/nonpersistent/Makefile
config.status: creating config.h
config.status: executing depfiles commands
config.status: executing libtool commands

libp11 has been configured with the following options:


Version:                 0.2.8
Libraries:               /usr/local/lib

doc support:             no
api doc support:         no

Host:                    i686-pc-linux-gnu
Compiler:                gcc
Preprocessor flags:
Compiler flags:          -g -O2
Linker flags:
Libraries:

LTLIB_CFLAGS:
LTLIB_LIBS:              -lltdl
OPENSSL_CFLAGS:
OPENSSL_LIBS:            -lcrypto

root@nilotpal:~/libp11-0.2.8#



root@nilotpal:~/projects/engine_pkcs11# ./bootstrap
+ test -f Makefile
+ make distclean
Making distclean in src
make[1]: Entering directory `/home/sarat/projects/engine_pkcs11/src'
test -z "engine_pkcs11.la" || rm -f engine_pkcs11.la
rm -f ./so_locations
rm -rf .libs _libs
rm -f *.o
rm -f *.lo
rm -f *.tab.c
test -z "versioninfo.rc" || rm -f versioninfo.rc
test . = "." || test -z "" || rm -f
rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
rm -rf ./.deps
rm -f Makefile
make[1]: Leaving directory `/home/sarat/projects/engine_pkcs11/src'
make[1]: Entering directory `/home/sarat/projects/engine_pkcs11'
rm -rf .libs _libs
rm -f *.lo
test -z "" || rm -f
test . = "." || test -z "" || rm -f
rm -f config.h stamp-h1
rm -f libtool config.lt
rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
rm -f cscope.out cscope.in.out cscope.po.out cscope.files
make[1]: Leaving directory `/home/sarat/projects/engine_pkcs11'
rm -f config.status config.cache config.log configure.lineno
config.status.lineno
rm -f Makefile
+ rm -rf config.h.in~ autom4te.cache aclocal.m4 config.guess config.log
config.status config.sub depcomp ltmain.sh
+ autoreconf --verbose --install --force
autoreconf: Entering directory `.'
autoreconf: configure.ac: not using Gettext
autoreconf: running: aclocal --force -I m4
autoreconf: configure.ac: tracing
autoreconf: running: libtoolize --copy --force
libtoolize: putting auxiliary files in AC_CONFIG_AUX_DIR, `.'.
libtoolize: copying file `./ltmain.sh'
libtoolize: putting macros in AC_CONFIG_MACRO_DIR, `m4'.
libtoolize: copying file `m4/libtool.m4'
libtoolize: copying file `m4/ltoptions.m4'
libtoolize: copying file `m4/ltsugar.m4'
libtoolize: copying file `m4/ltversion.m4'
libtoolize: copying file `m4/lt~obsolete.m4'
autoreconf: running: /usr/bin/autoconf --force
autoreconf: running: /usr/bin/autoheader --force
autoreconf: running: automake --add-missing --copy --force-missing
configure.ac:21: installing './config.guess'
configure.ac:21: installing './config.sub'
src/Makefile.am: installing './depcomp'
autoreconf: Leaving directory `.'
root@nilotpal:~/projects/engine_pkcs11# ./configure --disable-static
--enable-shared --prefix=/usr
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /bin/mkdir -p
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
checking whether make supports nested variables... yes
checking build system type... i686-pc-linux-gnu
checking host system type... i686-pc-linux-gnu
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking whether gcc understands -c and -o together... yes
checking for style of include used by make... GNU
checking dependency style of gcc... gcc3
checking for pkg-config... /usr/bin/pkg-config
checking pkg-config is at least version 0.9.0... yes
checking how to run the C preprocessor... gcc -E
checking for grep that handles long lines and -e... /bin/grep
checking for egrep... /bin/grep -E
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking whether byte ordering is bigendian... no
checking how to run the C preprocessor... gcc -E
checking whether ln -s works... yes
checking for a sed that does not truncate output... /bin/sed
checking whether make sets $(MAKE)... (cached) yes
checking how to print strings... printf
checking for a sed that does not truncate output... (cached) /bin/sed
checking for fgrep... /bin/grep -F
checking for ld used by gcc... /usr/bin/ld
checking if the linker (/usr/bin/ld) is GNU ld... yes
checking for BSD- or MS-compatible name lister (nm)... /usr/bin/nm -B
checking the name lister (/usr/bin/nm -B) interface... BSD nm
checking the maximum length of command line arguments... 1572864
checking whether the shell understands some XSI constructs... yes
checking whether the shell understands "+="... yes
checking how to convert i686-pc-linux-gnu file names to i686-pc-linux-gnu
format... func_convert_file_noop
checking how to convert i686-pc-linux-gnu file names to toolchain format...
func_convert_file_noop
checking for /usr/bin/ld option to reload object files... -r
checking for objdump... objdump
checking how to recognize dependent libraries... pass_all
checking for dlltool... no
checking how to associate runtime and link libraries... printf %s\n
checking for ar... ar
checking for archiver @FILE support... @
checking for strip... strip
checking for ranlib... ranlib
checking command to parse /usr/bin/nm -B output from gcc object... ok
checking for sysroot... no
checking for mt... mt
checking if mt is a manifest tool... no
checking for dlfcn.h... yes
checking for objdir... .libs
checking if gcc supports -fno-rtti -fno-exceptions... no
checking for gcc option to produce PIC... -fPIC -DPIC
checking if gcc PIC flag -fPIC -DPIC works... yes
checking if gcc static flag -static works... yes
checking if gcc supports -c -o file.o... yes
checking if gcc supports -c -o file.o... (cached) yes
checking whether the gcc linker (/usr/bin/ld) supports shared libraries...
yes
checking whether -lc should be explicitly linked in... no
checking dynamic linker characteristics... GNU/Linux ld.so
checking how to hardcode library paths into programs... immediate
checking whether stripping libraries is possible... yes
checking if libtool supports shared libraries... yes
checking whether to build shared libraries... yes
checking whether to build static libraries... no
checking for windres... no
checking for ANSI C header files... (cached) yes
checking for sys/wait.h that is POSIX.1 compatible... yes
checking errno.h usability... yes
checking errno.h presence... yes
checking for errno.h... yes
checking fcntl.h usability... yes
checking fcntl.h presence... yes
checking for fcntl.h... yes
checking malloc.h usability... yes
checking malloc.h presence... yes
checking for malloc.h... yes
checking for stdlib.h... (cached) yes
checking for inttypes.h... (cached) yes
checking for string.h... (cached) yes
checking for strings.h... (cached) yes
checking sys/time.h usability... yes
checking sys/time.h presence... yes
checking for sys/time.h... yes
checking for unistd.h... (cached) yes
checking locale.h usability... yes
checking locale.h presence... yes
checking for locale.h... yes
checking getopt.h usability... yes
checking getopt.h presence... yes
checking for getopt.h... yes
checking for dlfcn.h... (cached) yes
checking utmp.h usability... yes
checking utmp.h presence... yes
checking for utmp.h... yes
checking for LIBP11... yes
checking for OPENSSL... yes
checking for openssl version... good, 0.9.7d or later
checking that generated files are newer than configure... done
configure: creating ./config.status
config.status: creating Makefile
config.status: creating src/Makefile
config.status: creating src/versioninfo.rc
config.status: creating config.h
config.status: executing depfiles commands
config.status: executing libtool commands

engine_pkcs11 has been configured with the following options:


Version:                 0.1.9_git
Libraries:               /usr/lib

Host:                    i686-pc-linux-gnu
Compiler:                gcc
Preprocessor flags:
Compiler flags:          -g -O2
Linker flags:
Libraries:

enginesdir               $(libdir)/engines

LIBP11_CFLAGS:           -I/usr/local/include
LIBP11_LIBS:             -L/usr/local/lib -lp11
OPENSSL_CFLAGS:
OPENSSL_LIBS:            -lcrypto
OPENSSL_EXTRA_LDFLAGS:
ENGINE_LINK:

root@nilotpal:~/projects/engine_pkcs11#


I added the below lines at the end of /etc/ss/openssl.cnf
######################################################################
openssl_conf            = openssl_def


[openssl_def]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib/engines/engine_pkcs11.so
MODULE_PATH = /usr/lib/opensc-pkcs11.so
init = 0

[req]
distinguished_name = req_distinguished_name

[req_distinguished_name]

After that when I ran the below commands:
root@nilotpal:~/projects/engine_pkcs11# openssl
OpenSSL> engine
(dynamic) Dynamic engine loading support
OpenSSL>

I did everything exactly as it is in the manual, but still I'm not
getting engine_pkcs11 up and running.
Can you please help me in resolving this?

Regards,
Sarat G

-----Original Message-----
From: Petr Pisar [mailto:[hidden email]]
Sent: Thursday, January 01, 2015 7:13 PM
To: [hidden email]
Subject: Re: [Opensc-devel] Relation between engine_pkcs11 and openssl

On Thu, Jan 01, 2015 at 05:16:55PM +0530, sarat wrote:
> From Github(https://github.com/OpenSC/engine_pkcs11) I cloned the
> project into my desktop, but I couldn't find any Readme file to start
with.
> Can you please help me in letting know 1)How to compile engine_pkcs11

It uses an autotools-based build script. Run "autoreconf --install" to create a
configure script (or there is ./bootstrap which does almost the same), then
run the script (probably as "./configure --disable-static --enable-shared
--disable-doc --prefix=/usr") and then run "make". The resulting file is
src/.libs/engine_pkcs11.so. You can run "make install" as root to install it
into your system.

Don't forget to install the OpenSSL and libp11 libraries and header files
before.

If your desktop is a sane Linux distribution, I'm pretty sure you can read the
instructions on which dependencies are needed and how to build the code in your
distribution's engine_pkcs11 source package.

> and how can I link this to #pkcs11?
>
To configure OpenSSL to know about the engine and to use OpenSC PKCS#11
module by the engine_pkcs11, you add something like this into your global
OpenSSL configuration file (/etc/ssl/openssl.cnf probably):

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib/engines/engine_pkcs11.so
MODULE_PATH = /usr/lib/opensc-pkcs11.so
init = 0

The dynamic_path value is the engine_pkcs11 plug-in, the MODULE_PATH value
is the OpenSC PKCS#11 plug-in. The engine_id value is an arbitrary
identifier for OpenSSL applications to select the engine by the identifier.

-- Petr

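Added example, not code from the thread, engine_pkcs11 or OpenSSL: a POSIX sh checker for the openssl.cnf chain Petr describes (openssl_conf -> engines -> pkcs11 -> dynamic_path/MODULE_PATH). It also flags the layout Sarat reports, where the block is appended to the end of the file so that openssl_conf ends up inside the last named section rather than in the default section OpenSSL reads, which leaves `openssl engine` listing only "(dynamic)". The sample configs and the .so stand-in paths are constructed; the key name "pkcs11" inside the engines section is the one used in the thread's config.

```shell
#!/bin/sh
# Added example (not from the thread): validate an openssl.cnf engine section
# before asking `openssl engine` why the pkcs11 engine is missing.
# Assumes POSIX sh and awk.

# cnf_get CONF SECTION KEY : print KEY's value from [SECTION] ("" = default section)
cnf_get() {
    awk -v want="$2" -v key="$3" '
        /^[ \t]*\[/ { s = $0
                      sub(/^[ \t]*\[[ \t]*/, "", s); sub(/[ \t]*\].*$/, "", s)
                      cur = s; next }
        /^[ \t]*(#|$)/ { next }                     # comments and blank lines
        cur == want {
            n = index($0, "="); if (n == 0) next
            k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# check_engine_cnf CONF : 0 if the engine chain is complete and its files exist,
# otherwise 1 with one line per problem on stdout.
check_engine_cnf() {
    conf=$1; rc=0
    def=$(cnf_get "$conf" "" openssl_conf)
    if [ -z "$def" ]; then
        # A line placed after the first [section] header is not in the default section.
        if grep -q '^[[:space:]]*openssl_conf[[:space:]]*=' "$conf"; then
            echo "openssl_conf is set inside a named section; move it above the first [section] header"
        else
            echo "openssl_conf is missing from the default section"
        fi
        return 1
    fi
    engines=$(cnf_get "$conf" "$def" engines)
    [ -n "$engines" ] || { echo "[$def] has no 'engines' key"; return 1; }
    esec=$(cnf_get "$conf" "$engines" pkcs11)
    [ -n "$esec" ] || { echo "[$engines] has no 'pkcs11' key"; return 1; }
    for key in engine_id dynamic_path MODULE_PATH; do
        val=$(cnf_get "$conf" "$esec" "$key")
        if [ -z "$val" ]; then
            echo "[$esec] has no '$key' key"; rc=1
        elif [ "$key" != engine_id ] && [ ! -f "$val" ]; then
            echo "$key points to a file that does not exist: $val"; rc=1
        fi
    done
    return $rc
}

# Constructed sample files for the demo; empty files stand in for the real .so paths.
WORK=$(mktemp -d)
ENGINE_SO=$WORK/engine_pkcs11.so; MODULE_SO=$WORK/opensc-pkcs11.so
: > "$ENGINE_SO"; : > "$MODULE_SO"

# Good layout: openssl_conf comes first, before any section header.
GOOD_CNF=$WORK/good.cnf
cat > "$GOOD_CNF" <<EOF
openssl_conf = openssl_def

[openssl_def]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = $ENGINE_SO
MODULE_PATH = $MODULE_SO
init = 0
EOF

# Layout from the thread: the same block appended after existing sections,
# so openssl_conf lands inside the last [section] of the file.
BAD_CNF=$WORK/bad.cnf
{ printf '[req]\ndistinguished_name = req_distinguished_name\n[req_distinguished_name]\n'
  cat "$GOOD_CNF"; } > "$BAD_CNF"

for f in "$GOOD_CNF" "$BAD_CNF"; do
    if out=$(check_engine_cnf "$f"); then echo "$f: OK"; else echo "$f:"; echo "$out"; fi
done
```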


Re: Relation between engine_pkcs11 and openssl

sarat
In reply to this post by sarat

Hi David,

I'm working on a smartcard authentication implementation for printers. I did a master's in Information Security, I'm very well aware of cryptographic algorithms, and I'm interested in getting involved in this smartcard authentication project.

Regards,

Sarat G

------- Original Message -------

Sender : David Woodhouse<[hidden email]>

Date : Jan 01, 2015 23:25 (GMT+09:00)

Title : Re: [Opensc-devel] Relation between engine_pkcs11 and openssl



On Thu, 2015-01-01 at 14:43 +0100, Petr Pisar wrote:

> On Thu, Jan 01, 2015 at 05:16:55PM +0530, sarat wrote:
> > From Github(https://github.com/OpenSC/engine_pkcs11) I cloned the project
> > into my desktop, but I couldn't find any Readme file to start with.
> > Can you please help me in letting know
> > 1)How to compile engine_pkcs11
>
> It uses autotools-based build script. Run "autoreconf --install" to create
> a configure script (or there is ./bootstrap which does almost the same), then
> run the script (probably as "./configure --disable-static --enable-shared
> --disable-doc --prefix=/usr") and then run the "make". The resulting file is
> src/.libs/engine_pkcs11.so. You can run "make install" as root to install it
> into your system.
>
> Don't forget to install the OpenSSL and libp11 libraries and header files
> before.
>
> If your desktop is a sane Linux distribution, I'm pretty sure you can read
> instruction which dependencies are needed and how to build the code in your
> distribution's engine_pkcs11 source package.

Sarat, it would be useful to know precisely what you're trying to do.

If your desktop is a sane Linux distribution, and you install the
prepackaged version of OpenSC (and it supports your device), your token
should automatically show up in various well-behaved applications.

It might be worth ensuring that much is working, before you try anything
more complicated like actually *using* it. And anything involving
OpenSSL is *definitely* in the "more complicated" category for now.

I'd start with just installing OpenSC and running
'p11-kit list-modules' or 'p11tool --list-tokens' to see if your device
shows up at all. You can set OPENSC_DEBUG=9 to get debug output from
OpenSC while it tries.

--
dwmw2




Re: Relation between engine_pkcs11 and openssl

Douglas E Engert
In reply to this post by sarat


On 1/1/2015 10:45 PM, sarat wrote:
> Hi Petr Pisar,
> I followed the same steps as you mentioned, but still my engine_pkcs11 is
> not up. Please find the below logs. I attached the same, please let me know
> if more info is needed.

If you are going to build the engine from the git master on github, you will need to build
libp11 from the git source on github first and install it.


Pick a location where you want these programs, libraries and header files to be installed.
This is then used as --prefix=/usr/local in all the configure commands.
Use /usr/local or some other location, but not /usr while you are testing, as an install into /usr
will overwrite the system versions.



> root@nilotpal:~/libp11-0.2.8# ./bootstrap

You will need to add to configure at least:
  --prefix=/usr/local


> root@nilotpal:~/libp11-0.2.8# ./configure

You need to do:
make
make install

Then look at /usr/include/lib to see if libp11.so is there.
Use ldd and nm to look at it.




For the engine, I assume based on your previous messages that this is the git source.

>
> root@nilotpal:~/projects/engine_pkcs11# ./bootstrap
> root@nilotpal:~/projects/engine_pkcs11# ./configure --disable-static
> --enable-shared --prefix=/usr

Be careful, setting --prefix=/usr will overwrite the system version when you do make install.
You should try with /usr/local. See above comments.


You need to do:
make
make install

/usr/local/lib/engine should have the engine after the install
Use ldd and nm to look at it to see what libs it is going to use.


> root@nilotpal:~/projects/engine_pkcs11#
>
>
> I added the below lines at the end of /etc/ss/openssl.cnf
> ######################################################################
> openssl_conf            = openssl_def
>
>
> [openssl_def]
> engines = engine_section
>
> [engine_section]
> pkcs11 = pkcs11_section
>
> [pkcs11_section]
> engine_id = pkcs11
> dynamic_path = /usr/lib/engines/engine_pkcs11.so

Again you are mixing /usr and /usr/local.

> MODULE_PATH = /usr/lib/opensc-pkcs11.so

If you were to build opensc into /usr/local, you would need to change the above.

Also see the command line version of these parameters I sent you in a private note.


> init = 0
>
> [req]
> distinguished_name = req_distinguished_name
>
> [req_distinguished_name]
>
> After that when I ran the below commands:
> root@nilotpal:~/projects/engine_pkcs11# openssl
> OpenSSL> engine
> (dynamic) Dynamic engine loading support
> OpenSSL>
>
> I have done everything exactly as in the manual, but still I'm not
> getting engine_pkcs11 up and running.
> Can you please help me in resolving this.
>
> Regards,
> Sarat G
>
> -----Original Message-----
> From: Petr Pisar [mailto:[hidden email]]
> Sent: Thursday, January 01, 2015 7:13 PM
> To: [hidden email]
> Subject: Re: [Opensc-devel] Relation between engine_pkcs11 and openssl
>
> On Thu, Jan 01, 2015 at 05:16:55PM +0530, sarat wrote:
>> From Github (https://github.com/OpenSC/engine_pkcs11) I cloned the
>> project onto my desktop, but I couldn't find any Readme file to start
>> with.
>> Can you please help me by letting me know 1) How to compile engine_pkcs11
>
> It uses autotools-based build script. Run "autoreconf --install" to create a
> configure script (or there is ./bootstrap which does almost the same), then
> run the script (probably as "./configure --disable-static --enable-shared
> --disable-doc --prefix=/usr") and then run the "make". The resulting file is
> src/.libs/engine_pkcs11.so. You can run "make install" as root to install it
> into your system.
>
> Don't forget to install the OpenSSL and libp11 libraries and header files
> before.
>
> If your desktop is a sane Linux distribution, I'm pretty sure you can read
> instruction which dependencies are needed and how to build the code in your
> distribution's engine_pkcs11 source package.
>
>> and how can I link this to #pkcs11?
>>
> To configure OpenSSL to know about the engine and to use OpenSC PKCS#11
> module by the engine_pkcs11, you add something like this into your global
> OpenSSL configuration file (/etc/ssl/openssl.cnf probably):
>
> [engine_section]
> pkcs11 = pkcs11_section
>
> [pkcs11_section]
> engine_id = pkcs11
> dynamic_path = /usr/lib/engines/engine_pkcs11.so
> MODULE_PATH = /usr/lib/opensc-pkcs11.so
> init = 0
>
> The dynamic_path value is the engine_pkcs11 plug-in, the MODULE_PATH value
> is the OpenSC PKCS#11 plug-in. The engine_id value is an arbitrary
> identifier for OpenSSL applications to select the engine by the identifier.
>
> -- Petr

--

  Douglas E. Engert  <[hidden email]>



Re: Relation between engine_pkcs11 and openssl

Douglas E Engert
In reply to this post by sarat


On 1/1/2015 10:52 PM, Sarat Chandra Prasad Gingupalli wrote:
> Hi David,
>
> I'm working on smartcard authentication implementation to the printers.

Do you mean if a user walks up to a printer, and inserts the card?
Or if a user on some workstation wants to print over the network to a printer?

Smart cards are normally used with existing protocols, like TLS, PKINIT (Kerberos and AD)
or SSH, so the server does not do anything directly with the smart card and does not need OpenSC.

There is also Remote Desktop Protocol (Windows and some Linux versions or rdesktop) that can transmit pcsc packets
over the network, and the server would need to have OpenSC or similar code to access the smart card.


> I have done a master's in Information Security, I'm well aware of cryptographic algorithms and am interested in getting involved in this

> smartcard authentication project.
>
> Regards,
>
> Sarat G
>
> ------- *Original Message* -------
>
> *Sender* : David Woodhouse<[hidden email]>
>
> *Date* : Jan 01, 2015 23:25 (GMT+09:00)
>
> *Title* : Re: [Opensc-devel] Relation between engine_pkcs11 and openssl
>
>
> On Thu, 2015-01-01 at 14:43 +0100, Petr Pisar wrote:
>  > On Thu, Jan 01, 2015 at 05:16:55PM +0530, sarat wrote:
>  > > From Github(https://github.com/OpenSC/engine_pkcs11) I cloned the project
>  > > into my desktop, but I couldn't find any Readme file to start with.
>  > > Can you please help me in letting know
>  > > 1)How to compile engine_pkcs11
>  >
>  > It uses autotools-based build script. Run "autoreconf --install" to create
>  > a configure script (or there is ./bootstrap which does almost the same), then
>  > run the script (probably as "./configure --disable-static --enable-shared
>  > --disable-doc --prefix=/usr") and then run the "make". The resulting file is
>  > src/.libs/engine_pkcs11.so. You can run "make install" as root to install it
>  > into your system.
>  >
>  > Don't forget to install the OpenSSL and libp11 libraries and header files
>  > before.
>  >
>  > If your desktop is a sane Linux distribution, I'm pretty sure you can read
>  > instruction which dependencies are needed and how to build the code in your
>  > distribution's engine_pkcs11 source package.
>
> Sarat, it would be useful to know precisely what you're trying to do.
>
> If your desktop is a sane Linux distribution, and you install the
> prepackaged version of OpenSC (and it supports your device), your token
> should automatically show up in various well-behaved applications.
>
> It might be worth ensuring that much is working, before you try anything
> more complicated like actually *using* it. And anything involving
> OpenSSL is *definitely* in the "more complicated" category for now.
>
> I'd start with just installing OpenSC and running
> 'p11-kit list-modules' or 'p11tool --list-tokens' to see if your device
> shows up at all. You can set OPENSC_DEBUG=9 to get debug output from
> OpenSC while it tries.
>
> --
> dwmw2

--

  Douglas E. Engert  <[hidden email]>



Re: Relation between engine_pkcs11 and openssl

Sarat G
Hi Engert,
My aim is to prevent the leakage of information in organizations through the printer. In this case the user walks to the printer and, if he wants to print something, he must verify his identity, i.e.
1) When he inserts the card in the printer, it pops up for PIN verification.
2) Once the verification is successful, the certificates in the card are read and verified with an OCSP server (the precondition is that the printer must be on the network of the OCSP server for certificate verification to happen).

Regards,
Sarat G






Re: Relation between engine_pkcs11 and openssl

Petr Pisar
In reply to this post by sarat
On Fri, Jan 02, 2015 at 10:15:59AM +0530, sarat wrote:
> I followed the same steps as you mentioned, but still my engine_pkcs11 is
> not up. Please find the below logs. I attached the same, please let me know
> if more info is needed.
>
The logs look good.

> After that when I ran the below commands:
> root@nilotpal:~/projects/engine_pkcs11# openssl
> OpenSSL> engine
> (dynamic) Dynamic engine loading support
> OpenSSL>
>
> I have done everything exactly as in the manual, but still I'm not
> getting engine_pkcs11 up and running.
>
The openssl tool would complain if it could not load the engine_pkcs11.so.

First, I would recommend making sure the configuration is read at all. You
can use the "strace" tool to do that:

$ strace -e open -- openssl engine
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
open("/usr/lib64/libssl.so.1.0.0", O_RDONLY|O_CLOEXEC) = 3
open("/usr/lib64/libcrypto.so.1.0.0", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libdl.so.2", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libz.so.1", O_RDONLY|O_CLOEXEC) = 3
open("/etc/ssl/openssl.cnf", O_RDONLY)  = 3
open("/proc/meminfo", O_RDONLY|O_CLOEXEC) = 3
open("/usr/lib/engines/engine_pkcs11.so", O_RDONLY|O_CLOEXEC) = 3
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
open("/usr/lib64/libp11.so.2", O_RDONLY|O_CLOEXEC) = 3
open("/usr/lib64/libltdl.so.7", O_RDONLY|O_CLOEXEC) = 3
(rsax) RSAX engine support
(dynamic) Dynamic engine loading support
(pkcs11) pkcs11 engine
+++ exited with 0 +++

Here you can see the "/etc/ssl/openssl.cnf" file is opened successfully, and
then the "/usr/lib/engines/engine_pkcs11.so" engine is read.

You can also try to break the dynamic_path value to a nonexistent file to see
what the error looks like:

$ openssl engine
Error configuring OpenSSL
139933497808528:error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:dso_dlfcn.c:187:filename(/XXX/usr/lib/engines/engine_pkcs11.so): /XXX/usr/lib/engines/engine_pkcs11.so: cannot open shared object file: No such file or directory
139933497808528:error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:244:
139933497808528:error:260B6084:engine routines:DYNAMIC_LOAD:dso not found:eng_dyn.c:450:
139933497808528:error:260BC066:engine routines:INT_ENGINE_CONFIGURE:engine configuration error:eng_cnf.c:204:section=pkcs11_section, name=dynamic_path, value=/XXX/usr/lib/engines/engine_pkcs11.so
139933497808528:error:0E07606D:configuration file routines:MODULE_RUN:module initialization error:conf_mod.c:235:module=engines, value=engine_section, retcode=-1      

Here I prepended "/XXX" to the value, so the OpenSSL library could not load it.

Then, as others advised, make sure the libp11 library as well as all the other
needed ones are resolvable by the dynamic linker. E.g. on Linux with glibc,
you can try:

$ ldd /usr/lib/engines/engine_pkcs11.so
        linux-vdso.so.1 (0x00007fff571ea000)
        libcrypto.so.1.0.0 => /usr/lib64/libcrypto.so.1.0.0 (0x00007f13e33e0000)
        libp11.so.2 => /usr/lib64/libp11.so.2 (0x00007f13e31d0000)
        libc.so.6 => /lib64/libc.so.6 (0x00007f13e2e20000)
        libdl.so.2 => /lib64/libdl.so.2 (0x00007f13e2c18000)
        libz.so.1 => /lib64/libz.so.1 (0x00007f13e2a00000)
        libltdl.so.7 => /usr/lib64/libltdl.so.7 (0x00007f13e27f0000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f13e39f0000)

Make sure the resolved paths point to the libraries you have compiled and
installed.

-- Petr
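Pulling together Douglas's remark about mixing /usr and /usr/local and Petr's advice to confirm the configuration is read at all, here is an added example. It is not code from engine_pkcs11, OpenSSL or anyone in this thread. It resolves the openssl_conf -> engines -> engine section chain the way OpenSSL 1.0.x does and reports what would stop `openssl engine` from listing `(pkcs11) pkcs11 engine`. One check it performs that the thread does not spell out: OpenSSL looks for `openssl_conf` only in the default section, i.e. the text before the first `[section]` header (or under an explicit `[default]`), so appending the snippet to the end of an existing openssl.cnf puts `openssl_conf` inside the last section, where it is never consulted. The two sample configurations are constructed from the snippet posted above; the `exists` and `built_enginesdir` parameters exist only so this example can run against a fake filesystem and compare the config with the enginesdir that configure printed.

```python
"""Resolve the engine chain in an openssl.cnf the way OpenSSL 1.0.x does and report the
misconfigurations raised in this thread. Added example; not part of engine_pkcs11 or OpenSSL."""
import os
from typing import Callable, Dict, List, Optional

# Constructed sample: the snippet posted in the thread, with openssl_conf where OpenSSL
# needs it, i.e. before the first [section] header.
GOOD_CNF = """
openssl_conf = openssl_def

[openssl_def]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib/engines/engine_pkcs11.so
MODULE_PATH = /usr/lib/opensc-pkcs11.so
init = 0

[req]
distinguished_name = req_distinguished_name

[req_distinguished_name]
"""

# Constructed sample: the same lines appended to the end of an existing openssl.cnf, so
# openssl_conf lands inside the last section and is never consulted.
MISPLACED_CNF = "[req]\ndistinguished_name = req_distinguished_name\n\n[req_distinguished_name]\n" + GOOD_CNF


def parse_cnf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal openssl.cnf reader: '#' comments, [section] headers, key = value.
    Lines before the first header (or under [default]) form the default section."""
    sections: Dict[str, Dict[str, str]] = {"default": {}}
    current = "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections


def check_engine_config(text: str, exists: Callable[[str], bool] = os.path.exists,
                        built_enginesdir: Optional[str] = None) -> List[str]:
    """Return the problems that would keep `openssl engine` from listing the engine; [] means
    the chain resolves. `exists` is injectable so the check can run against a fake filesystem;
    `built_enginesdir` is the enginesdir printed by engine_pkcs11's configure, if known."""
    cnf = parse_cnf(text)
    problems: List[str] = []
    top = cnf["default"].get("openssl_conf")
    if top is None:
        elsewhere = [name for name, sec in cnf.items() if "openssl_conf" in sec]
        if elsewhere:
            problems.append(f"openssl_conf sits inside [{elsewhere[0]}]; OpenSSL only reads it "
                            "from the default section, before the first section header")
        else:
            problems.append("no openssl_conf directive, so no engine section is ever read")
        return problems
    engines_sec = cnf.get(top, {}).get("engines")
    if engines_sec is None:
        return [f"[{top}] has no 'engines' key"]
    for engine_id, sec_name in cnf.get(engines_sec, {}).items():
        sec = cnf.get(sec_name)
        if sec is None:
            problems.append(f"engine {engine_id}: section [{sec_name}] is missing")
            continue
        for key in ("dynamic_path", "MODULE_PATH"):   # MODULE_PATH is optional; check it only if set
            path = sec.get(key)
            if path is not None and not exists(path):
                problems.append(f"engine {engine_id}: {key}={path} does not exist")
        dyn = sec.get("dynamic_path")
        if dyn and built_enginesdir and os.path.dirname(dyn) != built_enginesdir:
            problems.append(f"engine {engine_id}: dynamic_path is in {os.path.dirname(dyn)} but the "
                            f"build installs engines into {built_enginesdir}")
    return problems


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/ssl/openssl.cnf"
    with open(path) as fh:
        findings = check_engine_config(fh.read())
    print("\n".join(findings) or f"{path}: engine chain resolves")
```

Run it against the real file (`python check_cnf.py /etc/ssl/openssl.cnf`) and then `strace -e open -- openssl engine` as Petr shows: if the checker is clean but strace never opens engine_pkcs11.so, the file being edited is not the one OpenSSL reads.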


Re: Relation between engine_pkcs11 and openssl

Douglas E Engert
In reply to this post by Sarat G


On 1/2/2015 9:02 AM, Sarat G wrote:
> Hi Engert,
> My aim is to prevent the leakage of information in organizations through the printer. In this case the user walks to the printer and, if he wants to print something, he must verify his identity, i.e.
> 1) When he inserts the card in the printer, it pops up for PIN verification.
> 2) Once the verification is successful, the certificates in the card are read and verified with an OCSP server (the precondition is that the printer must be on the network of the OCSP server for certificate
> verification to happen).

If "verification is successful" means "pin verification"  (as you have not read the certificate to verify the certificate)
then you have some security problems.

The steps verify the PIN to the card, and that the card has a certificate that may be valid, but it does not
verify that the card contains the key associated to the certificate, and does not verify the certificate's signature
is valid, and it is signed by a trusted CA.

With only steps (1) and (2) a hacker could create a card with a PIN and a copy of a valid certificate, and put it on the card.

OCSP provides information that a certificate is revoked, but does not verify the certificate.
It is expected that the certificate has been verified by some other method, involving the use of the private key,
and OCSP is used to check if the certificate has been revoked recently.

http://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol

Note that the OCSP protocol
   http://tools.ietf.org/html/rfc2560
does not send the certificate itself, but only:

CertID          ::=     SEQUENCE {
        hashAlgorithm       AlgorithmIdentifier,
        issuerNameHash      OCTET STRING, -- Hash of Issuer's DN
        issuerKeyHash       OCTET STRING, -- Hash of Issuers public key
        serialNumber        CertificateSerialNumber }


TLS with Client Authentication has the server verify the client's certificate, and the server can use OCSP to see
if the certificate has been revoked.


And the above does not do any authorization that the holder of the card is allowed to use the printer.



--

  Douglas E. Engert  <[hidden email]>
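To make Douglas's point concrete, here is an added example (mine, not code from the thread, OpenSC or any printer) that models both flows: the proposed PIN-plus-OCSP check, and one that also verifies the certificate chain and makes the card prove it holds the private key by signing a fresh challenge. The RSA inside is textbook with tiny primes and is a stand-in only, as is the `revoked` set that plays the OCSP responder; the CA, the cards, the serials and the challenge are constructed fixtures. The cloned card carries a byte-for-byte copy of Alice's certificate with Mallory's key behind it: it passes `naive_authenticate` and fails `authenticate` at the proof-of-possession step.

```python
"""Toy model of the printer login discussed above: what PIN + certificate + OCSP does and does
not prove. Textbook RSA with tiny primes, NOT secure; it only gives the protocol its shape.
The `revoked` set stands in for an OCSP responder, which answers 'is this serial revoked' only."""
import hashlib
import hmac
import math
from dataclasses import dataclass
from typing import Dict, Set, Tuple

PubKey = Tuple[int, int]   # (n, e)
PrivKey = Tuple[int, int]  # (n, d)

def _next_prime(n: int) -> int:
    while not (n > 1 and all(n % k for k in range(2, int(n ** 0.5) + 1))):
        n += 1
    return n

def toy_keypair(seed: int) -> Tuple[PubKey, PrivKey]:
    """Textbook RSA from two small primes near `seed`. Toy only, never use for real keys."""
    e, p = 65537, _next_prime(seed)
    while True:
        q = _next_prime(p + 1)
        phi = (p - 1) * (q - 1)
        if math.gcd(e, phi) == 1:
            break
        p = q
    return (p * q, e), (p * q, pow(e, -1, phi))

def _digest(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv: PrivKey, data: bytes) -> int:
    n, d = priv
    return pow(_digest(data, n), d, n)

def verify(pub: PubKey, data: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == _digest(data, n)

@dataclass(frozen=True)
class Certificate:
    subject: str
    serial: int
    pubkey: PubKey
    issuer: str
    signature: int = 0       # CA signature over tbs()

    def tbs(self) -> bytes:  # the bytes the CA actually certified
        return f"{self.subject}|{self.serial}|{self.pubkey}|{self.issuer}".encode()

def issue(ca_name: str, ca_priv: PrivKey, subject: str, serial: int, pub: PubKey) -> Certificate:
    body = Certificate(subject, serial, pub, ca_name)
    return Certificate(subject, serial, pub, ca_name, sign(ca_priv, body.tbs()))

@dataclass
class Card:
    pin: str
    cert: Certificate   # public: anyone holding the card can read and copy it
    priv: PrivKey       # never leaves the card; exposed only through sign_challenge()

    def verify_pin(self, pin: str) -> bool:
        return hmac.compare_digest(self.pin.encode(), pin.encode())

    def sign_challenge(self, challenge: bytes) -> int:
        return sign(self.priv, challenge)

def naive_authenticate(card: Card, pin: str, revoked: Set[int]) -> bool:
    """Steps (1) and (2) from the thread: PIN to the card, then an OCSP-style lookup on the serial."""
    return card.verify_pin(pin) and card.cert.serial not in revoked

def authenticate(card: Card, pin: str, trusted_cas: Dict[str, PubKey], revoked: Set[int],
                 challenge: bytes, authorized: Set[str]) -> Tuple[bool, str]:
    """PIN, then chain, then proof of possession, then revocation, then authorization."""
    if not card.verify_pin(pin):
        return False, "pin"
    cert = card.cert
    ca_pub = trusted_cas.get(cert.issuer)
    if ca_pub is None or not verify(ca_pub, cert.tbs(), cert.signature):
        return False, "chain"                # not signed by a CA the printer trusts
    if not verify(cert.pubkey, challenge, card.sign_challenge(challenge)):
        return False, "proof_of_possession"  # card does not hold the key the cert names
    if cert.serial in revoked:
        return False, "revoked"              # the only question OCSP answers
    if cert.subject not in authorized:
        return False, "authorization"        # authenticated is not the same as allowed
    return True, "ok"

def scenario():
    """Constructed fixtures: a trusted CA, Alice's real card, a clone with a copy of her
    certificate but Mallory's key, and a card whose certificate comes from an untrusted CA."""
    ca_pub, ca_priv = toy_keypair(1_000_000)
    alice_pub, alice_priv = toy_keypair(2_000_000)
    mallory_pub, mallory_priv = toy_keypair(3_000_000)
    _, rogue_priv = toy_keypair(4_000_000)
    alice_cert = issue("Corp CA", ca_priv, "alice", 1001, alice_pub)
    legit = Card("1234", alice_cert, alice_priv)
    cloned = Card("0000", alice_cert, mallory_priv)  # the certificate is public; the key is not
    rogue = Card("0000", issue("Rogue CA", rogue_priv, "alice", 1001, mallory_pub), mallory_priv)
    return {"Corp CA": ca_pub}, legit, cloned, rogue
```

The order in `authenticate` is deliberate: the revocation question is asked last because an OCSP answer about a serial means nothing until the chain and the key binding have been checked, and `authorized` is the separate authorization step mentioned at the end of the post. In a real deployment the challenge signature is what TLS client authentication performs for you, with the card's PKCS#11 module doing the signing.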



Re: Relation between engine_pkcs11 and openssl

Douglas E Engert
In reply to this post by Petr Pisar


On 1/2/2015 12:41 PM, Petr Pisar wrote:

> On Fri, Jan 02, 2015 at 10:15:59AM +0530, sarat wrote:
>> I followed the same steps as you mentioned, but still my engine_pkcs11 is
>> not up. Please find the below logs. I attached the same, please let me know
>> if more info is needed.
>>
> The logs look good.
>
>> After that when I ran the below commands:
>> root@nilotpal:~/projects/engine_pkcs11# openssl
>> OpenSSL> engine
>> (dynamic) Dynamic engine loading support
>> OpenSSL>
>>
>> I have done everything exactly as in the manual, but still I'm not
>> getting engine_pkcs11 up and running.

It is running, but to use it you need an OpenSSL command and tell it to use the engine
using -keyform engine.




--

  Douglas E. Engert  <[hidden email]>



Re: Relation between engine_pkcs11 and openssl

Petr Pisar
On Fri, Jan 02, 2015 at 02:55:01PM -0600, Douglas E Engert wrote:

> On 1/2/2015 12:41 PM, Petr Pisar wrote:
> > On Fri, Jan 02, 2015 at 10:15:59AM +0530, sarat wrote:
> >> After that when I ran the below commands:
> >> root@nilotpal:~/projects/engine_pkcs11# openssl
> >> OpenSSL> engine
> >> (dynamic) Dynamic engine loading support
> >> OpenSSL>
> >>
> >> I did everything exactly as it is in the manual, but still I'm not
> >> getting engine_pkcs11 up and running.
>
> It is running, but to use it you need an OpenSSL command and tell it to use
> the engine using -keyform engine
>
The -keyform option is needed to select an engine for a cryptographic operation.
However, for enumerating engines you don't need it. At least not with my OpenSSL
version 1.0.1j.

-- Petr



Re: Relation between engine_pkcs11 and openssl

sarat
Hi Petr Pisar,
What is -keyform? How could I tell OpenSSL to link my engine_pkcs11? If you
don't mind, can you provide me the commands for setting it up?
Hi Engert,
Now I have installed everything (opensc, libp11, engine_pkcs11) in /usr/local. The
only thing left for me is to link this to openssl.

Can you please help me in resolving this too?

Thank you.
Regards,
Sarat G

-----Original Message-----
From: Petr Pisar [mailto:[hidden email]]
Sent: Saturday, January 03, 2015 1:00 PM
To: [hidden email]
Subject: Re: [Opensc-devel] Relation between engine_pkcs11 and openssl

On Fri, Jan 02, 2015 at 02:55:01PM -0600, Douglas E Engert wrote:

> On 1/2/2015 12:41 PM, Petr Pisar wrote:
> > On Fri, Jan 02, 2015 at 10:15:59AM +0530, sarat wrote:
> >> After that when I ran the below commands:
> >> root@nilotpal:~/projects/engine_pkcs11# openssl
> >> OpenSSL> engine
> >> (dynamic) Dynamic engine loading support
> >> OpenSSL>
> >>
> >> I did everything exactly as it is in the manual, but still
> >> I'm not getting engine_pkcs11 up and running.
>
> It is running, but to use it you need an OpenSSL command and tell it
> to use the engine using -keyform engine
>
The -keyform option is needed to select an engine for a cryptographic operation.
However, for enumerating engines you don't need it. At least not with my
OpenSSL version 1.0.1j.

-- Petr




Re: Relation between engine_pkcs11 and openssl

sarat
In reply to this post by Petr Pisar
Hi Petr Pisar,
Here is the output of "strace -e open -- openssl engine":
root@nilotpal:~# strace -e open -- openssl engine
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
open("/lib/i386-linux-gnu/libssl.so.1.0.0", O_RDONLY|O_CLOEXEC) = 3
open("/lib/i386-linux-gnu/libcrypto.so.1.0.0", O_RDONLY|O_CLOEXEC) = 3
open("/lib/i386-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
open("/lib/i386-linux-gnu/libdl.so.2", O_RDONLY|O_CLOEXEC) = 3
open("/usr/lib/ssl/openssl.cnf", O_RDONLY|O_LARGEFILE) = 3
open("/proc/meminfo", O_RDONLY|O_CLOEXEC) = 3
(dynamic) Dynamic engine loading support
+++ exited with 0 +++
root@nilotpal:~#
I'm also attaching openssl.cnf; can you please have a look at it and check
whether I'm adding the entries properly or not?

Thank you.
Regards,
Sarat G

-----Original Message-----
From: Petr Pisar [mailto:[hidden email]]
Sent: Saturday, January 03, 2015 12:11 AM
To: [hidden email]
Subject: Re: [Opensc-devel] Relation between engine_pkcs11 and openssl

On Fri, Jan 02, 2015 at 10:15:59AM +0530, sarat wrote:
> I followed the same steps as you mentioned, but still my engine_pkcs11
> is not up. Please find the below logs. I attached the same, please let
> me know if more info is needed.
>
The logs look good.

> After that when I ran the below commands:
> root@nilotpal:~/projects/engine_pkcs11# openssl
> OpenSSL> engine
> (dynamic) Dynamic engine loading support
> OpenSSL>
>
> I done everything exactly that is there in the manual, but still I'm
> not getting the engine_pkcs11 is up and running.
>
The openssl tool would complain if it could not load the engine_pkcs11.so.

First, I would recommend making sure the configuration is read at all. You
can use the "strace" tool to do that:

$ strace -e open -- openssl engine
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
open("/usr/lib64/libssl.so.1.0.0", O_RDONLY|O_CLOEXEC) = 3
open("/usr/lib64/libcrypto.so.1.0.0", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libdl.so.2", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libz.so.1", O_RDONLY|O_CLOEXEC) = 3
open("/etc/ssl/openssl.cnf", O_RDONLY)  = 3
open("/proc/meminfo", O_RDONLY|O_CLOEXEC) = 3
open("/usr/lib/engines/engine_pkcs11.so", O_RDONLY|O_CLOEXEC) = 3
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
open("/usr/lib64/libp11.so.2", O_RDONLY|O_CLOEXEC) = 3
open("/usr/lib64/libltdl.so.7", O_RDONLY|O_CLOEXEC) = 3
(rsax) RSAX engine support
(dynamic) Dynamic engine loading support
(pkcs11) pkcs11 engine
+++ exited with 0 +++

Here you can see the "/etc/ssl/openssl.cnf" file is opened successfully, and
then the "/usr/lib/engines/engine_pkcs11.so" engine is read.

You can also try to break the dynamic_path value to a nonexistent file to see
what the error looks like:

$ openssl engine
Error configuring OpenSSL
139933497808528:error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:dso_dlfcn.c:187:filename(/XXX/usr/lib/engines/engine_pkcs11.so): /XXX/usr/lib/engines/engine_pkcs11.so: cannot open shared object file: No such file or directory
139933497808528:error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:244:
139933497808528:error:260B6084:engine routines:DYNAMIC_LOAD:dso not found:eng_dyn.c:450:
139933497808528:error:260BC066:engine routines:INT_ENGINE_CONFIGURE:engine configuration error:eng_cnf.c:204:section=pkcs11_section, name=dynamic_path, value=/XXX/usr/lib/engines/engine_pkcs11.so
139933497808528:error:0E07606D:configuration file routines:MODULE_RUN:module initialization error:conf_mod.c:235:module=engines, value=engine_section, retcode=-1

Here I prepended "/XXX" to the value, so the OpenSSL library could not load
it.

Then, as others advised, make sure the libp11 library as well as all the
other needed ones are resolvable by the dynamic linker. E.g. on Linux with
glibc, you can try:

$ ldd /usr/lib/engines/engine_pkcs11.so
        linux-vdso.so.1 (0x00007fff571ea000)
        libcrypto.so.1.0.0 => /usr/lib64/libcrypto.so.1.0.0 (0x00007f13e33e0000)
        libp11.so.2 => /usr/lib64/libp11.so.2 (0x00007f13e31d0000)
        libc.so.6 => /lib64/libc.so.6 (0x00007f13e2e20000)
        libdl.so.2 => /lib64/libdl.so.2 (0x00007f13e2c18000)
        libz.so.1 => /lib64/libz.so.1 (0x00007f13e2a00000)
        libltdl.so.7 => /usr/lib64/libltdl.so.7 (0x00007f13e27f0000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f13e39f0000)

Make sure the resolved paths point to the libraries you have compiled and
installed.

-- Petr
