Unsing engine_pks11 with openssl-fips 2.0

classic Classic list List threaded Threaded
5 messages Options
Reply | Threaded
Open this post in threaded view
|

Unsing engine_pks11 with openssl-fips 2.0

Bugzilla from mathias.tausig@a-cert.at
Hello!

Has anybody been able to use engine_pkcs11 with the recently released
FIPS approved version of openssl? I failed to do so.

I was trying to sign a certificate with a FIPS enabled build of openssl
(1.0.1c, FIPS object module 2.0) and the PKCS#11 engine (using a Safenet
eToken). Opensc and engine_pkcs11 are the most recent versions (0.12.2
and 0.1.8)

I did this procedure before (with the non-fips version) using an openssl
config file:

openssl_conf = openssl_def
[openssl_def]
engines = engine_section
[engine_section]
pkcs11 = pkcs11_section
[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib/engines/engine_pkcs11.so
MODULE_PATH = libeTPkcs11.so
PIN = topsecret
VERBOSE = EMPTY
init = 0
[ca]
...

and the command
openssl ca  -engine pkcs11 -in /tmp/testcsr -keyfile 2:74 -keyform
engine -out /tmp/cert -batch -config /tmp/testConf -md sha1 -subj
"/C=AT/CN=Test" -days 30

This worked like charm, but with the fips-build (engine_pkcs11 and the
PKCS#11 client library are the same), I get a segmentation fault:

Using configuration from /tmp/testConf
initializing engine
engine "pkcs11" set.
Looking in slot 2 for key: 74
Found 6 slots
[0] Cherry SmartBoard XX44 00  no tok
[1] AKS ifdh 00 00             login             (eToken)
[2] AKS ifdh 01 00             login             (INTERN)
[3]                            no tok
[4]                            no tok
[5]                            no tok
Found slot:  AKS ifdh 01 00
Found token: INTERN
Found 2 certificates:
   1    INTERN (/C=AT/CN=INTERN/emailAddress=[hidden email])
   2    INTERN SUB (/C=AT/CN=INTERN SUB/emailAddress=[hidden email])
Found 2 keys:
   1 P  INTERN
   2 P  INTERN SUB
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'AT'
commonName            :PRINTABLE:'Test'
Certificate is to be certified until Aug 10 10:17:22 2012 GMT (30 days)
Segmentation fault

All this is happening with the FIPS-capable build but without actually
enabling FIPS-mode.

I am quite lost here. Any ideas?

cheers
Mathias
_______________________________________________
opensc-devel mailing list
[hidden email]
http://www.opensc-project.org/mailman/listinfo/opensc-devel
Reply | Threaded
Open this post in threaded view
|

Re: Unsing engine_pks11 with openssl-fips 2.0

Douglas E. Engert
Not much to go on below.

Is there a core file produced?
Can you get a stack trace?
Can the fips version be complied with debugging?
Can you run this under a debugger?

If not, can you turn on the debugging in opensc.conf
(Note: PINS and other sensitive data are traced)
Or run it with opensc pkcs11-spy to get PKCS#11 trace?

On 8/10/2012 3:33 AM, Mathias Tausig wrote:

> Hello!
>
> Has anybody been able to use engine_pkcs11 with the recently released
> FIPS approved version of openssl? I failed to do so.
>
> I was trying to sign a certificate with a FIPS enabled build of openssl
> (1.0.1c, FIPS object module 2.0) and the PKCS#11 engine (using a Safenet
> eToken). Opensc and engine_pkcs11 are the most recent versions (0.12.2
> and 0.1.8)
>
> I did this procedure before (with the non-fips version) using an openssl
> config file:
>
> openssl_conf = openssl_def
> [openssl_def]
> engines = engine_section
> [engine_section]
> pkcs11 = pkcs11_section
> [pkcs11_section]
> engine_id = pkcs11
> dynamic_path = /usr/lib/engines/engine_pkcs11.so
> MODULE_PATH = libeTPkcs11.so
> PIN = topsecret
> VERBOSE = EMPTY
> init = 0
> [ca]
> ...
>
> and the command
> openssl ca  -engine pkcs11 -in /tmp/testcsr -keyfile 2:74 -keyform
> engine -out /tmp/cert -batch -config /tmp/testConf -md sha1 -subj
> "/C=AT/CN=Test" -days 30
>
> This worked like charm, but with the fips-build (engine_pkcs11 and the
> PKCS#11 client library are the same), I get a segmentation fault:
>
> Using configuration from /tmp/testConf
> initializing engine
> engine "pkcs11" set.
> Looking in slot 2 for key: 74
> Found 6 slots
> [0] Cherry SmartBoard XX44 00  no tok
> [1] AKS ifdh 00 00             login             (eToken)
> [2] AKS ifdh 01 00             login             (INTERN)
> [3]                            no tok
> [4]                            no tok
> [5]                            no tok
> Found slot:  AKS ifdh 01 00
> Found token: INTERN
> Found 2 certificates:
>     1    INTERN (/C=AT/CN=INTERN/emailAddress=[hidden email])
>     2    INTERN SUB (/C=AT/CN=INTERN SUB/emailAddress=[hidden email])
> Found 2 keys:
>     1 P  INTERN
>     2 P  INTERN SUB
> Check that the request matches the signature
> Signature ok
> The Subject's Distinguished Name is as follows
> countryName           :PRINTABLE:'AT'
> commonName            :PRINTABLE:'Test'
> Certificate is to be certified until Aug 10 10:17:22 2012 GMT (30 days)
> Segmentation fault
>
> All this is happening with the FIPS-capable build but without actually
> enabling FIPS-mode.
>
> I am quite lost here. Any ideas?
>
> cheers
> Mathias
> _______________________________________________
> opensc-devel mailing list
> [hidden email]
> http://www.opensc-project.org/mailman/listinfo/opensc-devel
>
>

--

  Douglas E. Engert  <[hidden email]>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444


_______________________________________________
opensc-devel mailing list
[hidden email]
http://www.opensc-project.org/mailman/listinfo/opensc-devel
Reply | Threaded
Open this post in threaded view
|

Re: Unsing engine_pks11 with openssl-fips 2.0

Bugzilla from mathias.tausig@a-cert.at
On 08/10/2012 03:41 PM, Douglas E. Engert wrote:
> Not much to go on below.

Sorry. I will provide more information below.

> Is there a core file produced?

No.

> Can you get a stack trace?
> Can the fips version be complied with debugging?
> Can you run this under a debugger?

Three times yes. Here is the stacktrace from gdb:

Program received signal SIGSEGV, Segmentation fault.
0x00000001 in ?? ()
(gdb) bt
#0  0x00000001 in ?? ()
#1  0x0822ff8a in ASN1_item_sign_ctx (it=0x829e674, algor1=0xb03aeff8,
algor2=0xb02fcff8,
    signature=0xb0306ff0, asn=0xb05ccfcc, ctx=0xbfffe074) at a_sign.c:257
#2  0x081c77d9 in X509_sign_ctx (x=0xb04dbf98, ctx=0xbfffe074) at
x_all.c:100
#3  0x080a2caa in do_X509_sign (err=0xb7d28fc0, x=0xb04dbf98,
pkey=0xb0cbafe0, md=0x8302840,
    sigopts=0x0) at req.c:1802
#4  0x080ae993 in do_body (xret=0xbfffe62c, pkey=0xb0cbafe0,
x509=0xb0b02f98, dgst=0x8302840,
    sigopts=0x0, policy=0xb27e7fec, db=0xb05f2ff8, serial=0xb0600fec,
    subj=0xbffff0cb "/C=AT/CN=Test", chtype=4097, multirdn=0, email_dn=1,
    startdate=0x825f5f6 "today", enddate=0x0, days=30, batch=1,
verbose=0, req=0xb062aff0,
    ext_sect=0xb2563ff0 "usr_cert", lconf=0xb29f6ff0, certopt=0,
nameopt=0, default_op=1,
    ext_copy=1, selfsign=0) at ca.c:2172
#5  0x080ad712 in certify (xret=0xbfffe62c, infile=0xbffff04c
"/home/ad60095910/tmp/testcsr",
    pkey=0xb0cbafe0, x509=0xb0b02f98, dgst=0x8302840, sigopts=0x0,
policy=0xb27e7fec,
    db=0xb05f2ff8, serial=0xb0600fec, subj=0xbffff0cb "/C=AT/CN=Test",
chtype=4097, multirdn=0,
    email_dn=1, startdate=0x825f5f6 "today", enddate=0x0, days=30, batch=1,
    ext_sect=0xb2563ff0 "usr_cert", lconf=0xb29f6ff0, verbose=0,
certopt=0, nameopt=0,
    default_op=1, ext_copy=1, selfsign=0) at ca.c:1633
#6  0x080ac2cc in ca_main (argc=0, argv=0xbfffed98) at ca.c:1233
#7  0x0809c815 in do_cmd (prog=0xb36a9fa0, argc=20, argv=0xbfffed48) at
openssl.c:489
#8  0x0809c436 in main (Argc=20, Argv=0xbfffed48) at openssl.c:381
(gdb)


>
> If not, can you turn on the debugging in opensc.conf
> (Note: PINS and other sensitive data are traced)

I tried that, but no debug file was produced. I set "debug=99" and
"debug_file = /tmp/opensc-debug.log;"

> Or run it with opensc pkcs11-spy to get PKCS#11 trac

I don't know about pkcs11-spy, but I assume that it is a pkcs#11 tracer.
I already did create a log with the debug facility of the eToken driver
(reading and exporting it with Safenet's proprietary log viewer). Here
is the final part of the log:

0xb7e276c0 16:16:59.271       C_GetAttributeValue [4] ( pTemplate={
CKA_SENSITIVE=1 } )
0xb7e276c0 16:16:59.271     + C_GetAttributeValue( hSession=0x08730004
hObject=0x08ec0008 pTemplate={ CKA_EXTRACTABLE=1 } )
0xb7e276c0 16:16:59.274       C_GetAttributeValue [3] ( pTemplate={
CKA_EXTRACTABLE=0 } )
0xb7e276c0 16:16:59.274     + C_GetAttributeValue( hSession=0x08730004
hObject=0x08ec0008 pTemplate={ CKA_MODULUS=524 } )
0xb7e276c0 16:16:59.281       C_GetAttributeValue [7] ( pTemplate={
CKA_MODULUS=[256](9d f5 ef 5c b8 1d 15 cb 01 e7 bf ab fc 89 d0 52 cc 94
c2 6d dc 60 d9 b5 c8 12 06 a1 eb eb 4b 0d 92 76 f0 25 a5 96 44 cf 51 92
28 b4 fe 81 79 b4 e9 6a cc c4 87 73 1a 5e 32 f1 5c e4 1f e8 c2 78 25 fa
9a 88 ab 3f dd e9 78 e8 1a f6 5a 16 fa 29 05 e5 a3 1d 13 37 86 71 09 11
fa 5d 5c 1c b9 83 65 8c 83 5c b9 3e cc 01 4a de 8b db fb a2 ad 3c 56 0b
d5 16 d9 ca 88 b9 7f 4c df 3b f7 9a 7a 52 b1 74 79 c0 62 14 3c 64 30 f8
db c1 1d 33 ac 67 91 5f 63 ca 79 75 4d 48 76 b1 95 f7 7b f1 22 b3 8d f1
ca 9b 74 43 06 a6 70 4d 2f 1c 55 26 a2 fc 29 f1 0f 7e 3b e6 c6 53 30 1c
a4 21 10 3b dc 21 9e 1e df 78 35 d2 e4 48 e2 86 79 59 d0 85 e7 60 0e 3e
49 8e fc c1 9b 59 29 3d 0c ab 42 d9 a0 db ca 7b cf 26 ba 7c 63 31 42 ee
5a 49 28 7e f3 71 a4 e0 11 87 b5 7d 32 dd b0 bb b1 c4 63 cf d1 77) } )
0xb7e276c0 16:16:59.281     + C_GetAttributeValue( hSession=0x08730004
hObject=0x08ec0008 pTemplate={ CKA_PUBLIC_EXPONENT=524 } )
0xb7e276c0 16:16:59.286       C_GetAttributeValue [5] ( pTemplate={
CKA_PUBLIC_EXPONENT=[3](01 00 01) } )
0xb7e276c0 16:16:59.286   <stop
Z:\home\ad60095910\tmp\etokenLog.fipsabsturz-20120808\Aug 10
[08-41]\openssl D502517D9 P24552 T-1209895232.trc>
0xb37ffb70 16:16:59.559     - IFDHTransmitToICC( Lun=0x00000000
TxLength=0x00000005 *RxLength=0x00000140 )
0xb37ffb70 16:16:59.559         TxBuffer(Send)=: TxBuffer=[5](00 a4 00
00 00)
0xb37ffb70 16:16:59.559         + eTSC_TransmitApdu( context=0xb6da2714
request=0xb37df364 requestLen=5 reply=0xb37ef370 replyLen=0xb37df19a )
0xb37ffb70 16:16:59.584           eTSC_TransmitApdu [25] ( )
0xb37ffb70 16:16:59.584       IFDHTransmitToICC [25] ( )
0xb37ffb70 16:17:07.653     - IFDHGetCapabilities( Lun=0x00000000
Tag=0x00000fb2 )
0xb37ffb70 16:17:07.653         Unknown Tag:
0xb37ffb70 16:17:07.653       rv=00000266 IFDHGetCapabilities [0] ( )

I sent this trace to the Safenet support as well, they meant that it
didn't look peculiar to them.

I hope these informations help.

cheers
Mathias

>
> On 8/10/2012 3:33 AM, Mathias Tausig wrote:
>> Hello!
>>
>> Has anybody been able to use engine_pkcs11 with the recently released
>> FIPS approved version of openssl? I failed to do so.
>>
>> I was trying to sign a certificate with a FIPS enabled build of openssl
>> (1.0.1c, FIPS object module 2.0) and the PKCS#11 engine (using a Safenet
>> eToken). Opensc and engine_pkcs11 are the most recent versions (0.12.2
>> and 0.1.8)
>>
>> I did this procedure before (with the non-fips version) using an openssl
>> config file:
>>
>> openssl_conf = openssl_def
>> [openssl_def]
>> engines = engine_section
>> [engine_section]
>> pkcs11 = pkcs11_section
>> [pkcs11_section]
>> engine_id = pkcs11
>> dynamic_path = /usr/lib/engines/engine_pkcs11.so
>> MODULE_PATH = libeTPkcs11.so
>> PIN = topsecret
>> VERBOSE = EMPTY
>> init = 0
>> [ca]
>> ...
>>
>> and the command
>> openssl ca  -engine pkcs11 -in /tmp/testcsr -keyfile 2:74 -keyform
>> engine -out /tmp/cert -batch -config /tmp/testConf -md sha1 -subj
>> "/C=AT/CN=Test" -days 30
>>
>> This worked like charm, but with the fips-build (engine_pkcs11 and the
>> PKCS#11 client library are the same), I get a segmentation fault:
>>
>> Using configuration from /tmp/testConf
>> initializing engine
>> engine "pkcs11" set.
>> Looking in slot 2 for key: 74
>> Found 6 slots
>> [0] Cherry SmartBoard XX44 00  no tok
>> [1] AKS ifdh 00 00             login             (eToken)
>> [2] AKS ifdh 01 00             login             (INTERN)
>> [3]                            no tok
>> [4]                            no tok
>> [5]                            no tok
>> Found slot:  AKS ifdh 01 00
>> Found token: INTERN
>> Found 2 certificates:
>>     1    INTERN (/C=AT/CN=INTERN/emailAddress=[hidden email])
>>     2    INTERN SUB (/C=AT/CN=INTERN SUB/emailAddress=[hidden email])
>> Found 2 keys:
>>     1 P  INTERN
>>     2 P  INTERN SUB
>> Check that the request matches the signature
>> Signature ok
>> The Subject's Distinguished Name is as follows
>> countryName           :PRINTABLE:'AT'
>> commonName            :PRINTABLE:'Test'
>> Certificate is to be certified until Aug 10 10:17:22 2012 GMT (30 days)
>> Segmentation fault
>>
>> All this is happening with the FIPS-capable build but without actually
>> enabling FIPS-mode.
>>
>> I am quite lost here. Any ideas?
>>
>> cheers
>> Mathias
>> _______________________________________________
>> opensc-devel mailing list
>> [hidden email]
>> http://www.opensc-project.org/mailman/listinfo/opensc-devel
>>
>>
>

_______________________________________________
opensc-devel mailing list
[hidden email]
http://www.opensc-project.org/mailman/listinfo/opensc-devel
Reply | Threaded
Open this post in threaded view
|

Re: Unsing engine_pks11 with openssl-fips 2.0

Douglas E. Engert
I don't anything in this, other then it looks like it never called
OpenSC.

OpenSC is compiled with OpenSSL, and it could be conflicts
with two different versions of OpenSSL.

ldd /usr/lib/engines/engine_pkcs11.so
would show what version it wants to use.

You may have to recompile OpenSC and use the FIPS version
of OPenSSL.


On 8/10/2012 9:32 AM, Mathias Tausig wrote:

> On 08/10/2012 03:41 PM, Douglas E. Engert wrote:
>> Not much to go on below.
>
> Sorry. I will provide more information below.
>
>> Is there a core file produced?
>
> No.
>
>> Can you get a stack trace?
>> Can the fips version be complied with debugging?
>> Can you run this under a debugger?
>
> Three times yes. Here is the stacktrace from gdb:
>
> Program received signal SIGSEGV, Segmentation fault.
> 0x00000001 in ?? ()
> (gdb) bt
> #0  0x00000001 in ?? ()
> #1  0x0822ff8a in ASN1_item_sign_ctx (it=0x829e674, algor1=0xb03aeff8,
> algor2=0xb02fcff8,
>      signature=0xb0306ff0, asn=0xb05ccfcc, ctx=0xbfffe074) at a_sign.c:257
> #2  0x081c77d9 in X509_sign_ctx (x=0xb04dbf98, ctx=0xbfffe074) at
> x_all.c:100
> #3  0x080a2caa in do_X509_sign (err=0xb7d28fc0, x=0xb04dbf98,
> pkey=0xb0cbafe0, md=0x8302840,
>      sigopts=0x0) at req.c:1802
> #4  0x080ae993 in do_body (xret=0xbfffe62c, pkey=0xb0cbafe0,
> x509=0xb0b02f98, dgst=0x8302840,
>      sigopts=0x0, policy=0xb27e7fec, db=0xb05f2ff8, serial=0xb0600fec,
>      subj=0xbffff0cb "/C=AT/CN=Test", chtype=4097, multirdn=0, email_dn=1,
>      startdate=0x825f5f6 "today", enddate=0x0, days=30, batch=1,
> verbose=0, req=0xb062aff0,
>      ext_sect=0xb2563ff0 "usr_cert", lconf=0xb29f6ff0, certopt=0,
> nameopt=0, default_op=1,
>      ext_copy=1, selfsign=0) at ca.c:2172
> #5  0x080ad712 in certify (xret=0xbfffe62c, infile=0xbffff04c
> "/home/ad60095910/tmp/testcsr",
>      pkey=0xb0cbafe0, x509=0xb0b02f98, dgst=0x8302840, sigopts=0x0,
> policy=0xb27e7fec,
>      db=0xb05f2ff8, serial=0xb0600fec, subj=0xbffff0cb "/C=AT/CN=Test",
> chtype=4097, multirdn=0,
>      email_dn=1, startdate=0x825f5f6 "today", enddate=0x0, days=30, batch=1,
>      ext_sect=0xb2563ff0 "usr_cert", lconf=0xb29f6ff0, verbose=0,
> certopt=0, nameopt=0,
>      default_op=1, ext_copy=1, selfsign=0) at ca.c:1633
> #6  0x080ac2cc in ca_main (argc=0, argv=0xbfffed98) at ca.c:1233
> #7  0x0809c815 in do_cmd (prog=0xb36a9fa0, argc=20, argv=0xbfffed48) at
> openssl.c:489
> #8  0x0809c436 in main (Argc=20, Argv=0xbfffed48) at openssl.c:381
> (gdb)
>
>
>>
>> If not, can you turn on the debugging in opensc.conf
>> (Note: PINS and other sensitive data are traced)
>
> I tried that, but no debug file was produced. I set "debug=99" and
> "debug_file = /tmp/opensc-debug.log;"
>
>> Or run it with opensc pkcs11-spy to get PKCS#11 trac
>
> I don't know about pkcs11-spy, but I assume that it is a pkcs#11 tracer.
> I already did create a log with the debug facility of the eToken driver
> (reading and exporting it with Safenet's proprietary log viewer). Here
> is the final part of the log:
>
> 0xb7e276c0 16:16:59.271       C_GetAttributeValue [4] ( pTemplate={
> CKA_SENSITIVE=1 } )
> 0xb7e276c0 16:16:59.271     + C_GetAttributeValue( hSession=0x08730004
> hObject=0x08ec0008 pTemplate={ CKA_EXTRACTABLE=1 } )
> 0xb7e276c0 16:16:59.274       C_GetAttributeValue [3] ( pTemplate={
> CKA_EXTRACTABLE=0 } )
> 0xb7e276c0 16:16:59.274     + C_GetAttributeValue( hSession=0x08730004
> hObject=0x08ec0008 pTemplate={ CKA_MODULUS=524 } )
> 0xb7e276c0 16:16:59.281       C_GetAttributeValue [7] ( pTemplate={
> CKA_MODULUS=[256](9d f5 ef 5c b8 1d 15 cb 01 e7 bf ab fc 89 d0 52 cc 94
> c2 6d dc 60 d9 b5 c8 12 06 a1 eb eb 4b 0d 92 76 f0 25 a5 96 44 cf 51 92
> 28 b4 fe 81 79 b4 e9 6a cc c4 87 73 1a 5e 32 f1 5c e4 1f e8 c2 78 25 fa
> 9a 88 ab 3f dd e9 78 e8 1a f6 5a 16 fa 29 05 e5 a3 1d 13 37 86 71 09 11
> fa 5d 5c 1c b9 83 65 8c 83 5c b9 3e cc 01 4a de 8b db fb a2 ad 3c 56 0b
> d5 16 d9 ca 88 b9 7f 4c df 3b f7 9a 7a 52 b1 74 79 c0 62 14 3c 64 30 f8
> db c1 1d 33 ac 67 91 5f 63 ca 79 75 4d 48 76 b1 95 f7 7b f1 22 b3 8d f1
> ca 9b 74 43 06 a6 70 4d 2f 1c 55 26 a2 fc 29 f1 0f 7e 3b e6 c6 53 30 1c
> a4 21 10 3b dc 21 9e 1e df 78 35 d2 e4 48 e2 86 79 59 d0 85 e7 60 0e 3e
> 49 8e fc c1 9b 59 29 3d 0c ab 42 d9 a0 db ca 7b cf 26 ba 7c 63 31 42 ee
> 5a 49 28 7e f3 71 a4 e0 11 87 b5 7d 32 dd b0 bb b1 c4 63 cf d1 77) } )
> 0xb7e276c0 16:16:59.281     + C_GetAttributeValue( hSession=0x08730004
> hObject=0x08ec0008 pTemplate={ CKA_PUBLIC_EXPONENT=524 } )
> 0xb7e276c0 16:16:59.286       C_GetAttributeValue [5] ( pTemplate={
> CKA_PUBLIC_EXPONENT=[3](01 00 01) } )
> 0xb7e276c0 16:16:59.286   <stop
> Z:\home\ad60095910\tmp\etokenLog.fipsabsturz-20120808\Aug 10
> [08-41]\openssl D502517D9 P24552 T-1209895232.trc>
> 0xb37ffb70 16:16:59.559     - IFDHTransmitToICC( Lun=0x00000000
> TxLength=0x00000005 *RxLength=0x00000140 )
> 0xb37ffb70 16:16:59.559         TxBuffer(Send)=: TxBuffer=[5](00 a4 00
> 00 00)
> 0xb37ffb70 16:16:59.559         + eTSC_TransmitApdu( context=0xb6da2714
> request=0xb37df364 requestLen=5 reply=0xb37ef370 replyLen=0xb37df19a )
> 0xb37ffb70 16:16:59.584           eTSC_TransmitApdu [25] ( )
> 0xb37ffb70 16:16:59.584       IFDHTransmitToICC [25] ( )
> 0xb37ffb70 16:17:07.653     - IFDHGetCapabilities( Lun=0x00000000
> Tag=0x00000fb2 )
> 0xb37ffb70 16:17:07.653         Unknown Tag:
> 0xb37ffb70 16:17:07.653       rv=00000266 IFDHGetCapabilities [0] ( )
>
> I sent this trace to the Safenet support as well, they meant that it
> didn't look peculiar to them.
>
> I hope these informations help.
>
> cheers
> Mathias
>
>>
>> On 8/10/2012 3:33 AM, Mathias Tausig wrote:
>>> Hello!
>>>
>>> Has anybody been able to use engine_pkcs11 with the recently released
>>> FIPS approved version of openssl? I failed to do so.
>>>
>>> I was trying to sign a certificate with a FIPS enabled build of openssl
>>> (1.0.1c, FIPS object module 2.0) and the PKCS#11 engine (using a Safenet
>>> eToken). Opensc and engine_pkcs11 are the most recent versions (0.12.2
>>> and 0.1.8)
>>>
>>> I did this procedure before (with the non-fips version) using an openssl
>>> config file:
>>>
>>> openssl_conf = openssl_def
>>> [openssl_def]
>>> engines = engine_section
>>> [engine_section]
>>> pkcs11 = pkcs11_section
>>> [pkcs11_section]
>>> engine_id = pkcs11
>>> dynamic_path = /usr/lib/engines/engine_pkcs11.so
>>> MODULE_PATH = libeTPkcs11.so
>>> PIN = topsecret
>>> VERBOSE = EMPTY
>>> init = 0
>>> [ca]
>>> ...
>>>
>>> and the command
>>> openssl ca  -engine pkcs11 -in /tmp/testcsr -keyfile 2:74 -keyform
>>> engine -out /tmp/cert -batch -config /tmp/testConf -md sha1 -subj
>>> "/C=AT/CN=Test" -days 30
>>>
>>> This worked like charm, but with the fips-build (engine_pkcs11 and the
>>> PKCS#11 client library are the same), I get a segmentation fault:
>>>
>>> Using configuration from /tmp/testConf
>>> initializing engine
>>> engine "pkcs11" set.
>>> Looking in slot 2 for key: 74
>>> Found 6 slots
>>> [0] Cherry SmartBoard XX44 00  no tok
>>> [1] AKS ifdh 00 00             login             (eToken)
>>> [2] AKS ifdh 01 00             login             (INTERN)
>>> [3]                            no tok
>>> [4]                            no tok
>>> [5]                            no tok
>>> Found slot:  AKS ifdh 01 00
>>> Found token: INTERN
>>> Found 2 certificates:
>>>      1    INTERN (/C=AT/CN=INTERN/emailAddress=[hidden email])
>>>      2    INTERN SUB (/C=AT/CN=INTERN SUB/emailAddress=[hidden email])
>>> Found 2 keys:
>>>      1 P  INTERN
>>>      2 P  INTERN SUB
>>> Check that the request matches the signature
>>> Signature ok
>>> The Subject's Distinguished Name is as follows
>>> countryName           :PRINTABLE:'AT'
>>> commonName            :PRINTABLE:'Test'
>>> Certificate is to be certified until Aug 10 10:17:22 2012 GMT (30 days)
>>> Segmentation fault
>>>
>>> All this is happening with the FIPS-capable build but without actually
>>> enabling FIPS-mode.
>>>
>>> I am quite lost here. Any ideas?
>>>
>>> cheers
>>> Mathias
>>> _______________________________________________
>>> opensc-devel mailing list
>>> [hidden email]
>>> http://www.opensc-project.org/mailman/listinfo/opensc-devel
>>>
>>>
>>
>
> _______________________________________________
> opensc-devel mailing list
> [hidden email]
> http://www.opensc-project.org/mailman/listinfo/opensc-devel
>
>

--

  Douglas E. Engert  <[hidden email]>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444


_______________________________________________
opensc-devel mailing list
[hidden email]
http://www.opensc-project.org/mailman/listinfo/opensc-devel
Reply | Threaded
Open this post in threaded view
|

Re: Unsing engine_pks11 with openssl-fips 2.0

Martin Paljak-4
Hello,

On Mon, Aug 13, 2012 at 1:41 AM, Douglas E. Engert <[hidden email]> wrote:

> I don't anything in this, other then it looks like it never called
> OpenSC.
>
> OpenSC is compiled with OpenSSL, and it could be conflicts
> with two different versions of OpenSSL.
>
> ldd /usr/lib/engines/engine_pkcs11.so
> would show what version it wants to use.
>
> You may have to recompile OpenSC and use the FIPS version
> of OPenSSL.

I would guess the problem comes indeed from mixing two OpenSSL
versions. As OpenSC itself (or the engine) it not a validated product,
I don't really see what would it add to the picture. If you need to be
validated, you probably can't use OpenSC (or the engine) and if not,
why not choose the standard OpenSSL?

Martin
_______________________________________________
opensc-devel mailing list
[hidden email]
http://www.opensc-project.org/mailman/listinfo/opensc-devel