openssl -updatedb with pkcs11 engine

openssl -updatedb with pkcs11 engine

Stefan Mink

Hi,

I'm trying to update the DB in demoCA/index.txt, so expired
certificates are being marked as such, but I don't manage
to get it working with the pkcs11 engine:


OpenSSL> engine dynamic -pre SO_PATH:/usr/lib/opensc/engine_pkcs11.so -pre
ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre
MODULE_PATH:/usr/lib/pkcs11/opensc-pkcs11.so
(dynamic) Dynamic engine loading support
[Success]: SO_PATH:/usr/lib/opensc/engine_pkcs11.so
[Success]: ID:pkcs11
[Success]: LIST_ADD:1
[Success]: LOAD
[Success]: MODULE_PATH:/usr/lib/pkcs11/opensc-pkcs11.so
Loaded: (pkcs11) pkcs11 engine

OpenSSL> ca -engine pkcs11 -keyfile id_45 -keyform engine -updatedb
Using configuration from /usr/lib/ssl/openssl.cnf
engine "pkcs11" set.
SmartCard PIN:
DEBUG[load_index]: unique_subject = "yes"
error in ca
OpenSSL>

Without using the engine, this works:
nn:~/lal# openssl ca -updatedb
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
DEBUG[load_index]: unique_subject = "yes"
nn:~/lal#

Any idea?

   tschuess
             Stefan
--
Stefan Mink, Schlund+Partner AG (AS 8560)
Primary key fingerprint: 389E 5DC9 751F A6EB B974  DC3F 7A1B CF62 F0D4 D2BA

_______________________________________________
opensc-user mailing list
[hidden email]
http://www.opensc.org/cgi-bin/mailman/listinfo/opensc-user

Re: openssl -updatedb with pkcs11 engine

Nils Larsch
Stefan Mink wrote:

> Hi,
>
> I'm trying to update the DB in demoCA/index.txt, so expired
> certificates are being marked as such, but I don't manage
> to get it working with the pkcs11 engine:
>
>
> OpenSSL> engine dynamic -pre SO_PATH:/usr/lib/opensc/engine_pkcs11.so -pre
> ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre
> MODULE_PATH:/usr/lib/pkcs11/opensc-pkcs11.so
> (dynamic) Dynamic engine loading support
> [Success]: SO_PATH:/usr/lib/opensc/engine_pkcs11.so
> [Success]: ID:pkcs11
> [Success]: LIST_ADD:1
> [Success]: LOAD
> [Success]: MODULE_PATH:/usr/lib/pkcs11/opensc-pkcs11.so
> Loaded: (pkcs11) pkcs11 engine
>
> OpenSSL> ca -engine pkcs11 -keyfile id_45 -keyform engine -updatedb
> Using configuration from /usr/lib/ssl/openssl.cnf
> engine "pkcs11" set.
> SmartCard PIN:
> DEBUG[load_index]: unique_subject = "yes"
> error in ca
> OpenSSL>
>
> Without using the engine, this works:
> nn:~/lal# openssl ca -updatedb
> Using configuration from /usr/lib/ssl/openssl.cnf
> Enter pass phrase for ./demoCA/private/cakey.pem:
> DEBUG[load_index]: unique_subject = "yes"
> nn:~/lal#
>
> Any idea?

could you do the same with the "-verbose" option ?

Cheers,
Nils
Re: openssl -updatedb with pkcs11 engine

Stefan Mink
Nils Larsch wrote:
> could you do the same with the "-verbose" option ?

OpenSSL> ca -verbose -engine pkcs11 -keyfile id_45 -keyform engine -updatedb
Using configuration from /usr/lib/ssl/openssl.cnf
engine "pkcs11" set.
SmartCard PIN:
DEBUG[load_index]: unique_subject = "yes"
V       021016165154Z           02      unknown...
...
[all entries of index.txt]
...
8 entries loaded from the database
generating index
Updating ./demoCA/index.txt ...
02=Expired
Done. 1 entries marked as expired
error in ca
OpenSSL>

interesting: it seems it did its job nevertheless:

nn:~/lal# head demoCA/index.txt
E       021016165154Z           02      unknown ...

-> it marked the entry as expired

Another observation: "error in ca" is printed although
there has been nothing to do at all, i.e. no certificate
expired and no change had to be made to index.txt

OpenSSL> ca -verbose -engine pkcs11 -keyform engine -keyfile id_45 -updatedb
Using configuration from /usr/lib/ssl/openssl.cnf
engine "pkcs11" set.
SmartCard PIN:
DEBUG[load_index]: unique_subject = "yes"
...
8 entries loaded from the database
generating index
Updating ./demoCA/index.txt ...
No entries found to mark expired
error in ca
OpenSSL>

Mhm confusing but it seems everything works as expected :]

   tschuess
             Stefan
--
Stefan Mink, Schlund+Partner AG (AS 8560)
Primary key fingerprint: 389E 5DC9 751F A6EB B974  DC3F 7A1B CF62 F0D4 D2BA


Re: openssl -updatedb with pkcs11 engine

Nils Larsch
Stefan Mink wrote:
...

> Another observation: "error in ca" is printed although
> there has been nothing to do at all, i.e. no certificate
> expired and no change had to be made to index.txt
>
> OpenSSL> ca -verbose -engine pkcs11 -keyform engine -keyfile id_45 -updatedb
> Using configuration from /usr/lib/ssl/openssl.cnf
> engine "pkcs11" set.
> SmartCard PIN:
> DEBUG[load_index]: unique_subject = "yes"
> ...
> 8 entries loaded from the database
> generating index
> Updating ./demoCA/index.txt ...
> No entries found to mark expired
> error in ca
> OpenSSL>
>
> Mhm confusing but it seems everything works as expected :]

looks like an openssl bug, looking at OpenSSL/apps/ca.c line 946ff

        /*****************************************************************/
        /* Update the db file for expired certificates */
        if (doupdatedb)
                {
                if (verbose)
                        BIO_printf(bio_err, "Updating %s ...\n",
                                   dbfile);

                i = do_updatedb(db);
                if (i == -1)
                        {
                        BIO_printf(bio_err, "Malloc failure\n");
                        goto err;
                        }
                else if (i == 0)
                        {
                        if (verbose) BIO_printf(bio_err,
                                "No entries found to mark expired\n");
                        }
                else
                        {
                        if (!save_index(dbfile, "new", db)) goto err;

                        if (!rotate_index(dbfile, "new", "old")) goto err;

                        if (verbose) BIO_printf(bio_err,
                                "Done. %d entries marked as expired\n", i);
                        }
                goto err;
                }

the last "goto err;" looks wrong. I will commit a fix to the
openssl repository soon, please try a next openssl snapshot.

Thanks,
Nils
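The `-updatedb` step the thread is about is small enough to reproduce offline. The following is an added example, not code from the thread or from OpenSSL: it parses the tab-separated `demoCA/index.txt` rows shown above (status, expiry, revocation date, serial, file name, subject) and flips `V` rows whose expiry has passed to `E`, as `do_updatedb()` does. The sample rows and the `SAMPLE_INDEX`, `parse_index_time` and `update_db` names are constructed for this example.

```python
from datetime import datetime, timezone

# Constructed sample of demoCA/index.txt (tab separated, like the rows
# quoted in the thread): status, expiry, revocation date, serial, file, DN.
SAMPLE_INDEX = [
    "V\t021016165154Z\t\t02\tunknown\t/C=DE/O=Example/CN=expired-cert",
    "V\t491231235959Z\t\t03\tunknown\t/C=DE/O=Example/CN=still-valid",
    "R\t021016165154Z\t020901120000Z\t04\tunknown\t/C=DE/O=Example/CN=revoked",
    "E\t000101000000Z\t\t05\tunknown\t/C=DE/O=Example/CN=already-expired",
]

def parse_index_time(s):
    """Parse the UTCTime (YYMMDDHHMMSSZ) or GeneralizedTime (YYYYMMDDHHMMSSZ)
    strings OpenSSL writes to index.txt.  Two-digit years use the RFC 5280
    pivot: 50-99 -> 19xx, 00-49 -> 20xx."""
    if not s.endswith("Z"):
        raise ValueError("expected a Zulu ASN.1 time, got %r" % s)
    if len(s) == 13:
        yy = int(s[:2])
        year, rest = (1900 + yy if yy >= 50 else 2000 + yy), s[2:12]
    elif len(s) == 15:
        year, rest = int(s[:4]), s[4:14]
    else:
        raise ValueError("bad time length: %r" % s)
    return datetime(year, int(rest[0:2]), int(rest[2:4]), int(rest[4:6]),
                    int(rest[6:8]), int(rest[8:10]), tzinfo=timezone.utc)

def update_db(lines, now):
    """Mirror of 'openssl ca -updatedb': mark 'V' rows whose expiry is at or
    before 'now' as 'E'.  Returns (new_rows, number_marked); the count is
    what OpenSSL prints as "Done. %d entries marked as expired"."""
    out, marked = [], 0
    for line in lines:
        fields = line.rstrip("\n").split("\t")
        if len(fields) != 6:
            raise ValueError("malformed index.txt row: %r" % line)
        # Only valid ('V') rows are examined; 'R' and 'E' rows stay untouched.
        if fields[0] == "V" and parse_index_time(fields[1]) <= now:
            fields[0] = "E"
            marked += 1
        out.append("\t".join(fields))
    return out, marked

if __name__ == "__main__":
    new_rows, n = update_db(SAMPLE_INDEX, datetime.now(timezone.utc))
    print("\n".join(new_rows))
    print("Done. %d entries marked as expired" % n)
```

Running `update_db` a second time over its own output marks nothing, which is the "No entries found to mark expired" case from the second transcript; note that with the stray `goto err` discussed above, the real `openssl ca` exits non-zero in both cases, so a cron job that checks its exit status would report failure even when index.txt was updated correctly.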