"fatal: could not initialize dst: crypto failure" when trying to use dnssec with Aventra card


"fatal: could not initialize dst: crypto failure" when trying to use dnssec with Aventra card

Adam Zimmerman
Hi everyone,

I'm trying to set up DNSSEC for my domain with my KSK being stored on a
smart card. I have an Aventra MyEID card, and setting up the card seems
to go perfectly (except for finalizing it). However, when I try to use
dnssec-keyfromlabel to generate the public key information to be used
later with dnssec-signzone, I get the error listed in the subject. The
error occurs before I'm asked for my PIN.

So I have a couple of questions:
- Is this something I'm doing wrong, a bug somewhere, or an issue with
  the card? (also, am I on the right list? This seemed to be the most
  relevant one when I searched)
- Is it related at all to the inability to finalize the card?
- (on the off chance this is the culprit) My PIN and PUK are identical.
  I'm assuming this isn't the issue, am I right?

Below I've copied/pasted the commands I'm using to set up the card and
run dnssec-keyfromlabel. I've also attached the output from running
dnssec-keyfromlabel with OPENSC_DEBUG=9 set. Let me know if I can
provide any more information.

Thanks in advance,
- Adam



--------



adam@midnight% pkcs15-init -E
Using reader with a card: Lenovo Integrated Smart Card Reader 00 00

adam@midnight% pkcs15-init -C --no-so-pin --pin 1111 --puk 1111
Using reader with a card: Lenovo Integrated Smart Card Reader 00 00

adam@midnight% pkcs15-init -P -a 1 -l "User PIN"
Using reader with a card: Lenovo Integrated Smart Card Reader 00 00
New User PIN.
Please enter User PIN:
Please type again to verify:
Unblock Code for New User PIN (Optional - press return for no PIN).
Please enter User unblocking PIN (PUK):
Please type again to verify:

adam@midnight% pkcs15-init -G rsa/2048 -a 1 -u sign
Using reader with a card: Lenovo Integrated Smart Card Reader 00 00
User PIN [User PIN] required.
Please enter User PIN [User PIN]:

adam@midnight% pkcs15-init -F
Using reader with a card: Lenovo Integrated Smart Card Reader 00 00
Failed to delete object(s): Not allowed

adam@midnight(1)% pkcs11-tool --module
/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so -O
Using slot 1 with a present token (0x1)
Public Key Object; RSA 2048 bits
  label:      Private Key
  ID:         cd1314e84c82cbc6e4a156a5c091ba02efde18c0
  Usage:      verify

adam@midnight% OPENSSL_CONF=/home/adam/openssl.conf dnssec-keyfromlabel
-E pkcs11 -l "id_cd1314e84c82cbc6e4a156a5c091ba02efde18c0" -3 -a
RSASHA256 -n ZONE -f KSK -K keys -R +2y digitalpirate.ca
initializing engine
GOST engine already loaded
dnssec-keyfromlabel: fatal: could not initialize dst: crypto failure

adam@midnight(1)% cat /home/adam/openssl.conf
openssl_conf = openssl_def

[openssl_def]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib/engines/engine_pkcs11.so
MODULE_PATH = /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
VERBOSE = EMPTY
init = 0

[req]
distinguished_name = req_distinguished_name

[req_distinguished_name]


_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel

Attachment: opensc_debug.log (224K)

Re: "fatal: could not initialize dst: crypto failure" when trying to use dnssec with Aventra card

Adam Zimmerman
I realized I forgot to mention any version information. I'm running
Ubuntu 14.04, with all packages being installed from the repos. The only
change I had to make was the fix to myeid.profile mentioned on
https://github.com/OpenSC/OpenSC/wiki/Aventra-MyEID-PKI-card .

Current package versions:

opensc 0.13.0-3ubuntu4.1
pcscd 1.8.10-1ubuntu1
libengine-pkcs11-openssl 0.1.8-3
bind9utils 1:9.9.5.dfsg-3

On 14-07-26 09:25 AM, Adam Zimmerman wrote:


Re: "fatal: could not initialize dst: crypto failure" when trying to use dnssec with Aventra card

Andreas Schwier (ML)
Hi Adam,

does it work if you use openssl directly with the card, e.g.

OPENSSL_CONF=/home/adam/openssl.conf openssl req -engine pkcs11 -new
-key id_cd1314e84c82cbc6e4a156a5c091ba02efde18c0 -keyform engine

I've tried the same thing with a SmartCard-HSM here and get "format not
recognized" for an apparently valid key id.

Andreas


On 07/26/2014 06:36 PM, Adam Zimmerman wrote:


Re: "fatal: could not initialize dst: crypto failure" when trying to use dnssec with Aventra card

Andreas Schwier (ML)
Hi Adam,

apparently dnssec-keyfromlabel prefixes the label with the engine name,
unless the label already contains a colon.

engine-pkcs11 doesn't understand this notation and fails. If you
specify the label as slot:id it works for me
(0:cd1314e84c82cbc6e4a156a5c091ba02efde18c0).

Andreas

On 07/26/2014 06:36 PM, Adam Zimmerman wrote:

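A small model of the two rules in Andreas's reply, added here as an example; it is not code from BIND, engine_pkcs11 or OpenSC. The first rule is taken from the post: dnssec-keyfromlabel prefixes the label with the engine name unless the label already contains a colon. The second is an assumption based only on the report that `0:<id>` works: the engine is modelled as accepting nothing but a strict `slot:id` label (decimal slot, colon, even-length hex key id). The key id is the one shown in the thread.

```python
import re
from typing import NamedTuple, Optional, Tuple

# Key id of the RSA key pair generated on the card earlier in the thread.
KEY_ID = "cd1314e84c82cbc6e4a156a5c091ba02efde18c0"

HEX_ID = re.compile(r"^[0-9a-fA-F]+$")


def effective_label(engine: Optional[str], label: str) -> str:
    """What dnssec-keyfromlabel hands to the engine for `-E engine -l label`.

    Rule from the thread: the engine name is prefixed unless the label
    already contains a colon.
    """
    if engine and ":" not in label:
        return f"{engine}:{label}"
    return label


class SlotId(NamedTuple):
    slot: int
    key_id: bytes


def parse_slot_id(label: str) -> SlotId:
    """Strict `slot:id` parser: decimal slot, colon, even-length hex key id.

    Assumption: this is the only form the engine accepts; anything else
    raises ValueError with the reason.
    """
    slot_str, sep, id_str = label.partition(":")
    if not sep:
        raise ValueError(f"{label!r} has no colon, so it is not slot:id")
    if not slot_str.isdigit():
        raise ValueError(f"slot {slot_str!r} is not a decimal slot number")
    if not HEX_ID.match(id_str) or len(id_str) % 2:
        raise ValueError(f"key id {id_str!r} is not an even-length hex string")
    return SlotId(int(slot_str), bytes.fromhex(id_str))


def check_label(engine: Optional[str], label: str) -> Tuple[str, Optional[str]]:
    """Return (label as the engine sees it, error message or None)."""
    seen = effective_label(engine, label)
    try:
        parse_slot_id(seen)
    except ValueError as exc:
        return seen, str(exc)
    return seen, None


if __name__ == "__main__":
    # The three labels tried in the thread, in the order they were tried.
    for label in (f"id_{KEY_ID}", f"0:{KEY_ID}", f"1:{KEY_ID}"):
        seen, err = check_label("pkcs11", label)
        print(f"-l {label}\n   engine sees {seen!r}: {err or 'ok'}")
```

Running it shows why the first attempt could never reach the card: `id_cd13...` becomes `pkcs11:id_cd13...`, whose "slot" is the word `pkcs11`, while `0:cd13...` and `1:cd13...` pass through untouched. Passing this check is necessary but not sufficient; later in the thread Adam reports the same "crypto failure" with both slot numbers, so once the label is in slot:id form the failure has to be looked for elsewhere.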

Re: "fatal: could not initialize dst: crypto failure" when trying to use dnssec with Aventra card

Adam Zimmerman
Hi Andreas,

openssl does work directly, after I make the change you mentioned in
your other email (putting the slot number in), as well as setting up a
template in my openssl.conf file. However, dnssec-keyfromlabel still
doesn't work.

Interestingly, dnssec-keyfromlabel fails in the same way regardless of
whether the slot is correct. Specifying both slot 0 (incorrect) and slot
1 (correct) gives the same error message, possibly suggesting that this
is happening before it tries to access the key stored on the card.

Anything else I should try? Or does this suggest it might be an issue
with the dnssec tools?

- Adam


adam@midnight(1)% OPENSSL_CONF=/home/adam/openssl.conf
dnssec-keyfromlabel -E pkcs11 -l
"1:cd1314e84c82cbc6e4a156a5c091ba02efde18c0" -3 -a RSASHA256 -n ZONE -f
KSK -K keys -R +2y digitalpirate.ca
initializing engine
GOST engine already loaded
dnssec-keyfromlabel: fatal: could not initialize dst: crypto failure



adam@midnight% OPENSSL_CONF=/home/adam/openssl.conf openssl req -engine
pkcs11 -new -key 1:cd1314e84c82cbc6e4a156a5c091ba02efde18c0 -keyform engine
initializing engine
engine "pkcs11" set.
Looking in slot 1 for key: cd1314e84c82cbc6e4a156a5c091ba02efde18c0
Found 2 slots
[18446744073709551615] Virtual hotplug slot       no tok
[1] Lenovo Integrated Smart C  login             (MyEID (User PIN))
Found slot:  Lenovo Integrated Smart Card Reader 00 00
Found token: MyEID (User PIN)
Found 0 certificate:
PKCS#11 token PIN:
Found 1 key:
   1 P  Private Key
You are about to be asked to enter information that will be incorporated
into your certificate request.

... from here on it's just a normal run of setting up a certificate request.


On 14-07-28 02:02 AM, Andreas Schwier wrote:


Re: "fatal: could not initialize dst: crypto failure" when trying to use dnssec with Aventra card

Petr Pisar
On Mon, Jul 28, 2014 at 08:06:37AM -0700, Adam Zimmerman wrote:

Does the dnssec-keyfromlabel honor the OPENSSL_CONF environment variable? If
I recall correctly, this is not handled by the OpenSSL library itself but each
application is expected to pass the value into OPENSSL_config().

-- Petr

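Petr's question is whether the tool loads the config file at all. Before chasing that, it helps to confirm the file itself resolves the way OPENSSL_config() walks it: the default section's `openssl_conf` key names a section, that section's `engines` key names another, and each entry there names the section holding one engine's settings. The script below does that walk; it is an added example, not OpenSSL's, BIND's or OpenSC's code. It parses only the INI subset used in the openssl.conf posted earlier in the thread (a copy of which is embedded as the sample input), and the optional path check simply tests that `dynamic_path` and `MODULE_PATH` exist on the machine it runs on.

```python
import os
from typing import Dict, List, Tuple

Config = Dict[str, Dict[str, str]]

# Copy of the openssl.conf posted earlier in the thread (constructed input).
SAMPLE_CONF = """\
openssl_conf = openssl_def

[openssl_def]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib/engines/engine_pkcs11.so
MODULE_PATH = /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
VERBOSE = EMPTY
init = 0

[req]
distinguished_name = req_distinguished_name

[req_distinguished_name]
"""


def parse_openssl_conf(text: str) -> Config:
    """Parse the INI-like subset used here: [section] headers, key = value, # comments.

    Lines before the first header go into the "default" section, which is
    where OPENSSL_config() looks for the openssl_conf key.
    """
    sections: Config = {"default": {}}
    current = "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"cannot parse config line: {raw!r}")
        sections[current][key.strip()] = value.strip()
    return sections


def resolve_engines(cfg: Config, check_paths: bool = False) -> Tuple[Config, List[str]]:
    """Follow openssl_conf -> engines -> per-engine section and list problems.

    Returns the settings each engine section would apply and the problems
    found.  With check_paths=True, dynamic_path and MODULE_PATH must exist
    on this machine (only meaningful on the host where the engine is used).
    """
    problems: List[str] = []
    top = cfg["default"].get("openssl_conf")
    if top not in cfg:
        return {}, [f"openssl_conf must name an existing section, got {top!r}"]
    eng_sec = cfg[top].get("engines")
    if eng_sec not in cfg:
        return {}, [f"[{top}] needs an 'engines' entry naming a section, got {eng_sec!r}"]
    engines: Config = {}
    for name, sec in cfg[eng_sec].items():
        settings = cfg.get(sec)
        if settings is None:
            problems.append(f"engine {name}: section [{sec}] is missing")
            continue
        # dynamic_path loads the engine .so; MODULE_PATH is engine_pkcs11's
        # own setting pointing at the PKCS#11 module (OpenSC here).
        for key in ("dynamic_path", "MODULE_PATH"):
            if key not in settings:
                problems.append(f"engine {name}: {key} is not set")
            elif check_paths and not os.path.exists(settings[key]):
                problems.append(f"engine {name}: {key} {settings[key]!r} does not exist")
        engines[name] = settings
    return engines, problems


if __name__ == "__main__":
    engines, problems = resolve_engines(parse_openssl_conf(SAMPLE_CONF), check_paths=True)
    for name, settings in engines.items():
        print(f"engine {name}: dynamic_path={settings.get('dynamic_path')} "
              f"MODULE_PATH={settings.get('MODULE_PATH')}")
    for p in problems:
        print("problem:", p)
```

If this resolves cleanly and `openssl req -engine pkcs11` works with the same OPENSSL_CONF, as Adam's run above shows, the OpenSSL binary is loading the file and the engine. A quicker version of the same check from the shell is `OPENSSL_CONF=/home/adam/openssl.conf openssl engine -t pkcs11`. What remains open is then exactly Petr's point: whether dnssec-keyfromlabel itself ever calls OPENSSL_config(), since a config that openssl honors does nothing for a program that never loads it.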


Re: "fatal: could not initialize dst: crypto failure" when trying to use dnssec with Aventra card

Andreas Schwier (ML)
Hi Adam,

might as well be a problem with the card.

Maybe you can run the command with

OPENSC_DEBUG=9 ...

and see where card interaction fails (or doesn't happen at all).

Andreas

On 07/28/2014 05:06 PM, Adam Zimmerman wrote:

>>>>   relevant one when I searched)
>>>> - Is it related at all to the inability to finalize the card?
>>>> - (on the off chance this is the culprit) My PIN and PUK are identical.
>>>>   I'm assuming this isn't the issue, am I right?
>>>>
>>>> Below I've copied/pasted the commands I'm using to set up the card and
>>>> run dnssec-keyfromlabel. I've also attached the output from running
>>>> dnssec-keyfromlabel with OPENSC_DEBUG=9 set. Let me know if I can
>>>> provide any more information.
>>>>
>>>> Thanks in advance,
>>>> - Adam
>>>>
>>>>
>>>>
>>>> --------
>>>>
>>>>
>>>>
>>>> adam@midnight% pkcs15-init -E
>>>> Using reader with a card: Lenovo Integrated Smart Card Reader 00 00
>>>>
>>>> adam@midnight% pkcs15-init -C --no-so-pin --pin 1111 --puk 1111
>>>> Using reader with a card: Lenovo Integrated Smart Card Reader 00 00
>>>>
>>>> adam@midnight% pkcs15-init -P -a 1 -l "User PIN"
>>>> Using reader with a card: Lenovo Integrated Smart Card Reader 00 00
>>>> New User PIN.
>>>> Please enter User PIN:
>>>> Please type again to verify:
>>>> Unblock Code for New User PIN (Optional - press return for no PIN).
>>>> Please enter User unblocking PIN (PUK):
>>>> Please type again to verify:
>>>>
>>>> adam@midnight% pkcs15-init -G rsa/2048 -a 1 -u sign
>>>> Using reader with a card: Lenovo Integrated Smart Card Reader 00 00
>>>> User PIN [User PIN] required.
>>>> Please enter User PIN [User PIN]:
>>>>
>>>> adam@midnight% pkcs15-init -F
>>>> Using reader with a card: Lenovo Integrated Smart Card Reader 00 00
>>>> Failed to delete object(s): Not allowed
>>>>
>>>> adam@midnight(1)% pkcs11-tool --module
>>>> /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so -O
>>>> Using slot 1 with a present token (0x1)
>>>> Public Key Object; RSA 2048 bits
>>>>   label:      Private Key
>>>>   ID:         cd1314e84c82cbc6e4a156a5c091ba02efde18c0
>>>>   Usage:      verify
>>>>
>>>> adam@midnight% OPENSSL_CONF=/home/adam/openssl.conf dnssec-keyfromlabel
>>>> -E pkcs11 -l "id_cd1314e84c82cbc6e4a156a5c091ba02efde18c0" -3 -a
>>>> RSASHA256 -n ZONE -f KSK -K keys -R +2y digitalpirate.ca
>>>> initializing engine
>>>> GOST engine already loaded
>>>> dnssec-keyfromlabel: fatal: could not initialize dst: crypto failure
>>>>
>>>> adam@midnight(1)% cat /home/adam/openssl.conf
>>>> openssl_conf = openssl_def
>>>>
>>>> [openssl_def]
>>>> engines = engine_section
>>>>
>>>> [engine_section]
>>>> pkcs11 = pkcs11_section
>>>>
>>>> [pkcs11_section]
>>>> engine_id = pkcs11
>>>> dynamic_path = /usr/lib/engines/engine_pkcs11.so
>>>> MODULE_PATH = /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
>>>> VERBOSE = EMPTY
>>>> init = 0
>>>>
>>>> [req]
>>>> distinguished_name = req_distinguished_name
>>>>
>>>> [req_distinguished_name]
>>>>
>>>>

Re: "fatal: could not initialize dst: crypto failure" when trying to use dnssec with Aventra card

Andreas Schwier (ML)
In reply to this post by Adam Zimmerman
You could also use pkcs11-spy to see what is happening at the interface
between engine-pkcs11.so and opensc-pkcs11.so

Andreas
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel
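As an added example (not from the thread, and not OpenSC's or BIND's own code), here are Andreas's two debugging suggestions, OPENSC_DEBUG=9 and pkcs11-spy, wrapped in one small POSIX shell script. It assumes Ubuntu 14.04 amd64 paths: the engine and OpenSC module paths come from Adam's openssl.conf, the location of pkcs11-spy.so is a guess to be checked with `dpkg -L opensc-pkcs11`, and the environment variable names PKCS11SPY (the real module the spy forwards to) and PKCS11SPY_OUTPUT (the log file) are OpenSC's spy interface. The two log helpers assume the spy's "N: C_Function" / "Returned:  code CKR_..." line shape; confirm that against a real log before relying on them. The point of putting the spy in front of opensc-pkcs11.so is to answer Adam's question directly: if the log stays empty, dnssec-keyfromlabel fails before engine_pkcs11 ever calls C_Initialize, which would fit his observation that slot 0 and slot 1 fail identically.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenSC): run a command that
# uses engine_pkcs11 with OpenSC's pkcs11-spy module in front of the real
# opensc-pkcs11 module, plus OPENSC_DEBUG=9, and summarise the spy log.
set -eu

# Paths: the first two are from Adam's openssl.conf (Ubuntu 14.04, amd64);
# the spy module path is an assumption, check `dpkg -L opensc-pkcs11`.
ENGINE_SO="${ENGINE_SO:-/usr/lib/engines/engine_pkcs11.so}"
REAL_MODULE="${REAL_MODULE:-/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so}"
SPY_MODULE="${SPY_MODULE:-/usr/lib/x86_64-linux-gnu/pkcs11-spy.so}"
SPY_LOG="${SPY_LOG:-${TMPDIR:-/tmp}/pkcs11-spy.log}"

# Write an openssl.conf identical to Adam's except that MODULE_PATH points
# at the spy; the spy forwards every call to the module named in PKCS11SPY
# and logs it to PKCS11SPY_OUTPUT. Prints the path of the file written.
make_spy_conf() {
    out="$1"
    cat > "$out" <<EOF
openssl_conf = openssl_def

[openssl_def]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = $ENGINE_SO
MODULE_PATH = $SPY_MODULE
VERBOSE = EMPTY
init = 0

[req]
distinguished_name = req_distinguished_name

[req_distinguished_name]
EOF
    printf '%s\n' "$out"
}

# Run "$@" (e.g. dnssec-keyfromlabel ...) with the spy in the chain and
# OpenSC's own debug output at maximum verbosity on stderr.
run_spied() {
    conf=$(make_spy_conf "${TMPDIR:-/tmp}/openssl-spy.conf")
    : > "$SPY_LOG"
    OPENSSL_CONF="$conf" PKCS11SPY="$REAL_MODULE" PKCS11SPY_OUTPUT="$SPY_LOG" \
        OPENSC_DEBUG=9 "$@"
}

# Number of PKCS#11 calls the spy logged. Assumes the spy's "N: C_Function"
# call lines; zero calls means the engine never reached the module.
spy_call_count() {
    grep -c '^[0-9][0-9]*: C_' "$1" || true
}

# Distinct calls that returned something other than CKR_OK, printed as
# "C_Function -> CKR_xxx". Assumes the spy's "Returned:  <code> <name>" lines.
spy_failed_calls() {
    awk '/^[0-9]+: C_/ { fn = $2 }
         /^Returned:/ && $2 != 0 { print fn " -> " $3 }' "$1" | sort -u
}

# Usage, with the card in the reader (Adam's command, wrapped):
#   sh spy-dnssec.sh run dnssec-keyfromlabel -E pkcs11 \
#       -l "1:cd1314e84c82cbc6e4a156a5c091ba02efde18c0" -3 -a RSASHA256 \
#       -n ZONE -f KSK -K keys -R +2y digitalpirate.ca
if [ "${1:-}" = "run" ]; then
    shift
    run_spied "$@" || echo "command failed with status $?" >&2
    echo "PKCS#11 calls logged: $(spy_call_count "$SPY_LOG")"
    echo "calls that did not return CKR_OK:"
    spy_failed_calls "$SPY_LOG"
fi
```

The same wrapper works for the `openssl req -engine pkcs11 ...` invocation that does succeed, so the two spy logs can be diffed call by call to see where dnssec-keyfromlabel diverges from openssl before the PIN prompt.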

Re: "fatal: could not initialize dst: crypto failure" when trying to use dnssec with Aventra card

Adam Zimmerman
In reply to this post by Petr Pisar
On 14-07-28 08:20 AM, Petr Pisar wrote:
> On Mon, Jul 28, 2014 at 08:06:37AM -0700, Adam Zimmerman wrote:
> Does dnssec-keyfromlabel honor the OPENSSL_CONF environment variable? If
> I recall correctly, this is not handled by the OpenSSL library itself, but each
> application is expected to pass the value into OPENSSL_config().

Yes, it does honour the variable. The program doesn't work at all
without specifying it ("dnssec-keyfromlabel: fatal: could not initialize
dst: no engine").

- Adam
