Dynamic engine / smart card support for CSR generation


Dynamic engine / smart card support for CSR generation

Robinson, Richard L (Rick)
All -

I am working to integrate a smart card as part of a certificate request
on Linux with OpenSSL but I am having a hard time using a script file to
keep the engine loaded AND use it for a certificate request.

Interactively with OpenSSL everything works fine.  I can load the engine
with one command (engine) and submit the request with another openssl
command (req)... But both of these commands must be performed without
exiting the openssl prompt.

However, from a script file perspective, I am not able to figure out how to
get the "openssl req -engine" command to remember or reload the dynamic
engine.  Any help would be appreciated.

Specific Details:
I can issue this command which dynamically loads the engine:

openssl engine dynamic -vvv \
    -pre SO_PATH:/usr/lib/opensc/engine_pkcs11.so \
    -pre ID:pkcs11 -pre LIST_ADD:1 -pre NO_VCHECK:1 -pre LOAD

And it works great.

But if I follow that command with this separate openssl command (from
the linux prompt):

openssl req -config cert.cnf -engine pkcs11 -newkey rsa:1024 -sha1 -key
id_45 -keyform engine -text -out csr.pem

I get errors indicating the engine (pkcs11) is not known.  This sort of
makes sense if the engine was discarded once the previous command was
exited.  I have tried various engine IDs but have had no luck.

So... I am open to ideas.  How can I keep the engine loaded?  How can I
find out what "engine IDs" are valid for the "openssl req -engine
engine_id" command?  How can I make the pkcs11 engine "static?"

Any suggestions or advice would be appreciated.  It seems as though I
am very close.


Thanks,
Rick

[hidden email]

 


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: Dynamic engine / smart card support for CSR generation

Erwann ABALEA-2
Hello,

Today, the day after the Nones of July 2005 (8 July 2005), Robinson, Richard L (Rick) wrote:
> I get errors indicating the engine (pkcs11) is not known.  This sort of
> makes sense if the engine was discarded once the previous command was
> exited.  I have tried various engine IDs but have had no luck.

Use the autoconfig feature of OpenSSL. Update your openssl.cnf file,
by adding this:

-----
openssl_conf = openssl_init

[openssl_init]
oid_section = new_oids
engine = engine_section

[ engine_section ]
dynamic = dynamic_section

[ dynamic_section ]
engine_id = dynamic
SO_PATH = /usr/lib/opensc/engine_pkcs11.so
ID = pkcs11
LIST_ADD = 1
NO_VCHECK = 1
LOAD = EMPTY
-----

adjust the commands to your specific case, then set the environment
variable OPENSSL_CONF to point to this openssl.cnf file, and you'll be
able to use 'openssl req' as usual.

I don't know how the change of ENGINE id will perform with the rest,
but you should now go a little farther.

--
Erwann ABALEA <[hidden email]>

RE: Dynamic engine / smart card support for CSR generation

Robinson, Richard L (Rick)
I am still running into a few problems and am hoping for a little more
debugging assistance.

I created these entries in my configuration file (certsc.cnf):

----
engine = engine_section

[ engine_section ]
smartcard = smartcard_engine

[ smartcard_engine ]
engine_id = smartcard
SO_PATH = /usr/lib/opensc/engine_pkcs11.so
MODULE_PATH = /usr/lib/pkcs11/opensc-pkcs11.so
ID = smartcard
LIST_ADD = 1
NO_VCHECK = 1
LOAD = EMPTY
----

And then I made the following OpenSSL call...

---
# -new: build the request around the key that already lives on the card.
# As originally written the line was "-newkey rsa:1024" (which asks req to
# generate a fresh software key) with no trailing backslash, followed by a
# commented-out "-new" line in the middle of the continued arguments; a
# comment line there ends the command early, so it is moved above.
openssl req \
        -config "$ConfigFile" \
        -engine smartcard \
        -new \
        -sha1 \
        -key id_45 \
        -keyform engine \
        -text \
        -out certsc.csr
---

But I received these error messages...

----
invalid engine "smartcard"
6779:error:2606A074:engine routines:ENGINE_by_id:no such
engine:eng_list.c:379:id=smartcard
6779:error:25066067:DSO support routines:DLFCN_LOAD:could not load the
shared library:dso_dlfcn.c:153:filename(libsmartcard.so):
libsmartcard.so: cannot open shared object file: No such file or
directory
6779:error:25070067:DSO support routines:DSO_load:could not load the
shared library:dso_lib.c:244:
6779:error:260B6084:engine routines:DYNAMIC_LOAD:dso not
found:eng_dyn.c:365:
----

It seems as if the engine 'smartcard' is not recognized.

Any suggestions would be greatly appreciated.


Regards,
Rick


Re: Dynamic engine / smart card support for CSR generation

Nils Larsch
Robinson, Richard L (Rick) wrote:

> I am still running into a few problems and am hoping for a little more
> debugging assistance.
>
> I created these entries in my configuration file (certsc.cnf):
>
> ----
> engine = engine_section
>
> [ engine_section ]
> smartcard = smartcard_engine
>
> [ smartcard_engine ]
> engine_id = smartcard
> SO_PATH = /usr/lib/opensc/engine_pkcs11.so
> MODULE_PATH = /usr/lib/pkcs11/opensc-pkcs11.so
> ID = smartcard
> LIST_ADD = 1
> NO_VCHECK = 1
> LOAD = EMPTY
> ----

as Erwann Abalea already told you, you need something like:

openssl_conf = openssl_init

[openssl_init]
engines = engine_section
...

in your conf (btw: it should be "engines" and not "engine"). The
"openssl_conf" and "engines" entries are mandatory; without them
openssl won't find/parse the engine section.

Nils

RE: Dynamic engine / smart card support for CSR generation

Robinson, Richard L (Rick)
I truly appreciate the help.

I reviewed the certsc.cnf file and made sure I exactly duplicated the
recommended additions including using "engines" instead of "engine."

But I am still having a few problems...

Here is what I have in my config file (certsc.cnf):

---

openssl_conf = openssl_init

[openssl_init]
oid_section = new_oids
engines = engine_section

[ engine_section ]
dynamic = dynamic_section

[ dynamic_section ]
engine_id = dynamic
SO_PATH = /usr/lib/opensc/engine_pkcs11.so
ID = pkcs11
LIST_ADD = 1
NO_VCHECK = 1
LOAD = EMPTY

---

The error codes have changed.  I am pretty sure this is a parsing
problem.  But I am not sure where to go next.  Here are the errors I am
now getting.

---

Using configuration from certsc.cnf
Error configuring OpenSSL
7683:error:0E07406D:configuration file routines:CONF_modules_load:module
initialization error:conf_mod.c:234:module=engines,
value=engine_section, retcode=-1

---

Any further recommendations?  Is there a tool that will verbosely parse
the config file and provide some more detail on the meaning of the
return code (-1)?  Or any other tools you recommend?

If it makes any difference, I am using 0.9.7g

Regards,
Rick

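Added example (not code from the posts above or from the OpenSSL project): a small Python checker for the engine-autoconfig chain this thread is debugging. It follows openssl_conf -> engines -> engine section the way the config module does and flags the mistakes visible above: no top-level openssl_conf, "engine" where the module is called "engines", and a made-up engine_id such as "smartcard" that ENGINE_by_id cannot resolve (the second post's errors show OpenSSL falling back to a non-existent libsmartcard.so). It also checks one documented pitfall the thread never reaches: the controls in an engine section are executed in the order written, so the dynamic engine's own SO_PATH/ID/LIST_ADD/NO_VCHECK must come before LOAD, and engine_pkcs11's MODULE_PATH only makes sense after it. The corrected sample GOOD_CNF reuses the thread's paths; the section names (pkcs11_section and so on) are my choice, and it deliberately leaves out NO_VCHECK, which only suppresses the version check between the engine .so and libcrypto rather than fixing a mismatch. The checker does not diagnose the retcode=-1 in the last post: that value is just the engines module's failure return and does not identify the offending line, which is why a static check before running openssl is useful.

```python
"""Static check of an openssl.cnf engine-autoconfig chain.

Added example for this thread, not code from the posts or from OpenSSL. It follows
openssl_conf -> [init section] -> engines -> [engine list] -> [engine section] the
way OpenSSL's config module does and reports the mistakes the thread turns on.
"""
import re

# Controls the built-in 'dynamic' engine handles itself; everything after LOAD goes
# to the engine that LOAD brought in (engine_pkcs11 here), so these must precede it.
DYNAMIC_CTRLS = {"SO_PATH", "ID", "LIST_ADD", "NO_VCHECK", "DIR_LOAD", "DIR_ADD", "LOAD"}
RESERVED_KEYS = {"engine_id", "dynamic_path", "soft_load", "default", "init"}  # not controls


def parse_cnf(text: str) -> dict:
    """Minimal openssl.cnf reader: '#' comments, [ section ] headers, key = value."""
    cfg = {"default": []}   # OpenSSL calls the unnamed leading section 'default'
    current = "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[\s*([^\]\s]+)\s*\]", line)
        if header:
            current = header.group(1)
            cfg.setdefault(current, [])
            continue
        if "=" not in line:
            raise ValueError(f"unparseable config line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        cfg[current].append((key, value))   # order is kept: it matters for controls
    return cfg


def get(section, key):
    """First value stored under key in an ordered section, or None."""
    return next((v for k, v in section if k == key), None)


def lint_engines(cfg) -> list:
    """Return the problems found; an empty list means the chain is well-formed."""
    init_name = get(cfg["default"], "openssl_conf")
    if init_name is None:
        return ["no top-level 'openssl_conf = <section>': the engine section is never read"]
    init = cfg.get(init_name, [])
    list_name = get(init, "engines")
    if list_name is None:
        hint = " ('engine =' found; the module is called 'engines')" if get(init, "engine") else ""
        return [f"[{init_name}] has no 'engines = <section>' entry{hint}"]
    problems = []
    for alias, sec_name in cfg.get(list_name, []):
        sec = cfg.get(sec_name)
        if sec is None:
            problems.append(f"engine '{alias}' refers to missing section [{sec_name}]")
        else:
            problems.extend(lint_engine_section(sec_name, get(sec, "engine_id") or alias, sec))
    return problems


def lint_engine_section(sec_name, engine_id, sec) -> list:
    """Controls run in the order written, so their position relative to LOAD matters."""
    ctrls = [k for k, _ in sec if k not in RESERVED_KEYS]
    if engine_id != "dynamic":
        # ENGINE_by_id() must already know this id; SO_PATH and friends are 'dynamic'-only.
        if DYNAMIC_CTRLS & set(ctrls) and get(sec, "dynamic_path") is None:
            return [f"[{sec_name}] engine_id = {engine_id}: not a built-in engine, yet it uses "
                    "dynamic-engine controls; use engine_id = dynamic and rename it with ID"]
        return []
    if "LOAD" not in ctrls:
        return [f"[{sec_name}] never issues LOAD, so the shared object is never loaded"]
    problems, load_at = [], ctrls.index("LOAD")
    for pos, k in enumerate(ctrls):
        if pos < load_at and k not in DYNAMIC_CTRLS:
            problems.append(f"[{sec_name}] {k} is before LOAD; only the loaded engine understands it")
        elif pos > load_at and k in DYNAMIC_CTRLS:
            problems.append(f"[{sec_name}] {k} is after LOAD; the dynamic engine has already handed over")
    return problems


# Constructed sample: the thread's configuration in corrected form (section names are mine).
GOOD_CNF = """openssl_conf = openssl_init
[ openssl_init ]
engines = engine_section
[ engine_section ]
pkcs11 = pkcs11_section
[ pkcs11_section ]
engine_id   = dynamic
SO_PATH     = /usr/lib/opensc/engine_pkcs11.so
ID          = pkcs11
LIST_ADD    = 1
LOAD        = EMPTY
MODULE_PATH = /usr/lib/pkcs11/opensc-pkcs11.so
"""

# Constructed sample shaped like the second post's certsc.cnf.
BAD_CNF = """engine = engine_section
[ engine_section ]
smartcard = smartcard_engine
[ smartcard_engine ]
engine_id   = smartcard
SO_PATH     = /usr/lib/opensc/engine_pkcs11.so
MODULE_PATH = /usr/lib/pkcs11/opensc-pkcs11.so
LOAD        = EMPTY
"""
```

To check a real file, replace the constructed strings with the file's contents and print lint_engines(parse_cnf(...)). Once it comes back empty, point OPENSSL_CONF at the file, or pass it with -config, which req also runs through the config modules (that is where the "Using configuration from certsc.cnf / Error configuring OpenSSL" lines in the last post come from), and build the request from the card-resident key with "openssl req -new -engine pkcs11 -keyform engine -key <id> ..."; every openssl process then loads the engine itself at startup, so the separate "openssl engine" step from the first post is no longer needed.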