smartcard/ pkcs11 - 'bad decrypt' error after upgrade from 0.9.8 to 1.0.1


smartcard/ pkcs11 - 'bad decrypt' error after upgrade from 0.9.8 to 1.0.1

Pawel Suwinski
Hello


After an openssl upgrade (new OS version, new machine) I get an error
decrypting S/MIME messages using an Aladdin eToken smartcard (pkcs11
engine).

On old system (Debian 6.0 Squeeze-LTS)/ machine:
#v+
[old]$ openssl version
OpenSSL 0.9.8g 19 Oct 2007 (Library: OpenSSL 0.9.8o 01 Jun 2010)

[old]$ openssl smime -decrypt -passin pass:XXXX -inform DER -in smime.p7m -engine pkcs11 -inkey id_e3c5 -keyform engine > /dev/null ; echo $?
engine "pkcs11" set.
0
#v-

Now on the new system (Debian 8.6 Jessie)/ machine I get:
#v+
[new]$ openssl version
OpenSSL 1.0.1t  3 May 2016
[new]$ openssl smime -decrypt -passin pass:XXXX -inform DER -in smime.p7m -engine pkcs11 -inkey id_e3c5 -keyform engine > /dev/null ; echo $?
engine "pkcs11" set.
Error decrypting PKCS#7 structure
3073701564:error:06065064:digital envelope
routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:516:
4
#v-

Of course the smime.p7m file and the smartcard are the same. The machines
differ, but the smartcard reader on the new machine seems to work fine; for
example I can access smartcard data:

#v+
[new]$ pkcs11-dump dump /usr/lib/libeTPkcs11.so 0 XXXX | grep -1

                        CKA_ID:
e3 c5
(...)
#v-


Config files are the same with additional pkcs11 engine section
described in libengine-pkcs11-openssl package docs:

#v+
# /etc/ssl/openssl.cnf
(...)
openssl_conf            = openssl_def

[openssl_def]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib/engines/engine_pkcs11.so
MODULE_PATH = /usr/lib/libeTPkcs11.so
init = 0
(...)
#v-


I will be grateful for any hints on why it does not work. Maybe I missed
something in the config file?


--
regards
Pawel Suwinski
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: smartcard/ pkcs11 - 'bad decrypt' error after upgrade from 0.9.8 to 1.0.1

Jan Just Keijser
Hi,

On 10/11/16 10:49, Pawel Suwinski wrote:

> Hello
>
> After an openssl upgrade (new OS version, new machine) I get an error
> decrypting S/MIME messages using an Aladdin eToken smartcard (pkcs11
> engine).
>
> (...)
>
> I will be grateful for any hints on why it does not work. Maybe I missed
> something in the config file?
>

This has little to do with openssl itself, but I am familiar with such
issues.
I'm using the same token with the same driver on CentOS 6, 7 and Fedora
20/22 without any issues. Your problem could be caused by numerous
incompatibilities:
- which version of opensc is installed
- which version of engine_pkcs11 and libp11 are installed
- which *exact* version of the eTPkcs11 driver are you using?

Keep in mind that for the latest OSes you will need the SafeNet client v9.

HTH,

JJK

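Added diagnostic checklist for this thread (example code, not from either post): it collects the version facts JJK asks for, exercises each layer of the stack on its own (engine load, token objects, the raw RSA unwrap through the engine, the message's recipient info) and decodes the packed error code from the failing run. The engine and module paths, the key id and the PIN placeholder are the ones quoted in the thread; pkcs11-tool (from opensc), dpkg and a scratch directory are assumptions. One caveat worth knowing before reading the output: since the CVE-2012-0884 (Bleichenbacher) fix in 0.9.8u / 1.0.0h, which is present in 1.0.1t but absent from the 0.9.8o library on the old box, a failed RSA key unwrap during PKCS#7/CMS decryption is deliberately not reported; OpenSSL carries on with a random content-encryption key, so an engine-level RSA failure also ends in EVP_DecryptFinal_ex: bad decrypt. That is why the rsautl round trip below is run separately from the smime command.

```shell
#!/bin/sh
# Added diagnostic checklist (not code from the thread). Values quoted from the
# thread: engine/module paths, key id, PIN placeholder. Assumed: openssl 1.0.x
# CLI, pkcs11-tool (opensc), dpkg, mktemp.
set -u

MODULE=${MODULE:-/usr/lib/libeTPkcs11.so}            # eToken PKCS#11 driver
ENGINE=${ENGINE:-/usr/lib/engines/engine_pkcs11.so}  # engine_pkcs11
KEY_ID=${KEY_ID:-id_e3c5}                            # -inkey value from the thread
CKA_ID=${CKA_ID:-e3c5}                               # same id as raw hex for pkcs11-tool
MSG=${MSG:-smime.p7m}
PIN=${PIN:-XXXX}                                     # placeholder, as in the thread

# Split an OpenSSL 1.0.x packed error code (lib<<24 | func<<12 | reason) into
# its fields; same arithmetic as ERR_GET_LIB/ERR_GET_FUNC/ERR_GET_REASON.
decode_openssl_err() {
    code=$((0x$1))
    echo "lib=$(( (code >> 24) & 0xff )) func=$(( (code >> 12) & 0xfff )) reason=$(( code & 0xfff ))"
}

# Pull the 8-hex-digit code out of a "NNN:error:XXXXXXXX:..." line (empty if none).
err_code_from_line() {
    printf '%s\n' "$1" | sed -n 's/^[0-9]*:error:\([0-9A-Fa-f]\{8\}\):.*/\1/p'
}

versions() {
    echo '== versions of every layer (what JJK asks for) =='
    openssl version
    dpkg -l opensc 'libp11*' 'libengine-pkcs11-openssl*' 2>/dev/null | awk '/^ii/ { print $2, $3 }'
    ls -l "$MODULE"    # the eToken driver is not a Debian package; record its build
}

engine_check() {
    echo '== does the engine load standalone and report RSA capability? =='
    openssl engine -t -c dynamic -pre SO_PATH:"$ENGINE" -pre ID:pkcs11 \
        -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:"$MODULE"
}

token_check() {
    echo "== does the token expose a private key with CKA_ID $CKA_ID? =="
    pkcs11-tool --module "$MODULE" --login --pin "$PIN" --list-objects --type privkey
}

# The S/MIME layer masks RSA failures (MMA defence), so exercise the unwrap on
# its own: encrypt to the token's own certificate, decrypt with the on-token key.
rsa_roundtrip() {
    echo '== raw RSA decrypt through engine_pkcs11 =='
    d=$(mktemp -d) || return 1
    pkcs11-tool --module "$MODULE" --read-object --type cert --id "$CKA_ID" -o "$d/cert.der" || return 1
    echo "probe $$" > "$d/plain"
    openssl rsautl -encrypt -certin -inkey "$d/cert.der" -keyform DER \
        -in "$d/plain" -out "$d/enc" || return 1
    openssl rsautl -decrypt -engine pkcs11 -keyform engine -inkey "$KEY_ID" \
        -passin "pass:$PIN" -in "$d/enc" -out "$d/dec" || return 1
    cmp "$d/plain" "$d/dec" && echo 'RSA round trip OK'
    rm -rf "$d"
}

message_check() {
    echo '== which recipient, key-transport and content cipher does the message use? =='
    openssl cms -inform DER -in "$MSG" -cmsout -print | sed -n '1,40p'
}

decrypt_check() {
    echo '== the failing command from the thread, with its error code decoded =='
    if out=$(openssl smime -decrypt -passin "pass:$PIN" -inform DER -in "$MSG" \
               -engine pkcs11 -inkey "$KEY_ID" -keyform engine 2>&1 >/dev/null); then
        echo 'decrypt OK'; return 0
    fi
    printf '%s\n' "$out"
    code=$(err_code_from_line "$(printf '%s\n' "$out" | grep -m1 ':error:')")
    [ -n "$code" ] && decode_openssl_err "$code" && openssl errstr "$code"
    return 1
}

case "${1:-}" in
    run) versions; engine_check; token_check; rsa_roundtrip; message_check; decrypt_check ;;
    *)   echo "usage: $0 run   (export MODULE ENGINE KEY_ID MSG PIN first if they differ)" >&2 ;;
esac
```

For the code in the thread, `decode_openssl_err 06065064` gives lib=6 func=101 reason=100, which in the 1.0.x headers are ERR_LIB_EVP, EVP_F_EVP_DECRYPTFINAL_EX and EVP_R_BAD_DECRYPT, the same thing `openssl errstr 06065064` prints: the CBC padding check on the last block failed, i.e. the content-encryption key handed to the cipher was wrong (or the ciphertext is truncated). Because of the MMA defence noted above, that single error covers both "the token returned garbage" and "the engine's RSA decrypt failed outright", so read the rsa_roundtrip result before blaming the S/MIME layer.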