Problem with engine_pkcs11 and openssl.cnf

Hello. I just can't get engine_pkcs11 working through the openssl config. It spits out a pile of errors; maybe someone can suggest something.

Software versions

[root@localhost dev]# rpm -qa | grep engine_pkcs11
engine_pkcs11-0.1.8-1.fc14.x86_64
[root@localhost dev]# rpm -qa | grep openssl
openssl-devel-1.0.0c-1.fc14.x86_64
openssl-1.0.0c-1.fc14.x86_64

OS: Fedora 14 x86_64

Checking that engine_pkcs11 can work with openssl

[midnighter@localhost ~]$ openssl
OpenSSL> engine dynamic -pre SO_PATH:/usr/lib64/openssl/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:engine_pkcs11.so
(dynamic) Dynamic engine loading support
[Success]: SO_PATH:/usr/lib64/openssl/engines/engine_pkcs11.so
[Success]: ID:pkcs11
[Success]: LIST_ADD:1
[Success]: LOAD
[Success]: MODULE_PATH:engine_pkcs11.so
Loaded: (pkcs11) pkcs11 engine
OpenSSL>

Editing the openssl config file

[root@localhost dev]# vi /etc/pki/tls/openssl.cnf

Remove everything that's in there and write:

openssl_conf = openssl_def

[openssl_def]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib64/openssl/engines/engine_pkcs11.so
MODULE_PATH = /usr/lib64/pkcs11/opensc-pkcs11.so
init = 0

[req]
distinguished_name = req_distinguished_name

[req_distinguished_name]

In response we get

[root@localhost dev]# openssl engine -v -t
(aesni) Intel AES-NI engine (no-aesni)
     [ available ]
(dynamic) Dynamic engine loading support
     [ unavailable ]
     SO_PATH, NO_VCHECK, ID, LIST_ADD, DIR_LOAD, DIR_ADD, LOAD
(pkcs11) pkcs11 engine
openssl (lock_dbg_cb): already locked (mode=9, type=30) at eng_list.c:284
Auto configuration failed
139977877768000:error:26078067:engine routines:ENGINE_LIST_ADD:conflicting engine id:eng_list.c:116:
139977877768000:error:2606906E:engine routines:ENGINE_add:internal list error:eng_list.c:288:
139977877768000:error:260B6067:engine routines:DYNAMIC_LOAD:conflicting engine id:eng_dyn.c:540:
139977877768000:error:260BC066:engine routines:INT_ENGINE_CONFIGURE:engine configuration error:eng_cnf.c:204:section=pkcs11_section, name=dynamic_path, value=/usr/lib64/openssl/engines/engine_pkcs11.so
139977877768000:error:0E07606D:configuration file routines:MODULE_RUN:module initialization error:conf_mod.c:235:module=engines, value=engine_section, retcode=-1

Someone else has the same problem

http://www.opensc-project.org/pipermail … 04330.html

I filed the problem in Bugzilla https://bugzilla.redhat.com/show_bug.cgi?id=664160 but maybe someone here has already run into it.

(2010-12-19 20:16:33 edited by MidNight^er)
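Added example (mine, not code from the thread, OpenSSL or engine_pkcs11): a small linter that reads an openssl.cnf the way OpenSSL's config module does, follows openssl_conf -> engines -> one section per engine, and reports what most often goes wrong with this setup: a dangling section reference, a missing dynamic_path or MODULE_PATH, a .so path copied from another distro that does not exist on this machine, an init value other than 0 or 1, and two sections declaring the same engine_id (ENGINE_add rejects a second engine with an id already in the list, which is the "conflicting engine id" code seen in the errors above). The config from the post above is embedded as constructed input. Two caveats: the failure in the thread happens at run time with a single, well-formed section, so a clean lint is necessary but not sufficient; and it is safer to test with OPENSSL_CONF pointing at a scratch file than to wipe /etc/pki/tls/openssl.cnf, whose [req] and [ca] defaults every other openssl invocation on the box relies on.

```python
"""Lint the ENGINE section of an OpenSSL 1.0-era openssl.cnf.

Added example for this thread; it is not OpenSSL, OpenSC or engine_pkcs11
code. It checks the section chain OpenSSL's config module follows
(openssl_conf -> engines -> one section per engine) and the keys the
thread's config uses. Variable expansion ($var) is not implemented.
"""
import os
import re
from typing import Dict, List

# Constructed input: the openssl.cnf from the first post (Fedora 14 paths).
THREAD_CNF = """\
openssl_conf = openssl_def

[openssl_def]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib64/openssl/engines/engine_pkcs11.so
MODULE_PATH = /usr/lib64/pkcs11/opensc-pkcs11.so
init = 0

[req]
distinguished_name = req_distinguished_name

[req_distinguished_name]
"""


def parse_cnf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal OpenSSL CONF reader: '[section]' headers, 'key = value' lines,
    '#' comments. Keys that appear before any header (openssl_conf does)
    land in the unnamed default section ''."""
    sections: Dict[str, Dict[str, str]] = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[\s*([^\]]+?)\s*\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
            continue
        if "=" not in line:
            raise ValueError(f"not a key = value line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        sections[current][key] = value
    return sections


def lint_engine_config(sections: Dict[str, Dict[str, str]],
                       check_files: bool = False) -> List[str]:
    """Return a list of problems (empty when the engine chain looks sane).

    With check_files=True the .so paths must exist on this machine, which is
    the first thing to verify when dynamic_path was copied from another distro
    (the thread has /usr/lib64/... on Fedora and /usr/lib/... on Ubuntu).
    """
    problems: List[str] = []
    top = sections[""].get("openssl_conf")
    if top is None:
        return ["no 'openssl_conf' key before the first section: nothing is auto-loaded"]
    if top not in sections:
        return [f"openssl_conf points at missing section [{top}]"]
    eng_sect = sections[top].get("engines")
    if eng_sect is None:
        return [f"[{top}] has no 'engines' key"]
    if eng_sect not in sections:
        return [f"engines points at missing section [{eng_sect}]"]

    seen_ids: Dict[str, str] = {}
    for name, sect in sections[eng_sect].items():
        if sect not in sections:
            problems.append(f"engine '{name}' points at missing section [{sect}]")
            continue
        s = sections[sect]
        # OpenSSL uses the key name as the engine id unless engine_id overrides it.
        engine_id = s.get("engine_id", name)
        if engine_id in seen_ids:
            problems.append(
                f"engine id '{engine_id}' declared twice ([{seen_ids[engine_id]}] and "
                f"[{sect}]); ENGINE_add refuses a second engine with the same id")
        seen_ids[engine_id] = sect
        for key, what in (("dynamic_path", "engine shared object"),
                          ("MODULE_PATH", "PKCS#11 module")):
            path = s.get(key)
            if path is None:
                problems.append(f"[{sect}] has no {key} ({what})")
            elif check_files and not os.path.isfile(path):
                problems.append(f"[{sect}] {key} = {path}: file not found")
        init = s.get("init")
        if init is not None and init not in ("0", "1"):
            problems.append(f"[{sect}] init must be 0 or 1, got {init!r}")
    return problems


if __name__ == "__main__":
    cfg = parse_cnf(THREAD_CNF)
    for p in lint_engine_config(cfg, check_files=True) or ["engine config chain OK"]:
        print(p)
```

`init = 0` tells OpenSSL to load the engine without calling ENGINE_init while the config is processed, so a wrong MODULE_PATH only shows up the first time a key operation touches the token; running the lint with check_files=True surfaces it before that.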

Re: Problem with engine_pkcs11 and openssl.cnf

Following the link I found a discussion of a similar problem and what looks like a partial solution for it. But so far I can't figure out whether it's my case.
http://www.opensc-project.org/pipermail … 13953.html The patch suggested there didn't save me.

Re: Problem with engine_pkcs11 and openssl.cnf

root@Serverstation:/etc/ssl# cat openssl.cnf
openssl_conf = openssl_def

[openssl_def]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib/engines/engine_pkcs11.so
MODULE_PATH = /usr/lib/opensc-pkcs11.so
init = 0

root@Serverstation:/etc/ssl# uname -a
Linux Serverstation 2.6.35.10-greyplace #1 SMP Sat Jan 29 04:12:07 MSK 2011 x86_64 GNU/Linux

Ubuntu 10.10 x64

root@Serverstation:/etc/ssl# openssl engine -v -t
(aesni) Intel AES-NI engine (no-aesni)
     [ available ]
(dynamic) Dynamic engine loading support
     [ unavailable ]
     SO_PATH, NO_VCHECK, ID, LIST_ADD, DIR_LOAD, DIR_ADD, LOAD
(pkcs11) pkcs11 engine
<hangs>
^C

Re: Problem with engine_pkcs11 and openssl.cnf

pkcs11-tool -L
pkcs11-tool -I
pkcs11-tool -T

also hang dead until ^C

Put the PIN into the OpenSSL config - no result

root@Serverstation:/etc/ssl# openssl version
OpenSSL 1.1.0-dev xx XXX xxxx

it's the latest from CVS

The libraries too; everything built fine, and OpenCT handles everything nicely:

root@Serverstation:/etc/ssl# opensc-tool --serial -Dl
# Detected readers (pcsc)
Nr.  Card  Features  Name
0    Yes             Aktiv Rutoken ECP 00 00
Configured card drivers:
  cardos           Siemens CardOS
  flex             Schlumberger Multiflex/Cryptoflex
  cyberflex        Schlumberger Cyberflex
  gpk              Gemplus GPK
  gemsafeV1        driver for the Gemplus GemSAFE V1 applet
  miocos           MioCOS 1.1
  mcrd             MICARDO 2.1 / EstEID 1.0 - 3.0
  asepcos          Athena ASEPCOS
  starcos          STARCOS SPK 2.3/2.4
  tcos             TCOS 3.0
  openpgp          OpenPGP card
  jcop             JCOP cards with BlueZ PKCS#15 applet
  oberthur         Oberthur AuthentIC.v2/CosmopolIC.v4
  belpic           Belpic cards
  ias              IAS
  incrypto34       Incard Incripto34
  acos5            ACS ACOS5 card
  akis             TUBITAK UEKAE AKIS
  entersafe        entersafe
  rutoken          Rutoken driver
  rutoken_ecp      Rutoken ECP driver
  westcos          WESTCOS compatible cards
  myeid            MyEID cards with PKCS#15 applet
  setcos           Setec cards
  muscle           MuscleApplet
  atrust-acos      A-Trust ACOS cards
  piv              PIV-II  for multiple cards
  itacns           Italian CNS
  javacard         JavaCard (without supported applet)
  default          Default driver for unknown cards
Using reader with a card: Aktiv Rutoken ECP 00 00
00 00 00 00 2A 31 78 55 ....*1xU

Re: Problem with engine_pkcs11 and openssl.cnf

If I pull the token out, here is what the commands output:

root@Serverstation:/home/epodbot/openct-0.6.20# pkcs11-tool -L
Available slots:
Slot 0 (0xffffffffffffffff): Virtual hotplug slot
  (empty)
root@Serverstation:/home/epodbot/openct-0.6.20# pkcs11-tool -I
Cryptoki version 2.20
Manufacturer     OpenSC (www.opensc-project.org)
Library          Smart card PKCS#11 API (ver 0.0)
No slot with a token was found.
root@Serverstation:/home/epodbot/openct-0.6.20# pkcs11-tool -T
Available slots:
No slots.

Re: Problem with engine_pkcs11 and openssl.cnf

MidNight^er writes:

Following the link I found a discussion of a similar problem and what looks like a partial solution for it. But so far I can't figure out whether it's my case.
http://www.opensc-project.org/pipermail … 13953.html The patch suggested there didn't save me.

That patch is no longer relevant - the code has changed.

Re: Problem with engine_pkcs11 and openssl.cnf

#pcscd -df


19856305 hotplug_libusb.c:503:HPAddHotPluggable() Adding USB device: 3:44:0
00000034 readerfactory.c:934:RFInitializeReader() Attempting startup of Aktiv Rutoken ECP 00 00 using /usr/lib64/pcsc/drivers/ifd-ccid.bundle/Contents/Linux/libccid.so
00019344 readerfactory.c:824:RFBindFunctions() Loading IFD Handler 3.0
00000049 ifdhandler.c:1732:init_driver() Driver version: 1.4.3
00001011 ifdhandler.c:1750:init_driver() LogLevel: 0x0003
00000014 ifdhandler.c:1771:init_driver() DriverOptions: 0x0000
00000121 ifdhandler.c:79:IFDHCreateChannelByName() lun: 0, device: usb:0a89/0030:libusb-1.0:3:44:0
00000931 ccid_usb.c:245:OpenUSBByName() ifdManufacturerString: Ludovic Rousseau (ludovic.rousseau@free.fr)
00000012 ccid_usb.c:246:OpenUSBByName() ifdProductString: Generic CCID driver
00000008 ccid_usb.c:247:OpenUSBByName() Copyright: This driver is protected by terms of the GNU Lesser General Public License version 2.1, or (at your option) any later version.
00020999 ccid_usb.c:486:OpenUSBByName() Found Vendor/Product: 0A89/0030 (Aktiv Rutoken ECP)
00000015 ccid_usb.c:488:OpenUSBByName() Using USB bus/device: 3/44
00000312 ccid_usb.c:918:get_data_rates() IFD does not support GET_DATA_RATES request: -9
00004047 ifdhandler.c:401:IFDHGetCapabilities() tag: 0xFB3, usb:0a89/0030:libusb-1.0:3:44:0 (lun: 0)
00000024 readerfactory.c:290:RFAddReader() Using the pcscd polling thread
00003997 ifdhandler.c:401:IFDHGetCapabilities() tag: 0xFAE, usb:0a89/0030:libusb-1.0:3:44:0 (lun: 0)
00000023 ifdhandler.c:489:IFDHGetCapabilities() Reader supports 1 slot(s)
00007904 ifdhandler.c:1151:IFDHPowerICC() action: PowerUp, usb:0a89/0030:libusb-1.0:3:44:0 (lun: 0)
00004011 eventhandler.c:256:EHStatusHandlerThread() powerState: POWER_STATE_POWERED
00000016 Card ATR: 3B 8B 01 52 75 74 6F 6B 65 6E 20 44 53 20 C1
00406967 ifdhandler.c:1151:IFDHPowerICC() action: PowerDown, usb:0a89/0030:libusb-1.0:3:44:0 (lun: 0)
00003997 eventhandler.c:446:EHStatusHandlerThread() powerState: POWER_STATE_UNPOWERED

It sees the token, which is already good. Continuing:

# opensc-explorer -vv
OpenSC Explorer version 0.12.1-svn
0x7fc4a27fc700 02:43:22.719 [opensc-explorer] sc.c:185:sc_detect_card_presence: called
0x7fc4a27fc700 02:43:22.719 [opensc-explorer] reader-pcsc.c:366:pcsc_detect_card_presence: returning with: 1
Using reader with a card: Aktiv Rutoken ECP 00 00
0x7fc4a27fc700 02:43:22.719 [opensc-explorer] sc.c:185:sc_detect_card_presence: called
0x7fc4a27fc700 02:43:22.719 [opensc-explorer] reader-pcsc.c:366:pcsc_detect_card_presence: returning with: 1
0x7fc4a27fc700 02:43:22.719 [opensc-explorer] card.c:115:sc_connect_card: called
0x7fc4a27fc700 02:43:22.719 [opensc-explorer] card-rtecp.c:91:rtecp_init: returning with: 0 (Success)
0x7fc4a27fc700 02:43:22.719 [opensc-explorer] apdu.c:524:sc_transmit_apdu: called
0x7fc4a27fc700 02:43:22.723 [opensc-explorer] iso7816.c:478:iso7816_select_file: returning with: -1201 (File not found)
0x7fc4a27fc700 02:43:22.723 [opensc-explorer] card-rtecp.c:268:rtecp_select_file: returning with: -1201 (File not found)
unable to select MF: File not found


daemon output:

95580956 winscard_msg_srv.c:202:ProcessEventsServer() Common channel packet arrival
00000027 winscard_msg_srv.c:214:ProcessEventsServer() ProcessCommonChannelRequest detects: 13
00000008 pcscdaemon.c:91:SVCServiceRunLoop() A new context thread creation is requested: 13
00000099 winscard_svc.c:297:ContextThread() Thread is started: dwClientID=13, threadContext @13FB280
00000093 winscard_svc.c:315:ContextThread() Received command: CMD_VERSION from client 13
00000015 winscard_svc.c:327:ContextThread() Client is protocol version 4:2
00000008 winscard_svc.c:347:ContextThread() CMD_VERSION rv=0x0 for client 13
00000044 winscard_svc.c:315:ContextThread() Received command: ESTABLISH_CONTEXT from client 13
00000017 winscard.c:193:SCardEstablishContext() Establishing Context: 0x1034989
00000007 winscard_svc.c:406:ContextThread() ESTABLISH_CONTEXT rv=0x0 for client 13
00000041 winscard_svc.c:315:ContextThread() Received command: CMD_GET_READERS_STATE from client 13
00000033 winscard_svc.c:315:ContextThread() Received command: CMD_GET_READERS_STATE from client 13
00000101 winscard_svc.c:315:ContextThread() Received command: CMD_GET_READERS_STATE from client 13
00000173 winscard_svc.c:315:ContextThread() Received command: CONNECT from client 13
00000013 winscard.c:235:SCardConnect() Attempting Connect to Aktiv Rutoken ECP 00 00 using protocol: 3
00002221 ifdhandler.c:1151:IFDHPowerICC() action: PowerUp, usb:0a89/0030:libusb-1.0:3:44:0 (lun: 0)
00003991 winscard.c:309:SCardConnect() power up complete.
00000025 Card ATR: 3B 8B 01 52 75 74 6F 6B 65 6E 20 44 53 20 C1
00000008 winscard.c:328:SCardConnect() powerState: POWER_STATE_INUSE
00000015 prothandler.c:127:PHSetProtocol() Attempting PTS to T=1
00000015 ifdhandler.c:700:IFDHSetProtocolParameters() protocol T=1, usb:0a89/0030:libusb-1.0:3:44:0 (lun: 0)
00000009 winscard.c:406:SCardConnect() Active Protocol: T=1
00000009 winscard.c:426:SCardConnect() hCard Identity: 177cb
00000012 winscard_svc.c:447:ContextThread() CONNECT rv=0x0 for client 13
00000244 winscard_svc.c:315:ContextThread() Received command: CONTROL from client 13
00000021 ifdhandler.c:1323:IFDHControl() ControlCode: 0x42000D48, usb:0a89/0030:libusb-1.0:3:44:0 (lun: 0)
00000009 Control TxBuffer:
00000015 Control RxBuffer: 0A 04 42 33 00 0A 12 04 42 33 00 12
00000007 winscard_svc.c:646:ContextThread() CONTROL rv=0x0 for client 13
00000087 winscard_svc.c:315:ContextThread() Received command: CONTROL from client 13
00000018 ifdhandler.c:1323:IFDHControl() ControlCode: 0x4233000A, usb:0a89/0030:libusb-1.0:3:44:0 (lun: 0)
00000006 Control TxBuffer:
00000007 Control RxBuffer: 00 00 07 00
00000006 winscard_svc.c:646:ContextThread() CONTROL rv=0x0 for client 13
00000055 winscard_svc.c:315:ContextThread() Received command: DISCONNECT from client 13
00000020 winscard.c:826:SCardDisconnect() Active Contexts: 1
00000006 winscard.c:827:SCardDisconnect() dwDisposition: 0
00000008 winscard.c:992:SCardDisconnect() powerState: POWER_STATE_GRACE_PERIOD
00000007 ifdhandler.c:401:IFDHGetCapabilities() tag: 0xFB2, usb:0a89/0030:libusb-1.0:3:44:0 (lun: 0)
00000008 winscard_svc.c:484:ContextThread() DISCONNECT rv=0x0 for client 13
00000099 winscard_svc.c:315:ContextThread() Received command: CMD_GET_READERS_STATE from client 13
00000046 winscard_svc.c:315:ContextThread() Received command: CMD_WAIT_READER_STATE_CHANGE from client 13
00000023 winscard_svc.c:315:ContextThread() Received command: CMD_STOP_WAITING_READER_STATE_CHANGE from client 13
00000017 winscard_svc.c:387:ContextThread() CMD_STOP_WAITING_READER_STATE_CHANGE rv=0x0 for client 13
00000025 winscard_svc.c:315:ContextThread() Received command: CMD_GET_READERS_STATE from client 13
00000178 winscard_svc.c:315:ContextThread() Received command: CMD_GET_READERS_STATE from client 13
00000061 winscard_svc.c:315:ContextThread() Received command: CMD_WAIT_READER_STATE_CHANGE from client 13
00000019 winscard_svc.c:315:ContextThread() Received command: CMD_STOP_WAITING_READER_STATE_CHANGE from client 13
00000013 winscard_svc.c:387:ContextThread() CMD_STOP_WAITING_READER_STATE_CHANGE rv=0x0 for client 13
00000131 winscard_svc.c:315:ContextThread() Received command: CMD_GET_READERS_STATE from client 13
00000180 winscard_svc.c:315:ContextThread() Received command: CMD_GET_READERS_STATE from client 13
00000043 winscard_svc.c:315:ContextThread() Received command: CMD_WAIT_READER_STATE_CHANGE from client 13
00000019 winscard_svc.c:315:ContextThread() Received command: CMD_STOP_WAITING_READER_STATE_CHANGE from client 13
00000014 winscard_svc.c:387:ContextThread() CMD_STOP_WAITING_READER_STATE_CHANGE rv=0x0 for client 13
00000029 winscard_svc.c:315:ContextThread() Received command: CMD_GET_READERS_STATE from client 13
00000126 winscard_svc.c:315:ContextThread() Received command: CONNECT from client 13
00000013 winscard.c:235:SCardConnect() Attempting Connect to Aktiv Rutoken ECP 00 00 using protocol: 3
00000007 winscard.c:328:SCardConnect() powerState: POWER_STATE_INUSE
00000006 winscard.c:406:SCardConnect() Active Protocol: T=1
00000008 winscard.c:426:SCardConnect() hCard Identity: 16213
00000007 winscard_svc.c:447:ContextThread() CONNECT rv=0x0 for client 13
00000564 winscard_svc.c:315:ContextThread() Received command: BEGIN_TRANSACTION from client 13
00000162 winscard.c:1057:SCardBeginTransaction() Status: 0x00000000
00000008 winscard_svc.c:499:ContextThread() BEGIN_TRANSACTION rv=0x0 for client 13
00000155 winscard_svc.c:315:ContextThread() Received command: TRANSMIT from client 13
00000024 winscard.c:1551:SCardTransmit() Send Protocol: T=1
00000009 ifdhandler.c:1280:IFDHTransmitToICC() usb:0a89/0030:libusb-1.0:3:44:0 (lun: 0)
00003407 winscard_svc.c:602:ContextThread() TRANSMIT rv=0x0 for client 13
00000617 winscard_svc.c:307:ContextThread() Client die: 13
00000020 winscard.c:204:SCardReleaseContext() Releasing Context: 0x1034989
00000013 winscard.c:826:SCardDisconnect() Active Contexts: 1
00000005 winscard.c:827:SCardDisconnect() dwDisposition: 1
00002346 ifdhandler.c:1151:IFDHPowerICC() action: Reset, usb:0a89/0030:libusb-1.0:3:44:0 (lun: 0)
00003990 winscard.c:893:SCardDisconnect() Reset complete.
00000025 Card ATR: 3B 8B 01 52 75 74 6F 6B 65 6E 20 44 53 20 C1
00000010 winscard.c:992:SCardDisconnect() powerState: POWER_STATE_GRACE_PERIOD
00000008 ifdhandler.c:401:IFDHGetCapabilities() tag: 0xFB2, usb:0a89/0030:libusb-1.0:3:44:0 (lun: 0)
00000010 winscard_svc.c:916:MSGCleanupClient() Thread is stopping: dwClientID=13, threadContext @13FB280
00000008 winscard_svc.c:922:MSGCleanupClient() Freeing SCONTEXT @13FB280
00311984 eventhandler.c:458:EHStatusHandlerThread() powerState: POWER_STATE_POWERED
00405923 ifdhandler.c:1151:IFDHPowerICC() action: PowerDown, usb:0a89/0030:libusb-1.0:3:44:0 (lun: 0)
00003987 eventhandler.c:446:EHStatusHandlerThread() powerState: POWER_STATE_UNPOWERED

OpenSSL:

#openssl engine -v -t
(aesni) Intel AES-NI engine (no-aesni)
     [ available ]
(dynamic) Dynamic engine loading support
     [ unavailable ]
     SO_PATH, NO_VCHECK, ID, LIST_ADD, DIR_LOAD, DIR_ADD, LOAD
(pkcs11) pkcs11 engine

but... it's a bit unsettling that there's not a single line of description for the PKCS#11 module....

Beyond that, things haven't moved so far...
The only command which, as far as I can tell, runs correctly:
#pkcs15-init -E -p rutoken
the token blinks and shows signs of life......
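Added example (mine, not OpenSC or pcsc-lite code): a decoder for the ATR that pcscd logged above, 3B 8B 01 52 75 74 6F 6B 65 6E 20 44 53 20 C1, following the ISO/IEC 7816-3 layout. It walks TS, T0, the TA/TB/TC/TD groups and the historical bytes, decides from the offered protocols whether a TCK check byte must be present, and verifies the XOR. On this ATR it recovers direct convention, T=1 (matching the "Active Protocol: T=1" line in the pcscd trace) and the historical bytes "Rutoken DS ".

```python
"""Decode an ISO/IEC 7816-3 ATR and verify its TCK check byte.

Added example for this thread, not OpenSC or pcsc-lite code. The sample ATR
is the one pcscd printed for the Rutoken ECP above; the layout follows
ISO/IEC 7816-3 (TS, T0, TA/TB/TC/TD groups, historical bytes, optional TCK).
"""
from typing import Dict, List, Set, Tuple

# Constructed sample: the "Card ATR" line from the pcscd log in this thread.
RUTOKEN_ATR = "3B 8B 01 52 75 74 6F 6B 65 6E 20 44 53 20 C1"


def parse_atr(hex_atr: str) -> Dict[str, object]:
    """Split an ATR into its fields and check the TCK XOR.

    Returns: convention, protocols (set of T= numbers), interface_bytes
    (list of (name, value)), historical (bytes), tck (int or None) and
    tck_ok (True when no TCK is expected, or when T0..TCK XOR to zero)."""
    b = bytes.fromhex(hex_atr.replace(" ", ""))
    if len(b) < 2:
        raise ValueError("ATR needs at least TS and T0")
    ts = b[0]
    if ts == 0x3B:
        convention = "direct"
    elif ts == 0x3F:
        convention = "inverse"
    else:
        raise ValueError(f"unexpected TS byte 0x{ts:02X}")

    t0 = b[1]
    k = t0 & 0x0F          # number of historical bytes
    y = t0 >> 4            # presence bits for TA1/TB1/TC1/TD1
    i = 2
    group = 1
    interface_bytes: List[Tuple[str, int]] = []
    protocols: Set[int] = set()
    while True:
        for bit, name in ((1, "TA"), (2, "TB"), (4, "TC")):
            if y & bit:
                if i >= len(b):
                    raise ValueError(f"ATR truncated before {name}{group}")
                interface_bytes.append((f"{name}{group}", b[i]))
                i += 1
        if not (y & 8):        # no TDi: the interface bytes end here
            break
        if i >= len(b):
            raise ValueError(f"ATR truncated before TD{group}")
        td = b[i]
        i += 1
        interface_bytes.append((f"TD{group}", td))
        protocols.add(td & 0x0F)   # low nibble: protocol type (15 = global qualifier)
        y = td >> 4                # high nibble announces the next group
        group += 1
    if not protocols:
        protocols.add(0)           # no TD1 at all means T=0 by default

    historical = b[i:i + k]
    if len(historical) != k:
        raise ValueError("ATR truncated inside historical bytes")
    i += k

    # TCK is present exactly when T=0 is not the only type indicated.
    tck = None
    tck_ok = True
    if protocols != {0}:
        if i >= len(b):
            raise ValueError("TCK expected but missing")
        tck = b[i]
        i += 1
        x = 0
        for v in b[1:i]:           # T0 through TCK inclusive must XOR to 0
            x ^= v
        tck_ok = (x == 0)
    if i != len(b):
        raise ValueError(f"{len(b) - i} trailing byte(s) after ATR")

    return {
        "convention": convention,
        "protocols": protocols,
        "interface_bytes": interface_bytes,
        "historical": historical,
        "tck": tck,
        "tck_ok": tck_ok,
    }


def historical_as_text(historical: bytes) -> str:
    """Render historical bytes as ASCII where printable (many tokens embed a name)."""
    return "".join(chr(c) if 0x20 <= c < 0x7F else "." for c in historical)


if __name__ == "__main__":
    info = parse_atr(RUTOKEN_ATR)
    print(info["convention"], sorted(info["protocols"]),
          repr(historical_as_text(info["historical"])), info["tck_ok"])
```

OpenSC selects its card driver by matching the ATR against per-driver tables, which is why the opensc-explorer trace above lands in card-rtecp.c:rtecp_init. A good TCK only means the bytes arrived intact: the ATR is self-reported and unauthenticated, so it is identification for driver selection, never a trust decision about the token.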

Re: Problem with engine_pkcs11 and openssl.cnf

OpenSSL:

If you follow the official guide http://www.opensc-project.org/opensc/wiki/QuickStart then.....
root@Serverstation:~# openssl
OpenSSL> engine dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:opensc-pkcs11.so
(dynamic) Dynamic engine loading support
[Success]: SO_PATH:/usr/lib/engines/engine_pkcs11.so
[Success]: ID:pkcs11
[Success]: LIST_ADD:1
[Success]: LOAD
[Success]: MODULE_PATH:opensc-pkcs11.so
Loaded: (pkcs11) pkcs11 engine
OpenSSL> version
OpenSSL 1.1.0-dev xx XXX xxxx

BUT - any further operation ends in a hang until we press Ctrl-C

Re: Problem with engine_pkcs11 and openssl.cnf

Good afternoon.

Did you perform the initial token initialization as described here?
http://www.opensc-project.org/opensc/wi … RutokenECP ?

Re: Problem with engine_pkcs11 and openssl.cnf

No, I hadn't - did it and everything works OK now :) Thanks!