From: Mel Flynn on 8 Sep 2009 17:14

Hi,

after installing security/engine_pkcs11, I'm unable to use it.
As per http://www.opensc-project.org/engine_pkcs11/wiki/QuickStart I've modified my /etc/ssl/openssl.cnf, yet:

% openssl req -config /etc/ssl/openssl.cnf -engine pkcs11 -new -key id_45 -keyform engine -out req.pem -text -x509 -subj "/CN=Foo Bar"
invalid engine "pkcs11"
18730:error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/dso/dso_dlfcn.c:162:filename(/usr/lib/engines/libpkcs11.so): Cannot open "/usr/lib/engines/libpkcs11.so"
18730:error:25070067:DSO support routines:DSO_load:could not load the shared library:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/dso/dso_lib.c:244:
18730:error:260B6084:engine routines:DYNAMIC_LOAD:dso not found:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/engine/eng_dyn.c:450:
18730:error:2606A074:engine routines:ENGINE_by_id:no such engine:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/engine/eng_list.c:415:id=pkcs11
18730:error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/dso/dso_dlfcn.c:162:filename(libpkcs11.so): Shared object "libpkcs11.so" not found, required by "openssl"
18730:error:25070067:DSO support routines:DSO_load:could not load the shared library:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/dso/dso_lib.c:244:
18730:error:260B6084:engine routines:DYNAMIC_LOAD:dso not found:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/engine/eng_dyn.c:450:
no engine specified
unable to load Private Key

Also, the file referenced on the quickstart page opensc-pkcs11.so is not installed by the port.
Probably the weirdest thing is that I see no evidence of openssl understanding the configuration variables, meaning not looking in /usr/local/lib.

For completeness:

openssl.cnf changes:
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/local/lib/engines/engine_pkcs11.so
init = 0

uname -a
FreeBSD smoochies.rachie.is-a-geek.net 8.0-BETA4 FreeBSD 8.0-BETA4 #14 r196875M: Mon Sep 7 18:00:45 CEST 2009 mel(a)smoochies.rachie.is-a-geek.net:/usr/obj/usr/src/sys/HPDV9000 i386

openssl version (base):
OpenSSL 0.9.8k 25 Mar 2009

How would one get this engine recognized and working and could this information be added to a pkg-message?

-- 
Mel
_______________________________________________
freebsd-ports(a)freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to "freebsd-ports-unsubscribe(a)freebsd.org"

From: Alex Dupre on 9 Sep 2009 04:42

Mel Flynn wrote:
> As per http://www.opensc-project.org/engine_pkcs11/wiki/QuickStart I've
> modified my /etc/ssl/openssl.cnf, yet:

Can you try the command-line alternative?

-- 
Alex Dupre

From: Mel Flynn on 9 Sep 2009 05:28

On Wednesday 09 September 2009 10:41:32 Alex Dupre wrote:
> Mel Flynn wrote:
> > As per http://www.opensc-project.org/engine_pkcs11/wiki/QuickStart I've
> > modified my /etc/ssl/openssl.cnf, yet:
>
> Can you try the command-line alternative?

OpenSSL> engine -t dynamic -pre SO_PATH:/usr/local/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD
(dynamic) Dynamic engine loading support
[Success]: SO_PATH:/usr/local/lib/engines/engine_pkcs11.so
[Success]: ID:pkcs11
[Success]: LIST_ADD:1
[Success]: LOAD
Loaded: (pkcs11) pkcs11 engine
unable to load module (null)

OpenSSL> engine -t dynamic -pre SO_PATH:/usr/local/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/local/lib/engines/engine_pkcs11.so
(dynamic) Dynamic engine loading support
[Success]: SO_PATH:/usr/local/lib/engines/engine_pkcs11.so
[Success]: ID:pkcs11
[Success]: LIST_ADD:1
[Success]: LOAD
[Success]: MODULE_PATH:/usr/local/lib/engines/engine_pkcs11.so
Loaded: (pkcs11) pkcs11 engine
unable to load module /usr/local/lib/engines/engine_pkcs11.so
[ unavailable ]

% ldd /usr/local/lib/engines/engine_pkcs11.so
/usr/local/lib/engines/engine_pkcs11.so:
        libp11.so.3 => /usr/local/lib/libp11.so.3 (0x281b7000)
        libssl.so.6 => /usr/lib/libssl.so.6 (0x28300000)
        libltdl.so.7 => /usr/local/lib/libltdl.so.7 (0x281bf000)
        libc.so.7 => /lib/libc.so.7 (0x28091000)
        libcrypto.so.6 => /lib/libcrypto.so.6 (0x28346000)

% find /usr/lib /usr/local/lib -name 'opensc-*' -ls|wc -l
0

-- 
Mel

From: Alex Dupre on 9 Sep 2009 05:45

Mel Flynn wrote:
>> Mel Flynn wrote:
>>> As per http://www.opensc-project.org/engine_pkcs11/wiki/QuickStart I've
>>> modified my /etc/ssl/openssl.cnf, yet:
>> Can you try the command-line alternative?
>
> OpenSSL> engine -t dynamic -pre
> SO_PATH:/usr/local/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1
> -pre LOAD -pre MODULE_PATH:/usr/local/lib/engines/engine_pkcs11.so
> (dynamic) Dynamic engine loading support
> [Success]: SO_PATH:/usr/local/lib/engines/engine_pkcs11.so
> [Success]: ID:pkcs11
> [Success]: LIST_ADD:1
> [Success]: LOAD
> [Success]: MODULE_PATH:/usr/local/lib/engines/engine_pkcs11.so
> Loaded: (pkcs11) pkcs11 engine
> unable to load module /usr/local/lib/engines/engine_pkcs11.so
> [ unavailable ]

Oops, I didn't notice it before, but which PKCS11 token are you using?
This is the engine, MODULE_PATH must address a Cryptoki library.

-- 
Alex Dupre
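
A check for the two paths distinguished in the message above, as an added example that is not part of the thread or of the port: it lints an openssl.cnf for an engine section whose MODULE_PATH is missing or points at the engine itself. The function name, the openssl_def section name and the /usr/local/lib/opensc-pkcs11.so location are assumptions; the first sample is only the fragment posted in the first message, so the openssl_conf finding applies to that fragment, not necessarily to the full file.

```shell
lint_engine_conf() {    # usage: lint_engine_conf FILE ENGINE_ID
    awk -v id="$2" '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    { sub(/#.*/, "") }                          # drop comments
    /^[ \t]*\[/ {                               # [section] header
        sec = $0; sub(/^[ \t]*\[[ \t]*/, "", sec); sub(/[ \t]*\].*$/, "", sec); next
    }
    (eq = index($0, "=")) {                     # name = value, stored per section
        conf[sec, trim(substr($0, 1, eq - 1))] = trim(substr($0, eq + 1))
    }
    END {
        root = conf["", "openssl_conf"]         # must sit before any [section]
        if (root == "") print "openssl_conf unset: the engines section is never read"
        es = conf[root, "engines"]              # default section when root is empty
        ps = (es == "") ? "" : conf[es, id]
        if (ps == "") { print "engine " id " is not reachable from the config"; exit }
        so = conf[ps, "dynamic_path"]; mod = conf[ps, "MODULE_PATH"]
        if (so == "") print "dynamic_path missing in [" ps "]"
        if (mod == "") print "MODULE_PATH missing: no Cryptoki module to load"
        else if (mod == so) print "MODULE_PATH is the engine itself, not a Cryptoki module"
    }' "$1"
}

# Constructed samples built from values quoted in the thread.
posted=$(mktemp); fixed=$(mktemp)
trap 'rm -f "$posted" "$fixed"' EXIT
cat > "$posted" <<'EOF'
engines = engine_section
[engine_section]
pkcs11 = pkcs11_section
[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/local/lib/engines/engine_pkcs11.so
init = 0
EOF
cat > "$fixed" <<'EOF'
openssl_conf = openssl_def
[openssl_def]
engines = engine_section
[engine_section]
pkcs11 = pkcs11_section
[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/local/lib/engines/engine_pkcs11.so
MODULE_PATH = /usr/local/lib/opensc-pkcs11.so
init = 0
EOF
lint_engine_conf "$posted" pkcs11; lint_engine_conf "$fixed" pkcs11
```

The function prints one finding per line and nothing when the wiring is complete, so it can gate a deployment step on empty output.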

From: Mel Flynn on 9 Sep 2009 06:12

On Wednesday 09 September 2009 11:45:15 Alex Dupre wrote:
> Mel Flynn wrote:
> >> Mel Flynn wrote:
> >>> As per http://www.opensc-project.org/engine_pkcs11/wiki/QuickStart I've
> >>> modified my /etc/ssl/openssl.cnf, yet:
> >>
> >> Can you try the command-line alternative?
> >
> > OpenSSL> engine -t dynamic -pre
> > SO_PATH:/usr/local/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre
> > LIST_ADD:1 -pre LOAD -pre
> > MODULE_PATH:/usr/local/lib/engines/engine_pkcs11.so (dynamic) Dynamic
> > engine loading support
> > [Success]: SO_PATH:/usr/local/lib/engines/engine_pkcs11.so
> > [Success]: ID:pkcs11
> > [Success]: LIST_ADD:1
> > [Success]: LOAD
> > [Success]: MODULE_PATH:/usr/local/lib/engines/engine_pkcs11.so
> > Loaded: (pkcs11) pkcs11 engine
> > unable to load module /usr/local/lib/engines/engine_pkcs11.so
> > [ unavailable ]
>
> Oops, I didn't notice it before, but which PKCS11 token are you using?
> This is the engine, MODULE_PATH must address a Cryptoki library.

Aha! Maybe patch below is an idea?

OpenSSL> engine -t dynamic -pre SO_PATH:/usr/local/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/local/lib/opensc-pkcs11.so
(dynamic) Dynamic engine loading support
[Success]: SO_PATH:/usr/local/lib/engines/engine_pkcs11.so
[Success]: ID:pkcs11
[Success]: LIST_ADD:1
[Success]: LOAD
[Success]: MODULE_PATH:/usr/local/lib/opensc-pkcs11.so
Loaded: (pkcs11) pkcs11 engine

--- security/engine_pkcs11/Makefile.orig 2009-08-05 22:28:40.000000000 +0200 +++ security/engine_pkcs11/Makefile 2009-09-09 12:01:51.000000000 +0200 
@@ -33,4 +33,8 @@ ${WRKSRC}/Makefile.in ${WRKSRC}/doc/Makefile.in .endif +post-install: + @${ECHO_MSG} "You will need a criptoki library to use the engine." + @${ECHO_MSG} "One is provided by security/opensc" + .include <bsd.port.mk>
-- 
Mel
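
Review bot: The first ECHO_MSG line under post-install misspells the library type as "criptoki"; the PKCS#11 API is called "Cryptoki". The thread asked for a pkg-message, and these lines use post-install ECHO_MSG instead, which is only printed when the port is built and installed from source; a pkg-message file would also reach users installing the package. The text should also name what to pass to the engine, since the session above only succeeded with MODULE_PATH:/usr/local/lib/opensc-pkcs11.so.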