From: Douglas E E. <dee...@gm...> - 2016-01-22 23:00:03

If anyone wants to do any testing of opensc libp11 and engine with OpenSSL-1.1, the patches applied to libp11 for use with OpenSSL-1.1 are based on the tag-OpenSSL_1_1_0-pre2. OpenSSL developers are continuing to update the github version, which introduces new issues. (I am trying to follow them.) There is still https://github.com/OpenSC/engine_pkcs11/pull/39 that adds the engine side of the patch.

$ /opt/smartcard/bin/openssl version
OpenSSL 1.1.0-pre2 (alpha) 14 Jan 2016

To test the engine with ECDH, I have been using PIV cards that have a key management cert and key.

To encrypt a message, $2 is the key management certificate of the recipient of the message. No card is needed to send. The sender's key is not used here because the method cms uses only requires the recipient's certificate.

echo "Hello World!" > /tmp/ml.txt
openssl cms -encrypt -out /tmp/cms.encrypted.mail.msg -from dee...@gm... -to DEE...@gm... -aes256 -in /tmp/ml.txt $2

Then to use the recipient's card and key management key:

# write out the recipient's cert from the card.
pkcs15-tool -r 03 > /tmp/mycert.pem
myeckey="slot_01-id_03"
openssl cms -decrypt -out /tmp/cms.decrypted.mail.msg -engine pkcs11 -inkey $myeckey -keyform e -recip /tmp/mycert.pem -in /tmp/cms.encrypted.mail.msg

The above should work with OpenSSL-1.1.0-pre2.

Attached are two patches to tag-OpenSSL_1_1_0-pre2 to get openssl cms and openssl req to sign a message using the engine.

https://github.com/OpenSC/engine_pkcs11/pull/39

src/engine_pkcs11.c has some code to find the pkcs#11 module that needs to be looked at.

-- 
Douglas E. Engert <DEE...@gm...>