From: David W. <dw...@in...> - 2016-02-26 23:13:11
On Fri, 2016-02-26 at 22:36 +0200, Michael Jackson wrote:
> Engine isn't even a first-class citizen in OpenSSL, doesn't get much
> love anymore at all from the developers. Engine does not work on any
> RHEL variants at the moment. Reason being is that Engine actually has
> a downward dependency on one of its plugins: Gost (Russian Federal
> Crypto standard). If libgost.so is missing from a system, OpenSSL will
> refuse to load Engine wholesale. And libgost.so is not included in the
> RH builds of OpenSSL.

I happened to be prodding at a RHEL7 box today, so I checked this. It
looks like engine_pkcs11 isn't present in RHEL or even EPEL, so I built
it myself. It seems to work fine...

$ openssl req -engine pkcs11 -new -key "pkcs11:token=NSS%20Certificate%20DB;object=test-key;type=private" -keyform engine -text -x509 -subj "/CN=dwmw2"
engine "pkcs11" set.
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 13141336097864957623 (0xb65f678e23423eb7)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=dwmw2
        Validity
            Not Before: Feb 26 23:02:29 2016 GMT
            Not After : Mar 27 23:02:29 2016 GMT
        Subject: CN=dwmw2

-- 
David Woodhouse                            Open Source Technology Centre
Dav...@in...                              Intel Corporation
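
Added example, not part of the original message and not code from OpenSSL or engine_pkcs11: a small parser for the RFC 7512 PKCS#11 URI form passed to -key in the command above, showing how the token label, object label and object type select the key. The function names parse_pkcs11_uri and _split_attrs are hypothetical, and the warning about an embedded PIN is a check added for this example.

```python
from urllib.parse import unquote, unquote_to_bytes

# Object classes that RFC 7512 allows for the "type" path attribute.
OBJECT_TYPES = {"public", "private", "cert", "secret-key", "data"}
# Standard query attributes; each may appear at most once.
STANDARD_QUERY = {"pin-source", "pin-value", "module-name", "module-path"}


def _split_attrs(text, sep, unique):
    """Turn 'a=b<sep>c=d' into a dict; unique(name) says if repeats are errors."""
    attrs = {}
    for part in filter(None, text.split(sep)):
        name, eq, value = part.partition("=")
        if not eq or not name:
            raise ValueError(f"malformed attribute: {part!r}")
        if name in attrs and unique(name):
            raise ValueError(f"attribute given twice: {name}")
        # "id" is raw bytes (CKA_ID); other values are percent-encoded UTF-8.
        # A repeated vendor query attribute keeps its last value here.
        attrs[name] = unquote_to_bytes(value) if name == "id" else unquote(value)
    return attrs


def parse_pkcs11_uri(uri):
    """Return (path_attrs, query_attrs, warnings) for an RFC 7512 URI."""
    scheme, colon, rest = uri.partition(":")
    if not colon or scheme.lower() != "pkcs11":
        raise ValueError("not a pkcs11: URI")
    path, _, query = rest.partition("?")
    path_attrs = _split_attrs(path, ";", lambda name: True)
    query_attrs = _split_attrs(query, "&", lambda name: name in STANDARD_QUERY)
    if "type" in path_attrs and path_attrs["type"] not in OBJECT_TYPES:
        raise ValueError(f"unknown object type: {path_attrs['type']}")
    warnings = []
    if "pin-value" in query_attrs:
        # A PIN inside a URI given on the command line ends up in shell
        # history and process listings.
        warnings.append("pin-value embedded in URI; prefer pin-source or a prompt")
    return path_attrs, query_attrs, warnings


if __name__ == "__main__":
    # URI taken from the openssl command in the message above.
    uri = "pkcs11:token=NSS%20Certificate%20DB;object=test-key;type=private"
    print(parse_pkcs11_uri(uri))
```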