From: Richard L. <le...@op...> - 2016-02-27 00:14:21
In message <145...@in...> on Fri, 26 Feb 2016 23:12:56 +0000, David Woodhouse <dw...@in...> said:

dwmw2> On Fri, 2016-02-26 at 22:36 +0200, Michael Jackson wrote:
dwmw2> > Engine isn't even a first-class citizen in OpenSSL, doesn't get much
dwmw2> > love anymore at all from the developers. Engine does not work on any
dwmw2> > RHEL variants at the moment. Reason being is that Engine actually has
dwmw2> > a downward dependency on one of its plugins: Gost (Russian Federal
dwmw2> > Crypto standard). If libgost.so is missing from a system, OpenSSL will
dwmw2> > refuse to load Engine wholesale. And libgost.so is not included in the
dwmw2> > RH builds of OpenSSL.
dwmw2>
dwmw2> I happened to be prodding at a RHEL7 box today, so I checked this. It
dwmw2> looks like engine_pkcs11 isn't present in RHEL or even EPEL, so I built
dwmw2> it myself. It seems to work fine...
dwmw2>
dwmw2> $ openssl req -engine pkcs11 -new -key "pkcs11:token=NSS%20Certificate%20DB;object=test-key;type=private" -keyform engine -text -x509 -subj "/CN=dwmw2"
dwmw2> engine "pkcs11" set.
dwmw2> Certificate:
dwmw2>     Data:
dwmw2>         Version: 3 (0x2)
dwmw2>         Serial Number: 13141336097864957623 (0xb65f678e23423eb7)
dwmw2>     Signature Algorithm: sha256WithRSAEncryption
dwmw2>         Issuer: CN=dwmw2
dwmw2>         Validity
dwmw2>             Not Before: Feb 26 23:02:29 2016 GMT
dwmw2>             Not After : Mar 27 23:02:29 2016 GMT
dwmw2>         Subject: CN=dwmw2

I checked one of those claims that I found on Google, where the command 'host' would fail if libgost.so wasn't present (I could reproduce that on my laptop). It turns out that libgost.so is normally required when building Bind... I had a look at the source, and, well, lib/dns/opensslgost_link.c is telling the tale, and is built if libgost.so is available at the time of building Bind.

So, I know OpenSSL is a popular scapegoat 'n all, especially since Heartbleed, but frankly, we can't be blamed for what others decide to do with our toolkit.
Now, I hope this question can be laid to rest and that we can return to the matter at hand.

Cheers,
Richard

--
Richard Levitte         le...@op...
OpenSSL Project         http://www.openssl.org/~levitte/
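The thread turns on whether a given OpenSSL engine (pkcs11, or the gost engine the original claim blamed) actually loads on a particular box. The script below is an added example, not part of the thread and not OpenSSL project code: it classifies the output of `openssl engine -t <id>` into loaded / unavailable / missing so a provisioning or audit script can check the claim instead of guessing. The three sample outputs are constructed in the format that command prints; `check_engine` runs the real command only if an `openssl` binary is on the PATH.

```shell
#!/bin/sh
# Added example (not from the thread): classify the result of
# "openssl engine -t <id>" so a script can distinguish an engine that
# loaded from one that is present but unavailable, or not installed at all.

# engine_status TEXT: prints one of loaded / unavailable / missing
# based on the status markers "openssl engine -t" emits.
engine_status() {
    _text="$1"
    if printf '%s\n' "$_text" | grep -q '\[ available \]'; then
        echo loaded
    elif printf '%s\n' "$_text" | grep -q '\[ unavailable \]'; then
        echo unavailable
    else
        # "invalid engine" plus a dso-not-found error, or anything else
        echo missing
    fi
}

# Constructed sample outputs (not captured from a real system).
SAMPLE_OK='(pkcs11) pkcs11 engine
     [ available ]'
SAMPLE_UNAVAIL='(gost) Reference implementation of GOST engine
     [ unavailable ]'
SAMPLE_ERR='invalid engine "pkcs11"
error:dynamic engine:dso not found'

# check_engine ID: query the local OpenSSL install and classify the
# result; returns 2 when no openssl binary is on the PATH.
check_engine() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl not installed"
        return 2
    fi
    _out=$(openssl engine -t "$1" 2>&1)
    engine_status "$_out"
}

# Usage on a real host:  check_engine pkcs11 ; check_engine gost
```

Running `check_engine pkcs11` on the RHEL7 box from the thread would print `loaded` once engine_pkcs11 is installed, and `check_engine gost` prints `missing` or `unavailable` on builds that ship without libgost.so, which is the distinction the original claim conflated.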