From: Jana N. <jn...@al...> - 2017-08-24 23:11:34

Unfortunately I'm not on a Mac, I'm on CentOS 6. It's Linux. I'm trying to see if the SafeNet HSM works with openssl from cryptography. It seems running ./configure && make && sudo make install did not generate opensc-pkcs11.so and libpkcs11.so for me. Am I missing an additional step? Thanks, pkcs11 guru, for responding.

On Thu, Aug 24, 2017 at 3:12 PM, Ben Cottrell <Ben...@no...> wrote:
> Hi Jana,
>
> On Thu, 24 Aug 2017 14:01:41 -0700, Jana Nguyen wrote:
> > Thanks, running the tarball seems to run without error. Following the
> > README.md, I tried to locate
> >
> > opensc-pkcs11.so and libpkcs11.so
> >
> > None was found. Am I supposed to also install the "engine_pkcs11"? I
> > want to use p11 and OpenSSL from the command line.
>
> Are you on a Mac? The files may be called .dylib instead of .so.
>
> Here are my notes for running openssl from the command line:
>
> 1. You need to be using openssl commands that allow -engine and
> -keyform flags to be passed in. Not all openssl commands do. If
> you need to use a command that doesn't, you're out of luck :-(
>
> 2. You need to use openssl in interactive mode, by typing
> "openssl" and then entering commands into the prompt. (Or by
> doing the equivalent from a shell script using a here-document.)
> This is because the openssl "engine" command is stateful. It
> sets up state which is used later by the actual command you're
> trying to run. Trying to run "openssl engine ..." from your shell,
> and then trying to run "openssl whatever ...", will lose state
> between the two invocations.
>
> Here's an example of a pair of commands that can be typed into an
> interactive openssl session:
>
> engine dynamic -pre SO_PATH:/path/to/pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/path/to/hsm/library.so -pre VERBOSE
>
> req -new -keyform engine -engine pkcs11 -key "pkcs11:type=private;object=foo;token=bar" -out myreq.csr -subj "/C=US/ST=CA/CN=localhost" -days 10000
>
> (The /path/to/pkcs11.so may be .dylib if you're on a Mac, as noted above.)
>
> The first "engine" command sets up an engine and names it "pkcs11" (the ID:
> is what associates it with a name).
>
> The -engine flag in the second command refers to the engine by the name we
> gave it. Then "-keyform engine" says that the key we pass in should be
> interpreted by the engine, not treated as the name of a file on disk. Then
> finally the -key flag can be passed as a PKCS11 URL, which works because we
> did the "-keyform engine".
>
> See https://www.ietf.org/rfc/rfc7512.txt for a description of the
> PKCS11 URI format.
>
> Hope this helps! I went through the same process of discovery you're
> going through, earlier this year.
>
> ~Ben
>
> _______________________________________________
> Opensc-devel mailing list
> Ope...@li...
> https://lists.sourceforge.net/lists/listinfo/opensc-devel
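As an added example (not from either poster), the here-document approach Ben describes in item 2, wrapped in a script: the engine setup and the req command are fed to one openssl process so the engine state survives, and the PKCS#11 URI from RFC 7512 is built with percent-encoding so token or object labels containing spaces or ";" do not break the URI. The .so paths are placeholders, not real installation paths.

```sh
#!/bin/sh
# Added example: drive the OpenSSL PKCS#11 engine from a script via a here-document.

# Percent-encode one PKCS#11 URI attribute value (RFC 7512). Conservative rule:
# only unreserved characters (ALPHA / DIGIT / "-" / "." / "_" / "~") pass through
# literally; every other byte becomes %XX. pct-encoded is always legal, so this
# is valid even where the grammar would have allowed the literal character.
pkcs11_escape() {
    printf '%s' "$1" | od -An -v -tu1 | tr -s ' ' '\n' | sed '/^$/d' |
    while IFS= read -r b; do
        case $b in
            45|46|4[8-9]|5[0-7]|6[5-9]|7[0-9]|8[0-9]|90|95|9[7-9]|1[01][0-9]|12[0-2]|126)
                printf "\\$(printf '%03o' "$b")" ;;   # unreserved: emit the byte as-is
            *)  printf '%%%02X' "$b" ;;                # anything else: percent-encode
        esac
    done
}

# Build the -key value: $1 = token label, $2 = object label (private key).
pkcs11_uri() {
    printf 'pkcs11:token=%s;object=%s;type=private' \
        "$(pkcs11_escape "$1")" "$(pkcs11_escape "$2")"
}

# Print the two commands for one interactive openssl session:
# $1 = engine_pkcs11 shared object, $2 = HSM PKCS#11 module, $3 = key URI, $4 = CSR path.
# Both lines go to a single openssl process, so the state set up by "engine"
# is still present when "req" runs (the point of Ben's item 2).
openssl_session() {
    cat <<EOF
engine dynamic -pre SO_PATH:$1 -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:$2 -pre VERBOSE
req -new -keyform engine -engine pkcs11 -key "$3" -out $4 -subj "/C=US/ST=CA/CN=localhost"
EOF
}

# Placeholder paths (assumptions): replace with where engine_pkcs11 and the
# HSM vendor's PKCS#11 module were actually installed.
ENGINE_SO=/path/to/engine_pkcs11.so
HSM_MODULE=/path/to/hsm/library.so
KEY_URI=$(pkcs11_uri "bar" "foo")

# Only talk to openssl when explicitly asked; "openssl" with no arguments
# reads commands from stdin, which is the interactive mode Ben refers to.
if [ "${1:-}" = "--run" ]; then
    openssl_session "$ENGINE_SO" "$HSM_MODULE" "$KEY_URI" myreq.csr | openssl
fi
```

Run with `--run` on a host where the HSM module and engine_pkcs11 are installed; without it the script only defines the helpers and builds the URI.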