PKCS#11 engine not working on openssl
2013-02-24 84 views
5

I want to add the PKCS#11 engine to OpenSSL, and I am using CentOS 6.2. Actually loading the engine is no problem, as you can see below:

[[email protected] 05:06:18 openssl-1.0.1e]$ openssl engine -t dynamic -pre SO_PATH:/usr/lib/openssl/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/local/lib/libsst.so 
(dynamic) Dynamic engine loading support 
[Success]: SO_PATH:/usr/lib/openssl/engines/engine_pkcs11.so 
[Success]: ID:pkcs11 
[Success]: LIST_ADD:1 
[Success]: LOAD 
[Success]: MODULE_PATH:/usr/local/lib/libsst.so 
Loaded: (pkcs11) pkcs11 engine 
    [ available ] 

but when I use the OpenSSL option to list the loaded engines, the pkcs11 engine is not in the list:

[[email protected] 05:19:58 openssl-1.0.1e]$ openssl engine -v -t 
(aesni) Intel AES-NI engine (no-aesni) 
    [ available ] 
(dynamic) Dynamic engine loading support 
    [ unavailable ] 
    SO_PATH, NO_VCHECK, ID, LIST_ADD, DIR_LOAD, DIR_ADD, LOAD 

And when I try to use the engine, I see this error:

[[email protected] 05:20:04 openssl-1.0.1e]$ openssl genrsa -engine pkcs11 -out priv.key 1024 
invalid engine "pkcs11" 
3078776556:error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:dso_dlfcn.c:185:filename(/usr/lib/openssl/engines/libpkcs11.so): /usr/lib/openssl/engines/libpkcs11.so: cannot open shared object file: No such file or directory 
3078776556:error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:244: 
3078776556:error:260B6084:engine routines:DYNAMIC_LOAD:dso not found:eng_dyn.c:450: 
3078776556:error:2606A074:engine routines:ENGINE_by_id:no such engine:eng_list.c:417:id=pkcs11 
3078776556:error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:dso_dlfcn.c:185:filename(libpkcs11.so): libpkcs11.so: cannot open shared object file: No such file or directory 
3078776556:error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:244: 
3078776556:error:260B6084:engine routines:DYNAMIC_LOAD:dso not found:eng_dyn.c:450: 
Generating RSA private key, 1024 bit long modulus 
.......++++++ 
.......++++++ 
e is 65537 (0x10001) 

I can't figure out what the problem could be.

+1

Is the pkcs11 engine included upstream, or did you patch openssl? – 2013-02-26 21:28:08

Answers

6

The problem is that OpenSSL loads the library only once and does not keep the state afterwards, so if we want to keep the state we have to use the following commands:

[[email protected] 04:58:25 home]$ openssl 
OpenSSL> engine -t dynamic -pre SO_PATH:/usr/lib/openssl/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/local/lib/libsst.so 
(dynamic) Dynamic engine loading support 
[Success]: SO_PATH:/usr/lib/openssl/engines/engine_pkcs11.so 
[Success]: ID:pkcs11 
[Success]: LIST_ADD:1 
[Success]: LOAD 
[Success]: MODULE_PATH:/usr/local/lib/libsst.so 
Loaded: (pkcs11) pkcs11 engine 
     [ available ] 
OpenSSL> engine 
(aesni) Intel AES-NI engine (no-aesni) 
(dynamic) Dynamic engine loading support 
(pkcs11) pkcs11 engine 
OpenSSL> 
+1

You have written 'libsst.so'. Did you perhaps mean to write 'libssl.so'? – 2015-10-17 02:03:09

+0

For a static configuration that lets a command like 'openssl genrsa -engine pkcs11 -out priv.key 1024' work, see "Using Engine_pkcs11 with the openssl config file" at https://web.archive.org/web/20110909101027/http://www.opensc-project.org/engine_pkcs11/wiki/QuickStart – 2016-02-21 18:51:06

0

Indeed, as mentioned in one of the comments above, for repeated use it is more convenient to put the engine's parameters into the corresponding OpenSSL configuration file. For the given example, you would add, before the first section

openssl_conf = openssl_def 

(the one that begins with a "[" character at the start of a line), the line above, and at the end of the file add a section labelled [openssl_def]; for simplicity:

[openssl_def] 
engines = engine_section 

[engine_section] 
pkcs11 = pkcs11_section 

[pkcs11_section] 
engine_id = pkcs11 
dynamic_path = /usr/lib/openssl/engines/engine_pkcs11.so 
MODULE_PATH = /usr/local/lib/libsst.so 
init = 0 
# adapt as desired: PIN = 1234
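OpenSSL reads this chain the same way every time: the top-level openssl_conf key names a section, that section's engines key names another, and each entry there names a per-engine section whose dynamic_path and MODULE_PATH must point at real files. A small checker that walks the chain catches the mistakes that produce the "invalid engine" error from the question before a single openssl command is run. The script below is an added example, not code from the answer above or from OpenSSL or engine_pkcs11; it parses the config layout shown above with Python's configparser (the `__unnamed__` section name is our placeholder for OpenSSL's unnamed top-level section, and the embedded config text is a constructed copy of the answer's sections) and reports a broken link in the chain or a dynamic_path / MODULE_PATH that does not exist on disk.

```python
import configparser
import os
from typing import Callable, Dict, List

# Constructed sample: the section chain from the answer above, as it would sit in openssl.cnf.
SAMPLE_CNF = """\
openssl_conf = openssl_def

[openssl_def]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib/openssl/engines/engine_pkcs11.so
MODULE_PATH = /usr/local/lib/libsst.so
init = 0
"""

# Placeholder name (ours, not OpenSSL's) for the unnamed section at the top of openssl.cnf.
TOP = "__unnamed__"


def parse_openssl_cnf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the INI-like openssl.cnf layout into {section: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",),
                                   comment_prefixes=("#",), strict=False)
    cp.optionxform = str  # keep key case: engine_pkcs11 expects MODULE_PATH literally
    # configparser needs every key under a header, so give the unnamed top section one.
    cp.read_string("[%s]\n%s" % (TOP, text))
    return {name: dict(cp.items(name)) for name in cp.sections()}


def check_engine_chain(cfg: Dict[str, Dict[str, str]],
                       exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Walk openssl_conf -> engines -> each engine section and list everything that
    would stop `openssl -engine <id>` from finding the engine.  Empty list = chain is sound.
    `exists` is injectable so the check can be unit-tested without the real .so files."""
    problems: List[str] = []
    conf = cfg.get(TOP, {}).get("openssl_conf")
    if conf is None:
        return ["no top-level 'openssl_conf = <section>' line: the engines block is never read"]
    if conf not in cfg:
        return ["openssl_conf points at missing section [%s]" % conf]
    engines = cfg[conf].get("engines")
    if engines is None or engines not in cfg:
        return ["[%s] has no 'engines' key pointing at an existing section" % conf]
    for name, section in cfg[engines].items():
        if section not in cfg:
            problems.append("engine %s refers to missing section [%s]" % (name, section))
            continue
        eng = cfg[section]
        engine_id = eng.get("engine_id", name)
        dyn = eng.get("dynamic_path")
        if dyn is None:
            # Without dynamic_path OpenSSL falls back to lib<id>.so in its engines
            # directory, which is exactly the lookup that fails in the question.
            problems.append("[%s] lacks dynamic_path: OpenSSL would look for lib%s.so in its engines dir"
                            % (section, engine_id))
        elif not exists(dyn):
            problems.append("dynamic_path %s does not exist" % dyn)
        mod = eng.get("MODULE_PATH")
        if mod is None:
            problems.append("[%s] lacks MODULE_PATH: no PKCS#11 module for engine_pkcs11 to load" % section)
        elif not exists(mod):
            problems.append("MODULE_PATH %s does not exist" % mod)
    return problems


if __name__ == "__main__":
    # Run against the constructed sample; on a machine without the engine installed
    # this reports the two missing files, which is the point of running it first.
    findings = check_engine_chain(parse_openssl_cnf(SAMPLE_CNF))
    print("config chain OK" if not findings else "\n".join("problem: " + p for p in findings))
```

To check a real file, replace SAMPLE_CNF with the contents of the openssl.cnf that `openssl version -d` points at; a clean result from this script plus a successful `openssl engine -t pkcs11` is the state the answer above is aiming for.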