[openssl-users] Using engine to create a digest fails

Jakob Bohm jb-openssl at wisemo.com
Wed Apr 27 02:10:24 UTC 2016


On 26/04/2016 10:08, Johannes Rath wrote:
>
> Hi all,
>
> I am trying to create a digest using a key stored on a smart card, but it fails:
>
> jor@jorVirtualUbuntu1404:/mnt/Projects/TestOpenSC$ openssl dgst -engine pkcs11  -sign 45 -keyform engine -passin pass:1234 -out test.sig test.txt
> engine "pkcs11" set.
> Error setting context
> 140074800309920:error:260C0065:engine routines:ENGINE_get_pkey_meth:unimplemented public key method:tb_pkmeth.c:127:
> 140074800309920:error:0609D09C:digital envelope routines:INT_CTX_NEW:unsupported algorithm:pmeth_lib.c:164:
>
> jor@jorVirtualUbuntu1404:/mnt/Projects/TestOpenSC$ openssl version  -a
> OpenSSL 1.0.1f 6 Jan 2014
> built on: Mon Feb 29 18:11:15 UTC 2016
> platform: debian-amd64
> options:  bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx)
> compiler: cc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wa,--noexecstack -Wall -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
> OPENSSLDIR: "/usr/lib/ssl"
>
> Any ideas?
>
You have not specified the digest algorithm to sign, so the dgst
command defaults to the outdated MD5 algorithm, which your
smartcard probably refuses to use.

I am assuming that this 1.0.1f is from an Ubuntu package with all
the later security fixes merged back in, similar to the 1.0.1e
package in Debian Wheezy.

Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
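
The suggestion in the reply above (name the digest on the `dgst` command line), as an added example that is not part of the original messages: a throwaway software RSA key stands in for the smart-card key, and `sign_and_verify` is a hypothetical helper name. It also shows that the verifier must name the same digest as the signer.

```shell
#!/bin/sh
# Added example: sign with an explicitly named digest instead of relying on
# whatever "openssl dgst" defaults to in the installed version.
# Assumption: a freshly generated software RSA key replaces the card key.
# With the card, keep the "-engine pkcs11 -keyform engine -sign 45" options
# from the question and add the digest flag (for example -sha256).

# sign_and_verify SIGN_DIGEST VERIFY_DIGEST
#   returns 0 if the signature verifies, 1 if verification fails,
#   2 on setup errors. The ( ... ) body keeps variables and the trap local.
sign_and_verify() (
    work=$(mktemp -d) || exit 2
    trap 'rm -rf "$work"' EXIT

    # Constructed sample input, named like the file in the question.
    printf 'constructed test message\n' > "$work/test.txt"

    # Throwaway key pair standing in for the smart-card key.
    openssl genrsa -out "$work/key.pem" 2048 2>/dev/null || exit 2
    openssl rsa -in "$work/key.pem" -pubout -out "$work/pub.pem" \
        2>/dev/null || exit 2

    # Sign: the digest is stated explicitly ($1, e.g. -sha256).
    openssl dgst "$1" -sign "$work/key.pem" \
        -out "$work/test.sig" "$work/test.txt" || exit 2

    # Verify: the digest flag ($2) must match the one used for signing.
    openssl dgst "$2" -verify "$work/pub.pem" \
        -signature "$work/test.sig" "$work/test.txt" >/dev/null 2>&1
)

if sign_and_verify -sha256 -sha256; then
    echo "signed with -sha256, verified with -sha256: OK"
fi
if ! sign_and_verify -sha256 -sha512; then
    echo "signed with -sha256, verified with -sha512: rejected"
fi
```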


