[openssl-users] upgrade to 1.0.1r breaks script that worked for years. Config issue?

lists lists at rustichelli.net
Wed Feb 24 16:22:08 UTC 2016


Hi all,

recently I have upgraded from OpenSSL 1.0.1e to 1.0.1r (system packages 
on Slackware 14.1) but a CA script that I have been using for years, 
with countless OpenSSL versions, stopped working.
It also relies on the pkcs11 engine to sign but my first guess is that 
the issue is in the OpenSSL configuration files (handled differently in 
the new version?) and not some engine issue.
Re-installing the OpenSSL 1.0.1e pack makes things work again.

Here is what happens. First, I run (nothing special here)

/usr/bin/openssl genrsa -rand blahblahblah -out ./CERTS/depot/Ubi2016.key 1024
/usr/bin/openssl req -sha1 -config /tmp/Ubi.gendata.tmp -new -key ./CERTS/depot/Ubi2016.key -out ./CERTS/depot/Ubi2016.csr

This is one sample CSR (openssl req -verify says the signature is fine):


and when it is time to sign the CSR using a smart card containing the CA 
certificate:

export OPENSSL_CONF=/tmp/my.conf

/usr/bin/openssl x509 -extfile ./ETC/OSSL.default_x509_auth.cfg \
     -days 2000 -sha256 \
     -CAserial ./ETC/CA.serial -CA ./ETC/CA.2048.crt \
     -in ./CERTS/depot/Ubi2016.csr \
     -req -out ./CERTS/depot/Ubi2016.crt \
     -engine pkcs11 -CAkey slot_0-id_aaaa \
     -CAkeyform engine -passin pass:***

where I have this extension file (OSSL.default_x509_auth.cfg):

----

extensions = x509v3

[ x509v3 ]
keyUsage              = digitalSignature
extendedKeyUsage      = clientAuth,emailProtection
crlDistributionPoints = URI:http://ldap.secure-edge.com/secure-edge-ca.crl
subjectAltName        = email:copy
basicConstraints      = CA:false,pathlen:0
nsComment             = "Certificato X.509 v3 FIRMA generato da Secure Edge Global Root CA"
nsCertType            = client,email

subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
issuerAltName=issuer:copy

---

and this /tmp/my.conf:

openssl_conf = openssl_def
[openssl_def]
engines = engine_section
[engine_section]
pkcs11 = pkcs11_section
[pkcs11_section]
engine_id    = pkcs11
dynamic_path = "/usr/local/lib/engines/engine_pkcs11.so"
MODULE_PATH  = "./ETC/libbit4ipki.Venice.so"
init         = 0


Now, with OpenSSL 1.0.1e all is fine (the first two lines are just warnings):

openssl (lock_dbg_cb): already locked (mode=9, type=30) at eng_list.c:284
openssl (lock_dbg_cb): not locked (mode=10, type=30) at eng_table.c:186
engine "pkcs11" set.
Signature ok
subject=/C=IT/ST=Italy/L=Rome/O=GT50/OU=Dev/CN=Umberto Rustichelli/emailAddress=umberto.rustichelli at gt50.org


With OpenSSL 1.0.1r I get:

openssl (lock_dbg_cb): already locked (mode=9, type=30) at eng_list.c:265
openssl (lock_dbg_cb): not locked (mode=10, type=30) at eng_table.c:187
engine "pkcs11" set.
Signature did not match the certificate request


For completeness, I have installed engine_pkcs11 1.0.8, libp11 0.2.8, 
pcsc-lite 1.8.11, ccid 1.4.17.

Before I try some heavy debugging, does anybody know of a change from 
version 1.0.1e to 1.0.1r that would prevent the commands above from working?
If so, is it something that goes away with newer versions?
If not (no clue), where should I look?

Thanks a lot

   Umberto Rustichelli aka Ubi
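An added isolation check, not part of Umberto's post: the same CSR and "x509 -req -extfile" signing run with a plain software CA key instead of the pkcs11 engine, so a failure on the new OpenSSL can be attributed to the extension file or x509 command line rather than the engine path. It assumes 2048-bit keys and SHA-256 for the CSR (so current OpenSSL builds accept it), a constructed self-signed test CA, and temp-dir paths; the -engine/-CAkeyform engine options of the original command are deliberately left out.

```shell
#!/bin/sh
# Added example, not from the original post: rerun the post's CSR -> "x509 -req -extfile"
# signing with a software CA key instead of the pkcs11 engine. Success on the new OpenSSL
# clears the extension file and x509 command line and points at the engine path instead.
# Assumptions: 2048-bit keys, SHA-256 CSR, a constructed self-signed test CA, temp-dir paths.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 0; }
WORK=$(mktemp -d); CONF="$WORK/ossl.cfg"
# The post's extension file (nsComment rejoined) plus [req]/[v3_ca] so no system openssl.cnf is needed.
cat > "$CONF" <<'EOF'
extensions = x509v3
[ x509v3 ]
keyUsage              = digitalSignature
extendedKeyUsage      = clientAuth,emailProtection
crlDistributionPoints = URI:http://ldap.secure-edge.com/secure-edge-ca.crl
subjectAltName        = email:copy
basicConstraints      = CA:false,pathlen:0
nsComment             = "Certificato X.509 v3 FIRMA generato da Secure Edge Global Root CA"
nsCertType            = client,email
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
issuerAltName=issuer:copy
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints     = critical,CA:true
keyUsage             = keyCertSign,cRLSign
subjectKeyIdentifier = hash
subjectAltName       = email:copy
EOF
make_test_ca() {   # stand-in for the smart-card CA: key file + self-signed cert
  openssl genrsa -out "$WORK/CA.2048.key" 2048 2>/dev/null
  openssl req -x509 -sha256 -config "$CONF" -new -key "$WORK/CA.2048.key" -days 3650 \
    -subj "/C=IT/O=Test/CN=Test Root CA/emailAddress=ca@example.test" -out "$WORK/CA.2048.crt"
}
sign_with_software_key() {   # the post's pipeline minus "-engine pkcs11 -CAkeyform engine"
  openssl genrsa -out "$WORK/Ubi2016.key" 2048 2>/dev/null
  openssl req -sha256 -config "$CONF" -new -key "$WORK/Ubi2016.key" \
    -subj "/C=IT/O=Test/CN=Test User/emailAddress=user@example.test" -out "$WORK/Ubi2016.csr"
  openssl req -verify -noout -in "$WORK/Ubi2016.csr"   # CSR self-signature check, as in the post
  openssl x509 -extfile "$CONF" -days 2000 -sha256 -CAcreateserial -CA "$WORK/CA.2048.crt" \
    -CAkey "$WORK/CA.2048.key" -in "$WORK/Ubi2016.csr" -req -out "$WORK/Ubi2016.crt"
}
verify_issued_cert() {   # exit 0 only if the issued cert chains to the test CA
  openssl verify -CAfile "$WORK/CA.2048.crt" "$WORK/Ubi2016.crt" >/dev/null
}
make_test_ca && sign_with_software_key && verify_issued_cert && echo "software-key signing OK"
```

If this passes on 1.0.1r but the engine-backed command still reports "Signature did not match the certificate request", the CSR verification itself is being routed differently once the engine is loaded; if it fails here too, the extension file or configuration is the place to look.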


