[openssl-users] smartcard/ pkcs11 - 'bad decrypt' error after upgrade from 0.9.8 to 1.0.1
Pawel Suwinski
dracono at wp.pl
Thu Nov 10 09:49:57 UTC 2016
Hello
After an openssl upgrade (new OS version, new machine) I get an error
decrypting SMIME messages using an Aladdin eToken SmartCard (pkcs11
engine).
On the old system (Debian 6.0 Squeeze-LTS)/ machine:
#v+
[old]$ openssl version
OpenSSL 0.9.8g 19 Oct 2007 (Library: OpenSSL 0.9.8o 01 Jun 2010)
[old]$ openssl smime -decrypt -passin pass:XXXX -inform DER -in smime.p7m -engine pkcs11 -inkey id_e3c5 -keyform engine > /dev/null ; echo $?
engine "pkcs11" set.
0
#v-
Now on the new system (Debian 8.6 Jessie)/ machine I get:
#v+
[new]$ openssl version
OpenSSL 1.0.1t 3 May 2016
[new]$ openssl smime -decrypt -passin pass:XXXX -inform DER -in smime.p7m -engine pkcs11 -inkey id_e3c5 -keyform engine > /dev/null ; echo $?
engine "pkcs11" set.
Error decrypting PKCS#7 structure
3073701564:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:516:
4
#v-
Of course the smime.p7m file and the smartcard are the same. The machines
differ, but the smartcard reader on the new machine seems to work fine; for
example, I can access smartcard data:
#v+
[new]$ pkcs11-dump dump /usr/lib/libeTPkcs11.so 0 XXXX | grep -1
CKA_ID:
e3 c5
(...)
#v-
The config files are the same, with the additional pkcs11 engine section
described in the libengine-pkcs11-openssl package docs:
#v+
# /etc/ssl/openssl.cnf
(...)
openssl_conf = openssl_def
[openssl_def]
engines = engine_section
[engine_section]
pkcs11 = pkcs11_section
[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib/engines/engine_pkcs11.so
MODULE_PATH = /usr/lib/libeTPkcs11.so
init = 0
(...)
#v-
I will be grateful for any hints as to why it does not work. Maybe I missed
something in the config file?
--
regards
Pawel Suwinski