[openssl-users] smartcard/ pkcs11 - 'bad decrypt' error after upgrade from 0.9.8 to 1.0.1

Jan Just Keijser janjust at nikhef.nl
Fri Nov 11 15:04:00 UTC 2016 

Hi,

On 10/11/16 10:49, Pawel Suwinski wrote:
> Hello
>
>
> After  openssl upgrade  (new  OS  version, new  machine)  I get  error
> decrypting  SMIME  messages  using Alladin  eToken  SmardCard  (pkcs11
> engine).
>
> On old system (Debian 6.0 Squeeze-LTS)/ machine:
> #v+
> [old]$ openssl version
> OpenSSL 0.9.8g 19 Oct 2007 (Library: OpenSSL 0.9.8o 01 Jun 2010)
>
> [old]$ openssl smime -decrypt -passin pass:XXXX -inform DER -in smime.p7m -engine pkcs11 -inkey id_e3c5 -keyform engine > /dev/null ; echo $?
> engine "pkcs11" set.
> 0
> #v-
>
> Now on the new system (Debian 8.6 Jessie)/ machine I get:
> #v+
> [new]$ openssl version
> OpenSSL 1.0.1t  3 May 2016
> [new]$ openssl smime -decrypt -passin pass:XXXX -inform DER -in smime.p7m -engine pkcs11 -inkey id_e3c5 -keyform engine > /dev/null ; echo $?
> engine "pkcs11" set.
> Error decrypting PKCS#7 structure
> 3073701564:error:06065064:digital envelope
> routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:516:
> 4
> #v-
>
> Of course smime.p7m file and  smartcard are the same. Machines differs
> but  smartcard reader  on  the new  machine seams  to  work fine,  for
> example I can access smartcard data:
>
> #v+
> [new]$ pkcs11-dump dump /usr/lib/libeTPkcs11.so 0 XXXX | grep -1
>
>                          CKA_ID:
> e3 c5
> (...)
> #v-
>
>
> Config files are the same with additional pkcs11 engine section
> described in libengine-pkcs11-openssl package docs:
>
> #v+
> # /etc/ssl/openssl.cnf
> (...)
> openssl_conf            = openssl_def
>
> [openssl_def]
> engines = engine_section
>
> [engine_section]
> pkcs11 = pkcs11_section
>
> [pkcs11_section]
> engine_id = pkcs11
> dynamic_path = /usr/lib/engines/engine_pkcs11.so
> MODULE_PATH = /usr/lib/libeTPkcs11.so
> init = 0
> (...)
> #v-
>
>
> I will be grateful for any hints why it does not work? Maybe I missed
> something in config file?
>

This has little to do with openssl itself, but I am familiar with such 
issues.
I'm using the same token with the same driver on CentOS 6, 7 and Fedora 
20/22 without and issues. Your problem could be caused by numerous 
incompatibilities:
- which version of opensc is installed
- which version of engine_pkcs11 and libp11 are installed
- which *exact* version of the eTPkcs11 driver are you using?

Keep in mind that for the latest OSes you will need the SafeNet client v9

HTH,

JJK

More information about the openssl-users mailing list