[openssl-users] smartcard/ pkcs11 - 'bad decrypt' error after upgrade from 0.9.8 to 1.0.1
Jan Just Keijser
janjust at nikhef.nl
Fri Nov 11 15:04:00 UTC 2016
On 10/11/16 10:49, Pawel Suwinski wrote:
> After openssl upgrade (new OS version, new machine) I get error
> decrypting SMIME messages using Alladin eToken SmardCard (pkcs11
> On old system (Debian 6.0 Squeeze-LTS)/ machine:
> [old]$ openssl version
> OpenSSL 0.9.8g 19 Oct 2007 (Library: OpenSSL 0.9.8o 01 Jun 2010)
> [old]$ openssl smime -decrypt -passin pass:XXXX -inform DER -in smime.p7m -engine pkcs11 -inkey id_e3c5 -keyform engine > /dev/null ; echo $?
> engine "pkcs11" set.
> Now on the new system (Debian 8.6 Jessie)/ machine I get:
> [new]$ openssl version
> OpenSSL 1.0.1t 3 May 2016
> [new]$ openssl smime -decrypt -passin pass:XXXX -inform DER -in smime.p7m -engine pkcs11 -inkey id_e3c5 -keyform engine > /dev/null ; echo $?
> engine "pkcs11" set.
> Error decrypting PKCS#7 structure
> 3073701564:error:06065064:digital envelope
> routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:516:
> Of course smime.p7m file and smartcard are the same. Machines differs
> but smartcard reader on the new machine seams to work fine, for
> example I can access smartcard data:
> [new]$ pkcs11-dump dump /usr/lib/libeTPkcs11.so 0 XXXX | grep -1
> e3 c5
> Config files are the same with additional pkcs11 engine section
> described in libengine-pkcs11-openssl package docs:
> # /etc/ssl/openssl.cnf
> openssl_conf = openssl_def
> engines = engine_section
> pkcs11 = pkcs11_section
> engine_id = pkcs11
> dynamic_path = /usr/lib/engines/engine_pkcs11.so
> MODULE_PATH = /usr/lib/libeTPkcs11.so
> init = 0
> I will be grateful for any hints why it does not work? Maybe I missed
> something in config file?
This has little to do with openssl itself, but I am familiar with such
I'm using the same token with the same driver on CentOS 6, 7 and Fedora
20/22 without and issues. Your problem could be caused by numerous
- which version of opensc is installed
- which version of engine_pkcs11 and libp11 are installed
- which *exact* version of the eTPkcs11 driver are you using?
Keep in mind that for the latest OSes you will need the SafeNet client v9
More information about the openssl-users