<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<div class="moz-cite-prefix">Hi,<br>
<br>
I had a look at the pkcs11-helper and can see where the
RSA_METHOD_FLAG_NO_CHECK is being set. It's using a session object
called <span class="pl-c1">pkcs11h_openssl_session_t</span>, which I do
not see in the libp11 or OpenSC code.<br>
<br>
Right now I am using the "libp11" DLL (i.e.
libp11-libp11-0.4.11\src\pkcs11.dll) with my PKCS11 smart card
middleware DLL. Should I be using the OpenSC pkcs11 DLL instead of
my middleware DLL if I am using libp11?<br>
<br>
Do you know if it is normal to see exceptions related to the
PKCS11 function calls in the libp11 code? For example, I can see
the following function generate an exception on C_GetSlotList(...)
multiple times but it eventually is successful. Is this normal
behaviour?<br>
<br>
int pkcs11_enumerate_slots(PKCS11_CTX *ctx, PKCS11_SLOT **slotp,
unsigned int *countp)<br>
{<br>
. . .<br>
rv = cpriv-&gt;method-&gt;C_GetSlotList(FALSE, NULL_PTR,
&amp;nslots);<br>
. . .<br>
}<br>
<br>
<br>
Thanks,<br>
George<br>
<br>
<br>
<br>
On 2021-01-08 6:32 p.m., Michael Wojcik wrote:<br>
</div>
<blockquote type="cite"
cite="mid:DM6PR18MB2700D51CA007871717F6C533F9AE9@DM6PR18MB2700.namprd18.prod.outlook.com">
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">From: openssl-users <a class="moz-txt-link-rfc2396E" href="mailto:openssl-users-bounces@openssl.org">&lt;openssl-users-bounces@openssl.org&gt;</a> On Behalf Of George
Sent: Friday, 8 January, 2021 14:35
</pre>
</blockquote>
<pre class="moz-quote-pre" wrap="">
</pre>
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">The comment indicates that the flag RSA_METHOD_FLAG_NO_CHECK should be set
for smart cards[...]
</pre>
</blockquote>
<pre class="moz-quote-pre" wrap="">
</pre>
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">However, it is not actually set when I use a debugger to inspect the flag.
Does it need to be set? If so, how is this done?
</pre>
</blockquote>
<pre class="moz-quote-pre" wrap="">
If memory serves, the PKCS#11 implementation invoked by the pkcs11 engine is supposed to set it.
See for example this patch to OpenSC's pkcs11-helper library:
<a class="moz-txt-link-freetext" href="https://github.com/OpenSC/pkcs11-helper/commit/5198bb1e557dfd4109bea41c086825bf6ebdd9f3">https://github.com/OpenSC/pkcs11-helper/commit/5198bb1e557dfd4109bea41c086825bf6ebdd9f3</a>
(That patch actually is to set a different flag, but it shows the code in question.)
I know, that's probably not terribly helpful.
If you do a web search for something like
pkcs11 "RSA_METHOD_FLAG_NO_CHECK"
you'll probably find a number of hits where other people ran into similar problems.
Isn't PKCS#11 grand? If you're bored with all the interoperability problems of X.509, PKIX, and TLS, we have good news!
--
Michael Wojcik
</pre>
</blockquote>
<br>
</body>
</html>