Dear all,
I'm implementing HSM support to our OCSP Responder which uses openssl libraries to perform crypto operations.
When searching for a PKCS11 engine's implementation for OpenSSL 0.9.8c (OCSP patched already with Engine support) I found OpenSC project and their engine_pkcs11 libraries, so I've begun testing it with the OpenSSL's command line, just like this:

*Engine preparation (from openssl environment):
engine -t dynamic -pre SO_PATH:\openssl-0.9.8c\out32dll\engine_pkcs11.dll -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:\openssl-0.9.8c\out32dll\rsecpk11.dll

*OCSP client issuing a signed Request (same mechanism is used by the OCSP Server when sending a signed Response):
ocsp -host ocsp.camerfirma.com:80 -path http://ocsp.camerfirma.com/ocsp -issuer Camerfirma-RootSinPoderes.pem -serial 0x00C20FA62E42F03643257115AED64383 -nonce -CAfile VA-root.pem -VAfile CACamerfirma-ocspSign.pem -signkey jluna.cve -signer jluna.cer -reqout hsm_ocsp_req.txt -respout hsm_ocsp.txt -req_text -engine pkcs11

*Error message:
Error signing OCSP request
1640:error:80009404:Vendor defined:PKCS11_rsa_encrypt:Not supported:p11_ops.c:107:
1640:error:0D0C3006:asn1 encoding routines:ASN1_item_sign:EVP lib:.\crypto\asn1\a_sign.c:276:
error in ocsp

I've tried also with a SmartCard and OpenSC's native opensc-pkcs11.dll module, but the error is still the same.
Question is, may this be an issue from OpenSSL or from the OpenSC implementation? Do you know/recommend some other open-source PKCS11 engine implementation for OpenSSL?
Thanks in advance for your help,

Jesus Luna
PKI Research
www.certiver.com
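
Added example, not part of the original message and not OpenSSL or OpenSC code: a small parser for the error-queue lines quoted above that unpacks each 8-digit code into its library, function and reason numbers and reports which layer recorded each entry. It assumes the packed-code layout of OpenSSL releases before 3.0; the sample text is the message's error output with wrapped lines joined, and the function names are hypothetical.

```python
import re

# Packed error-code layout used by OpenSSL releases before 3.0
# (err.h: ERR_GET_LIB, ERR_GET_FUNC, ERR_GET_REASON).
ERR_LIB_USER = 128  # first library number left to engines and applications

# pid:error:code:library:function:reason:file:line:
LINE_RE = re.compile(
    r"^(\d+):error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):([^:]*):(.*):(\d+):$")

# Sample input: the error output from the message, wrapped lines joined.
SAMPLE = r"""Error signing OCSP request
1640:error:80009404:Vendor defined:PKCS11_rsa_encrypt:Not supported:p11_ops.c:107:
1640:error:0D0C3006:asn1 encoding routines:ASN1_item_sign:EVP lib:.\crypto\asn1\a_sign.c:276:
error in ocsp
"""


def unpack(code):
    """Split a packed error code into (library, function, reason) numbers."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def parse_queue(text):
    """Return one dict per error-queue line, in printed (oldest-first) order."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue  # application messages such as "error in ocsp"
        lib, func, reason = unpack(int(m.group(2), 16))
        entries.append({
            "lib": lib, "func": func, "reason": reason,
            "func_name": m.group(4), "reason_text": m.group(5),
            "file": m.group(6), "line": int(m.group(7)),
            # Library numbers from ERR_LIB_USER up are not OpenSSL's own.
            "origin": "engine/application" if lib >= ERR_LIB_USER else "openssl",
        })
    return entries


def first_failure(text):
    """The oldest queue entry is where the failure was first recorded."""
    entries = parse_queue(text)
    return entries[0] if entries else None


if __name__ == "__main__":
    for e in parse_queue(SAMPLE):
        print(e["origin"], e["lib"], e["func"], hex(e["reason"]),
              e["func_name"], e["reason_text"], e["file"], e["line"])
```

For the quoted output, the first (oldest) entry carries library number 128, so it was recorded outside OpenSSL's own libraries, and the second entry is the ASN.1 signing code reporting that the EVP layer beneath it failed.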


__________________________________________________ ____________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majordomo@openssl.org


__________________________________________________ ____________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majordomo@openssl.org