openssl pkcs#11 engine patch

Emil Natan shlyoko at gmail.com
Mon Feb 7 15:59:15 UTC 2011


Hi,

I am trying to build BIND 9.7.2-P3 with the HSM support needed for DNSSEC on a
CentOS-5 box. Following the documentation (arm97, starting from page 27) I
downloaded the openssl source (0.9.8l) and applied the patch provided with BIND
(bin/pkcs11/openssl-0.9.8l-patch). There were no errors during the "configure"
and "make" phases, but I end up with an openssl that does not support pkcs#11. I
tried to use both the SCA6000 and SoftHSM pkcs#11 providers with no success.
Here is my configure line:

./Configure linux-generic32 -m32 -pthread \
    --pk11-libname=/opt/pkcs11/usr/lib/libpkcs11.so \
    --pk11-flavor=crypto-accelerator --prefix=/opt/pkcs11/usr

/opt/pkcs11/usr/lib/libpkcs11.so is the pkcs#11 provider shipped with the
SCA6000 (actually a copy of the original
/opt/sun/sca6000/lib/libpkcs11_sca.so).
Here is the error I get when checking for pkcs#11 support:

/opt/pkcs11/usr/bin/openssl engine pkcs11
27876:error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:dso_dlfcn.c:162:filename(/opt/pkcs11/usr/lib/engines/libpkcs11.so): /opt/pkcs11/usr/lib/engines/libpkcs11.so: cannot open shared object file: No such file or directory
27876:error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:244:
27876:error:260B6084:engine routines:DYNAMIC_LOAD:dso not found:eng_dyn.c:450:
27876:error:2606A074:engine routines:ENGINE_by_id:no such engine:eng_list.c:419:id=pkcs11

/opt/pkcs11/usr/lib/engines/libpkcs11.so should be the pkcs#11 engine if I
understand this correctly, but it is not created. I checked that all components
are 32-bit and that there is no mixing of 32 and 64-bit objects, as proposed in
README.pkcs11.

If I go further and build BIND as described in the ARM, when I try to create
keys using the pkcs11-keygen tool I get:

/chroot/named/sbin/pkcs11-keygen -b 1024 -l ksk
C_Initialize: Error = 0x000000FF

Has anyone got this working?

The output of the configure command is attached.

Thanks.

ena
-------------- next part --------------
A non-text attachment was scrubbed...
Name: configure_output.txt.gz
Type: application/x-gzip
Size: 2480 bytes
Desc: not available
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20110207/3b7cd7a4/attachment.bin>
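
The post describes two things to verify: that the engine file exists, and that no 32-bit and 64-bit objects are mixed. The shell functions below are an added example, not part of the original post or of BIND or OpenSSL; the function names are made up for this example, and the paths in the usage comment are the ones quoted in the post.

```shell
#!/bin/sh
# elf_class FILE: print 32, 64, "missing" or "not-elf" for FILE.
elf_class() {
    [ -f "$1" ] || { echo missing; return 0; }
    # Bytes 0-3 are the ELF magic (0x7f 'E' 'L' 'F'); byte 4 is EI_CLASS.
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    [ "$magic" = "7f454c46" ] || { echo not-elf; return 0; }
    case $(od -An -tu1 -j4 -N1 "$1" | tr -d ' \n') in
        1) echo 32 ;;   # ELFCLASS32
        2) echo 64 ;;   # ELFCLASS64
        *) echo not-elf ;;
    esac
}

# check_same_class LOADER LIB...: succeed only if every LIB exists and has
# the same ELF class as LOADER. A process cannot dlopen() an object of a
# different class, and a missing file fails the same way as in the post.
check_same_class() {
    loader=$1; shift
    want=$(elf_class "$loader")
    rc=0
    case $want in
        32|64) ;;
        *) echo "FAIL $loader: $want"; return 1 ;;
    esac
    for lib in "$@"; do
        got=$(elf_class "$lib")
        if [ "$got" = "$want" ]; then
            echo "ok   $lib: ${got}-bit"
        else
            echo "FAIL $lib: $got (loader is ${want}-bit)"
            rc=1
        fi
    done
    return $rc
}

# Usage with the paths from the post (run on the build host):
# check_same_class /opt/pkcs11/usr/bin/openssl \
#     /opt/pkcs11/usr/lib/libpkcs11.so \
#     /opt/pkcs11/usr/lib/engines/libpkcs11.so
```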