[opensc-user] Problem Loading Engine

Andreas Jellinghaus aj at dungeon.inka.de
Tue Jun 23 19:06:40 UTC 2009


Hi Bram,

> I am trying to work with the pkcs11_engine from the opensc project and a
> vendor supplied module and I am running into some problems.

does "pkcs11-tool --test" work with that pkcs#11 library
you are using? if not, please talk to the vendor of that
library. it is hard for us to see if the problem is in openssl,
engine_pkcs11, libp11 or that library :(

> OpenSSL> engine dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so
> -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre
> MODULE_PATH:/root/.tblive/libtbpkcs11.so
> (dynamic) Dynamic engine loading support
> [Success]: SO_PATH:/usr/lib/engines/engine_pkcs11.so
> [Success]: ID:pkcs11
> [Success]: LIST_ADD:1
> [Success]: LOAD
> [Success]: MODULE_PATH:/root/.tblive/libtbpkcs11.so
> Loaded: (pkcs11) pkcs11 engine
> OpenSSL>  req  -engine pkcs11 -new -key slot_0-label_TB_AUTH_KEY
> -keyform engine -out req.pem -text -x509         -subj "/CN=TrustBearer"
> unable to load module /root/.tblive/libtbpkcs11.so
> Segmentation fault

looks to me like a problem in that library, but I can't say for sure.
can you run that inside gdb to get a proper stack trace?

maybe opensuse has debug binaries for engine_pkcs11 and libp11 and openssl? if 
not you might need to compile those yourself.

> or sometimes I get:
> __pthread_mutex_lock: Assertion `robust || (oldval & 0x40000000) == 0
> failed
> instead of the segfault.

engine_pkcs11 and libp11 have no clue about threads. so it must be an openssl
issue or issue with your vendor pkcs#11 library.

> I have traced the point where the load module fails to the call:
> CRYPTOKI_checkerr(PKCS11_F_PKCS11_CTX_LOAD, rv);
> in libp11 file src/p11_load.c

that line exists several times. but it only tells me: libp11 called your
vendor's library, and that returned an error.

you can install opensc and use pkcs11-spy.so from opensc. the idea is
to hook that PKCS#11 module between openssl/engine_pkcs11/libp11 and
the real pkcs#11 module you want to use, and it will create a log file
with each function call, all the parameters, and the return values.

export PKCS11SPY=/root/.tblive/libtbpkcs11.so
export PKCS11SPY_OUTPUT=/tmp/pkcs11-spy-file.log
openssl (.... as you did before)

and see if that shows what is going on.

good luck!

Regards, Andreas
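
Added example (not part of the original mail or of OpenSC): once the pkcs11-spy log described above exists, this shell function lists the calls into the vendor module that returned an error, or that were still in progress when the log ends, as happens after a segfault. The log layout it matches and the sample log are assumptions constructed for illustration.

```shell
# Added example, not from the original mail. Assumed pkcs11-spy log layout:
# a call starts with "<n>: C_Name" and ends with "Returned:  <code> CKR_NAME".

# List calls that failed or never returned, as "<n> <function> <result>".
spy_failed_calls() {
    awk '
        /^[0-9]+: C_/ {            # start of a logged call
            sub(":", "", $1); n = $1; fn = $2; pending = 1; next
        }
        /^Returned:/ {             # end of a logged call
            if (pending && $NF != "CKR_OK") print n, fn, $NF
            pending = 0
        }
        END {                      # log stops mid-call, e.g. after a crash
            if (pending) print n, fn, "NO_RETURN"
        }
    ' "$1"
}

# Constructed sample log (not real output from any vendor module).
write_sample_log() {
    cat > "$1" <<'EOF'
0: C_GetFunctionList
Returned:  0 CKR_OK

1: C_Initialize
[in] pInitArgs = 0x0
Returned:  5 CKR_GENERAL_ERROR

2: C_Finalize
EOF
}

sample=$(mktemp)
write_sample_log "$sample"
spy_failed_calls "$sample"
rm -f "$sample"
```

On a real log, call it as spy_failed_calls /tmp/pkcs11-spy-file.log; if your pkcs11-spy version writes a different layout, adjust the two patterns.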

