Hi,

On Tue, 2022-07-05 at 09:00 +0200, Bastian Blank wrote:
> On Mon, Jul 04, 2022 at 10:34:39PM +0200, Ansgar wrote:
> > As a further test I tried a different PKCS#11 module:
>
> Could you try the same with "openssl cms"? Just to make sure it's
> not sign-file itself.

I replaced the `./sign-file` call with:

+---
| openssl cms -sign -binary -outform DER -engine pkcs11 \
|   -keyform engine -inkey "${pkcs11_uri}" -signer ${cert_path} \
|   -md sha256 -nocerts -noattr -nosmimecap \
|   -in data.ko -out data.ko.p7s
+---

and got the same results as with sign-file, both with
libykcs11.so.2.2.0 and opensc-pkcs11.so.

All of this happened on my laptop running a current Debian testing.

There is at least one ykcs11-specific bug (missing the initial zero
bytes), but the broken signature itself happens with both modules.

Ansgar
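
Added example, not part of the original message: a software-key baseline that signs with the same `openssl cms` options minus the PKCS#11 engine and then verifies the detached signature, so a token-produced `data.ko.p7s` can be compared against a known-good run. The file names, certificate subject and function names are constructed for this example.

```shell
#!/bin/sh
# Added example: software-key baseline for the detached CMS signature.
# Assumption: an openssl binary is on PATH; all names below are constructed.

# Sign file $3 with key $1 and cert $2 into $4, using the options from the
# message above without -engine/-keyform (the key is a plain PEM file here).
sign_detached() {
    openssl cms -sign -binary -outform DER \
        -inkey "$1" -signer "$2" \
        -md sha256 -nocerts -noattr -nosmimecap \
        -in "$3" -out "$4"
}

# Verify detached signature $3 over content $2 against signer cert $1.
# -nocerts left the cert out of the CMS blob, so it is passed via -certfile.
# -noverify skips chain building only; the signature itself is still checked.
verify_detached() {
    openssl cms -verify -binary -inform DER -noverify \
        -certfile "$1" -content "$2" -in "$3" -out /dev/null 2>/dev/null
}

# Returns 0 only if the untouched payload verifies AND a modified one fails.
baseline_check() {
    dir=$(mktemp -d) || return 1
    rc=1
    # Constructed sample payload standing in for data.ko.
    printf 'constructed module payload\n' > "$dir/data.ko"
    if openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
           -subj '/CN=constructed baseline signer' \
           -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null &&
       sign_detached "$dir/key.pem" "$dir/cert.pem" \
           "$dir/data.ko" "$dir/data.ko.p7s" &&
       verify_detached "$dir/cert.pem" "$dir/data.ko" "$dir/data.ko.p7s"
    then
        # Negative control: one appended byte must break verification.
        printf 'x' >> "$dir/data.ko"
        if ! verify_detached "$dir/cert.pem" "$dir/data.ko" "$dir/data.ko.p7s"
        then
            rc=0
        fi
    fi
    rm -rf "$dir"
    return "$rc"
}

baseline_check && echo "software-key baseline: signature verifies"
```

Running `verify_detached` with the token's certificate against the token-produced `data.ko.p7s` gives the comparison: if the baseline passes and that call fails, the difference lies in the engine or module path rather than in the `openssl cms` options.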