Re: [openssl-users] smartcard/ pkcs11 - 'bad decrypt' error after upgrade from 0.9.8 to 1.0.1

Fri, 11 Nov 2016 07:13:32 -0800 

Hi,

On 10/11/16 10:49, Pawel Suwinski wrote:

Hello


After  openssl upgrade  (new  OS  version, new  machine)  I get  error
decrypting  SMIME  messages  using Alladin  eToken  SmardCard  (pkcs11
engine).

On old system (Debian 6.0 Squeeze-LTS)/ machine:
#v+
[old]$ openssl version
OpenSSL 0.9.8g 19 Oct 2007 (Library: OpenSSL 0.9.8o 01 Jun 2010)

[old]$ openssl smime -decrypt -passin pass:XXXX -inform DER -in smime.p7m -engine 
pkcs11 -inkey id_e3c5 -keyform engine > /dev/null ; echo $?
engine "pkcs11" set.
0
#v-

Now on the new system (Debian 8.6 Jessie)/ machine I get:
#v+
[new]$ openssl version
OpenSSL 1.0.1t  3 May 2016
[new]$ openssl smime -decrypt -passin pass:XXXX -inform DER -in smime.p7m -engine 
pkcs11 -inkey id_e3c5 -keyform engine > /dev/null ; echo $?
engine "pkcs11" set.
Error decrypting PKCS#7 structure
3073701564:error:06065064:digital envelope
routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:516:
4
#v-

Of course smime.p7m file and  smartcard are the same. Machines differs
but  smartcard reader  on  the new  machine seams  to  work fine,  for
example I can access smartcard data:

#v+
[new]$ pkcs11-dump dump /usr/lib/libeTPkcs11.so 0 XXXX | grep -1

                         CKA_ID:
e3 c5
(...)
#v-


Config files are the same with additional pkcs11 engine section
described in libengine-pkcs11-openssl package docs:

#v+
# /etc/ssl/openssl.cnf
(...)
openssl_conf            = openssl_def

[openssl_def]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib/engines/engine_pkcs11.so
MODULE_PATH = /usr/lib/libeTPkcs11.so
init = 0
(...)
#v-


I will be grateful for any hints why it does not work? Maybe I missed
something in config file?
This has little to do with openssl itself, but I am familiar with such issues. I'm using the same token with the same driver on CentOS 6, 7 and Fedora 20/22 without and issues. Your problem could be caused by numerous incompatibilities: 
- which version of opensc is installed
- which version of engine_pkcs11 and libp11 are installed
- which *exact* version of the eTPkcs11 driver are you using?

Keep in mind that for the latest OSes you will need the SafeNet client v9

HTH,

JJK

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Reply via email to