Hello,
I'm using engine_pkcs11 module to initiate SSL connection authenticated by client certificate stored on the smart card. If I've got connected only 1 token (smart card itself) everything seems to be OK.
Problem occurs, after another token, without pkcs#11 support is inserted into another slot. Engine_pkcs11 responds with:
failed to enumerate slots
Key is sent to the engine including the slot id of the token.
What is the reason, that engine tries to enumerate all the slots again? Why the engine is not simply ignoring tokens, which doesn't have PKCS#11 structure and forces to cancel ssl negotiation? Why the engine is simply not connecting the slot specified within key (there is possibility to send key in format 'slot_id:key_id')?
Do you have any idea, how I can solve or workaround this problem?
Output of s_client connection initialization (if there is only 1 token, everything is working properly, after another token is inserted, error appears):
OpenSSL> engine -t dynamic -pre SO_PATH:engine_pkcs11 -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:siecap11.dll
(dynamic) Dynamic engine loading support
[Success]: SO_PATH:engine_pkcs11
[Success]: ID:pkcs11
[Success]: LIST_ADD:1
[Success]: LOAD
[Success]: MODULE_PATH:siecap11.dll
Loaded: (pkcs11) pkcs11 engine
[ available ]
OpenSSL>
OpenSSL> s_client -engine pkcs11 -connect hostname:443 -CAfile cacerts.pem -key 3:010203 -keyform engine -cert cert.pem
engine 'pkcs11' set.
failed to enumerate slots
PKCS11_get_private_key returned NULL
unable to load client certificate private key file
2032:error:80003030:Vendor defined:PKCS11_check_token:Device error:p11_slot.c:373:
2032:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:eng_pkey.c:126: error in s_client
OpenSSL>
Thank you and best regards,
Peter.
_______________________________________________
opensc-user mailing list
[hidden email]
http://www.opensc-project.org/mailman/listinfo/opensc-user
I'm using engine_pkcs11 module to initiate SSL connection authenticated by client certificate stored on the smart card. If I've got connected only 1 token (smart card itself) everything seems to be OK.
Problem occurs, after another token, without pkcs#11 support is inserted into another slot. Engine_pkcs11 responds with:
failed to enumerate slots
Key is sent to the engine including the slot id of the token.
What is the reason, that engine tries to enumerate all the slots again? Why the engine is not simply ignoring tokens, which doesn't have PKCS#11 structure and forces to cancel ssl negotiation? Why the engine is simply not connecting the slot specified within key (there is possibility to send key in format 'slot_id:key_id')?
Do you have any idea, how I can solve or workaround this problem?
Output of s_client connection initialization (if there is only 1 token, everything is working properly, after another token is inserted, error appears):
OpenSSL> engine -t dynamic -pre SO_PATH:engine_pkcs11 -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:siecap11.dll
(dynamic) Dynamic engine loading support
[Success]: SO_PATH:engine_pkcs11
[Success]: ID:pkcs11
[Success]: LIST_ADD:1
[Success]: LOAD
[Success]: MODULE_PATH:siecap11.dll
Loaded: (pkcs11) pkcs11 engine
[ available ]
OpenSSL>
OpenSSL> s_client -engine pkcs11 -connect hostname:443 -CAfile cacerts.pem -key 3:010203 -keyform engine -cert cert.pem
engine 'pkcs11' set.
failed to enumerate slots
PKCS11_get_private_key returned NULL
unable to load client certificate private key file
2032:error:80003030:Vendor defined:PKCS11_check_token:Device error:p11_slot.c:373:
2032:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:eng_pkey.c:126: error in s_client
OpenSSL>
Thank you and best regards,
Peter.
_______________________________________________
opensc-user mailing list
[hidden email]
http://www.opensc-project.org/mailman/listinfo/opensc-user
- (In reply to Michael from comment #10) I can confirm this issue. Also I can confirm that other USB devices are effected, too (mostly if plugged into an USB3 port). For example: ID 7392:7710 Edimax Technology Co., Ltd (mt7601u) WARN Set TR Deq Ptr cmd failed due to incorrect slot or ep state. dmesg doesn't show IOMMU warnings, so I assume it is a problem introduced in usb/xhci.
- Analytics cookies. We use analytics cookies to understand how you use our websites so we can make them better, e.g. They're used to gather information about the pages you visit and how many clicks you need to accomplish a task.
Openssl Failed To Enumerate Slots Free
Stack Overflow for Teams is a private, secure spot for you and your coworkers to find and share information.
ninonimen1971.netlify.com – 2021