Update of opensc-build?

Hi,

Many thanks in advance for your help.

I saw that you provide a build for OpenSC.
This build is based on version 0.20.1, if I have understood correctly.

I’m not sure I have fully understood the progress on ECC topics, but I understand that version 0.20.3 will allow us to use ECC keys already residing on the token.
Is that correct?
It seems that we will be able to use Curve25519 or NIST P256 with pkcs11-tool?
Do you plan to provide 0.20.3 builds?

I understand that we need to wait for the 0.20.3 release to be able to use Strongswan with a token using ECC curves (Curve25519 or NIST P256).

Many thanks in advance.

Best regards.

Hey,

if there are new releases that help users with features we will provide new builds, sure :slight_smile: Let us know if this is the case and what you need exactly. If I remember correctly this should not be necessary anymore though, as OpenSC will provide .deb themselves.

Hi @nitroalex,

Many thanks for your answer and sorry for the delay in my answer.
I have probably misunderstood something.

I would like to use Strongswan with a Nitrokey Start using ECC keys.
If I have understood correctly, OpenSC 0.20 is not able to manage ECC keys but (and I can’t remember where I saw that) it seems that release 0.20.3 could.

Could you help me to clarify this point?

Best regards.

Hello,
do you have a link to the release? I cannot see any such release, and without one we will probably not update our opensc-build repo.

Generally, you may be able to build the current master of the GitHub repo using this script and changing the version to “master”. But I did not test it, and you should check whether you are fine with the changes made to your system.

Kind regards
Alex

@szszszsz didn’t you say once that OpenSC will get nightly .deb files?

Hello,

The link is the following one: https://packages.debian.org/bullseye/opensc

I downloaded the source and rebuilt the version on my Debian 10 system.
Apparently without any problem. But I’m still not able to exchange with my Nitrokey Start filled with ECC keys.

Do you know if we are able to sign or decipher messages/keys with OpenSC and ECC keys?

Kind regards.

Philippe.

Hello,

you are probably confusing Debian’s versioning with the one of OpenSC. 0.20.0-3 means that it is the third package build for Debian (by Debian’s maintainer) of the 0.20.0 version of OpenSC. So on our side there is nothing new to build.

As far as I know there is an open Pull Request which should add most of the needed features for the NK Start regarding ed25519, but some things might be missing. They are all tracked at OpenSC.

Kind regards
Alex

Hi,

Absolutely, I was confused.
Many thanks for the link. If I have understood correctly, I shouldn’t have to wait too long.

Regards.

Hi!

I think I have proposed to add packages to our Ubuntu’s PPA channel, but this was left at the idea stage.
It might be done by OpenSC’s CI too - I will ask.

Tickets:

Regards,
Szczepan

This morning my Ubuntu received an update of openssl to version 1.1.1 and immediately afterwards my dovecot stopped working with unresolved symbols errors.

It turned out, it was the opensc/pkcs11 config section in the openssl.cnf which caused problems. Disabling the loading of the opensc modules in the config and restarting dovecot reliably fixed the problem.

But now I cannot access my Nitrokey HSM anymore ofc…

Can we please expect an updated opensc binary module for installation soon? Thank you very much in advance!

Commenting out the following config lines fixed the problem, i.e. prevents loading of our “old” opensc-pkcs11.so

##openssl_conf = openssl_def

##[openssl_def]
##engines = engine_section

[req]
distinguished_name = req_distinguished_name

[req_distinguished_name]
# empty.

##[engine_section]
##pkcs11 = pkcs11_section

##[pkcs11_section]
##engine_id = pkcs11
##dynamic_path = /usr/lib/ssl/engines/pkcs11.so
##MODULE_PATH = opensc-pkcs11.so

The actual problem is:

imap-login: Error: Failed to initialize SSL server context: Can’t load SSL certificate: error:2506406A:DSO support routines:dlfcn_bind_func:could not bind to the requested symbol name: symname(bind_engine): /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so: undefined symbol: bind_engine, error:2506C06A:DSO support routines:DSO_bind_func:could not bind to the requested symbol name, error:260B6068:engine routines:dynamic_load:DSO failure, error:260BC066:engine routines:int_engine_configure:engine configuration error: section=pkcs11_section, name=dynamic_path, value=/usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so, error:0E07606D:configuration file routines:module_run:module initialization error: module=engines, value=engine_section, retcode=-1 : user=<>, rip=192.168.0.2, lip=192.168.0.1

The same problem still occurs when building opensc manually using the script from GitHub - Nitrokey/opensc-build: Quick builds of OpenSC for Ubuntu and Debian
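
The error quoted above names `bind_engine`, the entry point OpenSSL's dynamic engine loader looks up, and reports it missing from `opensc-pkcs11.so`, which is a PKCS#11 module rather than an engine; the failing key is `dynamic_path`. As an added example (not from the thread or the opensc-build project), this Python check flags an engine section whose `dynamic_path` points at a PKCS#11 module. The function names, the `BAD` sample and the module-name list are assumptions made for the illustration.

```python
import os
import re

# Constructed sample: dynamic_path set to the path named in the error message.
BAD = """
openssl_conf = openssl_def
[openssl_def]
engines = engine_section
[engine_section]
pkcs11 = pkcs11_section
[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so
MODULE_PATH = opensc-pkcs11.so
"""
# Same sections with the dynamic_path value from the config posted above.
GOOD = BAD.replace("/usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so",
                   "/usr/lib/ssl/engines/pkcs11.so")

def parse_cnf(text):
    """Minimal openssl.cnf reader: {section: {key: value}}, "" is the global part."""
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        header = re.fullmatch(r"\[\s*(\S+)\s*\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections

def check_engines(text, pkcs11_modules=("opensc-pkcs11.so",)):
    """Flag engine sections whose dynamic_path is a PKCS#11 module, not an engine."""
    cnf = parse_cnf(text)
    root = cnf.get(cnf[""].get("openssl_conf", ""), {})
    findings = []
    for engine, section in cnf.get(root.get("engines", ""), {}).items():
        conf = cnf.get(section, {})
        loaded = os.path.basename(conf.get("dynamic_path", ""))
        module = os.path.basename(conf.get("MODULE_PATH", ""))
        if loaded and (loaded == module or loaded in pkcs11_modules):
            findings.append(f"{engine}: dynamic_path loads PKCS#11 module {loaded}")
    return findings

if __name__ == "__main__":
    print(check_engines(BAD), check_engines(GOOD))
```

On a real system the stronger check is whether the file at `dynamic_path` exports `bind_engine`; the name comparison here is a heuristic that works on the config text alone.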