On Mon, 2016-06-06 at 14:13 +0200, Michael Schaller wrote: > David explains correctly what happens. This started happening for us > on Debian testing with the release of the libengine-pkcs11-openssl > package version 0.2.1-2 in March 2016 and it took us a while to > analyze the issue. The package had changed the libpkcs11.so location > from /usr/lib/ssl/engines/libpkcs11.so to > /usr/lib/x86_64-linux-gnu/openssl-1.0.2/engines/libpkcs11.so. Since > this move the autoload of the pkcs11 engine on the ENGINE_by_id call > works and we get a pkcs11 engine initialized for the use of p11-kit > instead of the expected initialization for the specified opencryptoki > module. We initialize the pkcs11 engine and module path via D-Bus via > the SetPKCS11EngineAndModulePath method. > > David, is the general recommendation to switch over to p11-kit? Yes, definitely. With p11-kit you get a system-wide configuration for which modules to load into which applications, with a per-user override: https://p11-glue.freedesktop.org/doc/p11-kit/pkcs11-conf.html This is honoured directly by GnuTLS applications because GnuTLS uses libp11-kit directly. For other crypto libraries (OpenSSL, NSS, etc.) it can be achieved just by loading the p11-kit-proxy.so module — which loads all the modules specified by the p11-kit configuration, as "slots" of its own. In Fedora it is now considered a bug if any packaged software *doesn't* automatically load the tokens specified by the p11-kit configuration, and allow you to use a RFC7512 PKCS#11 URI in any place you would have been able to use a filename to specify a certificate or key. So to go back to what you said above... > we get a pkcs11 engine initialized for the use of p11-kit instead of > the expected initialization for the specified opencryptoki> module. It's not supposed to be "instead of". Your p11-kit configuration is supposed to say what modules you want loaded, and then they're visible. (Yes, it would be nicer if OpenSSL and the engine would use libp11-kit directly instead of the trick of loading p11-kit-proxy.so, but we'll work on that for OpenSSL 1.3 where we turn PKCS#11 into a proper first- class citizen and we'll be able to use it for trust and all kinds of other things properly.) > We initialize the pkcs11 engine and module path via D-Bus via> the > SetPKCS11EngineAndModulePath method. You shouldn't need to do that. If the 'filename' you pass starts with 'pkcs11:' then it gets done automatically. And if you are referencing objects in the PKCS#11 token by the horrid old crufty ID string that predated RFC7512, then don't :) -- dwmw2
Attachment:
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ Hostap mailing list Hostap@xxxxxxxxxxxxxxxxxxx http://lists.infradead.org/mailman/listinfo/hostap
