Given that ENGINE API is deprecated, I’m trying to port my stuff to Provider API. Starting with “openssl” CLI to get the hang of it. I installed PKCS11 provider from https://github.com/latchset/pkcs11-provider.git (after ensuring it passes 19 out of 20 tests), and started experimenting. Immediately hit several problems:
Needless to say, it all works perfectly with ENGINE interface and current “libp11”. Here’s what I have in “openssl.cnf” (relevant excerpt):

    [openssl_init]
    providers = provider_sect
    #engines = engines_sect

    [provider_sect]
    default = default_sect
    legacy = legacy_sect
    pkcs11 = pkcs11_sect
    gost = gost_sect
    base = base_sect

    [default_sect]
    activate = 1

    [legacy_sect]
    activate = 1

    [pkcs11_sect]
    module = /opt/local/libexec/openssl3/lib/ossl_modules/pkcs11.dylib
    pkcs11-module-allow-export
    activate = 1

    [gost_sect]
    module = /opt/local/libexec/openssl3/lib/ossl-modules/gostprov.dylib
    activate = 1

    [base_sect]
    activate = 1

and here’s the error:

    Decrypt CMS message in file /tmp/derive.97732.text.cms...
    openssl cms -provider-path /opt/local/lib/ossl-modules/pkcs11.dylib -decrypt -aes256 -binary -inform PEM -in /tmp/derive.99252.text.cms -out /tmp/derive.99252.text.dec -inkey "pkcs11:id=%03;object-type=private"
    Could not open file or uri for loading signing key from pkcs11:id=%03;object-type=private
    40F6064DF87F0000:error:16000069:STORE routines:ossl_store_get0_loader_int:unregistered scheme:crypto/store/store_register.c:237:scheme=file
    40F6064DF87F0000:error:80000002:system library:file_open:No such file or directory:providers/implementations/storemgmt/file_store.c:267:calling stat(pkcs11:id=%03;object-type=private)
    40F6064DF87F0000:error:16000069:STORE routines:ossl_store_get0_loader_int:unregistered scheme:crypto/store/store_register.c:237:scheme=pkcs11
    40F6064DF87F0000:error:1608010C:STORE routines:inner_loader_fetch:unsupported:crypto/store/store_meth.c:383:No store loader found. For standard store loaders you need at least one of the default or base providers available. Did you forget to load them?
    Info: Global default library context, Scheme (pkcs11 : 0), Properties (<null>)
    FAILED to create decrypted file /tmp/derive.97732.text.dec

The token is PIV-compliant. I tried several ways of specifying the key URI, none seemed to work.
Please advise on how to address/name the key so that the Provider can access it. Or is the provider screwed up? But it seemed to work OK with NSS soft-token and with SoftHSM (except for one test)…

Thanks!

--
V/R,
Uri Blumenthal                          Voice: (781) 981-1638
Secure Resilient Systems and Technologies   Cell: (339) 223-5363
MIT Lincoln Laboratory
244 Wood Street, Lexington, MA 02420-9108
Web: https://www.ll.mit.edu/biographies/uri-blumenthal
Root CA: https://www.ll.mit.edu/llrca2.pem

There are two ways to design a system. One is to make it so simple there are obviously no deficiencies. The other is to make it so complex there are no obvious deficiencies. - C. A. R. Hoare
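The error stack and the config excerpt above are the two artefacts a triager has to read when a provider-backed `openssl` command fails. The script below is an added example, not code from the thread, from OpenSSL or from the pkcs11-provider project: it parses OpenSSL 3 error-stack lines (`thread:error:code:library:function:reason:file:line:extra`) into fields, reports which store schemes the STORE loader tried and whether the "No store loader found" failure appeared (the interpretation is taken from the error text itself), and parses the `[provider_sect]` chain of the config to list which providers are declared, which ones carry `activate = 1`, which module path each points to, and any line in a provider section that is not in `name = value` form. The error lines and config text are embedded as constructed copies of what the post shows; the function names are this example's own.

```python
"""Triage helpers for OpenSSL 3 provider/store failures (added example, not from the thread)."""
import re
from typing import Dict, List, Optional, Tuple

# OpenSSL 3 prints each error-stack entry as
#   thread:error:code:library:function:reason:file:line:extra
# The 'extra' field may itself contain colons (e.g. a pkcs11: URI), so it is matched last.
ERR_RE = re.compile(
    r"^(?P<thread>[0-9A-Fa-f]+):error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):"
    r"(?P<func>[^:]*):(?P<reason>[^:]*):(?P<file>[^:]*):(?P<line>\d+):(?P<extra>.*)$"
)

# Constructed sample: the four error-stack lines shown in the post.
SAMPLE_ERRORS = [
    "40F6064DF87F0000:error:16000069:STORE routines:ossl_store_get0_loader_int:"
    "unregistered scheme:crypto/store/store_register.c:237:scheme=file",
    "40F6064DF87F0000:error:80000002:system library:file_open:No such file or directory:"
    "providers/implementations/storemgmt/file_store.c:267:"
    "calling stat(pkcs11:id=%03;object-type=private)",
    "40F6064DF87F0000:error:16000069:STORE routines:ossl_store_get0_loader_int:"
    "unregistered scheme:crypto/store/store_register.c:237:scheme=pkcs11",
    "40F6064DF87F0000:error:1608010C:STORE routines:inner_loader_fetch:unsupported:"
    "crypto/store/store_meth.c:383:No store loader found. For standard store loaders "
    "you need at least one of the default or base providers available. Did you forget to load them?",
]

# Constructed sample: the provider-related part of the openssl.cnf excerpt in the post.
SAMPLE_CONFIG = """
[openssl_init]
providers = provider_sect
#engines = engines_sect

[provider_sect]
default = default_sect
legacy = legacy_sect
pkcs11 = pkcs11_sect
gost = gost_sect
base = base_sect

[default_sect]
activate = 1

[legacy_sect]
activate = 1

[pkcs11_sect]
module = /opt/local/libexec/openssl3/lib/ossl_modules/pkcs11.dylib
pkcs11-module-allow-export
activate = 1

[gost_sect]
module = /opt/local/libexec/openssl3/lib/ossl-modules/gostprov.dylib
activate = 1

[base_sect]
activate = 1
"""


def parse_error_line(line: str) -> Optional[Dict[str, str]]:
    """Split one error-stack line into its named fields; None if it is not one."""
    m = ERR_RE.match(line.strip())
    return m.groupdict() if m else None


def diagnose_store_errors(lines: List[str]) -> Dict[str, object]:
    """Collect the store schemes that failed to resolve and whether no loader was found at all."""
    schemes: List[str] = []
    no_loader = False
    for rec in filter(None, map(parse_error_line, lines)):
        if rec["reason"] == "unregistered scheme" and rec["extra"].startswith("scheme="):
            schemes.append(rec["extra"].split("=", 1)[1])
        if rec["reason"] == "unsupported" and "No store loader found" in rec["extra"]:
            no_loader = True
    return {"schemes_tried": schemes, "no_store_loader": no_loader}


SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]$")


def parse_conf(text: str) -> Dict[str, List[Tuple[str, Optional[str]]]]:
    """Minimal reader for the sectioned 'name = value' layout; a value of None marks a bare line."""
    sections: Dict[str, List[Tuple[str, Optional[str]]]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blanks
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name").strip()
            sections.setdefault(current, [])
            continue
        if current is None:
            continue
        if "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            sections[current].append((key, val))
        else:
            sections[current].append((line, None))  # not 'name = value'; OpenSSL's parser rejects this
    return sections


def provider_status(text: str) -> Dict[str, Dict[str, object]]:
    """Follow [openssl_init] -> providers -> each provider section and summarise it."""
    sections = parse_conf(text)
    init = {k: v for k, v in sections.get("openssl_init", []) if v is not None}
    result: Dict[str, Dict[str, object]] = {}
    for name, sect in sections.get(init.get("providers", ""), []):
        entries = sections.get(sect or "", [])
        result[name] = {
            "activated": any(k == "activate" and v == "1" for k, v in entries),
            "module": next((v for k, v in entries if k == "module"), None),
            "bare_keys": [k for k, v in entries if v is None],
        }
    return result


if __name__ == "__main__":
    print(diagnose_store_errors(SAMPLE_ERRORS))
    for name, info in provider_status(SAMPLE_CONFIG).items():
        print(name, info)
```

Run against the sample, the diagnosis reports that the `file` and `pkcs11` schemes were both tried and that no store loader was found, and the config summary shows every declared provider activated, `pkcs11` with a bare `pkcs11-module-allow-export` line, and the two module paths spelled with `ossl_modules` and `ossl-modules` respectively. Pair that with `openssl list -providers` and `openssl list -store-loaders` on the host to see what the running library context actually loaded.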