How to access keys on HW tokens via PKCS11 Provider?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Given that ENGINE API is deprecated, I’m trying to port my stuff to Provider API. Starting with “openssl” CLI to get the hang of it.

 

I installed PKCS11 provider from https://github.com/latchset/pkcs11-provider.git (after ensuring it passes 19 out of 20 tests), and started experimenting.

 

Immediately hit several problems:

  1. OpenSSL does not seem to automatically load the PKCS11 provider, despite having it added to “openssl.cnf”
  2. Forcing provider via “-provider-path /opt/local/lib/ossl-modules/pkcs11.dylib”, it fails to load/access the private key on my HW token.

 

Needless to say, it all works perfectly with ENGINE interface and current “libp11”.

 

Here’s what I have in “openssl.cnf” (relevant excerpt):

 

[openssl_init]

providers = provider_sect

#engines = engines_sect

 

[provider_sect]

default = default_sect

legacy = legacy_sect

pkcs11 = pkcs11_sect

gost   = gost_sect

base = base_sect

 

[default_sect]

activate = 1

 

[legacy_sect]

activate = 1

 

[pkcs11_sect]

module = /opt/local/libexec/openssl3/lib/ossl_modules/pkcs11.dylib

pkcs11-module-allow-export

activate = 1

 

[gost_sect]

module = /opt/local/libexec/openssl3/lib/ossl-modules/gostprov.dylib

activate = 1

 

[base_sect]

activate = 1

 

and here’s the error:

 

Decrypt CMS message in file /tmp/derive.97732.text.cms...

openssl cms -provider-path /opt/local/lib/ossl-modules/pkcs11.dylib -decrypt -aes256 -binary -inform PEM -in /tmp/derive.99252.text.cms -out /tmp/derive.99252.text.dec -inkey "pkcs11:id=%03;object-type=private"

Could not open file or uri for loading signing key from pkcs11:id=%03;object-type=private

40F6064DF87F0000:error:16000069:STORE routines:ossl_store_get0_loader_int:unregistered scheme:crypto/store/store_register.c:237:scheme=file

40F6064DF87F0000:error:80000002:system library:file_open:No such file or directory:providers/implementations/storemgmt/file_store.c:267:calling stat(pkcs11:id=%03;object-type=private)

40F6064DF87F0000:error:16000069:STORE routines:ossl_store_get0_loader_int:unregistered scheme:crypto/store/store_register.c:237:scheme=pkcs11

40F6064DF87F0000:error:1608010C:STORE routines:inner_loader_fetch:unsupported:crypto/store/store_meth.c:383:No store loader found. For standard store loaders you need at least one of the default or base providers available. Did you forget to load them? Info: Global default library context, Scheme (pkcs11 : 0), Properties (<null>)

 

FAILED to create decrypted file /tmp/derive.97732.text.dec

 

The token is PIV-compliant.

 

I tried several ways of specifying the key URI, none seemed to work. Please advise on how to address/name the key so that the Provider can access it. Or is the provider screwed up? But it seemed to work OK with NSS soft-token and with SoftHSM (except for one test)…

 

Thanks!

--

V/R,

Uri Blumenthal                              Voice: (781) 981-1638 

Secure Resilient Systems and Technologies   Cell:  (339) 223-5363

MIT Lincoln Laboratory                     

244 Wood Street, Lexington, MA  02420-9108      

 

Web:     https://www.ll.mit.edu/biographies/uri-blumenthal

Root CA: https://www.ll.mit.edu/llrca2.pem

 

There are two ways to design a system. One is to make it so simple there are obviously no deficiencies.

The other is to make it so complex there are no obvious deficiencies.

                                                                                                                                     -  C. A. R. Hoare

 

Attachment: smime.p7s
Description: S/MIME cryptographic signature


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux