Re: How to access keys on HW tokens via PKCS11 Provider?

Just tested with 3.2.0-dev - same problem. There clearly is a disconnect between what the PKCS#11 provider expects to find in the URI, and what I'm giving (which works with engines flawlessly!):

Decrypt CMS message in file /tmp/derive.634.text.cms...
OPENSSL_CONF=/Users/ur20980/openssl-3/etc/openssl.cnf /Users/ur20980/openssl-3/bin/openssl cms -aes256 -decrypt -binary -inform PEM -in /tmp/derive.634.text.cms -out /tmp/derive.634.text.dec -inkey "pkcs11:manufacturer=piv_II;object=KEY%20MAN%20key;object-type=private"
Could not open file or uri for loadingCould not read key etc. of signing key from pkcs11:manufacturer=piv_II;object=KEY%20MAN%20key;object-type=private
40E6BC57F87F0000:error:80000002:system library:file_open:No such file or directory:providers/implementations/storemgmt/file_store.c:265:calling stat(pkcs11:manufacturer=piv_II;object=KEY%20MAN%20key;object-type=private)
40E6BC57F87F0000:error:1608010C:STORE routines:inner_loader_fetch:unsupported:crypto/store/store_meth.c:353:No store loader found. For standard store loaders you need at least one of the default or base providers available. Did you forget to load them? Info: Global default library context, Scheme (pkcs11 : 0), Properties (<null>)

FAILED to create decrypted file /tmp/derive.634.text.dec

Same with "pkcs11:manufacturer=piv_II;id=%03;object-type=private"

TNX
-- 
V/R,
Uri
 

On 2/7/23, 14:43, "openssl-users on behalf of Blumenthal, Uri - 0553 - MITLL" <openssl-users-bounces@xxxxxxxxxxx on behalf of uri@xxxxxxxxxx> wrote:

    >  What is the OpenSSL version you use? There were some fixes after 3.0.7
    >  related to some problems found by PKCS#11 provider authors.

    I'm still on 3.0.7 - hopefully move to 3.0.8 soon (as soon as Macports migrates to 3.0.8).

    If you think it's beneficial - I can do the same test with 3.2dev (current OpenSSL master).

    I still would like to know *exactly what the URI should look like*, e.g., for KEY MAN Key (encryption/decryption, PIV slot 9d).

    Thanks!
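
An added example, not part of the original message and not code from OpenSSL or any PKCS#11 provider: a small parser that splits a `pkcs11:` URI into percent-decoded attributes and reports attribute names or `type` values that RFC 7512 does not define. It assumes the RFC 7512 attribute list; whether a given engine or provider accepts names outside that list is implementation-specific, and the function and constant names are hypothetical.

```python
"""Parse a PKCS#11 URI and flag attribute names not defined in RFC 7512."""
from urllib.parse import unquote_to_bytes

# Path and query attribute names defined in RFC 7512, section 2.3.
RFC7512_PATH = {
    "token", "manufacturer", "serial", "model",
    "library-manufacturer", "library-version", "library-description",
    "object", "type", "id",
    "slot-description", "slot-manufacturer", "slot-id",
}
RFC7512_QUERY = {"pin-source", "pin-value", "module-name", "module-path"}
RFC7512_TYPES = {"public", "private", "cert", "secret-key", "data"}


def parse_pkcs11_uri(uri):
    """Return (attrs, findings); attrs maps attribute name -> decoded value."""
    scheme, sep, rest = uri.partition(":")
    if not sep or scheme.lower() != "pkcs11":
        raise ValueError("not a pkcs11: URI")
    path, _, query = rest.partition("?")
    attrs, findings = {}, []
    for part, known, delim in ((path, RFC7512_PATH, ";"),
                               (query, RFC7512_QUERY, "&")):
        for item in filter(None, part.split(delim)):
            name, eq, raw = item.partition("=")
            if not eq:
                findings.append(f"'{item}': missing '='")
                continue
            # 'id' is a raw CKA_ID byte string; other values are UTF-8 text.
            data = unquote_to_bytes(raw)
            value = data if name == "id" else data.decode("utf-8")
            if name in attrs:
                findings.append(f"'{name}': given more than once")
            attrs[name] = value
            if name not in known:
                findings.append(f"'{name}': not a standard RFC 7512 attribute name")
            elif name == "type" and value not in RFC7512_TYPES:
                findings.append(f"'type': unknown value '{value}'")
    return attrs, findings


if __name__ == "__main__":
    # The two URIs quoted in the message above.
    for uri in (
        "pkcs11:manufacturer=piv_II;object=KEY%20MAN%20key;object-type=private",
        "pkcs11:manufacturer=piv_II;id=%03;object-type=private",
    ):
        print(parse_pkcs11_uri(uri))
```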


