For the test purposes could you please write down the pin into the file similarly to the example and provide a path to the module via PKCS11_PROVIDER_MODULE env var? Thanks for nudging me about the documentation, I notified the authors. On Tue, Feb 7, 2023 at 9:41 PM Blumenthal, Uri - 0553 - MITLL <uri@xxxxxxxxxx> wrote: > > > How do you configure the actual PKCS#11 module (not the provider > > itself) to use and pin? > > This is what I see in tests/tmp.softokn/openssl.cnf: > > [openssl_init] > providers = provider_sect > > [provider_sect] > default = default_sect > pkcs11 = pkcs11_sect > base = base_sect > > [base_sect] > activate = 1 > > [default_sect] > activate = 1 > > [pkcs11_sect] > module = /Users/ur20980/src/pkcs11-provider/src/.libs/pkcs11.dylib > pkcs11-module-init-args = configDir=/Users/ur20980/src/pkcs11-provider/tests/tmp.softokn/tokens > pkcs11-module-token-pin = file:/Users/ur20980/src/pkcs11-provider/tests/pinfile.txt > #pkcs11-module-allow-export > activate = 1 > > I did not include "pkcs11-module-init-args", mainly because I've no idea what kind of init-args OpenSC module needs, and libp11 engine did not seem to need any (besides just pointing at the /usr/local/lib/opensc-pkcs11.so or such). > > Likewise with pin - I expect OpenSSL to prompt me (interactively ;) for the pin and pass it to the provider. > > And this is from tests/tmp.softhsm/openssl.cnf: > > [pkcs11_sect] > module = /Users/ur20980/src/pkcs11-provider/src/.libs/pkcs11.dylib > pkcs11-module-token-pin = file:/Users/ur20980/src/pkcs11-provider/tests/pinfile.txt > #pkcs11-module-allow-export > activate = 1 > > Notice absence of pkcs11-module-init-args. > > > > There should be examples in the openssl.cnf generated by running tests. > > Mostly useless (see above). Also, documentation for that specific provider is non-existent. > > Copied PRKEY from "testvars": > > Decrypt CMS message in file /tmp/derive.27307.text.cms... > OPENSSL_CONF=/Users/ur20980/openssl-3/etc/openssl.cnf /Users/ur20980/openssl-3/bin/openssl cms -aes256 -decrypt -binary -inform PEM -in /tmp/derive.27307.text.cms -out /tmp/derive.27307.text.dec -inkey "pkcs11:id=%00%03;type=private" > Could not open file or uri for loadingCould not read key etc. of signing key from pkcs11:id=%00%03;type=private > 40E6BC57F87F0000:error:80000002:system library:file_open:No such file or directory:providers/implementations/storemgmt/file_store.c:265:calling stat(pkcs11:id=%00%03;type=private) > 40E6BC57F87F0000:error:1608010C:STORE routines:inner_loader_fetch:unsupported:crypto/store/store_meth.c:353:No store loader found. For standard store loaders you need at least one of the default or base providers available. Did you forget to load them? Info: Global default library context, Scheme (pkcs11 : 0), Properties (<null>) > > > > TNX > > > On Tue, Feb 7, 2023 at 8:42 PM Blumenthal, Uri - 0553 - MITLL > <uri@xxxxxxxxxx> wrote: > > > > > What is the OpenSSL version you use? There were some fixes after 3.0.7 > > > related to some problems found by PKCS#11 provider authors. > > > > I'm still on 3.0.7 - hopefully move to 3.0.8 soon (as soon as Macports migrates to 3.0.8). > > > > If you think it's beneficial - I can do the same test with 3.2dev (current OpenSSL master). > > > > I still would like to know *exactly what the URI should look like*, e.g., for KEY MAN Key (encryption/decryption, PIV slot 9d). > > > > Thanks! > > > > > -- > SY, Dmitry Belyavsky -- SY, Dmitry Belyavsky