I also had quite some trouble getting the PKCS#11 provider used by OpenSSL (with MacOS at least).
Without using an OpenSSL config file, it was relatively
straightforward, e.g.:
PKCS11_PROVIDER_MODULE=/Library/OpenSC/lib/onepin-opensc-pkcs11.so openssl req -new -subj "/CN=x" -provider pkcs11 -key "pkcs11:object=...;type=private"
Yet with such a config file, as recommended by https://github.com/latchset/pkcs11-provider/blob/main/HOWTO.md,
there are many pitfalls.
One of them is that this doc does not mention that the file needs to
include in its default (unnamed) section:
openssl_conf = openssl_init
Moreover, it looks like OpenSSL does not automatically load all
providers listed in
[provider_sect]
default = default_sect
pkcs11 = pkcs11_sect
but only "predefined" ones. At least, I still need to explicitly
reference it on the command line, e.g.:
openssl req -new -subj "/CN=x" -provider pkcs11 -key "pkcs11:object=...;type=private"
Part of the trouble finding out such
things is that the provider loader is hard to trace.
Including in the default section
config_diagnostics = 1
does not help much.
Even using the trace API did not really
help to find out that/why the pkcs11 provider does not get used
automatically when included in the config file.
BTW, for getting trace output (such as, for the configuration loading), OpenSSL documents that this requires building with the enable-trace option,
but I found nowhere that in order to
actually make use of it on the command line, OPENSSL_TRACE needs to be set, for
instance as follows:
OPENSSL_TRACE=CONF
openssl ...
Hope this helps,
David
On 07.02.23 23:41, Blumenthal, Uri - 0553 - MITLL wrote:

On 2/7/23, 15:47, "Dmitry Belyavsky" <beldmit@xxxxxxxxx> wrote:
For the test purposes could you please write down the pin into the file similarly to the example and provide a path to the module via PKCS11_PROVIDER_MODULE env var?

Very-very-same thing:

Decrypt CMS message in file /tmp/derive.26600.text.cms...
/Users/ur20980/openssl-3/bin/openssl cms -decrypt -aes256 -binary -inform PEM -in /tmp/derive.26600.text.cms -out /tmp/derive.26600.text.dec -inkey "pkcs11:id=%03;type=private"
Could not open file or uri for loading
Could not read key etc. of signing key from pkcs11:id=%03;type=private
40F6064DF87F0000:error:80000002:system library:file_open:No such file or directory:providers/implementations/storemgmt/file_store.c:265:calling stat(pkcs11:id=%03;type=private)
40F6064DF87F0000:error:1608010C:STORE routines:inner_loader_fetch:unsupported:crypto/store/store_meth.c:353:No store loader found. For standard store loaders you need at least one of the default or base providers available. Did you forget to load them? Info: Global default library context, Scheme (pkcs11 : 0), Properties (<null>)
FAILED to create decrypted file /tmp/derive.26600.text.dec

$ env | grep PKCS11_PROV
PKCS11_PROVIDER_MODULE=/Users/ur20980/openssl-3/lib/ossl-modules/pkcs11.dylib
$ ll ~/src/pinfile.txt
-rw------- 1 ur20980 staff 8 Feb 7 17:37 /Users/ur20980/src/pinfile.txt
$
$ cat ~/openssl-3/etc/openssl.cnf
. . .
[prov_section]
default = default_sect
base = base_Sect
legacy = legacy_sect
pkcs11 = pkcs11_sect

[default_sect]
activate = 1

[base_Sect]
activate = 1

[legacy_sect]
activate = 1

[pkcs11_sect]
module = /Users/ur20980/openssl-3/lib/ossl-modules/pkcs11.dylib
pkcs11-module-token-pin = file:/Users/ur20980/src/pinfile.txt
activate = 1

Thanks for nudging me about the documentation, I notified the authors. ;-)

Hopefully it will be there by the time ENGINE code is removed from OpenSSL.

On Tue, Feb 7, 2023 at 9:41 PM Blumenthal, Uri - 0553 - MITLL <uri@xxxxxxxxxx> wrote:
>
> > How do you configure the actual PKCS#11 module (not the provider
> > itself) to use and pin?
>
> This is what I see in tests/tmp.softokn/openssl.cnf:
>
> [openssl_init]
> providers = provider_sect
>
> [provider_sect]
> default = default_sect
> pkcs11 = pkcs11_sect
> base = base_sect
>
> [base_sect]
> activate = 1
>
> [default_sect]
> activate = 1
>
> [pkcs11_sect]
> module = /Users/ur20980/src/pkcs11-provider/src/.libs/pkcs11.dylib
> pkcs11-module-init-args = configDir=/Users/ur20980/src/pkcs11-provider/tests/tmp.softokn/tokens
> pkcs11-module-token-pin = file:/Users/ur20980/src/pkcs11-provider/tests/pinfile.txt
> #pkcs11-module-allow-export
> activate = 1
>
> I did not include "pkcs11-module-init-args", mainly because I've no idea what kind of init-args OpenSC module needs, and libp11 engine did not seem to need any (besides just pointing at the /usr/local/lib/opensc-pkcs11.so or such).
>
> Likewise with pin - I expect OpenSSL to prompt me (interactively ;) for the pin and pass it to the provider.
>
> And this is from tests/tmp.softhsm/openssl.cnf:
>
> [pkcs11_sect]
> module = /Users/ur20980/src/pkcs11-provider/src/.libs/pkcs11.dylib
> pkcs11-module-token-pin = file:/Users/ur20980/src/pkcs11-provider/tests/pinfile.txt
> #pkcs11-module-allow-export
> activate = 1
>
> Notice absence of pkcs11-module-init-args.
>
>
> > There should be examples in the openssl.cnf generated by running tests.
>
> Mostly useless (see above). Also, documentation for that specific provider is non-existent.
>
> Copied PRKEY from "testvars":
>
> Decrypt CMS message in file /tmp/derive.27307.text.cms...
> OPENSSL_CONF=/Users/ur20980/openssl-3/etc/openssl.cnf /Users/ur20980/openssl-3/bin/openssl cms -aes256 -decrypt -binary -inform PEM -in /tmp/derive.27307.text.cms -out /tmp/derive.27307.text.dec -inkey "pkcs11:id=%00%03;type=private"
> Could not open file or uri for loading
> Could not read key etc. of signing key from pkcs11:id=%00%03;type=private
> 40E6BC57F87F0000:error:80000002:system library:file_open:No such file or directory:providers/implementations/storemgmt/file_store.c:265:calling stat(pkcs11:id=%00%03;type=private)
> 40E6BC57F87F0000:error:1608010C:STORE routines:inner_loader_fetch:unsupported:crypto/store/store_meth.c:353:No store loader found. For standard store loaders you need at least one of the default or base providers available. Did you forget to load them? Info: Global default library context, Scheme (pkcs11 : 0), Properties (<null>)
>
>
>
> TNX
>
>
> On Tue, Feb 7, 2023 at 8:42 PM Blumenthal, Uri - 0553 - MITLL
> <uri@xxxxxxxxxx> wrote:
> >
> > > What is the OpenSSL version you use? There were some fixes after 3.0.7
> > > related to some problems found by PKCS#11 provider authors.
> >
> > I'm still on 3.0.7 - hopefully move to 3.0.8 soon (as soon as Macports migrates to 3.0.8).
> >
> > If you think it's beneficial - I can do the same test with 3.2dev (current OpenSSL master).
> >
> > I still would like to know *exactly what the URI should look like*, e.g., for KEY MAN Key (encryption/decryption, PIV slot 9d).
> >
> > Thanks!
> >
> > > --
> SY, Dmitry Belyavsky

--
SY, Dmitry Belyavsky
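As an added illustration (not code from the thread or from pkcs11-provider), the following script checks whether an openssl.cnf wires the provider chain the HOWTO lays out and that David's post says is easy to get wrong: the unnamed default section must carry openssl_conf, the init section must point at a provider list, and each listed provider needs its own section with activate = 1 (plus module = ... for pkcs11). Both sample configs are constructed and the module path is a placeholder.

```python
# Added example, not from the thread: checks that an openssl.cnf wires the provider
# chain the pkcs11-provider HOWTO describes: unnamed section -> openssl_conf ->
# [init] providers -> [provider_sect] -> per-provider section with activate = 1
# (and module = ... for pkcs11). Both sample configs below are constructed.

def parse_cnf(text):
    """OpenSSL conf subset: [section], key = value, '#' comments; unnamed section is ''."""
    sections, cur = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            cur = line[1:-1].strip()
            sections.setdefault(cur, {})
        elif "=" in line:
            key, val = line.split("=", 1)
            sections[cur][key.strip()] = val.strip()
    return sections

def check_provider_config(text):
    """Return the wiring problems found in a config text; [] means the chain is complete."""
    cfg, problems = parse_cnf(text), []
    init = cfg[""].get("openssl_conf")          # the pitfall from the thread
    if init not in cfg:
        return ["unnamed default section needs 'openssl_conf = <existing init section>'"]
    prov = cfg[init].get("providers")
    if prov not in cfg:
        return [f"[{init}] needs 'providers = <existing provider list section>'"]
    for name, sect in cfg[prov].items():
        entry = cfg.get(sect, {})
        if entry.get("activate") != "1":
            problems.append(f"[{sect}] for provider '{name}' lacks 'activate = 1'")
        if name == "pkcs11" and not entry.get("module"):
            problems.append(f"[{sect}] lacks 'module = <path to the pkcs11 provider>'")
    return problems

# Constructed sample laid out as in the HOWTO; the module path is a placeholder.
GOOD_CNF = """openssl_conf = openssl_init
[openssl_init]
providers = provider_sect
[provider_sect]
default = default_sect
pkcs11 = pkcs11_sect
[default_sect]
activate = 1
[pkcs11_sect]
module = /PLACEHOLDER/path/to/pkcs11-provider.so   # placeholder, not a real path
activate = 1
"""
# Constructed sample: the same file minus the line David found missing from the doc.
BAD_CNF = GOOD_CNF.replace("openssl_conf = openssl_init\n", "")
```

Run it against a real openssl.cnf by reading the file into check_provider_config; it only inspects the wiring and does not load any module.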