Re: [EXT] Re: provider not loaded on MacOS - Re: How to access keys on HW tokens via PKCS11 Provider?

How exactly is the provider configured? Are base and default providers listed/enabled?

This works for me – except that for you the paths would need to be changed:

[openssl_init]
providers = provider_sect
engines   = engine_section

# List of providers to load
[provider_sect]
default = default_prov
# The fips section name should match the section name inside the
# included fipsmodule.cnf.
# fips = fips_prov
#legacy = legacy_prov
pkcs11 = pkcs11_prov
#gost   = gost_prov
base = base_prov
oqs = oqs_prov

[default_prov]
 activate = 1

[legacy_prov]
 activate = 0

[pkcs11_prov]
 module = /Users/ur20980/openssl-3/lib/ossl-modules/pkcs11.dylib
 pkcs11-module-quirks = no-deinit no-allowed-mechanisms
 pkcs11-module-login-behavior = auto
 pkcs11-module-cache-pins = cache
 #pkcs11-module-path = /Library/OpenSC/lib/opensc-pkcs11.so
 #pkcs11-module-path = /usr/local/lib/libykcs11.dylib
 #pkcs11-module-path = /Library/OpenSC/lib/pkcs11-spy.so
 #pkcs11-module-path = /opt/local/lib/p11-kit-proxy.dylib
 pkcs11-module-path = /opt/p11kit/lib/p11-kit-proxy.dylib
 activate = 1

[gost_prov]
 module = /Users/ur20980/openssl-3/lib/ossl-modules/gostprov.dylib
 activate = 0

[base_prov]
 activate = 1

[oqs_prov]
 module = /Users/ur20980/openssl-3/lib/ossl-modules/oqsprovider.dylib
 activate = 1


--
V/R,
Uri

There are two ways to design a system. One is to make it so simple there are obviously no deficiencies.
The other is to make it so complex there are no obvious deficiencies.
    - C. A. R. Hoare


From: Tomas Mraz <tomas@xxxxxxxxxxx>
Date: Wednesday, September 6, 2023 at 1:50 PM
To: David von Oheimb <it@xxxxxxxxxxxxx>
Cc: openssl-users@xxxxxxxxxxx <openssl-users@xxxxxxxxxxx>, Blumenthal, Uri - 0553 - MITLL <uri@xxxxxxxxxx>
Subject: [EXT] Re: provider not loaded on MacOS - Re: How to access keys on HW tokens via PKCS11 Provider?

On Wed, 2023-09-06 at 18:32 +0200, David von Oheimb wrote:
> On 06.09.23 09:02, Tomas Mraz wrote:
>  
> > On Tue, 2023-09-05 at 23:53 +0200, David von Oheimb wrote:
> >  
> > > Yet with such a config file, as recommended by
> > > https://github.com/latchset/pkcs11-provider/blob/main/HOWTO.md,
> > > there are many pitfalls.
> > >
> > > [...]
> > >
> > > Moreover, looks like OpenSSL does not automatically load all
> > > providers listed in
> > >
> > > [provider_sect]
> > > default = default_sect
> > > pkcs11 = pkcs11_sect
> > >
> > > but only "predefined" ones. At least, I still need to explicitly
> > > reference it on the command line, e.g.:
> > >
> > > openssl req  -new -subj "/CN=x" -provider pkcs11 -key 
> > > "pkcs11:object=...;type=private"
> > That is not intended. There should be no such distinction between
> > default and pkcs11 provider assuming both are activated in the
> > configuration.
> I see.
>  
> > It is either some misconfiguration or a bug in OpenSSL. Do you have
> > activate=1 in pkcs11_sect?
>  Yes, as recommended by that HOWTO.md.
>  
>  
> > Also, is the pkcs11 module configured correctly for the pkcs11
> > provider?
>  I believe so.
>  I've meanwhile tested with Linux, using (modulo the respective lib
> file path names) the same config file contents, and there it works.
>  
>  
> > If you try to strace the command without -provider pkcs11 do you
> > see any attempt to load the provider shared module?
> Good thought to try 'strace' instead of the hard-to-use and in this
> case not very useful OPENSSL_TRACE=CONF.
>  Yet I cannot reproduce the problem on Linux, while on MacOS, strace
> is not available.
>  Would be really good if the OpenSSL config module loader provided
> better tracing.
>  I had manually added some printfs to crypto/provider_core.c to find
> out that, for some reason,
>  provider_activate() and provider_init() only get called for
> "default", but not for "pkcs11":
> OPENSSL_TRACE=CONF apps/openssl x509 -noout -text -in
> "pkcs11:object=...;type=cert"
>
> TRACE[80:A0:6D:F0:01:00:00:00]:CONF: Configuration in section
> openssl_init
> TRACE[80:A0:6D:F0:01:00:00:00]:CONF: Adding config module
> 'alg_section'
> TRACE[80:A0:6D:F0:01:00:00:00]:CONF: Adding config module 'providers'
> TRACE[80:A0:6D:F0:01:00:00:00]:CONF: Adding config module 'random'
> TRACE[80:A0:6D:F0:01:00:00:00]:CONF: Loading providers module:
> section provider_sect
> TRACE[80:A0:6D:F0:01:00:00:00]:CONF: Configuring provider pkcs11
> TRACE[80:A0:6D:F0:01:00:00:00]:CONF: Provider command: module =
> /usr/local/lib/ossl-modules/pkcs11.dylib
> TRACE[80:A0:6D:F0:01:00:00:00]:CONF: Provider command: pkcs11-module-
> path = /Library/OpenSC/lib/onepin-opensc-pkcs11.so
> TRACE[80:A0:6D:F0:01:00:00:00]:CONF: Provider params: start section
> pkcs11_sect
> TRACE[80:A0:6D:F0:01:00:00:00]:CONF: Provider params: module =
> /usr/local/lib/ossl-modules/pkcs11.dylib
> TRACE[80:A0:6D:F0:01:00:00:00]:CONF: Provider params: pkcs11-module-
> path = /Library/OpenSC/lib/onepin-opensc-pkcs11.so
> TRACE[80:A0:6D:F0:01:00:00:00]:CONF: Provider params: finish section
> pkcs11_sect
> TRACE[80:A0:6D:F0:01:00:00:00]:CONF: Configuring provider default
> TRACE[80:A0:6D:F0:01:00:00:00]:CONF: Provider command: activate = 1
> TRACE[80:A0:6D:F0:01:00:00:00]:CONF: Provider params: start section
> default_sect
> TRACE[80:A0:6D:F0:01:00:00:00]:CONF: Provider params: activate = 1
> TRACE[80:A0:6D:F0:01:00:00:00]:CONF: Provider params: finish section
> default_sect
> provider_activate name = default
> provider_init name = default
> TRACE[80:A0:6D:F0:01:00:00:00]:CONF: Running module providers
> (provider_sect) returned 1
> Yet when I add  -provider pkcs11  to the command line, this output
> gets extended by:
> provider_activate name = pkcs11
> provider_init name = pkcs11
> module_path = (null)
> merged_path = /Users/david/openssl/providers/pkcs11.dylib
> and the provider loading works, making use, e.g., of
> pkcs11-module-path = /Library/OpenSC/lib/onepin-opensc-pkcs11.so
> Maybe this is related to the annoying fact that LD_LIBRARY_PATH does not
> work with MacOS, while DYLD_LIBRARY_PATH is a kind of replacement.
>     David

Not sure how LD_LIBRARY_PATH is related. It is not used when loading
the provider modules.

Is the provider module path correct in the TRACE above? Could you try
this tracing on Linux to compare?

It is suspicious that there is no provider command activate=1 trace
line for the pkcs11 provider.

--
Tomáš Mráz, OpenSSL

Attachment: smime.p7s
Description: S/MIME cryptographic signature
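The two checks the thread turns on, whether every provider named in provider_sect has a section with activate = 1, and whether the OPENSSL_TRACE=CONF output shows an "activate = 1" provider command for each configured provider, can be automated. The script below is an added example written for this page; it is not code from the thread, from OpenSSL or from pkcs11-provider. The config it embeds is constructed to mirror the one David describes, with the pkcs11 section deliberately lacking activate = 1 so that it reproduces the symptom; the trace lines are the ones from David's message with the trace IDs shortened. The parser is a minimal hand-written one and does not handle quoted values or $variable expansion.

```python
"""Added example (not from the thread or from OpenSSL/pkcs11-provider):
lint an OpenSSL 3 config for providers that are listed in provider_sect
but lack 'activate = 1', and cross-check an OPENSSL_TRACE=CONF dump for
the same gap, which is what Tomas spotted by eye in David's trace."""
import re
from collections import OrderedDict

# Constructed config, modelled on the one David describes.  The pkcs11
# section deliberately omits "activate = 1" so that it reproduces the
# symptom: the provider is only usable with an explicit "-provider pkcs11".
SAMPLE_CONF = """\
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

[provider_sect]
default = default_sect
pkcs11 = pkcs11_sect
# fips = fips_sect

[default_sect]
 activate = 1

[pkcs11_sect]
 module = /usr/local/lib/ossl-modules/pkcs11.dylib
 pkcs11-module-path = /Library/OpenSC/lib/onepin-opensc-pkcs11.so
"""

# Trace lines as printed in David's message (trace IDs shortened to "...").
SAMPLE_TRACE = """\
TRACE[...]:CONF: Loading providers module: section provider_sect
TRACE[...]:CONF: Configuring provider pkcs11
TRACE[...]:CONF: Provider command: module = /usr/local/lib/ossl-modules/pkcs11.dylib
TRACE[...]:CONF: Provider command: pkcs11-module-path = /Library/OpenSC/lib/onepin-opensc-pkcs11.so
TRACE[...]:CONF: Configuring provider default
TRACE[...]:CONF: Provider command: activate = 1
TRACE[...]:CONF: Running module providers (provider_sect) returned 1
"""


def parse_openssl_conf(text):
    """Minimal parser for OpenSSL's INI-like config: '[section]' headers,
    'key = value' lines, '#' comments.  Hand-written because OpenSSL allows
    indented 'key = value' lines, which configparser would treat as
    continuation lines of the previous value.  Quoted values and
    $variable expansion are not handled."""
    sections = OrderedDict()
    current = "default"  # OpenSSL's name for the unnamed top-level section
    sections[current] = OrderedDict()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[\s*([^\]]+?)\s*\]$", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, OrderedDict())
            continue
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections


def lint_providers(conf_text):
    """Return {provider_name: [problem, ...]} for providers named in the
    section that 'providers = ...' points to; an empty dict means every
    listed provider has a section containing 'activate = 1'."""
    conf = parse_openssl_conf(conf_text)
    init_name = conf["default"].get("openssl_conf", "openssl_init")
    prov_sect = conf.get(init_name, {}).get("providers")
    problems = OrderedDict()
    if prov_sect is None:
        problems["*"] = [f"no 'providers = ...' line in [{init_name}]"]
        return problems
    for name, sect_name in conf.get(prov_sect, {}).items():
        sect = conf.get(sect_name)
        if sect is None:
            problems[name] = [f"section [{sect_name}] does not exist"]
        elif sect.get("activate") != "1":
            problems[name] = [
                f"[{sect_name}] has no 'activate = 1'; {name} will only "
                f"load when '-provider {name}' is given on the command line"
            ]
    return problems


def providers_without_activate(trace_text):
    """Scan OPENSSL_TRACE=CONF output and return the providers whose
    'Configuring provider X' block contains no 'activate = 1' command."""
    activated = OrderedDict()
    current = None
    for line in trace_text.splitlines():
        m = re.search(r"CONF: Configuring provider (\S+)", line)
        if m:
            current = m.group(1)
            activated[current] = False
        elif current and re.search(r"Provider command: activate\s*=\s*1\s*$", line):
            activated[current] = True
    return [name for name, ok in activated.items() if not ok]


if __name__ == "__main__":
    for name, issues in lint_providers(SAMPLE_CONF).items():
        print(f"config: {name}: " + "; ".join(issues))
    print("trace: no activate=1 for:", providers_without_activate(SAMPLE_TRACE))
```

Run against a real installation with `lint_providers(open(path).read())`, where path is whatever `openssl version -d` reports plus `/openssl.cnf` (or the file OPENSSL_CONF points at), and feed the stderr of an `OPENSSL_TRACE=CONF openssl ...` run to `providers_without_activate`. If the linter is clean but the trace still lacks the activate command for a provider, the config being read at runtime is not the one being inspected, which is the next thing to verify.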

