How to access keys on HW tokens via PKCS11 Provider?

Dmitry Belyavsky beldmit at gmail.com
Tue Feb 7 19:32:59 UTC 2023


Dear Uri,

On Tue, Feb 7, 2023 at 8:19 PM Blumenthal, Uri - 0553 - MITLL
<uri at ll.mit.edu> wrote:
>
> On 2/7/23, 13:52, "Richard Levitte" <levitte at openssl.org> wrote:
> > On Tue, 07 Feb 2023 04:23:01 +0100,Blumenthal, Uri - 0553 - MITLL wrote:
> >
> > > Here’s what I have in “openssl.cnf” (relevant excerpt):
> >
> > In the [pkcs11_sect], there's this suspicious line:
> >
> > > pkcs11-module-allow-export
> >
> > That might cause the configuration parsing to fail.  Unfortunately,
> > the errors are silenced.
>
> Alas, removing that line seemed to have no effect, similar to attempts to use other ways of identifying the key:
>
> Decrypt CMS message in file /tmp/derive.1143.text.cms...
> openssl cms -decrypt -aes256 -binary -inform PEM -in /tmp/derive.1143.text.cms -out /tmp/derive.1143.text.dec -inkey "pkcs11:id=%03;object-type=private"
> Could not open file or uri for loading signing key from pkcs11:id=%03;object-type=private
> 40F6064DF87F0000:error:16000069:STORE routines:ossl_store_get0_loader_int:unregistered scheme:crypto/store/store_register.c:237:scheme=file
> 40F6064DF87F0000:error:80000002:system library:file_open:No such file or directory:providers/implementations/storemgmt/file_store.c:267:calling stat(pkcs11:id=%03;object-type=private)
> 40F6064DF87F0000:error:16000069:STORE routines:ossl_store_get0_loader_int:unregistered scheme:crypto/store/store_register.c:237:scheme=pkcs11
> 40F6064DF87F0000:error:1608010C:STORE routines:inner_loader_fetch:unsupported:crypto/store/store_meth.c:383:No store loader found. For standard store loaders you need at least one of the default or base providers available. Did you forget to load them? Info: Global default library context, Scheme (pkcs11 : 0), Properties (<null>)
>
> FAILED to create decrypted file /tmp/derive.1143.text.dec
>
> There is a disconnect between what OpenSSL (or this provider) expects, and what it finds in URI.

What is the OpenSSL version you use? There were some fixes after 3.0.7
related to some problems found by PKCS#11 provider authors.


-- 
SY, Dmitry Belyavsky
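The error dump quoted above reports both the `file` and the `pkcs11` STORE schemes as unregistered, which is what OpenSSL 3 prints when no active provider supplies a loader for that scheme; both the provider chain in openssl.cnf and the silent parse failure Richard points to are therefore worth checking before looking at the URI itself. The following is an added example, not code from the thread, from OpenSSL or from the PKCS#11 provider: it parses an openssl.cnf, flags lines without `=` (which OpenSSL's CONF parser rejects), follows `openssl_conf -> providers -> provider sections` to see which providers are actually activated, and maps `unregistered scheme` lines back to the providers that should register them. The sample configurations and the module path are constructed; only the bare `pkcs11-module-allow-export` line is taken from the thread.

```python
"""Check openssl.cnf provider activation and read OpenSSL STORE errors.

Added example for the thread above; not code from OpenSSL or the PKCS#11
provider. Module path and sample configs are constructed.
"""
import re
from typing import Dict, List, Set, Tuple

Config = Dict[str, Dict[str, str]]
SECTION_RE = re.compile(r"^\s*\[\s*([^\]]+?)\s*\]\s*$")
SCHEME_RE = re.compile(r"unregistered scheme:.*?scheme=(\w+)")
# Which provider(s) register a STORE loader for each URI scheme.
SCHEME_PROVIDERS = {"file": {"default", "base"}, "pkcs11": {"pkcs11"}}


def parse_openssl_cnf(text: str) -> Tuple[Config, List[str]]:
    """Parse openssl.cnf into {section: {key: value}} and list bad lines.

    OpenSSL's CONF parser aborts on a line without '=' ("missing equal sign");
    we keep going so that every problem in the file is reported at once.
    """
    config: Config = {"default": {}}
    problems: List[str] = []
    section = "default"
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            config.setdefault(section, {})
            continue
        if "=" not in line:
            problems.append(f"line {lineno}: '{line}' has no '=' (CONF parse error)")
            continue
        key, value = (p.strip() for p in line.split("=", 1))
        config[section][key] = value
    return config, problems


def active_providers(config: Config) -> Tuple[Set[str], List[str]]:
    """Follow openssl_conf -> providers -> sections; return activated names."""
    init = config.get(config["default"].get("openssl_conf", ""))
    if init is None:
        return set(), ["'openssl_conf' does not point at an existing section"]
    providers = config.get(init.get("providers", ""))
    if providers is None:
        return set(), ["'providers' does not point at an existing section"]
    active, problems = set(), []
    for name, sect_name in providers.items():
        sect = config.get(sect_name)
        if sect is None:
            problems.append(f"provider '{name}' points at missing section [{sect_name}]")
        # Truthy spellings accepted by OpenSSL 3.2+; 3.0/3.1 activate on mere presence.
        elif sect.get("activate", "0").lower() in ("1", "yes", "true", "on"):
            active.add(name)
        else:
            problems.append(f"provider '{name}' is defined but has no 'activate = 1'")
    return active, problems


def audit(cnf_text: str, wanted: str = "pkcs11") -> List[str]:
    """All problems in one openssl.cnf for a user who relies on 'wanted'."""
    config, problems = parse_openssl_cnf(cnf_text)
    active, chain_problems = active_providers(config)
    problems += chain_problems
    if wanted not in active:
        problems.append(f"'{wanted}' not activated: '{wanted}:' URIs get 'unregistered scheme'")
    # Activating any provider in the config stops OpenSSL auto-loading 'default',
    # so 'file:' URIs and plain paths fail too unless default or base is listed.
    if active and not active & {"default", "base"}:
        problems.append("neither 'default' nor 'base' activated: 'file:' scheme unregistered")
    return problems


def providers_to_check(stderr_text: str) -> Set[str]:
    """Map 'unregistered scheme' error lines to the providers that supply them."""
    needed: Set[str] = set()
    for scheme in SCHEME_RE.findall(stderr_text):
        needed |= SCHEME_PROVIDERS.get(scheme, {f"<provider for {scheme}:>"})
    return needed


# Constructed config modelled on the thread (not Uri's real file); the module
# path is an assumption and the bare line is the one Richard flagged.
BAD_CNF = """\
openssl_conf = openssl_init
[openssl_init]
providers = provider_sect
[provider_sect]
pkcs11 = pkcs11_sect
[pkcs11_sect]
module = /usr/lib64/ossl-modules/pkcs11.so
pkcs11-module-allow-export
activate = 1
"""
# Same config with the bare line removed and the default provider activated too.
GOOD_CNF = BAD_CNF.replace("pkcs11-module-allow-export\n", "").replace(
    "pkcs11 = pkcs11_sect\n", "pkcs11 = pkcs11_sect\ndefault = default_sect\n"
) + "[default_sect]\nactivate = 1\n"
# The two 'unregistered scheme' lines quoted in Uri's mail.
THREAD_ERRORS = (
    "40F6064DF87F0000:error:16000069:STORE routines:ossl_store_get0_loader_int:"
    "unregistered scheme:crypto/store/store_register.c:237:scheme=file\n"
    "40F6064DF87F0000:error:16000069:STORE routines:ossl_store_get0_loader_int:"
    "unregistered scheme:crypto/store/store_register.c:237:scheme=pkcs11\n"
)
```

Running `audit(BAD_CNF)` reports the bare line and the missing `default`/`base` activation, `audit(GOOD_CNF)` returns an empty list, and `providers_to_check(THREAD_ERRORS)` returns `{"default", "base", "pkcs11"}`, i.e. the providers whose activation should be confirmed with `openssl list -providers` (the OPENSSL_CONF environment variable decides which file is read). The checker mirrors the documented OpenSSL 3 behaviour that explicitly activating any provider disables the automatic loading of the default provider; it does not validate the PKCS#11 provider's own `pkcs11-module-*` keys, whose meaning is that provider's business.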


More information about the openssl-users mailing list