MacOS: lost ability to use p11-kit???

Blumenthal, Uri - 0553 - MITLL uri at
Mon Dec 16 15:29:41 UTC 2019

macOS 10.14.6, Xcode-11.3 (with older Xcode it used to work), p11-kit 0.23.18, OpenSSL-1.1.1d, current master of OpenSC and libp11.

Somehow, the p11-kit proxy, which selects the correct PKCS#11 library to pass the request to, is no longer invoked.

Any help is appreciated!

$ openssl cms -engine pkcs11 -keyform engine -aes256 -decrypt -binary -inform PEM -in /tmp/derive.95470.text.cms -out /tmp/derive.95470.text.dec -inkey "pkcs11:manufacturer=piv_II;object=KEY%20MAN%20key;object-type=private"
engine "pkcs11" set.
GOST engine already loaded
Unable to load module /opt/local/lib/p11-kit-proxy.dylib
GOST engine already loaded
Unable to load module /opt/local/lib/p11-kit-proxy.dylib
PKCS11_get_private_key returned NULL
cannot load signing key file from engine
4458096064:error:260B606D:engine routines:dynamic_load:init failed:crypto/engine/eng_dyn.c:485:
4458096064:error:260BC066:engine routines:int_engine_configure:engine configuration error:crypto/engine/eng_cnf.c:141:section=gost_section, name=dynamic_path, value=/opt/local/lib/engines-1.1/gost.dylib
4458096064:error:0E07606D:configuration file routines:module_run:module initialization error:crypto/conf/conf_mod.c:177:module=engines, value=engine_section, retcode=-1      
4458096064:error:83065006:PKCS#11 module:pkcs11_check_token:Function failed:p11_load.c:92:
4458096064:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:crypto/engine/eng_pkey.c:78:
unable to load signing key file
$ ll /opt/local/lib/p11-kit-proxy.dylib 
lrwxr-xr-x  1 root  admin  18 Dec 11 13:21 /opt/local/lib/p11-kit-proxy.dylib@ -> libp11-kit.0.dylib
$ ll /opt/local/lib/libp11-kit.0.dylib 
-rwxr-xr-x  1 root  admin  1442912 Dec 11 13:23 /opt/local/lib/libp11-kit.0.dylib*

More information about the openssl-users mailing list