Add pkcs11 command

Richard Levitte levitte at openssl.org
Wed Mar 6 15:35:18 UTC 2019


Not only.

What you need to do on bind is to create a whole OSSL_STORE_LOADER for
pkcs11.  OSSL_STORE_LOADER_set_open only sets the opening functions,
which is expected to take a URI and parse that into something
sensible, and return a context.  There are other functions to set as
well, such as the 'load', 'eof', 'error' and 'close' functions.

The OSSL_STORE_LOADER callback set is designed to work somewhat
vaguely like the stdio API, but instead of handling a set of bytes, it
handles a set of objects, which can be whatever the OSSL_STORE API
knows how to handle.

When you're done building the OSSL_STORE_LOADER (including a scheme
name, that's absolutely important), you hook it into libcrypto with
OSSL_STORE_register_loader(), and voilà, you should be able to do this:

    openssl storeutl -engine yourengine \
        'pkcs11:token=yourtoken;object=my-certificate;objecttype=cert;id=1234'

(I'm sorry, I don't know the URI scheme enough to say how to specify
that you want to get a list of all accessible certificates or other
objects)

There is the manual OSSL_STORE_LOADER(3) found in doc/man3/OSSL_STORE_LOADER.pod,
and the 'file:' scheme loader is in crypto/store/loader_file.c, but
fair warning, that one is a bit more complex than you would probably
expect from the average store loader.

Cheers,
Richard

On Wed, 06 Mar 2019 16:01:05 +0100,
Antonio Iacono wrote:
> 
> OSSL_STORE_LOADER_set_open on bind ?
> 
> On Wed, Mar 6, 2019 at 10:35 AM Richard Levitte <levitte at openssl.org> wrote:
> >
> > There is a more generic command to do exactly this sort of thing,
> > 'openssl storeutl', available since OpenSSL 1.1.1.
> >
> > The pkcs11 backend / engine needs to implement the functionality
> > required to hook with the OSSL_STORE functionality for storeutil to be
> > useful.
> >
> > Cheers,
> > Richard
> >
> > On Wed, 06 Mar 2019 09:47:01 +0100,
> > Antonio Iacono wrote:
> > >
> > > There are some good tools for pkcs11, like pkcs11-tool of the OpenSC
> > > project, but often only need the list of key ids to perform signature
> > > operations with the engine.
> > >
> > > I would propose a new pkcs11 command which, for now, only makes the
> > > list of ids and labels of keys present in a token.
> > >
> > > I have already prepared a draft in this branch
> > > https://github.com/opensignature/openssl/tree/add-pkcs11-command/apps
> > >
> > > Thanks,
> > > Antonio
> > >
> > --
> > Richard Levitte         levitte at openssl.org
> > OpenSSL Project         http://www.openssl.org/~levitte/
> 
-- 
Richard Levitte         levitte at openssl.org
OpenSSL Project         http://www.openssl.org/~levitte/

