dynamic engine load

Selva Nair selva.nair at gmail.com
Wed May 26 22:44:56 UTC 2021


Hi,

On Wed, May 26, 2021 at 4:45 PM Piotr Lobacz <piotr.lobacz at softgent.com>
wrote:

> Btw I have verified that in the openssl command line tool if I switch the order
> from the one that worked for me:
>
> OpenSSL> engine dynamic -pre SO_PATH:/usr/lib/engines-1.1/libpkcs11.so
> -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre
> MODULE_PATH:/usr/lib/libckteec.so
>
> to the one that was in the code:
>
> OpenSSL> engine dynamic -pre SO_PATH:/usr/lib/engines-1.1/libpkcs11.so
> -pre MODULE_PATH:/usr/lib/libckteec.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre
> LOAD
>
> the error is the same as for me in the C# code. So the question is if you
> are telling me that the proper order is like that:
>
> dynamic --> set SO_PATH --> LOAD and then set all parameters of
> the engine that SO_PATH implements.
>
> is the order which I used also a correct one?
>

The main error in your original code was setting MODULE_PATH on the dynamic
engine instead of on pkcs11.  And, I mistyped saying set ID after LOAD. As
for LIST_ADD, if required, it should be specified before LOAD as it's a
directive to the dynamic engine, not pkcs11.

It has been a while since I have looked into dynamic loading in detail, but
here is my understanding.

The dynamic engine supports only a few controls, of which the most
useful ones are SO_PATH, ID and LIST_ADD. It won't understand MODULE_PATH.
And, if SO_PATH is not given, I think ID could be used to locate the
so-path of the engine, but I have never got it to work. In any case, as you
are giving the full SO_PATH, you don't need to set the ID. A "wrong" ID may
lead to load failure, but giving no ID will succeed. There may be some use of
ID if the same shared lib implements multiple engines with different IDs. I
don't know.

The LOAD control causes the dynamic engine to convert itself to a new
engine. Almost all engine parameters are wiped clean (including id and
name) and the shared library pointed to by SO_PATH is loaded. The bind
function defined in the shared lib gets executed, which will fill in the new
engine parameters and set up the methods it supports. In the case of
pkcs11, it sets the id to "pkcs11" on loading. So, after loading, querying
the ID using ENGINE_get_id() will return "pkcs11".

LOAD also causes the engine to be added to the internal list if LIST_ADD
was specified before LOAD, not otherwise.

Once loaded, the pkcs11 engine can handle controls like MODULE_PATH. It
will use it to locate the module and load it when required -- usually after
ENGINE_init() is called.

Selva