ODP: dynamic engine load

Piotr Lobacz piotr.lobacz at softgent.com
Thu May 27 12:10:16 UTC 2021

so from what you are saying, my order like this:

dynamic --> set SO_PATH --> LOAD and then set all parameters of
the engine that SO_PATH implements. i.e MODULE_PATH

is correct?

Od: Selva Nair <selva.nair at gmail.com>
Wysłane: czwartek, 27 maja 2021 00:44
Do: Piotr Lobacz <piotr.lobacz at softgent.com>
DW: openssl-users at openssl.org <openssl-users at openssl.org>
Temat: Re: dynamic engine load


On Wed, May 26, 2021 at 4:45 PM Piotr Lobacz <piotr.lobacz at softgent.com<mailto:piotr.lobacz at softgent.com>> wrote:
Btw i have verified that in openssl command line tool if i switch order from the one that worked for me:

OpenSSL> engine dynamic -pre SO_PATH:/usr/lib/engines-1.1/libpkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib/libckteec.so

to the one that was in the code:

OpenSSL> engine dynamic -pre SO_PATH:/usr/lib/engines-1.1/libpkcs11.so -pre MODULE_PATH:/usr/lib/libckteec.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD

the error is the same as for me in the C# code. So the question is if you are telling me that the proper order is like that:

dynamic --> set SO_PATH --> LOAD and then set all parameters of
the engine that SO_PATH implements.

does the order which i used is also correct one?

The main error in your original code was setting MODULE_PATH on the dynamic engine instead of on pkcs11.  And, I mistyped saying set ID after LOAD. As for LIST_ADD, if required, should be specified before LOAD as it's a directive to the dynamic engine, not pkcs11.

It has been a while since I have looked into dynamic loading in detail, but here is my understanding.

The dynamic engine supports only a few controls out of which the most useful ones are SO_PATH, ID and LIST_ADD. It won't understand MODULE_PATH. And, if  SO_PATH is not given, I think ID could be used to locate the so-path of the engine but I have never got it to work. In any case, as you are giving the full SO_PATH, you don't need to set the ID. A "wrong" ID may lead to load failure but no ID will succeed. There may be some use of ID if the same shared lib implements multiple engines with different IDs. I don't know.

The LOAD control causes the dynamic engine to convert itself to a new engine. Almost all engine parameters are wiped clean (including id and name) and the shared library pointed to by SO_PATH is loaded. The bind function defined in the shared lib gets executed which will fill-in the new engine parameters and set up the methods it supports. In the case of pkcs11, It sets the id to "pkcs11" on loading. So, after loading, querying the ID using Engine_get_id() will return "pkcs11".

LOAD also causes the engine to be added to the internal list if LIST_ADD was specified before LOAD, not otherwise.

Once loaded, the pkcs11 engine can handle controls like MODULE_PATH. It will use it to locate the module and load it when required -- usually after Engine_init() is called.


Softgent Sp. z o.o., Budowlanych 31d, 80-298 Gdansk, POLAND

KRS: 0000674406, NIP: 9581679801, REGON: 367090912


Sąd Rejonowy Gdańsk-Północ w Gdańsku, VII Wydział Gospodarczy Krajowego Rejestru Sądowego

KRS 0000674406, Kapitał zakładowy: 25 000,00 zł wpłacony w całości.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20210527/eb97bd5b/attachment-0001.html>

More information about the openssl-users mailing list