How to access keys on HW tokens via PKCS11 Provider?
Blumenthal, Uri - 0553 - MITLL
uri at ll.mit.edu
Tue Feb 7 03:23:01 UTC 2023
Given that ENGINE API is deprecated, I’m trying to port my stuff to Provider API. Starting with “openssl” CLI to get the hang of it.
I installed PKCS11 provider from https://github.com/latchset/pkcs11-provider.git (after ensuring it passes 19 out of 20 tests), and started experimenting.
Immediately hit several problems:
OpenSSL does not seem to automatically load the PKCS11 provider, despite having it added to “openssl.cnf”
When I force the provider via “-provider-path /opt/local/lib/ossl-modules/pkcs11.dylib”, it fails to load/access the private key on my HW token.
Needless to say, it all works perfectly with ENGINE interface and current “libp11”.
Here’s what I have in “openssl.cnf” (relevant excerpt):
[openssl_init]
providers = provider_sect
#engines = engines_sect
[provider_sect]
default = default_sect
legacy = legacy_sect
pkcs11 = pkcs11_sect
gost = gost_sect
base = base_sect
[default_sect]
activate = 1
[legacy_sect]
activate = 1
[pkcs11_sect]
module = /opt/local/libexec/openssl3/lib/ossl_modules/pkcs11.dylib
pkcs11-module-allow-export
activate = 1
[gost_sect]
module = /opt/local/libexec/openssl3/lib/ossl-modules/gostprov.dylib
activate = 1
[base_sect]
activate = 1
and here’s the error:
Decrypt CMS message in file /tmp/derive.97732.text.cms...
openssl cms -provider-path /opt/local/lib/ossl-modules/pkcs11.dylib -decrypt -aes256 -binary -inform PEM -in /tmp/derive.99252.text.cms -out /tmp/derive.99252.text.dec -inkey "pkcs11:id=%03;object-type=private"
Could not open file or uri for loading signing key from pkcs11:id=%03;object-type=private
40F6064DF87F0000:error:16000069:STORE routines:ossl_store_get0_loader_int:unregistered scheme:crypto/store/store_register.c:237:scheme=file
40F6064DF87F0000:error:80000002:system library:file_open:No such file or directory:providers/implementations/storemgmt/file_store.c:267:calling stat(pkcs11:id=%03;object-type=private)
40F6064DF87F0000:error:16000069:STORE routines:ossl_store_get0_loader_int:unregistered scheme:crypto/store/store_register.c:237:scheme=pkcs11
40F6064DF87F0000:error:1608010C:STORE routines:inner_loader_fetch:unsupported:crypto/store/store_meth.c:383:No store loader found. For standard store loaders you need at least one of the default or base providers available. Did you forget to load them? Info: Global default library context, Scheme (pkcs11 : 0), Properties (<null>)
FAILED to create decrypted file /tmp/derive.97732.text.dec
The token is PIV-compliant.
I tried several ways of specifying the key URI, none seemed to work. Please advise on how to address/name the key so that the Provider can access it. Or is the provider screwed up? But it seemed to work OK with NSS soft-token and with SoftHSM (except for one test)…
Thanks!
--
V/R,
Uri Blumenthal Voice: (781) 981-1638
Secure Resilient Systems and Technologies Cell: (339) 223-5363
MIT Lincoln Laboratory
244 Wood Street, Lexington, MA 02420-9108
Web: https://www.ll.mit.edu/biographies/uri-blumenthal
Root CA: https://www.ll.mit.edu/llrca2.pem
There are two ways to design a system. One is to make it so simple there are obviously no deficiencies.
The other is to make it so complex there are no obvious deficiencies.
- C. A. R. Hoare
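An added example for this thread (not code from the original post, from OpenSSL or from pkcs11-provider): it decodes the key URI used above per RFC 7512, so the attributes the provider is asked to match are visible as bytes, and lints the posted openssl.cnf excerpt for structural problems that stop a provider from being auto-loaded. The sample URI and config are copied from the post; the attribute-name tables come from RFC 7512, which calls the object class `type` (the `object-type` spelling predates the RFC). Whether a given provider accepts the older spelling is something to check against its documentation, not assumed here.

```python
"""Checks for an OpenSSL 3 + PKCS#11 provider setup. Added example for this
thread; not from the post, OpenSSL or pkcs11-provider. Sample URI and config
are copied from the post above."""
import posixpath
from urllib.parse import unquote_to_bytes

# Attribute names defined by RFC 7512. The object class is called "type";
# "object-type" is an older, pre-RFC spelling and is reported as unknown.
PATH_ATTRS = {"token", "manufacturer", "serial", "model", "library-manufacturer",
              "library-description", "library-version", "object", "type", "id",
              "slot-description", "slot-manufacturer", "slot-id"}
QUERY_ATTRS = {"pin-source", "pin-value", "module-name", "module-path"}

KEY_URI = "pkcs11:id=%03;object-type=private"

CNF_EXCERPT = """\
[openssl_init]
providers = provider_sect
#engines = engines_sect
[provider_sect]
default = default_sect
legacy = legacy_sect
pkcs11 = pkcs11_sect
gost = gost_sect
base = base_sect
[default_sect]
activate = 1
[legacy_sect]
activate = 1
[pkcs11_sect]
module = /opt/local/libexec/openssl3/lib/ossl_modules/pkcs11.dylib
pkcs11-module-allow-export
activate = 1
[gost_sect]
module = /opt/local/libexec/openssl3/lib/ossl-modules/gostprov.dylib
activate = 1
[base_sect]
activate = 1
"""


def parse_pkcs11_uri(uri):
    """Split a pkcs11: URI into path attributes (';'-separated, before '?') and
    query attributes ('&'-separated, after '?'), percent-decoding every value.
    'id' stays bytes (it is a CKA_ID, not text); other values are UTF-8 text."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path, _, query = uri[len("pkcs11:"):].partition("?")
    out = {"path": {}, "query": {}, "unknown": []}
    for text, bucket, sep, known in ((path, "path", ";", PATH_ATTRS),
                                     (query, "query", "&", QUERY_ATTRS)):
        for item in filter(None, text.split(sep)):
            key, eq, raw = item.partition("=")
            if not eq:
                raise ValueError("attribute without value: %r" % item)
            value = unquote_to_bytes(raw)          # "%03" -> b"\x03"
            if key != "id":
                value = value.decode("utf-8")
            if key not in known:
                out["unknown"].append(key)
            out[bucket][key] = value
    return out


def parse_openssl_cnf(text):
    """Minimal reader for the '[section]' / 'key = value' / '# comment' subset
    used above. A line without '=' is kept with an empty value."""
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip()] = value.strip()
    return sections


def lint_providers(sections):
    """Return findings: provider sections that are missing, lack 'activate = 1',
    carry an option with no value, or disagree on the module directory."""
    findings = []
    prov_name = sections.get("openssl_init", {}).get("providers", "")
    prov_sect = sections.get(prov_name)
    if prov_sect is None:
        return ["openssl_init.providers does not name an existing section"]
    module_dirs = {}
    for name, sect_name in prov_sect.items():
        sect = sections.get(sect_name)
        if sect is None:
            findings.append("provider %s: section [%s] is missing" % (name, sect_name))
            continue
        if sect.get("activate") != "1":
            findings.append("provider %s: no 'activate = 1', so it is not auto-loaded" % name)
        if "module" in sect:
            module_dirs[name] = posixpath.dirname(sect["module"])
        for key, value in sect.items():
            if value == "":
                findings.append("provider %s: option '%s' has no value" % (name, key))
    if len(set(module_dirs.values())) > 1:
        findings.append("module paths point at different directories: "
                        + ", ".join("%s=%s" % kv for kv in sorted(module_dirs.items())))
    return findings


if __name__ == "__main__":
    print(parse_pkcs11_uri(KEY_URI))
    for finding in lint_providers(parse_openssl_cnf(CNF_EXCERPT)):
        print("-", finding)
```

Run against the excerpt, the linter reports that `pkcs11-module-allow-export` has no value and that the `pkcs11` and `gost` module paths name different directories (`ossl_modules` vs `ossl-modules`); the URI decoder shows `id` resolving to the single byte `0x03` and `object-type` as a non-RFC attribute name. On the command-line side, two things worth checking independently of the config: `openssl list -providers` shows which providers the running configuration actually loaded, and `openssl list -store-loaders` shows which URI schemes have a store loader registered. The error in the post, "unregistered scheme ... scheme=pkcs11", is exactly what OpenSSL prints when nothing has registered a loader for `pkcs11:`, i.e. the provider was not loaded at all. Note also that `-provider-path` takes the directory to search for provider modules, and the module itself is selected by name with `-provider pkcs11`.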