How to access keys on HW tokens via PKCS11 Provider?

Blumenthal, Uri - 0553 - MITLL uri at ll.mit.edu
Tue Feb 7 22:41:07 UTC 2023


On 2/7/23, 15:47, "Dmitry Belyavsky" <beldmit at gmail.com> wrote:
> For the test purposes could you please write down the pin into the
> file similarly to the example and provide a path to the module via
> PKCS11_PROVIDER_MODULE env var?

Very-very-same thing:

Decrypt CMS message in file /tmp/derive.26600.text.cms...
/Users/ur20980/openssl-3/bin/openssl cms -decrypt -aes256 -binary -inform PEM -in /tmp/derive.26600.text.cms -out /tmp/derive.26600.text.dec -inkey "pkcs11:id=%03;type=private"
Could not open file or uri for loadingCould not read key etc. of signing key from pkcs11:id=%03;type=private
40F6064DF87F0000:error:80000002:system library:file_open:No such file or directory:providers/implementations/storemgmt/file_store.c:265:calling stat(pkcs11:id=%03;type=private)
40F6064DF87F0000:error:1608010C:STORE routines:inner_loader_fetch:unsupported:crypto/store/store_meth.c:353:No store loader found. For standard store loaders you need at least one of the default or base providers available. Did you forget to load them? Info: Global default library context, Scheme (pkcs11 : 0), Properties (<null>)

FAILED to create decrypted file /tmp/derive.26600.text.dec

$ env | grep PKCS11_PROV
PKCS11_PROVIDER_MODULE=/Users/ur20980/openssl-3/lib/ossl-modules/pkcs11.dylib
$ ll ~/src/pinfile.txt 
-rw-------  1 ur20980  staff  8 Feb  7 17:37 /Users/ur20980/src/pinfile.txt
$
$ cat ~/openssl-3/etc/openssl.cnf
. . .
[prov_section]
default = default_sect
base = base_Sect
legacy = legacy_sect
pkcs11 = pkcs11_sect

[default_sect]
activate = 1
[base_Sect]
activate = 1
[legacy_sect]
activate = 1
[pkcs11_sect]
module = /Users/ur20980/openssl-3/lib/ossl-modules/pkcs11.dylib
pkcs11-module-token-pin = file:/Users/ur20980/src/pinfile.txt
activate = 1


> Thanks for nudging me about the documentation, I notified the authors.

;-) Hopefully it will be there by the time ENGINE code is removed from OpenSSL.


    On Tue, Feb 7, 2023 at 9:41 PM Blumenthal, Uri - 0553 - MITLL
    <uri at ll.mit.edu> wrote:
    >
    > > How do you configure the actual PKCS#11 module (not the provider
    > > itself) to use and pin?
    >
    > This is what I see in tests/tmp.softokn/openssl.cnf:
    >
    > [openssl_init]
    > providers = provider_sect
    >
    > [provider_sect]
    > default = default_sect
    > pkcs11 = pkcs11_sect
    > base = base_sect
    >
    > [base_sect]
    > activate = 1
    >
    > [default_sect]
    > activate = 1
    >
    > [pkcs11_sect]
    > module = /Users/ur20980/src/pkcs11-provider/src/.libs/pkcs11.dylib
    > pkcs11-module-init-args = configDir=/Users/ur20980/src/pkcs11-provider/tests/tmp.softokn/tokens
    > pkcs11-module-token-pin = file:/Users/ur20980/src/pkcs11-provider/tests/pinfile.txt
    > #pkcs11-module-allow-export
    > activate = 1
    >
    > I did not include "pkcs11-module-init-args", mainly because I've no idea what kind of init-args the OpenSC module needs, and the libp11 engine did not seem to need any (besides just pointing at /usr/local/lib/opensc-pkcs11.so or such).
    >
    > Likewise with pin - I expect OpenSSL to prompt me (interactively ;) for the pin and pass it to the provider.
    >
    > And this is from tests/tmp.softhsm/openssl.cnf:
    >
    > [pkcs11_sect]
    > module = /Users/ur20980/src/pkcs11-provider/src/.libs/pkcs11.dylib
    > pkcs11-module-token-pin = file:/Users/ur20980/src/pkcs11-provider/tests/pinfile.txt
    > #pkcs11-module-allow-export
    > activate = 1
    >
    > Notice the absence of pkcs11-module-init-args.
    >
    >
    > > There should be examples in the openssl.cnf generated by running tests.
    >
    > Mostly useless (see above). Also, documentation for that specific provider is non-existent.
    >
    > Copied PRKEY from "testvars":
    >
    > Decrypt CMS message in file /tmp/derive.27307.text.cms...
    > OPENSSL_CONF=/Users/ur20980/openssl-3/etc/openssl.cnf /Users/ur20980/openssl-3/bin/openssl cms -aes256 -decrypt -binary -inform PEM -in /tmp/derive.27307.text.cms -out /tmp/derive.27307.text.dec -inkey "pkcs11:id=%00%03;type=private"
    > Could not open file or uri for loadingCould not read key etc. of signing key from pkcs11:id=%00%03;type=private
    > 40E6BC57F87F0000:error:80000002:system library:file_open:No such file or directory:providers/implementations/storemgmt/file_store.c:265:calling stat(pkcs11:id=%00%03;type=private)
    > 40E6BC57F87F0000:error:1608010C:STORE routines:inner_loader_fetch:unsupported:crypto/store/store_meth.c:353:No store loader found. For standard store loaders you need at least one of the default or base providers available. Did you forget to load them? Info: Global default library context, Scheme (pkcs11 : 0), Properties (<null>)
    >
    >
    >
    > TNX
    >
    >
    >     On Tue, Feb 7, 2023 at 8:42 PM Blumenthal, Uri - 0553 - MITLL
    >     <uri at ll.mit.edu> wrote:
    >     >
    >     > >  What is the OpenSSL version you use? There were some fixes after 3.0.7
    >     > >  related to some problems found by PKCS#11 provider authors.
    >     >
    >     > I'm still on 3.0.7 - hopefully I'll move to 3.0.8 soon (as soon as MacPorts migrates to 3.0.8).
    >     >
    >     > If you think it's beneficial - I can do the same test with 3.2dev (current OpenSSL master).
    >     >
    >     > I still would like to know *exactly what the URI should look like*, e.g., for KEY MAN Key (encryption/decryption, PIV slot 9d).
    >     >
    >     > Thanks!
    >     >
    >
    >
    >     --
    >     SY, Dmitry Belyavsky



    -- 
    SY, Dmitry Belyavsky
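On the question raised in the thread of what the URI should look like: the following is an added example (not code from OpenSSL or the pkcs11-provider project) that builds and parses RFC 7512 PKCS#11 URIs and matches them against a constructed list of token objects, showing why "id=%03" and "id=%00%03" select different CKA_IDs. The object list, its labels and the pin-source path are assumptions made for the example.

```python
"""RFC 7512 PKCS#11 URI build/parse/match. Added example, not OpenSSL or
pkcs11-provider code; the token objects below are constructed sample data.
A provider compares the decoded id bytes with CKA_ID exactly, so id=%03
(one byte, 0x03) and id=%00%03 (two bytes) name different objects."""
from urllib.parse import quote, unquote_to_bytes

# Characters RFC 7512 allows unencoded in attribute values; all else is %XX.
_SAFE = "-._~:[]@!$'()*+,=&"

def build_pkcs11_uri(**attrs):
    """Build a pkcs11: URI; bytes values (e.g. CKA_ID) are encoded per byte."""
    parts = []
    for name, value in attrs.items():
        if isinstance(value, bytes):
            enc = "".join("%%%02X" % b for b in value)
        else:
            enc = quote(str(value), safe=_SAFE)
        parts.append(f"{name}={enc}")
    return "pkcs11:" + ";".join(parts)

def parse_pkcs11_uri(uri):
    """Return (path_attrs, query_attrs) with percent-decoded bytes values."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path, _, query = uri[len("pkcs11:"):].partition("?")
    def split(text, sep):
        out = {}
        for item in filter(None, text.split(sep)):
            key, _, val = item.partition("=")
            out[key] = unquote_to_bytes(val)
        return out
    return split(path, ";"), split(query, "&")

# Constructed objects shaped like a PIV token's: class, CKA_ID, CKA_LABEL.
SAMPLE_OBJECTS = [
    {"type": "private", "id": b"\x03", "label": b"KEY MAN key"},
    {"type": "public", "id": b"\x03", "label": b"KEY MAN pubkey"},
    {"type": "private", "id": b"\x00\x03", "label": b"other key"},
]

def select_objects(uri, objects):
    """Objects matching every path attribute (id, object=label, type) of uri;
    attributes not modelled here (token, serial, ...) match nothing."""
    path, _ = parse_pkcs11_uri(uri)
    attr = {"id": "id", "object": "label", "type": "type"}
    return [o for o in objects
            if all(o.get(attr.get(k)) == (v.decode() if k == "type" else v)
                   for k, v in path.items())]
```

Running `select_objects` with the two URIs from the thread against `SAMPLE_OBJECTS` returns one object each, but not the same one, which is the check to make against a real token (e.g. with `pkcs11-tool --list-objects`) before blaming the provider configuration.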