How to access keys on HW tokens via PKCS11 Provider?

David von Oheimb it at von-Oheimb.de
Tue Sep 5 21:53:33 UTC 2023 

I also had quite some trouble getting the PKCS#11 provider used by 
OpenSSL (with MacOS at least).

Without using an OpenSSL config file, it was relatively straightforward, 
e.g.:

PKCS11_PROVIDER_MODULE=/Library/OpenSC/lib/onepin-opensc-pkcs11.so  openssl req  -new -subj "/CN=x" -provider pkcs11 -key  "pkcs11:object=...;type=private"

Yet with such a config file, as recommended by 
https://github.com/latchset/pkcs11-provider/blob/main/HOWTO.md, there 
are many pitfalls.
One of them is this doc does not mention that the file needs to include 
in its default (unnamed) section:

openssl_conf            = openssl_init

Moreover, looks like OpenSSL does not automatically load all providers 
listed in

|[provider_sect] default = default_sect pkcs11 = pkcs11_sect|

but only "predefined" ones. At least, I still need to explicitly 
reference it on the command line, e.g.:

openssl req  -new -subj "/CN=x" -provider pkcs11 -key  "pkcs11:object=...;type=private"


Part of the trouble finding out such things is that the provider loader 
is hard to trace.
Including in the default section

config_diagnostics = 1

does not help much.

Even using the trace API did not really help to find out that/why the 
pkcs11 provider does not get used automatically when included in the 
config file.
BTW, for getting trace output (such as, for the configuration loading), 
OpenSSL documents that this requires building with the enable-trace option,
but I found nowhere that in order to actually make use of it on the 
command line, OPENSSL_TRACE needs to be set, for instance as follows:

OPENSSL_TRACE=CONF openssl ...

Hope this helps,

     David


On 07.02.23 23:41, Blumenthal, Uri - 0553 - MITLL wrote:
> On 2/7/23, 15:47, "Dmitry Belyavsky"<beldmit at gmail.com>  wrote:
>> For the test purposes could you please write down the pin into the
>> file similarly to the example and provide a path to the module via
>> PKCS11_PROVIDER_MODULE env var?
> Very-very-same thing:
>
> Decrypt CMS message in file /tmp/derive.26600.text.cms...
> /Users/ur20980/openssl-3/bin/openssl cms -decrypt -aes256 -binary -inform PEM -in /tmp/derive.26600.text.cms -out /tmp/derive.26600.text.dec -inkey "pkcs11:id=%03;type=private"
> Could not open file or uri for loadingCould not read key etc. of signing key from pkcs11:id=%03;type=private
> 40F6064DF87F0000:error:80000002:system library:file_open:No such file or directory:providers/implementations/storemgmt/file_store.c:265:calling stat(pkcs11:id=%03;type=private)
> 40F6064DF87F0000:error:1608010C:STORE routines:inner_loader_fetch:unsupported:crypto/store/store_meth.c:353:No store loader found. For standard store loaders you need at least one of the default or base providers available. Did you forget to load them? Info: Global default library context, Scheme (pkcs11 : 0), Properties (<null>)
>
> FAILED to create decrypted file /tmp/derive.26600.text.dec
>
> $ env | grep PKCS11_PROV
> PKCS11_PROVIDER_MODULE=/Users/ur20980/openssl-3/lib/ossl-modules/pkcs11.dylib
> $ ll ~/src/pinfile.txt
> -rw-------  1 ur20980  staff  8 Feb  7 17:37 /Users/ur20980/src/pinfile.txt
> $
> $ cat ~/openssl-3/etc/openssl.cnf
> . . .
> [prov_section]
> default = default_sect
> base = base_Sect
> legacy = legacy_sect
> pkcs11 = pkcs11_sect
>
> [default_sect]
> activate = 1
> [base_Sect]
> activate = 1
> [legacy_sect]
> activate = 1
> [pkcs11_sect]
> module = /Users/ur20980/openssl-3/lib/ossl-modules/pkcs11.dylib
> pkcs11-module-token-pin =file:/Users/ur20980/src/pinfile.txt
> activate = 1
>
>
>> Thanks for nudging me about the documentation, I notified the authors.
> ;-) Hopefully it will be there by the time ENGINE code is removed from OpenSSL.
>
>
>      On Tue, Feb 7, 2023 at 9:41 PM Blumenthal, Uri - 0553 - MITLL
>      <uri at ll.mit.edu>  wrote:
>      >
>      > > How do you configure the actual PKCS#11 module (not the provider
>      > > itself) to use and pin?
>      >
>      > This is what I see in tests/tmp.softokn/openssl.cnf:
>      >
>      > [openssl_init]
>      > providers = provider_sect
>      >
>      > [provider_sect]
>      > default = default_sect
>      > pkcs11 = pkcs11_sect
>      > base = base_sect
>      >
>      > [base_sect]
>      > activate = 1
>      >
>      > [default_sect]
>      > activate = 1
>      >
>      > [pkcs11_sect]
>      > module = /Users/ur20980/src/pkcs11-provider/src/.libs/pkcs11.dylib
>      > pkcs11-module-init-args = configDir=/Users/ur20980/src/pkcs11-provider/tests/tmp.softokn/tokens
>      > pkcs11-module-token-pin =file:/Users/ur20980/src/pkcs11-provider/tests/pinfile.txt
>      > #pkcs11-module-allow-export
>      > activate = 1
>      >
>      > I did not include "pkcs11-module-init-args", mainly because I've no idea what kind of init-args OpenSC module needs, and libp11 engine did not seem to need any (besides just pointing at the /usr/local/lib/opensc-pkcs11.so or such).
>      >
>      > Likewise with pin - I expect OpenSSL to prompt me (interactively ;) for the pin and pass it to the provider.
>      >
>      > And this is from tests/tmp.softhsm/openssl.cnf:
>      >
>      > [pkcs11_sect]
>      > module = /Users/ur20980/src/pkcs11-provider/src/.libs/pkcs11.dylib
>      > pkcs11-module-token-pin =file:/Users/ur20980/src/pkcs11-provider/tests/pinfile.txt
>      > #pkcs11-module-allow-export
>      > activate = 1
>      >
>      > Notice absence of pkcs11-module-init-args.
>      >
>      >
>      > > There should be examples in the openssl.cnf generated by running tests.
>      >
>      > Mostly useless (see above). Also, documentation for that specific provider is non-existent.
>      >
>      > Copied PRKEY from "testvars":
>      >
>      > Decrypt CMS message in file /tmp/derive.27307.text.cms...
>      > OPENSSL_CONF=/Users/ur20980/openssl-3/etc/openssl.cnf /Users/ur20980/openssl-3/bin/openssl cms -aes256 -decrypt -binary -inform PEM -in /tmp/derive.27307.text.cms -out /tmp/derive.27307.text.dec -inkey "pkcs11:id=%00%03;type=private"
>      > Could not open file or uri for loadingCould not read key etc. of signing key from pkcs11:id=%00%03;type=private
>      > 40E6BC57F87F0000:error:80000002:system library:file_open:No such file or directory:providers/implementations/storemgmt/file_store.c:265:calling stat(pkcs11:id=%00%03;type=private)
>      > 40E6BC57F87F0000:error:1608010C:STORE routines:inner_loader_fetch:unsupported:crypto/store/store_meth.c:353:No store loader found. For standard store loaders you need at least one of the default or base providers available. Did you forget to load them? Info: Global default library context, Scheme (pkcs11 : 0), Properties (<null>)
>      >
>      >
>      >
>      > TNX
>      >
>      >
>      >     On Tue, Feb 7, 2023 at 8:42 PM Blumenthal, Uri - 0553 - MITLL
>      ><uri at ll.mit.edu>  wrote:
>      >     >
>      >     > >  What is the OpenSSL version you use? There were some fixes after 3.0.7
>      >     > >  related to some problems found by PKCS#11 provider authors.
>      >     >
>      >     > I'm still on 3.0.7 - hopefully move to 3.0.8 soon (as soon as Macports migrates to 3.0.8).
>      >     >
>      >     > If you think it's beneficial - I can do the same test with 3.2dev (current OpenSSL master).
>      >     >
>      >     > I still would like to know *exactly what the URI should look like*, e.g., for KEY MAN Key (encryption/decryption, PIV slot 9d).
>      >     >
>      >     > Thanks!
>      >     >
>      >
>      >
>      >     --
>      >     SY, Dmitry Belyavsky
>
>
>
>      --
>      SY, Dmitry Belyavsky
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20230905/8e4d4b1d/attachment-0001.htm>

More information about the openssl-users mailing list