How to access keys on HW tokens via PKCS11 Provider?
Tomas Mraz
tomas at openssl.org
Wed Sep 6 07:02:19 UTC 2023
On Tue, 2023-09-05 at 23:53 +0200, David von Oheimb wrote:
>
> Yet with such a config file, as recommended by
> https://github.com/latchset/pkcs11-provider/blob/main/HOWTO.md, there
> are many pitfalls.
> One of them is this doc does not mention that the file needs to
> include in its default (unnamed) section:
>
> openssl_conf = openssl_init
>
> Moreover, looks like OpenSSL does not automatically load all
> providers listed in
>
> [provider_sect]
> default = default_sect
> pkcs11 = pkcs11_sect
>
> but only "predefined" ones. At least, I still need to explicitly
> reference it on the command line, e.g.:
>
> openssl req -new -subj "/CN=x" -provider pkcs11 -key
> "pkcs11:object=...;type=private"
That is not intended. There should be no such distinction between
default and pkcs11 provider assuming both are activated in the
configuration.
It is either some misconfiguration or a bug in OpenSSL. Do you have
activate=1 in pkcs11_sect? Also, is the pkcs11 module configured
correctly for the pkcs11 provider? If you try to strace the command
without -provider pkcs11, do you see any attempt to load the provider
shared module?
--
Tomáš Mráz, OpenSSL
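For reference, here is a complete configuration of the shape the thread discusses, with the default (unnamed) section directive and activate=1 in both provider sections. This is an added example, not a file from the original message, the pkcs11-provider HOWTO or OpenSSL itself; the module paths are placeholders and must be replaced with the real locations on your system.

```ini
# Default (unnamed) section: without this line the rest of the file is
# never evaluated for provider loading.
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

[provider_sect]
default = default_sect
pkcs11 = pkcs11_sect

[default_sect]
# Keep the built-in default provider for software algorithms (hashes, etc.).
activate = 1

[pkcs11_sect]
# Placeholder: path to the pkcs11-provider shared object. Check the module
# search directory with `openssl version -m` if you want to rely on a bare
# name instead of an absolute path.
module = /PLACEHOLDER/path/to/ossl-modules/pkcs11.so
# Placeholder: path to the PKCS#11 module of the HW token or softhsm.
pkcs11-module-path = /PLACEHOLDER/path/to/pkcs11-module.so
# Without activate = 1 the section is parsed but the provider is not loaded.
activate = 1
```

To check whether the file takes effect, point OPENSSL_CONF at it and run `openssl list -providers`: both "default" and "pkcs11" should appear without any -provider option on the command line. If pkcs11 is missing there, the configuration is not being picked up (wrong path, missing openssl_conf directive, or activate not set) rather than OpenSSL refusing to load non-predefined providers.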