How to access keys on HW tokens via PKCS11 Provider?

Tomas Mraz tomas at openssl.org
Wed Sep 6 07:02:19 UTC 2023


On Tue, 2023-09-05 at 23:53 +0200, David von Oheimb wrote:
> 
> Yet with such a config file, as recommended by
> https://github.com/latchset/pkcs11-provider/blob/main/HOWTO.md, there
> are many pitfalls.
> One of them is that this doc does not mention that the file needs to
> include in its default (unnamed) section:
>
> openssl_conf            = openssl_init
>
> Moreover, it looks like OpenSSL does not automatically load all
> providers listed in
>
> [provider_sect]
> default = default_sect
> pkcs11 = pkcs11_sect
>
> but only "predefined" ones. At least, I still need to explicitly
> reference it on the command line, e.g.:
>
> openssl req -new -subj "/CN=x" -provider pkcs11 -key
> "pkcs11:object=...;type=private"

That is not intended. There should be no such distinction between
default and pkcs11 provider assuming both are activated in the
configuration.

It is either some misconfiguration or a bug in OpenSSL. Do you have
activate=1 in pkcs11_sect? Also, is the pkcs11 module configured
correctly for the pkcs11 provider? If you try to strace the command
without -provider pkcs11 do you see any attempt to load the provider
shared module?

-- 
Tomáš Mráz, OpenSSL
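A minimal openssl.cnf that ties together the points raised in this exchange (the top-level openssl_conf line, both providers listed in provider_sect, and activate = 1 in pkcs11_sect), as an added example written for this page and not taken from the thread or from the pkcs11-provider project; the two module paths are assumptions and must be adjusted for the system and token in use:

```ini
# openssl.cnf: added example, not from the thread or the pkcs11-provider project.
# The shared-object paths below are assumptions, not known-good locations.

# This line must sit in the default (unnamed) section, before any [section]
# header; without it OpenSSL never reads openssl_init and nothing below applies.
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

[provider_sect]
default = default_sect
pkcs11 = pkcs11_sect

[default_sect]
# Once any provider is explicitly configured, the default provider is no
# longer loaded implicitly, so it needs activate = 1 as well.
activate = 1

[pkcs11_sect]
# Location of the pkcs11-provider shared object (assumed path).
module = /usr/lib64/ossl-modules/pkcs11.so
# The PKCS#11 module of the token itself (assumed path; adjust for your HSM).
pkcs11-module-path = /usr/lib64/pkcs11/libsofthsm2.so
# Without this line the section is parsed but the provider is never loaded,
# which matches the symptom of needing -provider pkcs11 on every command.
activate = 1
```

With this file in place, `openssl list -providers` run without any -provider option should list both default and pkcs11; if pkcs11 is missing, the activate line and the module path are the first things to check.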