[EXT] Re: provider not loaded on MacOS - Re: How to access keys on HW tokens via PKCS11 Provider?

Blumenthal, Uri - 0553 - MITLL uri at ll.mit.edu
Wed Sep 6 18:12:24 UTC 2023


How exactly is the provider configured? Are the base and default providers listed/enabled?
 
This works for me – except that for you the paths would need to be changed:
 
[openssl_init]
providers = provider_sect
engines   = engine_section
 
# List of providers to load
[provider_sect]
default = default_prov
# The fips section name should match the section name inside the
# included fipsmodule.cnf.
# fips = fips_prov
#legacy = legacy_prov
pkcs11 = pkcs11_prov
#gost   = gost_prov
base = base_prov
oqs = oqs_prov
 
[default_prov]
 activate = 1
 
[legacy_prov]
 activate = 0
 
[pkcs11_prov]
 module = /Users/ur20980/openssl-3/lib/ossl-modules/pkcs11.dylib
 pkcs11-module-quirks = no-deinit no-allowed-mechanisms
 pkcs11-module-login-behavior = auto
 pkcs11-module-cache-pins = cache
 #pkcs11-module-path = /Library/OpenSC/lib/opensc-pkcs11.so
 #pkcs11-module-path = /usr/local/lib/libykcs11.dylib
 #pkcs11-module-path = /Library/OpenSC/lib/pkcs11-spy.so
 #pkcs11-module-path = /opt/local/lib/p11-kit-proxy.dylib
 pkcs11-module-path = /opt/p11kit/lib/p11-kit-proxy.dylib
 activate = 1
 
[gost_prov]
 module = /Users/ur20980/openssl-3/lib/ossl-modules/gostprov.dylib
 activate = 0
 
[base_prov]
  activate = 1
 
[oqs_prov]
 module = /Users/ur20980/openssl-3/lib/ossl-modules/oqsprovider.dylib
 activate = 1
 
 
--
V/R,
Uri
 
There are two ways to design a system. One is to make it so simple there are obviously no deficiencies.
The other is to make it so complex there are no obvious deficiencies.
    - C. A. R. Hoare


 
 
From: Tomas Mraz <tomas at openssl.org>
Date: Wednesday, September 6, 2023 at 1:50 PM
To: David von Oheimb <it at von-Oheimb.de>
Cc: openssl-users at openssl.org <openssl-users at openssl.org>, Blumenthal, Uri - 0553 - MITLL <uri at ll.mit.edu>
Subject: [EXT] Re: provider not loaded on MacOS - Re: How to access keys on HW tokens via PKCS11 Provider?


On Wed, 2023-09-06 at 18:32 +0200, David von Oheimb wrote:
> On 06.09.23 09:02, Tomas Mraz wrote:
>  
> > On Tue, 2023-09-05 at 23:53 +0200, David von Oheimb wrote:
> >  
> > > Yet with such a config file, as recommended by
> > > https://github.com/latchset/pkcs11-provider/blob/main/HOWTO.md,
> > > there are many pitfalls.
> > > 
> > > [...]
> > > 
> > > Moreover, looks like OpenSSL does not automatically load all
> > > providers listed in 
> > > 
> > > [provider_sect]
> > > default = default_sect
> > > pkcs11 = pkcs11_sect
> > > 
> > > but only "predefined" ones. At least, I still need to explicitly
> > > reference it on the command line, e.g.:
> > > 
> > > openssl req -new -subj "/CN=x" -provider pkcs11 -key "pkcs11:object=...;type=private"
> > That is not intended. There should be no such distinction between
> > default and pkcs11 provider assuming both are activated in the
> > configuration.
> I see.
>  
> > It is either some misconfiguration or a bug in OpenSSL. Do you have
> > activate=1 in pkcs11_sect?
>  Yes, as recommended by that HOWTO.md.
>  
>  
> > Also, is the pkcs11 module configured correctly for the pkcs11
> > provider?
>  I believe so.
>  I've meanwhile tested with Linux, using (modulo the respective lib
> file path names) the same config file contents, and there it works.
>  
>  
> > If you try to strace the command without -provider pkcs11 do you
> > see any attempt to load the provider shared module?
> Good thought to try 'strace' instead of the hard-to-use and in this
> case not very useful OPENSSL_TRACE=CONF.
>  Yet I cannot reproduce the problem on Linux, while on MacOS, strace
> is not available.
>  Would be really good if the OpenSSL config module loader provided
> better tracing.
>  I had manually added some printfs to crypto/provider_core.c to find
> out that, for some reason,
>  provider_activate() and provider_init() only get called for
> "default", but not for "pkcs11":
> OPENSSL_TRACE=CONF apps/openssl x509 -noout -text -in
> "pkcs11:object=...;type=cert"
> 
> TRACE[80:A0:6D:F0:01:00:00:00]:CONF: Configuration in section
> openssl_init
> TRACE[80:A0:6D:F0:01:00:00:00]:CONF: Adding config module
> 'alg_section'
> TRACE[80:A0:6D:F0:01:00:00:00]:CONF: Adding config module 'providers'
> TRACE[80:A0:6D:F0:01:00:00:00]:CONF: Adding config module 'random'
> TRACE[80:A0:6D:F0:01:00:00:00]:CONF: Loading providers module:
> section provider_sect
> TRACE[80:A0:6D:F0:01:00:00:00]:CONF: Configuring provider pkcs11
> TRACE[80:A0:6D:F0:01:00:00:00]:CONF: Provider command: module =
> /usr/local/lib/ossl-modules/pkcs11.dylib
> TRACE[80:A0:6D:F0:01:00:00:00]:CONF: Provider command: pkcs11-module-
> path = /Library/OpenSC/lib/onepin-opensc-pkcs11.so
> TRACE[80:A0:6D:F0:01:00:00:00]:CONF: Provider params: start section
> pkcs11_sect
> TRACE[80:A0:6D:F0:01:00:00:00]:CONF: Provider params: module =
> /usr/local/lib/ossl-modules/pkcs11.dylib
> TRACE[80:A0:6D:F0:01:00:00:00]:CONF: Provider params: pkcs11-module-
> path = /Library/OpenSC/lib/onepin-opensc-pkcs11.so
> TRACE[80:A0:6D:F0:01:00:00:00]:CONF: Provider params: finish section
> pkcs11_sect
> TRACE[80:A0:6D:F0:01:00:00:00]:CONF: Configuring provider default
> TRACE[80:A0:6D:F0:01:00:00:00]:CONF: Provider command: activate = 1
> TRACE[80:A0:6D:F0:01:00:00:00]:CONF: Provider params: start section
> default_sect
> TRACE[80:A0:6D:F0:01:00:00:00]:CONF: Provider params: activate = 1
> TRACE[80:A0:6D:F0:01:00:00:00]:CONF: Provider params: finish section
> default_sect
> provider_activate name = default
> provider_init name = default
> TRACE[80:A0:6D:F0:01:00:00:00]:CONF: Running module providers
> (provider_sect) returned 1
> Yet when I add  -provider pkcs11  to the command line, this output
> gets extended by:
> provider_activate name = pkcs11
> provider_init name = pkcs11
> module_path = (null)
> merged_path = /Users/david/openssl/providers/pkcs11.dylib
> and the provider loading works, making use, e.g., of
> pkcs11-module-path = /Library/OpenSC/lib/onepin-opensc-pkcs11.so
> Maybe this is related to the annoying fact that LD_LIBRARY_PATH does not
> work with MacOS, while DYLD_LIBRARY_PATH is a kind of replacement.
>     David

Not sure how LD_LIBRARY_PATH is related. It is not used when loading
the provider modules. 

Is the provider module path correct in the TRACE above? Could you try
this tracing on Linux to compare?

It is suspicious that there is no provider command activate=1 trace
line for the pkcs11 provider.

-- 
Tomáš Mráz, OpenSSL
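The two things the thread keeps coming back to are whether each section listed under [provider_sect] actually contains activate = 1 (the trace line Tomáš notes is missing for pkcs11) and whether the module and pkcs11-module-path files really exist at the paths given. The script below is an added example, not code from the thread or from OpenSSL or pkcs11-provider: it parses the INI-style subset that openssl.cnf uses, follows [openssl_init] -> providers -> the provider section, and reports those two conditions per provider. The embedded SAMPLE_CNF is constructed to mirror David's configuration, with activate = 1 deliberately commented out of pkcs11_sect to show what the report looks like for the failure described above; the path_exists parameter only exists so the check can be run against a config without the files being present.

```python
"""Check the provider sections of an OpenSSL 3 configuration file.

Added example (not part of the openssl-users thread). It mirrors what the
OpenSSL config loader does with [openssl_init] -> providers -> [provider_sect]
and flags provider sections that are never activated or point at missing files.
"""
import os
import sys

# Constructed sample modelled on the configuration discussed in the thread.
# activate = 1 is commented out of pkcs11_sect on purpose.
SAMPLE_CNF = """\
[openssl_init]
providers = provider_sect

[provider_sect]
default = default_sect
pkcs11 = pkcs11_sect
base = base_sect

[default_sect]
activate = 1

[pkcs11_sect]
module = /usr/local/lib/ossl-modules/pkcs11.dylib
pkcs11-module-path = /Library/OpenSC/lib/onepin-opensc-pkcs11.so
# activate = 1

[base_sect]
activate = 1
"""


def parse_cnf(text):
    """Parse the INI-like subset used by openssl.cnf into {section: {key: value}}.

    Keys before the first [section] header land in the unnamed section "".
    '#' starts a comment; variable expansion ($var) is not handled here.
    """
    sections = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
            continue
        if "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def check_providers(cfg, path_exists=os.path.exists):
    """Return {provider_name: {...}} for every provider listed in the providers section."""
    report = {}
    prov_sect_name = cfg.get("openssl_init", {}).get("providers")
    if prov_sect_name is None:
        return report  # no providers = ... line, nothing is loaded from config
    for name, sect_name in cfg.get(prov_sect_name, {}).items():
        sect = cfg.get(sect_name)
        entry = {
            "section": sect_name,
            "section_found": sect is not None,
            "activated": False,
            "missing_files": [],
        }
        if sect is not None:
            # Only an explicit activate = 1 makes OpenSSL load the provider at init.
            entry["activated"] = sect.get("activate", "0") == "1"
            for key in ("module", "pkcs11-module-path"):
                path = sect.get(key)
                if path and not path_exists(path):
                    entry["missing_files"].append(path)
        report[name] = entry
    return report


def problems(report):
    """Turn a report into human-readable findings (empty list means all good)."""
    lines = []
    for name, e in report.items():
        if not e["section_found"]:
            lines.append(f"{name}: section [{e['section']}] does not exist")
            continue
        if not e["activated"]:
            lines.append(f"{name}: no 'activate = 1' in [{e['section']}]; "
                         f"stays unloaded unless '-provider {name}' is given")
        for path in e["missing_files"]:
            lines.append(f"{name}: file not found: {path}")
    return lines


if __name__ == "__main__":
    # Usage: python check_providers.py [/path/to/openssl.cnf]
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            cfg = parse_cnf(fh.read())
        findings = problems(check_providers(cfg))
    else:
        # Without an argument, run against the constructed sample (files assumed absent).
        findings = problems(check_providers(parse_cnf(SAMPLE_CNF), path_exists=lambda p: False))
    print("\n".join(findings) if findings else "all listed providers activated, all files present")
```

Run it against the real file OpenSSL is using (`openssl version -d` prints the directory) and compare with `openssl list -providers` run without any `-provider` option: a provider that appears in the config report as activated but not in that listing points at the loader, as Tomáš suspects, rather than at the config.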