Replies: 4 comments 6 replies
-
Providers require some configuration, but now we have a "default" driver that can be used if you specify the provider name in the command line or in properties within the application. I do not understand the OPENSSL_CONF comment, on a working system you should modify /etc/ssl/openssl.cnf to add the provider you want to use there. It will not be used by default unless you specify a pkcs11 uri, so it is safe to have a default configuration in the system for all applications to use. The specific error you are getting is odd, I would recommend trying first by directly loading the pkcs11 driver you want to use so we can see if that is working on its own. I assume you want to use /usr/lib64/opensc-pkcs11.so, you can also specify this via the PKCS11_PROVIDER_MODULE w/o having to modify openssl.cnf yet |
Beta Was this translation helpful? Give feedback.
-
Hmm, I wished it could be entirely drop-in, i.e. I install the However, I get the same error after adding pkcs11 to /etc/ssl/openssl.cnf, and it still has the same problem with infinite recursion in my case (I've explained it below).
Thanks, PKCS11_PROVIDER_MODULE will be useful, but in this case I really want p11-kit-proxy specifically. The reason is that I've configured p11-kit via ~/.config/pkcs11/modules/ to load a remote module through its remoting support – specifically it does But if I enable the pkcs11 provider system-wide via openssl.cnf, this happens:
If the process manually loads a provider (e.g. But I did test directly on the server machine, without any of this p11-kit remoting being involved (i.e. just directly loading libeToken.so), and I get the same error:
The module is from SafeNet Authentication Client 10, for an "Thales/Gemalto/Alladin" eToken 5110. I think the pkcs11: URL is correct because |
Beta Was this translation helpful? Give feedback.
-
I have a feature request for OSSL_PROVIDER_load_ex function that will accept the initialization parameters but I have no resources to work on it. It would be useful for PKCS#11 provider |
Beta Was this translation helpful? Give feedback.
-
So apparently the problem was simply the PKCS#11 URI not matching anything, which was fixed by commit cd52fd4 – at least directly on the server (no fancy remoting or anything) it seems to work with the
|
Beta Was this translation helpful? Give feedback.
-
Now that my distro has upgraded to OpenSSL 3.0 and ripped out all engine support, I'm trying to figure out how to use pkcs11-provider with a hardware eToken – at first via CLI, later hopefully via ruby-openssl – but so far I'm only getting:
Via strace I see it loading p11-kit and libeToken.so and talking to pcscd.
Is this because I haven't provided a PIN? (I tried adding
pin-value=
but that didn't improve things.)I'd like to avoid OPENSSL_CONF, both because the specific p11-kit setup I'm using involves remoting via SSH, which loads openssl recursively (so using OPENSSL_CONF results in a forkbomb), and because it seems clumsy (previously my scripts could just call
OpenSSL::Engine.by_id("pkcs11")
...)Beta Was this translation helpful? Give feedback.
All reactions