using pkcs11-provider with OpenSSL

[embetrix]

Hi,

I would like to use pkcs11-provider to sign using OpenSSL command line

# dd if=/dev/urandom of=data.txt bs=1 count=32
# openssl pkeyutl -sign -in data.txt -out signature.bin -provider pkcs11   \
    -inkey "pkcs11:object=testRSAKey;type=private?pin-value=12345

If I set the following openssl.cnf and export OPENSSL_CONF=$PWD/openssl.cnf this works

#Use this in order to automatically load providers.
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

[provider_sect]
default = default_sect
pkcs11 = pkcs11_sect
base = base_sect

[base_sect]
activate = 1

[default_sect]
activate = 1

[pkcs11_sect]
module = /usr/lib/x86_64-linux-gnu/ossl-modules/pkcs11.so
pkcs11-module-path = /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so
activate = 1

However I would like to use it without changing nor exporting OPENSSL_CONF, is there a away to specify pkcs11-module-path in OpenSSL commandline ?

I did try without success :
export PKCS11_PROVIDER_MODULE=/usr/lib/softhsm/libsofthsm2.so

and also :

openssl pkeyutl -sign -in data.txt -out signature.bin -provider pkcs11   \
    -inkey "pkcs11:object=testRSAKey;type=private?pin-value=12345" \
    -propquery "pkcs11-module-path=/usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so"

[simo5]

I believe the following should work:

openssl pkeyutl -sign -in data.txt -out signature.bin -provider pkcs11   \
    -inkey "pkcs11:object=testRSAKey;type=private?pin-value=12345" \
    -provider pkcs11 -provider-path /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so \
    -propquery "provider=pkcs11"

note that the various provider option are sensitive to the order they are passed in.

Whil;e this can give you access to the module, you won't be able to set any pkcs11-provider configuration options, if your usage require any of them (and softhsm2 being very buggy might) you will have to revert to use the openssl config file.

[embetrix]

Any method how to specify the PKCS11_PROVIDER_MODULE path in C code ?

I tried this without sucess :

    const char *module_path = "/usr/lib/libckteec.so.0";

    /* Create the OSSL_PARAM to specify the module_path */
    OSSL_PARAM params[] = {
        OSSL_PARAM_construct_utf8_string("pkcs11-module-path", (char *)module_path, 0),
        OSSL_PARAM_construct_end()
    };

    store = OSSL_STORE_open_ex(pkcs11_uri, NULL, "provider=pkcs11", ui_method, (void *)pin, params, NULL, NULL);

If I export PKCS11_PROVIDER_MODULE=/usr/lib/libckteec.so.0 using environment variables it works, But I would like to avoid that for security reasons, also not to use OPENSSL_CONF

[simo5]

Unfortunately not:
openssl/openssl#21350

[embetrix]

@simo5 : thanks for the clarification, I suspected it :-( I sent a PR #511 to allow to set the provider module at build time.

[beldmit]

@embetrix openssl/openssl#21604 implemented this feature

[simo5]

Doh I completely forgot we had added OSSL_PROVIDER_load_ex() ... we should probably add a test in pkcs1-provider to ensure everything works as expected

[simo5]

#513

[embetrix]

I confirm this is working:

    const char *module_path = "/usr/lib/libckteec.so.0";

    /* Create the OSSL_PARAM to specify the module_path */
    OSSL_PARAM params[] = {
        OSSL_PARAM_construct_utf8_string("pkcs11-module-path", (char *)module_path, 0),
        OSSL_PARAM_construct_end()
    };

    /* Load the default provider */
    default_provider = OSSL_PROVIDER_load(NULL, "default");
    if (!default_provider) {
        fprintf(stderr, "Failed to load default provider\n");
        goto cleanup;
    }

    /* Load the PKCS#11 provider */
    pkcs11_provider = OSSL_PROVIDER_load_ex(NULL, "pkcs11", params);

[beldmit]

Nice, you seem to be the first real user of this feature :)

[embetrix]

I implemented a reference here : https://github.com/embetrix/pkcs11-provider-example in case someone stumble into that problem