GoogleCloudPlatform / kms-integrations

https://cloud.google.com/kms
Apache License 2.0

libengine-pkcs11-openssl fails on Ubuntu 20.04 - undefined symbol: C_GetFunctionList #8

Closed dnate-ifs closed 2 years ago

dnate-ifs commented 2 years ago

I installed the pkcs11 library per these instructions on an Ubuntu 20.04 VM and attempted to create a CSR but got the following error.

# openssl req -new -subj '/CN=*.mydomain.com/' -sha256 -engine pkcs11 -keyform engine -key pkcs11:object=my-key-name > mydomain.csr
engine "pkcs11" set.
/usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so: undefined symbol: C_GetFunctionList
Unable to load module /usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so
/usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so: undefined symbol: C_GetFunctionList
Unable to load module /usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so
PKCS11_get_private_key returned NULL
cannot load Private Key from engine
140496919119168:error:81065401:libp11:pkcs11_CTX_load:Unable to load PKCS#11 module:p11_load.c:79:
140496919119168:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:../crypto/engine/eng_pkey.c:77:
unable to load Private Key

I then tried to do the same on a Debian 11 VM as well as Ubuntu 22.04 but got the same error. Finally, I decided to try Ubuntu 16.04, and it still failed, albeit with a different error:

invalid engine "pkcs11"
140416720131736:error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:dso_dlfcn.c:187:filename(/usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/libpkcs11.so): /usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/libpkcs11.so: cannot open shared object file: No such file or directory
140416720131736:error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:233:
140416720131736:error:260B6084:engine routines:DYNAMIC_LOAD:dso not found:eng_dyn.c:467:
140416720131736:error:2606A074:engine routines:ENGINE_by_id:no such engine:eng_list.c:390:id=pkcs11
140416720131736:error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:dso_dlfcn.c:187:filename(libpkcs11.so): libpkcs11.so: cannot open shared object file: No such file or directory
140416720131736:error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:233:
140416720131736:error:260B6084:engine routines:DYNAMIC_LOAD:dso not found:eng_dyn.c:467:
no engine specified
unable to load Private Key

Ideally I'd like this to work on Ubuntu 20.04. Please assist.

tdbhacks commented 2 years ago

At first glance, those errors look like openssl is having issues locating the PKCS #11 library (module). From the first set of errors, it looks like it’s trying to load /usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so, which doesn’t look like a path to our library.

Can you verify that you have set the PKCS11_MODULE_PATH environment variable correctly, and that it’s pointing to our libkmsp11.so file? Consult the configuration instructions for details.
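An added example, not part of the thread or of the kms-integrations project: a pre-flight check for the condition behind the first error log, where the file loaded as the PKCS #11 module does not export `C_GetFunctionList`. The function name and return codes are assumptions of this example; it relies on `od` and on `nm` from binutils.

```shell
#!/bin/sh
# Added example: verify the PKCS #11 module before invoking
# `openssl ... -engine pkcs11`. Function name and return codes are
# this example's own choices, not part of libp11 or libkmsp11.
#   0 ok                      1 PKCS11_MODULE_PATH unset
#   2 not a readable file     3 not an ELF object
#   4 C_GetFunctionList not exported
#   5 nm unavailable, export could not be verified
check_pkcs11_module() {
    # Use the argument if given, otherwise the environment variable.
    module="${1:-${PKCS11_MODULE_PATH:-}}"

    if [ -z "$module" ]; then
        echo "PKCS11_MODULE_PATH is not set" >&2
        return 1
    fi
    if [ ! -f "$module" ] || [ ! -r "$module" ]; then
        echo "$module: not a readable file" >&2
        return 2
    fi

    # ELF files begin with the bytes 7f 45 4c 46 ("\177ELF").
    magic=$(od -An -tx1 -N4 "$module" | tr -d ' \n')
    if [ "$magic" != "7f454c46" ]; then
        echo "$module: not an ELF shared object" >&2
        return 3
    fi

    if ! command -v nm >/dev/null 2>&1; then
        echo "nm not found; cannot inspect exported symbols" >&2
        return 5
    fi

    # Every PKCS #11 module must export C_GetFunctionList as a defined
    # dynamic symbol. A file that only references the name (for example
    # the OpenSSL engine itself) fails here, matching the
    # "undefined symbol: C_GetFunctionList" error in the log above.
    if nm -D --defined-only "$module" 2>/dev/null | grep -qw 'C_GetFunctionList'; then
        echo "$module: exports C_GetFunctionList"
        return 0
    fi
    echo "$module: does not export C_GetFunctionList (not a PKCS #11 module)" >&2
    return 4
}
```

Running `check_pkcs11_module` with no argument tests whatever `PKCS11_MODULE_PATH` currently points to.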

dnate-ifs commented 2 years ago

@tdbhacks you are correct. I had misunderstood the instructions, and after installing the correct module I was able to get the CSR created.