Closed stalowyjez closed 2 years ago
While trying to use both OpenSSL pkcs11 engine and libp11 at the same time, the engine breaks when I load a new instance of PKCS11_CTX with PKCS11_CTX_load.
Could you please give us some details on how exactly "the engine brokes"?
I think it could be solved if there were a way to use the PKCS11_CTX used by the engine.
"I think the tachyon modulation must be wrongly polarised." https://www.chiark.greenend.org.uk/~sgtatham/bugs.html
Would it be possible to make the context reachable? E.g. by adding a new ENGINE_ctrl_cmd for getting it (or just the OpenSSL index for the used ENGINE_CTX)?
Yes, it would be possible. No, I'm not going to implement it.
It looks like this (as you can see I use softHSM):
When I use only OpenSSL engine I can load keys and certs and use them in OpenSSL functions. I load the engine using ENGINE_by_id("pkcs11") with the following config:
```
openssl_conf = openssl_init
.include /etc/ssl/openssl.cnf
[openssl_init]
engines=engine_section
[engine_section]
pkcs11 = pkcs11_section
[pkcs11_section]
engine_id = pkcs11
MODULE_PATH = /usr/lib/softhsm/libsofthsm2.so
init = 0;
```
If I use only libp11 functions I can generate or remove keys - I load the PKCS11_CTX using:
```
PKCS11_CTX_load(ctx, "/usr/lib/softhsm/libsofthsm2.so");
```
But when I try to load both of them (i.e. engine and libp11 context), the engine doesn't see the keys generated using libp11 (it returns the message "Not found").
It seems to be a bigger problem. The token can indeed be modified (not necessarily via libp11) while the engine is loaded.
Two basic solutions off the top of my head:
Both of them look good to me, first seems to be more user friendly.
Can you confirm that the RE_ENUMERATE engine control added by PR #398 fixes this issue?
There is no response, so I presume this issue is fixed now.