OpenSC / libp11

PKCS#11 wrapper library
GNU Lesser General Public License v2.1

uri pkcs11: missing when I use openssl storeutl #401

Closed skxo closed 2 years ago

skxo commented 3 years ago

Hello,

I use the pkcs11 engine to simulate an HSM via the softHSMv2 lib. I encounter the following error when I try to use openssl storeutl to read the objects stored in the softHSM:

$ OPENSSL_CONF=./engine.conf openssl storeutl -engine pkcs11 "pkcs11:"
engine "pkcs11" set.

Couldn't open file or uri pkcs11:
139709234190144:error:02016002:system library:stat:No such file or directory:crypto/store/loader_file.c:863:pkcs11:
139709234190144:error:2C064069:STORE routines:ossl_store_get0_loader_int:unregistered scheme:crypto/store/store_register.c:231:scheme=pkcs11

Other commands such as openssl dgst and openssl pkeyutl work fine. I can sign, verify, encrypt, decrypt..., so it means the keys are indeed present in the softHSM. Using softhsm-util I am able to check that the objects are there:

$ pkcs11-tool --modul /usr/local/lib/softhsm/libsofthsm2.so -l -O --slot 1126541580
Logging in to "token1".
Please enter User PIN: 
Public Key Object; RSA 2048 bits
  label:      token1
  ID:         4142
  Usage:      encrypt, verify, wrap
  Access:     local
Private Key Object; RSA 
  label:      token1
  ID:         4142
  Usage:      decrypt, sign, unwrap
  Access:     sensitive, always sensitive, never extractable, local
Certificate Object; type = X.509 cert
  label:      mycert1
  subject:    DN: CN=MyCertTEST
  ID:         4142

Is there any other method to read objects from openssl? Is this a bug in openssl storeutl, perhaps? Thank you for your help. Regards

franzhollerer commented 2 years ago

@skxo I am facing the same problem. Have you solved it somehow?

AlexandreGonzalo commented 2 years ago

I am facing the same issue and am interested in any update.

mtrojnar commented 2 years ago

The storeutl manual says:

-engine id specifying an engine (by its unique id string) will cause storeutl to attempt to obtain a functional reference to the specified engine, thus initialising it if needed. The engine will then be set as the default for all available algorithms.

You clearly expect the -engine option to also register a store URI scheme, but this is not something it does.

The OpenSSL engine interface and the OpenSSL store API are separate concepts:

https://beta.openssl.org/docs/manmaster/man3/ENGINE_add.html
https://beta.openssl.org/docs/manmaster/man3/OSSL_STORE_open.html

I am not aware of any way to register an OpenSSL store URI scheme from an OpenSSL engine.
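The two error lines in the opening report encode the diagnosis above in their hex codes: the first is the file loader's stat() failing with ENOENT, the second is OSSL_STORE rejecting `pkcs11:` as an unregistered scheme. The following decoder is an added example, not libp11 or OpenSSL code; it assumes the OpenSSL 1.1.x error-line layout (pid:error:code:lib:func:reason:file:line:extra) and the 1.1.1 ERR_GET_LIB/FUNC/REASON bit positions, which OpenSSL 3 changed.

```python
"""Decode OpenSSL 1.1.x error-queue lines (pid:error:code:lib:func:reason:file:line:extra)."""
import errno
from dataclasses import dataclass
from typing import List

# Library codes from OpenSSL 1.1.1 <openssl/err.h>; only the two that appear in this issue.
ERR_LIB_SYS = 2           # "system library": the reason field carries the C errno
ERR_LIB_OSSL_STORE = 44   # "STORE routines": OSSL_STORE, used by storeutl
LIB_NAMES = {ERR_LIB_SYS: "ERR_LIB_SYS", ERR_LIB_OSSL_STORE: "ERR_LIB_OSSL_STORE"}
# Reason codes from OpenSSL 1.1.1 <openssl/storeerr.h> relevant to URI scheme lookup.
STORE_REASONS = {105: "OSSL_STORE_R_UNREGISTERED_SCHEME", 106: "OSSL_STORE_R_INVALID_SCHEME"}

# Sample input: the two lines quoted in the issue report, embedded here for an offline run.
SAMPLE_LINES = [
    "139709234190144:error:02016002:system library:stat:No such file or directory:crypto/store/loader_file.c:863:pkcs11:",
    "139709234190144:error:2C064069:STORE routines:ossl_store_get0_loader_int:unregistered scheme:crypto/store/store_register.c:231:scheme=pkcs11",
]


@dataclass
class OpenSSLError:
    code: int
    lib: int        # ERR_GET_LIB:    bits 24..31
    func: int       # ERR_GET_FUNC:   bits 12..23
    reason: int     # ERR_GET_REASON: bits 0..11
    lib_text: str
    func_text: str
    reason_text: str
    location: str   # source file:line
    extra: str      # free-form data; may itself contain ':' (e.g. "pkcs11:")

    @property
    def reason_name(self) -> str:
        if self.lib == ERR_LIB_SYS:
            return errno.errorcode.get(self.reason, f"errno {self.reason}")
        if self.lib == ERR_LIB_OSSL_STORE:
            return STORE_REASONS.get(self.reason, f"reason {self.reason}")
        return f"reason {self.reason}"


def parse_error_line(line: str) -> OpenSSLError:
    """Split on the first eight ':' only so the trailing data field survives intact."""
    parts = line.strip().split(":", 8)
    if len(parts) != 9 or parts[1] != "error":
        raise ValueError(f"not an OpenSSL 1.1.x error line: {line!r}")
    code = int(parts[2], 16)
    return OpenSSLError(code=code, lib=(code >> 24) & 0xFF, func=(code >> 12) & 0xFFF,
                        reason=code & 0xFFF, lib_text=parts[3], func_text=parts[4],
                        reason_text=parts[5], location=f"{parts[6]}:{parts[7]}", extra=parts[8])


def unregistered_schemes(lines: List[str]) -> List[str]:
    """Return the URI schemes OSSL_STORE rejected as unregistered: the root cause, not the stat() noise."""
    return [e.extra.split("=", 1)[1] for e in map(parse_error_line, lines)
            if e.lib == ERR_LIB_OSSL_STORE and e.reason == 105 and e.extra.startswith("scheme=")]


if __name__ == "__main__":
    for e in map(parse_error_line, SAMPLE_LINES):
        print(f"{e.code:08X} -> {LIB_NAMES.get(e.lib, e.lib)} func={e.func} {e.reason_name} ({e.reason_text}) at {e.location}")
    print("unregistered schemes:", unregistered_schemes(SAMPLE_LINES))
```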