Closed. CIPop closed this issue 2 years ago.
p11-kit is loading "opensc-pkcs11: opensc-pkcs11.so" and "softhsm2: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so"
The libp11 engine (package libengine-pkcs11-openssl) installs /usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so, which will load the default pkcs11 module or the one specified in PKCS11_MODULE_PATH. If p11-kit is installed, its pkcs11 module will be loaded, and it will then load the list of modules from its list. But
export PKCS11_MODULE_PATH=/usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so
loads this one module, and
export PKCS11_MODULE_PATH=
will not work: it says don't load any module.
You could try unset PKCS11_MODULE_PATH
OpenSC can also support softhsm by its sm-hsm driver. So in your examples, with the first one:
'pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=861c95e903f6cc1e;token=test-token;id=%A0%00;object=test-privkey;type=private?pin-value=1234'
p11-kit will use the SoftHSM pkcs11 module. But in the second:
'pkcs11:object=test-privkey;type=private?pin-value=1234'
p11-kit will try all pkcs11 modules and may return two private keys, one as seen by OpenSC and one as seen by SoftHSM.
https://datatracker.ietf.org/doc/html/rfc7512 defines the URI that can be used with PKCS11.
So choices are:
Are you trying to build one of these packages from source?
Thank you @dengert for explaining! I will try again unsetting the variable in a few days (I think I already did but worth double-checking).
> p11-kit will try all pkcs11 modules and may return two private keys, one as seen by OpenSC and one as seen by SoftHSM.

Doesn't this mean there is a bug somewhere (p11-kit or the pkcs11 engine)? I only have 2 tokens based on the p11tool --list-tokens command, and only one that matches the label.

> Are you trying to build one of these packages from source?

Only libp11-0.4.11 was built from sources.
The URI in question, 'pkcs11:object=test-privkey;type=private?pin-value=1234', tells p11-kit to look at all tokens: you have not told p11-kit which slot, manufacturer or token to look at, so it may have to look at all the tokens, and many tokens may have a matching "object=test-privkey;type=private".
You could try 'pkcs11:token=test-token;object=test-privkey;type=private?pin-value=1234', which would only find one of your tokens and then only look for object=test-privkey;type=private on that token.
But in many cases you must provide the PIN even to see that a private key is present, and to use the private key. And since the URI can be applied to every token, it may try and verify the PIN with every token. So be careful you do not lock a device by giving the wrong PIN to
p11-kit-trust: p11-kit-trust.so
opensc-pkcs11: opensc-pkcs11.so
softhsm2: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so
I am not a p11-kit expert, so you will have to play around to get it correct.
Why are you building libp11-0.4.11 from sources? You may have to specify the default location of a module, or specify the location of p11-kit. Most distros will configure p11-kit and libp11 for you.
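The matching rule described above (an unqualified PKCS#11 URI is applied to every token of every loaded module, so the PIN may be presented to every one of them, while adding token attributes narrows the search) can be made concrete with a small RFC 7512 URI parser. This is an added example, not code from libp11, OpenSC or p11-kit: the token and object inventory it searches is constructed for the demo, the second token's model/manufacturer/serial are invented, and it handles only the attributes that appear in the thread (model, manufacturer, serial, token, id, object, type and pin-value), ignoring the others RFC 7512 defines.

```python
"""RFC 7512 PKCS#11 URI matching, as a small worked example.

Added example, not code from libp11, OpenSC or p11-kit. A URI that names
only object attributes is applied to every token every loaded module
exposes; a URI that also names token attributes narrows the search (and
the PIN prompt) to the tokens that match. The inventory is constructed.
"""
from urllib.parse import unquote_to_bytes

# Constructed inventory of what the loaded modules might expose. Two tokens
# from two different modules carry a private key with the same label.
TOKENS = [
    {
        "module": "softhsm2",
        "model": "SoftHSM v2",
        "manufacturer": "SoftHSM project",
        "serial": "861c95e903f6cc1e",
        "token": "test-token",
        "objects": [{"object": "test-privkey", "type": "private", "id": b"\xa0\x00"}],
    },
    {
        "module": "opensc-pkcs11",
        "model": "Example card",          # invented for the demo
        "manufacturer": "Example vendor",  # invented for the demo
        "serial": "0000000001",
        "token": "work-card",
        "objects": [{"object": "test-privkey", "type": "private", "id": b"\x01"}],
    },
]

TOKEN_ATTRS = ("model", "manufacturer", "serial", "token")
OBJECT_ATTRS = ("object", "type", "id")


def parse_pkcs11_uri(uri):
    """Split a pkcs11: URI into (path attributes, query attributes).

    Per RFC 7512, path attributes are separated by ';', query attributes by
    '&', and values are percent-encoded: 'id=%A0%00' is two raw bytes and
    'model=SoftHSM%20v2' contains a space. Values are returned as bytes.
    """
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path, _, query = uri[len("pkcs11:"):].partition("?")

    def split_attrs(text, sep):
        attrs = {}
        for part in (text.split(sep) if text else []):
            name, _, value = part.partition("=")
            if not name:
                raise ValueError("empty attribute name in %r" % part)
            attrs[name] = unquote_to_bytes(value)
        return attrs

    return split_attrs(path, ";"), split_attrs(query, "&")


def _matches(attrs, uri_attrs, names):
    """True when every URI attribute in `names` agrees with `attrs`."""
    for name in names:
        if name not in uri_attrs:
            continue  # the URI does not constrain this attribute
        have = attrs[name]
        if not isinstance(have, bytes):
            have = have.encode("utf-8")
        if have != uri_attrs[name]:
            return False
    return True


def candidate_tokens(uri, tokens=TOKENS):
    """Token labels the URI does not rule out. Private objects are usually
    only visible after C_Login, so each of these may be asked for the PIN."""
    path, _ = parse_pkcs11_uri(uri)
    return [t["token"] for t in tokens if _matches(t, path, TOKEN_ATTRS)]


def find_objects(uri, tokens=TOKENS):
    """(module, token, label) for every object the URI matches."""
    path, _ = parse_pkcs11_uri(uri)
    found = []
    for tok in tokens:
        if not _matches(tok, path, TOKEN_ATTRS):
            continue
        for obj in tok["objects"]:
            if _matches(obj, path, OBJECT_ATTRS):
                found.append((tok["module"], tok["token"], obj["object"]))
    return found


if __name__ == "__main__":
    bare = "pkcs11:object=test-privkey;type=private?pin-value=1234"
    pinned = "pkcs11:token=test-token;object=test-privkey;type=private?pin-value=1234"
    for uri in (bare, pinned):
        print(uri)
        print("  PIN may be tried on:", candidate_tokens(uri))
        print("  matches:", find_objects(uri))
```

Running it shows the bare URI yielding two matches and two PIN candidates, while the token-qualified URI yields one of each; a wrong pin-value in the bare form would be tried against every candidate token, which is the lock-out risk raised above.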
> So be careful you do not lock a device by giving the wrong PIN

I didn't consider that. Thank you!

> Why are you building libp11-0.4.11 from sources?

I don't have OpenSC or the pkcs#11 engine installed at all on any of my Ubuntu Server 20.04 VMs (/usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so: cannot open shared object file: No such file or directory).
Closing this issue as what I was trying to do isn't recommended and could end up in locking up some of the devices by trying invalid PINs.
Thanks again @dengert for all your help!
I can't get p11-kit configured to work with the OpenSSL pkcs11 engine. Using PKCS11_MODULE_PATH or changing openssl.cnf works. Here's how I've configured this on an Ubuntu 20 LTS Server VM:
I've created a token and imported a private key:
Some other potentially relevant information: