search

OpenSC / libp11

PKCS#11 wrapper library
GNU Lesser General Public License v2.1
313 stars 189 forks source link

openssl.cnf for OpenSSL 3.x #568

Open 1oh1 opened 2 days ago

1oh1 commented 2 days ago

Very similar to https://github.com/OpenSC/libp11/issues/542

How do I use openssl req -engine pkcs11 -new -key 0:1 -keyform engine -out cert.pem -text -x509 -days 365 to generate a certificate and sign it using the private key stored on the pkcs#11 token?

I have compiled 64 and 32-bit versions of libp11 and verified that they have the right exports and imports:

**********************************************************************
** Visual Studio 2022 Developer Command Prompt v17.12.2
** Copyright (c) 2022 Microsoft Corporation
**********************************************************************
[vcvarsall.bat] Environment initialized for: 'x86'

C:\Program Files\Microsoft Visual Studio\2022\Community>cd C:\Users\1oh1

C:\Users\1oh1>dumpbin /exports pkcs11.dll
Microsoft (R) COFF/PE Dumper Version 14.42.34435.0
Copyright (C) Microsoft Corporation.  All rights reserved.

Dump of file pkcs11.dll

File Type: DLL

  Section contains the following exports for pkcs11.dll

    00000000 characteristics
    FFFFFFFF time date stamp
        0.00 version
           1 ordinal base
           2 number of functions
           2 number of names

    ordinal hint RVA      name

          1    0 000014D0 bind_engine
          2    1 000014B0 v_check

  Summary

        4000 .data
        1000 .fptable
        9000 .rdata
        2000 .reloc
        1000 .rsrc
       29000 .text

C:\Users\1oh1>openssl version
OpenSSL 3.4.0 22 Oct 2024 (Library: OpenSSL 3.4.0 22 Oct 2024)

C:\Users\1oh1>dumpbin /imports pkcs11.dll | findstr libcrypto
    libcrypto-3.dll

C:\Users\1oh1>cd C:\Program Files (x86)\OpenSC Project\OpenSC\pkcs11\x64

C:\Program Files (x86)\OpenSC Project\OpenSC\pkcs11\x64>dumpbin /imports pkcs11.dll | findstr libcrypto
    libcrypto-3-x64.dll

C:\Program Files (x86)\OpenSC Project\OpenSC\pkcs11\x64>dumpbin /exports pkcs11.dll
Microsoft (R) COFF/PE Dumper Version 14.42.34435.0
Copyright (C) Microsoft Corporation.  All rights reserved.

Dump of file pkcs11.dll

File Type: DLL

  Section contains the following exports for pkcs11.dll

    00000000 characteristics
    FFFFFFFF time date stamp
        0.00 version
           1 ordinal base
           2 number of functions
           2 number of names

    ordinal hint RVA      name

          1    0 000015C0 bind_engine
          2    1 000015A0 v_check

  Summary

        5000 .data
        1000 .fptable
        3000 .pdata
        E000 .rdata
        1000 .reloc
        1000 .rsrc
       2E000 .text

I installed FireDaemon OpenSSL (64-bit version) and tried this command:

C:\Users\1oh1>openssl engine dynamic -pre SO_PATH:"C:\\Program Files\\FireDaemon OpenSSL 3\\bin\\pkcs11" -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -post MODULE_PATH:"C:\\Program Files\\FireDaemon OpenSSL 3\\bin\\libp11.dll" -t
(dynamic) Dynamic engine loading support
[Success]: SO_PATH:C:\\Program Files\\FireDaemon OpenSSL 3\\bin\\pkcs11
[Success]: ID:pkcs11
[Success]: LIST_ADD:1
[Success]: LOAD
Loaded: (pkcs11) pkcs11 engine
     [ available ]
[Success]: MODULE_PATH:C:\\Program Files\\FireDaemon OpenSSL 3\\bin\\libp11.dll

C:\Users\1oh1>openssl version -a
OpenSSL 3.4.0 22 Oct 2024 (Library: OpenSSL 3.4.0 22 Oct 2024)
built on: Wed Oct 23 06:00:24 2024 UTC
platform: VC-WIN64A-HYBRIDCRT
options:  bn(64,64)
compiler: cl  /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MT /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG"
OPENSSLDIR: "C:\Program Files\Common Files\FireDaemon SSL 3"
ENGINESDIR: "C:\Program Files\FireDaemon OpenSSL 3\lib\engines-3"
MODULESDIR: "C:\Program Files\FireDaemon OpenSSL 3\lib\ossl-modules"
Seeding source: os-specific
CPUINFO: N/A

But I don't know what I should add to C:\Program Files\Common Files\FireDaemon SSL 3\openssl.cnf so that the pkcs11 engine is loaded each time. I've added this to the end but that doesn't seem to be working:

[openssl_init]
engines=engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = "C:\\Program Files (x86)\\OpenSC Project\\OpenSC\\pkcs11\\x64\\pkcs11.dll"
MODULE_PATH = "C:\\Program Files (x86)\\OpenSC Project\\OpenSC\\pkcs11\\x64\\libp11.dll"
init = 0
C:\Users\1oh1>openssl req -engine pkcs11 -new -key 0:1 -keyform engine -out cert.pem -text -x509 -days 365
Engine "pkcs11" set.
Unable to load module C:\Program Files (x86)\OpenSC Project\OpenSC\pkcs11\x64\libp11.dll
PKCS11_get_private_key returned NULL
Could not find private key from org.openssl.engine:pkcs11:0:1
34280000:error:41000401:libp11:ERR_P11_error:Unable to load PKCS#11 module:p11_load.c:103:
34280000:error:40000067:pkcs11 engine:ERR_ENG_error:invalid parameter:eng_back.c:616:
34280000:error:13000080:engine routines:ENGINE_load_private_key:failed loading private key:..\crypto\engine\eng_pkey.c:79:

The key already exists on the token and I tested it with pkcs11-tool --test --login --pin 111111 as well:

C:\Users\1oh1\openssl-firedaemon-com\x86\bin>pkcs11-tool --login --pin 111111 --list-objects
Using slot 0 with a present token (0x0)
Private Key Object; RSA
  label:      RSA2K
  ID:         01
  Usage:      decrypt, sign, signRecover
  Access:     sensitive, always sensitive, never extractable, local
  uri:        pkcs11:model=PKCS%2315%20emulated;manufacturer=Pol%20Henarejos;serial=ESPICOHSMTR;token=Pico-HSM;id=%01;object=RSA2K;type=private
Public Key Object; RSA 2048 bits
  label:      RSA2K
  ID:         01
  Usage:      encrypt, verify, wrap
  Access:     none
  uri:        pkcs11:model=PKCS%2315%20emulated;manufacturer=Pol%20Henarejos;serial=ESPICOHSMTR;token=Pico-HSM;id=%01;object=RSA2K;type=public
Private Key Object; RSA
  label:      Private Key
  ID:         43d2383f335b201d560321cfa66f6fda7527cca6
  Usage:      decrypt, sign, signRecover
  Access:     sensitive, always sensitive, extractable, local
  uri:        pkcs11:model=PKCS%2315%20emulated;manufacturer=Pol%20Henarejos;serial=ESPICOHSMTR;token=Pico-HSM;id=%43d2383f335b201d560321cfa66f6fda7527cca6;object=Private%20Key;type=private
Public Key Object; RSA 1024 bits
  label:      Private Key
  ID:         43d2383f335b201d560321cfa66f6fda7527cca6
  Usage:      encrypt, verify, wrap
  Access:     none
  uri:        pkcs11:model=PKCS%2315%20emulated;manufacturer=Pol%20Henarejos;serial=ESPICOHSMTR;token=Pico-HSM;id=%43d2383f335b201d560321cfa66f6fda7527cca6;object=Private%20Key;type=public
Private Key Object; EC
  label:
  ID:         33
  Usage:      sign, derive
  Access:     sensitive, always sensitive, never extractable, local
  uri:        pkcs11:model=PKCS%2315%20emulated;manufacturer=Pol%20Henarejos;serial=ESPICOHSMTR;token=Pico-HSM;id=%33;object=;type=private
Profile object 9391864
  profile_id:          CKP_PUBLIC_CERTIFICATES_TOKEN (4)

C:\Users\1oh1>pkcs11-tool --test --login --pin 111111
Using slot 0 with a present token (0x0)
C_SeedRandom() and C_GenerateRandom():
  seeding (C_SeedRandom) not supported
  seems to be OK
Digests:
  all 4 digest functions seem to work
  MD5: OK
  RIPEMD160: OK
  SHA-1: OK
  SHA256: OK
Ciphers: not implemented
Signatures (currently only for RSA)
  testing key 0 (RSA2K)
  all 4 signature functions seem to work
  testing signature mechanisms:
    RSA-X-509: OK
    RSA-PKCS: OK
    SHA1-RSA-PKCS: OK
    SHA256-RSA-PKCS: OK
  testing key 1 (Private Key) with 1 mechanism
    RSA-X-509: OK
  testing key 2 () with 1 mechanism -- non-RSA, skipping
Verify (currently only for RSA)
  testing key 0 (RSA2K)
    RSA-X-509: OK
    RSA-PKCS: OK
    SHA1-RSA-PKCS: OK
  testing key 1 (Private Key) with 1 mechanism
    RSA-X-509: OK
  testing key 2 () with 1 mechanism -- non-RSA, skipping
Unwrap: not implemented
Decryption (currently only for RSA)
  testing key 0 (RSA2K)
    RSA-X-509: OK
    RSA-PKCS: OK
    RSA-PKCS-OAEP: hash-algorithm RSA-PKCS-KEY-PAIR-GEN unknown, defaulting to CKM_SHA256
mgf not set, defaulting to MGF1-SHA256
OAEP parameters: hashAlg=SHA256, mgf=MGF1-SHA256, source_type=1, source_ptr=00285158, source_len=3
OK
    RSA-PKCS-OAEP: hash-algorithm RSA-PKCS-KEY-PAIR-GEN unknown, defaulting to CKM_SHA256
mgf not set, defaulting to MGF1-SHA256
OAEP parameters: hashAlg=SHA256, mgf=MGF1-SHA256, source_type=1, source_ptr=00000000, source_len=0
OK
  testing key 1 (Private Key)
    RSA-X-509: OK
    RSA-PKCS: OK
    RSA-PKCS-OAEP: hash-algorithm RSA-PKCS-KEY-PAIR-GEN unknown, defaulting to CKM_SHA256
mgf not set, defaulting to MGF1-SHA256
OAEP parameters: hashAlg=SHA256, mgf=MGF1-SHA256, source_type=1, source_ptr=00285158, source_len=3
OK
    RSA-PKCS-OAEP: hash-algorithm RSA-PKCS-KEY-PAIR-GEN unknown, defaulting to CKM_SHA256
mgf not set, defaulting to MGF1-SHA256
OAEP parameters: hashAlg=SHA256, mgf=MGF1-SHA256, source_type=1, source_ptr=00000000, source_len=0
OK
  testing key 2 () -- non-RSA, skipping
No errors
1oh1 commented 20 hours ago

On a Raspberry Pi 5 running 64-bit OS, I followed the INSTALL guide on libp11-0.4.12 and see a similar error:

$ openssl engine -t -vv 
(dynamic) Dynamic engine loading support
     [ unavailable ]
     SO_PATH: Specifies the path to the new ENGINE shared library
     NO_VCHECK: Specifies to continue even if version checking fails (boolean)
     ID: Specifies an ENGINE id name for loading
     LIST_ADD: Whether to add a loaded ENGINE to the internal list (0=no,1=yes,2=mandatory)
     DIR_LOAD: Specifies whether to load from 'DIR_ADD' directories (0=no,1=yes,2=mandatory)
     DIR_ADD: Adds a directory from which ENGINEs can be loaded
     LOAD: Load up the ENGINE specified by other settings
(pkcs11) pkcs11 engine
     [ available ]
     SO_PATH: Specifies the path to the 'pkcs11' engine shared library
     MODULE_PATH: Specifies the path to the PKCS#11 module shared library
     PIN: Specifies the pin code
     VERBOSE: Print additional details
     QUIET: Remove additional details
     INIT_ARGS: Specifies additional initialization arguments to the PKCS#11 module
     FORCE_LOGIN: Force login to the PKCS#11 module
     RE_ENUMERATE: re enumerate slots

$ openssl version -a    
OpenSSL 3.0.15 3 Sep 2024 (Library: OpenSSL 3.0.15 3 Sep 2024)
built on: Wed Nov  6 12:37:33 2024 UTC
platform: debian-arm64
options:  bn(64,64)
compiler: gcc -fPIC -pthread -Wa,--noexecstack -Wall -fzero-call-used-regs=used-gpr -DOPENSSL_TLS_SECURITY_LEVEL=2 -Wa,--noexecstack -g -O2 -ffile-prefix-map=/build/openssl-D6U5M7/openssl-3.0.15=. -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -mbranch-protection=standard -DOPENSSL_USE_NODELETE -DOPENSSL_PIC -DOPENSSL_BUILDING_OPENSSL -DNDEBUG -Wdate-time -D_FORTIFY_SOURCE=2
OPENSSLDIR: "/usr/lib/ssl"
ENGINESDIR: "/usr/lib/aarch64-linux-gnu/engines-3"
MODULESDIR: "/usr/lib/aarch64-linux-gnu/ossl-modules"
Seeding source: os-specific
CPUINFO: OPENSSL_armcap=0xbd

$ openssl engine dynamic -pre SO_PATH:"/usr/lib/aarch64-linux-gnu/engines-3/pkcs11.so" -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -post MODULE_PATH:"/usr/local/lib/libp11.so" -t
(dynamic) Dynamic engine loading support
[Success]: SO_PATH:/usr/lib/aarch64-linux-gnu/engines-3/pkcs11.so
[Success]: ID:pkcs11
[Success]: LIST_ADD:1
[Failure]: LOAD
40401B19FF7F0000:error:1300006D:engine routines:dynamic_load:init failed:../crypto/engine/eng_dyn.c:514:
     [ unavailable ]

I added this to the end of /etc/ssl/openssl.cnf is:

openssl_conf = openssl_init
[openssl_init]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib/aarch64-linux-gnu/engines-3/pkcs11.so
MODULE_PATH = /usr/local/lib/libp11.so
init = 0
PIN=111111

Some other things I've tried:

$ strings /usr/lib/aarch64-linux-gnu/engines-3/pkcs11.so | grep 'bind_engine'            
bind_engine
bind_engine
bind_engine

$ file /usr/lib/aarch64-linux-gnu/engines-3/pkcs11.so                  
/usr/lib/aarch64-linux-gnu/engines-3/pkcs11.so: ELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=2907ee0b8a2a8df5e0d483d4aa1dbe8271366d1a, with debug_info, not stripped

$ ls -alh /usr/lib/aarch64-linux-gnu/engines-3/pkcs11.so 
-rwxr-xr-x 1 root root 406K Dec  2 01:15 /usr/lib/aarch64-linux-gnu/engines-3/pkcs11.so

$ strings /usr/local/lib/libp11.so | grep 'GetFunctionList'
C_GetFunctionList
CK_C_GetFunctionList

$ file /usr/local/lib/libp11.so.3.5.0              
/usr/local/lib/libp11.so.3.5.0: ELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=b74ea3a37724fa7df823f4d45a369da2f50a1a30, with debug_info, not stripped

$ ls -alh /usr/local/lib/libp11.so                        
lrwxrwxrwx 1 root root 15 Dec  2 01:15 /usr/local/lib/libp11.so -> libp11.so.3.5.0

$ openssl req -engine pkcs11 -new -key 0:1 -keyform engine -out cert.pem -text -x509 -days 365 
Engine "pkcs11" set.
/usr/local/lib/libp11.so: undefined symbol: C_GetFunctionList
Unable to load module /usr/local/lib/libp11.so
PKCS11_get_private_key returned NULL
Could not read private key from org.openssl.engine:pkcs11:0:1
40409EAAFF7F0000:error:41000401:libp11:ERR_P11_error:Unable to load PKCS#11 module:p11_load.c:77:
40409EAAFF7F0000:error:40000067:pkcs11 engine:ERR_ENG_error:invalid parameter:eng_back.c:603:
40409EAAFF7F0000:error:13000080:engine routines:ENGINE_load_private_key:failed loading private key:../crypto/engine/eng_pkey.c:79:

$ openssl req -engine pkcs11 -new -key 0:1 -keyform engine -passin pass:111111 -out cert.pem -text -x509 -days 365
Engine "pkcs11" set.
/usr/local/lib/libp11.so: undefined symbol: C_GetFunctionList
Unable to load module /usr/local/lib/libp11.so
PKCS11_get_private_key returned NULL
Could not read private key from org.openssl.engine:pkcs11:0:1
4040E376FF7F0000:error:41000401:libp11:ERR_P11_error:Unable to load PKCS#11 module:p11_load.c:77:
4040E376FF7F0000:error:40000067:pkcs11 engine:ERR_ENG_error:invalid parameter:eng_back.c:603:
4040E376FF7F0000:error:13000080:engine routines:ENGINE_load_private_key:failed loading private key:../crypto/engine/eng_pkey.c:79:

$ pkcs11-tool --module /usr/local/lib/libp11.so -O                                                                                                                            
error: Failed to load pkcs11 module
Aborting.

$ pkcs11-tool --module /usr/lib/aarch64-linux-gnu/engines-3/pkcs11.so -O                        
error: Failed to load pkcs11 module
Aborting.