gost-engine / engine

A reference implementation of the Russian GOST crypto algorithms for OpenSSL
Apache License 2.0

If engine is listed in the config, it gets loaded twice #168

Open mouse07410 opened 5 years ago

mouse07410 commented 5 years ago
$ openssl cms -engine pkcs11 -keyform engine -aes256 -decrypt -binary -inform PEM -in /tmp/derive.520.text.cms -out /tmp/derive.520.text.dec -inkey "pkcs11:manufacturer=piv_II;object=KEY%20MAN%20key;object-type=private"
engine "pkcs11" set.
GOST engine already loaded
Enter PKCS#11 token PIN for xxxxxx:
. . . . .

Here's the relevant part of the openssl.cnf:

. . . . .
[openssl_init]

engines = engine_section

[engine_section]
#pkcs11 = pkcs11_section
gost   = gost_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = /opt/local/lib/engines-1.1/libpkcs11.so
#MODULE_PATH = /opt/local/lib/p11-kit-proxy.dylib
MODULE_PATH  = /Library/OpenSC/lib/opensc-pkcs11.so
init = 0

[gost_section]
engine_id = gost
dynamic_path = /opt/local/lib/engines-1.1/gost.dylib
default_algorithms = ALL
CRYPT_PARAMS = id-Gost28147-89-CryptoPro-A-ParamSet
PBE_PARAMS = "gost12_512"

@levitte something seems wrong here - why would the engine get loaded, and more than once - when a different one is requested?

levitte commented 5 years ago

That is an interesting question. What openssl version is this?

mouse07410 commented 5 years ago

1.1.1c.

But I think 3.0 did the same. Could not replicate with 3.0 on this machine.

beldmit commented 5 years ago

Could you please provide the dtruss logs?

mouse07410 commented 5 years ago

Sorry, I cannot: dtruss requires root access, which somehow blocks access to the HW token.

sudo -EH dtruss -f /opt/local/bin/openssl cms -engine pkcs11 -keyform engine -aes256 -decrypt -binary -inform PEM -in /tmp/derive.44415.text.cms -out /tmp/derive.44415.text.dec -inkey "pkcs11:manufacturer=piv_II;object=KEY%20MAN%20key;object-type=private" 2>&1 | tee ossl-p-out.txt
dtrace: system integrity protection is on, some features will not be available

    PID/THRD  SYSCALL(args)          = return
engine "pkcs11" set.
Specified object not found
Specified object not found
PKCS11_get_private_key returned NULL
cannot load signing key file from engine
4357936576:error:81067065:pkcs11 engine:ctx_load_privkey:object not found:eng_back.c:870:
4357936576:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:crypto/engine/eng_pkey.c:78:

and ossl-p-out.txt

OpenSSL-3.0 does not seem to be doing that:

$ openssl3 cms -engine pkcs11 -keyform engine -aes256 -decrypt -binary -inform PEM -in /tmp/derive.44415.text.cms -out /tmp/derive.44415.text.dec -inkey "pkcs11:manufacturer=piv_II;object=KEY%20MAN%20key;object-type=private"
engine "pkcs11" set.
Enter PKCS#11 token PIN for xxxxxxx:
$ 

ossl3-p-out.txt

Update

One thing is clear: if the engine is defined in the openssl.cnf, OpenSSL would at least look at it. The question is - would OpenSSL load that engine? It appears that OpenSSL-3 may or may not, but OpenSSL-1.1.1 always does? The second question is - how does the GOST engine end up being loaded twice?
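
As an added illustration (not code from the gost-engine project or from any participant in this thread): a small Python check that reads an openssl.cnf and lists the engines named in its active engines section, which the config module processes independently of any `-engine` option. The function names and the `openssl_conf = openssl_init` line in the constructed sample are assumptions, and the reader ignores `$variable` expansion and `.include`.

```python
import re

# Constructed sample modelled on the openssl.cnf fragment quoted in the issue.
# The "openssl_conf = openssl_init" line is assumed; the quoted fragment elides it.
SAMPLE_CNF = """\
openssl_conf = openssl_init
[openssl_init]
engines = engine_section
[engine_section]
#pkcs11 = pkcs11_section
gost   = gost_section
[pkcs11_section]
engine_id = pkcs11
dynamic_path = /opt/local/lib/engines-1.1/libpkcs11.so
init = 0
[gost_section]
engine_id = gost
dynamic_path = /opt/local/lib/engines-1.1/gost.dylib
default_algorithms = ALL
"""

def parse_cnf(text):
    """Minimal reader: [sections], name = value, '#' comments (no $vars, no .include)."""
    sections, current = {"default": {}}, "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        section = re.fullmatch(r"\[\s*(\S+)\s*\]", line)
        if section:
            current = section.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value.strip('"')
    return sections

def configured_engines(text):
    """Engines the config file itself activates, as {engine_id: dynamic_path}."""
    s = parse_cnf(text)
    init = s.get(s["default"].get("openssl_conf", ""), {})
    listed = s.get(init.get("engines", ""), {})
    found = {}
    for name, section_name in listed.items():
        body = s.get(section_name, {})
        found[body.get("engine_id", name)] = body.get("dynamic_path")
    return found

def unrequested_engines(text, requested):
    """Configured engines other than the one named with -engine on the command line."""
    return sorted(e for e in configured_engines(text) if e != requested)
```

For the sample, `unrequested_engines(SAMPLE_CNF, "pkcs11")` reports `gost`: the commented-out `pkcs11` entry is skipped, while the `gost` entry is still listed in the engines section even though the command line asked only for `pkcs11`.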

mouse07410 commented 5 years ago

@levitte are you up to fixing another one today? :-)

levitte commented 5 years ago

No, not today.

NMorozxov commented 4 years ago

I remember that I also got the engine loaded twice when using openssl ca with the -config option.

mouse07410 commented 4 years ago

In some cases, like invoking git, this double loading is a fatal error. I'm reasonably certain that this problem is reproducible.

Would be nice to see it fixed.

beldmit commented 4 years ago

Well. If I understand correctly, engines (and providers since 3.0) are not designed for being loaded more than once. For most of the command-line applications, you can provide an extra configuration file for their purpose.

mouse07410 commented 4 years ago

And AFAIK, I don't (explicitly) load it twice. But somehow it ends up there.