Problems using OP-TEE's PKCS#11 TA

[vesajaaskelainen]

Describe the bug I am trying to use pkcs11-provider instead of libp11's engine with OP-TEE's PKCS#11 Trusted Application.

I though that let's start with something simple like exporting public key to filesystem but that didn't get too far as we have infinite loop within pkcs11-provider code.

To Reproduce Steps to reproduce the behavior:

0. Using Yocto Project + qemuarm64-secureboot (I can help here to debug it)
1. Start the qemu for adjusted 'core-image-minimal'
2. Configure openssl provider:

   
   openssl_conf = openssl_init

[ openssl_init ] providers = provider_sect

[ provider_sect ] default = default_sect pkcs11 = pkcs11_sect

[ default_sect ]

activate = 1

[ pkcs11_sect ] module = /usr/lib/ossl-modules/pkcs11.so pkcs11-module-path = /usr/lib/libckteec.so.0

3. Initialize PKCS#11 tokens:

Note: using PIN authentication just to rule that out

root@qemuarm64-secureboot:~# export PKCS11_MODULE=/usr/lib/libckteec.so.0 root@qemuarm64-secureboot:~# export PKCS11_SLOT=0 root@qemuarm64-secureboot:~# export PKCS11_TOKEN=device root@qemuarm64-secureboot:~# export PKCS11_SO_PIN=1234567890 root@qemuarm64-secureboot:~# export PKCS11_USER_PIN=1234 root@qemuarm64-secureboot:~# export PKCS11_OBJECT_ID=112233 root@qemuarm64-secureboot:~# export PKCS11_OBJECT_LABEL=myImportedKey root@qemuarm64-secureboot:~# root@qemuarm64-secureboot:~# export PKCS11_EC_OBJECT_ID=223344 root@qemuarm64-secureboot:~# export PKCS11_EC_OBJECT_LABEL=myECImportedKey root@qemuarm64-secureboot:~# root@qemuarm64-secureboot:~# export PKCS11_ED_OBJECT_ID=5566777 root@qemuarm64-secureboot:~# export PKCS11_ED_OBJECT_LABEL=myEDImportedKey root@qemuarm64-secureboot:~# root@qemuarm64-secureboot:~# export PKCS11_PROVIDER_DEBUG=file:/run/pkcs11-provider.log,level:2 root@qemuarm64-secureboot:~# pkcs11-tool --module ${PKCS11_MODULE} --slot-index ${PKCS11_SLOT} --init-token --label ${PKCS11_TOKEN} --so-pin ${PKCS11_SO_PIN} Using slot with index 0 (0x0) Token successfully initialized root@qemuarm64-secureboot:~# root@qemuarm64-secureboot:~# pkcs11-tool --module ${PKCS11_MODULE} --slot-index ${PKCS11_SLOT} --init-pin --login --so-pin ${PKCS11_SO_PIN} --new-pin ${PKCS11_USER_PIN} Using slot with index 0 (0x0) User PIN successfully initialized root@qemuarm64-secureboot:~# root@qemuarm64-secureboot:~# pkcs11-tool --module ${PKCS11_MODULE} --list-slots Available slots: Slot 0 (0x0): OP-TEE PKCS11 TA - TEE UUID 94e9ab89-4c43-56ea-8b35-45dc07226830 token label : device token manufacturer : Linaro token model : OP-TEE TA token flags : login required, rng, token initialized, PIN initialized hardware version : 0.0 firmware version : 0.1 serial num : 0000000000000000 pin min/max : 4/128 Slot 1 (0x1): OP-TEE PKCS11 TA - TEE UUID 94e9ab89-4c43-56ea-8b35-45dc07226830 token state: uninitialized Slot 2 (0x2): OP-TEE PKCS11 TA - TEE UUID 94e9ab89-4c43-56ea-8b35-45dc07226830 token state: uninitialized root@qemuarm64-secureboot:~# root@qemuarm64-secureboot:~# pkcs11-tool --module ${PKCS11_MODULE} --token ${PKCS11_TOKEN} --login --pin ${PKCS11_USER_PIN} --list-objects

4. Generate EC keypair:

root@qemuarm64-secureboot:~# pkcs11-tool --module ${PKCS11_MODULE} --token ${PKCS11_TOKEN} --login --pin ${PKCS11_USER_PIN} --keypairgen --key-type EC:prime256v1 --label myECkey Key pair generated: Private Key Object; EC label: myECkey Usage: sign, derive Access: sensitive, always sensitive, never extractable, local Public Key Object; EC EC_POINT 256 bits EC_POINT: 04410470bebfe9bc46b49bab19720ebc3cbd312d3f22a750c95a446d71f95e8aae3b7e7caa16888bc9c97ca15bdfea56f856547c964dbe9f7749ca6c490e1a47f82579 EC_PARAMS: 06082a8648ce3d030107 label: myECkey Usage: verify, derive Access: local

5. Export EC public key to file:

root@qemuarm64-secureboot:~# openssl pkey -propquery provider=pkcs11 -provider pkcs11 -in "pkcs11:token=${PKCS11_TOKEN};object=myECkey;type=public?pin-value=${PKCS11_USER_PIN}" -pubin -pubout -out /tmp/myECkey.pem

infine loop in here -- aborted with CTRL-C

^C

Inspection in the log:

... [../../../../../../../workspace/sources/pkcs11-provider/src/random.c:85] p11prov_rand_generate(): rand: generate (add bytes: 0) [../../../../../../../workspace/sources/pkcs11-provider/src/session.c:765] p11prov_get_session(): Get session on slot 18446744073709551615, reqlogin=false, rw=false [../../../../../../../workspace/sources/pkcs11-provider/src/session.c:798] p11prov_get_session(): cycle through available slots [../../../../../../../workspace/sources/pkcs11-provider/src/session.c:494] check_slot(): Checking Slot id=0, uri=(nil), mechtype=ffffffffffffffff, rw=false) [../../../../../../../workspace/sources/pkcs11-provider/src/session.c:834] p11prov_get_session(): Found a slot 0 [../../../../../../../workspace/sources/pkcs11-provider/src/session.c:266] session_new(): Creating new P11PROV_SESSION session on pool 0x55745c1b00 [../../../../../../../workspace/sources/pkcs11-provider/src/session.c:270] session_new(): Error: 0x000000B1; Max sessions (-1) exceeded [../../../../../../../workspace/sources/pkcs11-provider/src/util.c:554] p11prov_parse_uri(): ctx=0x55745bdc70 uri=pkcs11:token=device;object=myECkey;type=public?pin-value=1234) [../../../../../../../workspace/sources/pkcs11-provider/src/util.c:360] parse_utf8str(): String [device] -> [device] [../../../../../../../workspace/sources/pkcs11-provider/src/util.c:360] parse_utf8str(): String [myECkey] -> [myECkey] [../../../../../../../workspace/sources/pkcs11-provider/src/util.c:360] parse_utf8str(): String [public] -> [public] [../../../../../../../workspace/sources/pkcs11-provider/src/util.c:360] parse_utf8str(): String [1234] -> [1234] [../../../../../../../workspace/sources/pkcs11-provider/src/store.c:494] p11prov_store_set_ctx_params(): set ctx params (0x55745e47e0, 0x7ff8ac4278) [../../../../../../../workspace/sources/pkcs11-provider/src/store.c:494] p11prov_store_set_ctx_params(): set ctx params (0x55745e47e0, 0x7ff8ac4488) [../../../../../../../workspace/sources/pkcs11-provider/src/store.c:418] p11prov_store_eof(): store eof (0x55745e47e0) [../../../../../../../workspace/sources/pkcs11-provider/src/store.c:418] p11prov_store_eof(): store eof (0x55745e47e0) [../../../../../../../workspace/sources/pkcs11-provider/src/store.c:250] p11prov_store_load(): store load (0x55745e47e0) [../../../../../../../workspace/sources/pkcs11-provider/src/store.c:92] store_fetch(): called (store_ctx=0x55745e47e0) [../../../../../../../workspace/sources/pkcs11-provider/src/provider.c:590] p11prov_ctx_login_behavior(): login_behavior = 0 [../../../../../../../workspace/sources/pkcs11-provider/src/session.c:765] p11prov_get_session(): Get session on slot 18446744073709551615, reqlogin=false, rw=false [../../../../../../../workspace/sources/pkcs11-provider/src/session.c:798] p11prov_get_session(): cycle through available slots [../../../../../../../workspace/sources/pkcs11-provider/src/session.c:494] check_slot(): Checking Slot id=0, uri=0x55745c1d50, mechtype=ffffffffffffffff, rw=false) [../../../../../../../workspace/sources/pkcs11-provider/src/session.c:834] p11prov_get_session(): Found a slot 0 [../../../../../../../workspace/sources/pkcs11-provider/src/session.c:266] session_new(): Creating new P11PROV_SESSION session on pool 0x55745c1b00 [../../../../../../../workspace/sources/pkcs11-provider/src/session.c:270] session_new(): Error: 0x000000B1; Max sessions (-1) exceeded [../../../../../../../workspace/sources/pkcs11-provider/src/store.c:126] store_fetch(): Failed to get session to load keys (slotid=0, ret=b1) [../../../../../../../workspace/sources/pkcs11-provider/src/session.c:765] p11prov_get_session(): Get session on slot 0, reqlogin=false, rw=false [../../../../../../../workspace/sources/pkcs11-provider/src/session.c:798] p11prov_get_session(): cycle through available slots [../../../../../../../workspace/sources/pkcs11-provider/src/session.c:494] check_slot(): Checking Slot id=0, uri=0x55745c1d50, mechtype=ffffffffffffffff, rw=false) [../../../../../../../workspace/sources/pkcs11-provider/src/session.c:834] p11prov_get_session(): Found a slot 0 [../../../../../../../workspace/sources/pkcs11-provider/src/session.c:266] session_new(): Creating new P11PROV_SESSION session on pool 0x55745c1b00 [../../../../../../../workspace/sources/pkcs11-provider/src/session.c:270] session_new(): Error: 0x000000B1; Max sessions (-1) exceeded [../../../../../../../workspace/sources/pkcs11-provider/src/store.c:126] store_fetch(): Failed to get session to load keys (slotid=0, ret=b1) [../../../../../../../workspace/sources/pkcs11-provider/src/session.c:765] p11prov_get_session(): Get session on slot 0, reqlogin=false, rw=false [../../../../../../../workspace/sources/pkcs11-provider/src/session.c:798] p11prov_get_session(): cycle through available slots [../../../../../../../workspace/sources/pkcs11-provider/src/session.c:494] check_slot(): Checking Slot id=0, uri=0x55745c1d50, mechtype=ffffffffffffffff, rw=false) [../../../../../../../workspace/sources/pkcs11-provider/src/session.c:834] p11prov_get_session(): Found a slot 0 [../../../../../../../workspace/sources/pkcs11-provider/src/session.c:266] session_new(): Creating new P11PROV_SESSION session on pool 0x55745c1b00 [../../../../../../../workspace/sources/pkcs11-provider/src/session.c:270] session_new(): Error: 0x000000B1; Max sessions (-1) exceeded [../../../../../../../workspace/sources/pkcs11-provider/src/store.c:126] store_fetch(): Failed to get session to load keys (slotid=0, ret=b1) ...

**Expected behavior**
Would work like with libp11's pkcs#11 engine and we would get EC public key out.

**Operating environment (please complete the following information):**
 - OS: Yocto Project
 - Version kirkstone

**Token and application used (please complete the following information):**
 - Device:  qemuarm64-secureboot (yocto machine) / OP-TEE#master / libckteec.so
 - PKCS11 Driver version: [e.g. 1.3.4] (master)
 - Application [e.g. Apache Httpd] OpenSSL 3.0.9 30 May 2023 (Library: OpenSSL 3.0.9 30 May 2023)
 - Version [e.g. 22] master

**Additional context**
Note newer openssl 3.0.12 is available if I update my development environment to newer yocto#kirkstone.

[vesajaaskelainen]

Let's try to tackle 'session_new(): Error: 0x000000B1; Max sessions (-1) exceeded' first as that sound good starting point.

If I would have 32 bit machine then I suppose I would not even see this.

OP-TEE's PKCS#11 TA operates in 32 bit parameter passing mode. Eg. if your REE OS is 32 bit then you don't see a thing but if REE OS is 64bit then with CK_ULONG one may need to sign extend 32 bit value to 64 bit.

Here is one try to tackle C_GetTokenInfo()'s CK_ULONG for ulMaxSessionCount (and friends): https://github.com/OP-TEE/optee_client/commit/edeb46a7beeda838c2c259b883dece12598b411b

With this change I we do get out of infinite loop problem. (thou I suppose one should fix the infinite loop problem within pkcs11-provider.)

A bit further:

root@qemuarm64-secureboot:~# openssl pkey -propquery provider=pkcs11 -provider pkcs11 -in "pkcs11:token=${PKCS11_TOKEN};object=myECkey;type=public?pin-value=${PKCS11_USER_PIN}" -pubin -pubout -out /tmp/myECkey.pem
root@qemuarm64-secureboot:~# cat /tmp/myECkey.pem 
root@qemuarm64-secureboot:~# ls -la /tmp/myECkey.pem 
-rw-r--r--    1 root     root             0 Nov 25 17:24 /tmp/myECkey.pem

Thou not the expected result.

If I add:

pkcs11-module-allow-export = 1

That does not seem to have an effect either.

Here are some log snippets:

[../../../../../../../workspace/sources/pkcs11-provider/src/random.c:85] p11prov_rand_generate(): rand: generate (add bytes: 0)
[../../../../../../../workspace/sources/pkcs11-provider/src/session.c:765] p11prov_get_session(): Get session on slot 18446744073709551615, reqlogin=false, rw=false
[../../../../../../../workspace/sources/pkcs11-provider/src/session.c:798] p11prov_get_session(): cycle through available slots
[../../../../../../../workspace/sources/pkcs11-provider/src/session.c:494] check_slot(): Checking Slot id=0, uri=(nil), mechtype=ffffffffffffffff, rw=false)
[../../../../../../../workspace/sources/pkcs11-provider/src/session.c:834] p11prov_get_session(): Found a slot 0
[../../../../../../../workspace/sources/pkcs11-provider/src/session.c:266] session_new(): Creating new P11PROV_SESSION session on pool 0x5562511b00
[../../../../../../../workspace/sources/pkcs11-provider/src/session.c:300] session_new(): Total sessions: 1
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:214] p11prov_OpenSession(): Calling C_OpenSession
[../../../../../../../workspace/sources/pkcs11-provider/src/session.c:73] token_session_open(): C_OpenSession ret:0 (session: 1)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:253] p11prov_GetSessionInfo(): Calling C_GetSessionInfo
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:883] p11prov_GenerateRandom(): Calling C_GenerateRandom
[../../../../../../../workspace/sources/pkcs11-provider/src/util.c:554] p11prov_parse_uri(): ctx=0x556250dc70 uri=pkcs11:token=device;object=myECkey;type=public?pin-value=1234)
[../../../../../../../workspace/sources/pkcs11-provider/src/util.c:360] parse_utf8str(): String [device] -> [device]
[../../../../../../../workspace/sources/pkcs11-provider/src/util.c:360] parse_utf8str(): String [myECkey] -> [myECkey]
[../../../../../../../workspace/sources/pkcs11-provider/src/util.c:360] parse_utf8str(): String [public] -> [public]
[../../../../../../../workspace/sources/pkcs11-provider/src/util.c:360] parse_utf8str(): String [1234] -> [1234]
[../../../../../../../workspace/sources/pkcs11-provider/src/store.c:494] p11prov_store_set_ctx_params(): set ctx params (0x5562534450, 0x7ff11ff768)
[../../../../../../../workspace/sources/pkcs11-provider/src/store.c:494] p11prov_store_set_ctx_params(): set ctx params (0x5562534450, 0x7ff11ff978)
[../../../../../../../workspace/sources/pkcs11-provider/src/store.c:418] p11prov_store_eof(): store eof (0x5562534450)
[../../../../../../../workspace/sources/pkcs11-provider/src/store.c:418] p11prov_store_eof(): store eof (0x5562534450)
[../../../../../../../workspace/sources/pkcs11-provider/src/store.c:250] p11prov_store_load(): store load (0x5562534450)
[../../../../../../../workspace/sources/pkcs11-provider/src/store.c:92] store_fetch(): called (store_ctx=0x5562534450)
[../../../../../../../workspace/sources/pkcs11-provider/src/provider.c:590] p11prov_ctx_login_behavior(): login_behavior = 0
[../../../../../../../workspace/sources/pkcs11-provider/src/session.c:765] p11prov_get_session(): Get session on slot 18446744073709551615, reqlogin=false, rw=false
[../../../../../../../workspace/sources/pkcs11-provider/src/session.c:798] p11prov_get_session(): cycle through available slots
[../../../../../../../workspace/sources/pkcs11-provider/src/session.c:494] check_slot(): Checking Slot id=0, uri=0x5562511d50, mechtype=ffffffffffffffff, rw=false)
[../../../../../../../workspace/sources/pkcs11-provider/src/session.c:834] p11prov_get_session(): Found a slot 0
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:253] p11prov_GetSessionInfo(): Calling C_GetSessionInfo
[../../../../../../../workspace/sources/pkcs11-provider/src/objects.c:930] p11prov_obj_find(): Find objects [class=2, id-len=0, label=myECkey]
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:445] p11prov_FindObjectsInit(): Calling C_FindObjectsInit
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:467] p11prov_FindObjects(): Calling C_FindObjects
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:467] p11prov_FindObjects(): Calling C_FindObjects
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:487] p11prov_FindObjectsFinal(): Calling C_FindObjectsFinal
[../../../../../../../workspace/sources/pkcs11-provider/src/util.c:23] p11prov_fetch_attributes(): Fetching attributes (0): 0x00000000
[../../../../../../../workspace/sources/pkcs11-provider/src/util.c:23] p11prov_fetch_attributes(): Fetching attributes (1): 0x00000100
[../../../../../../../workspace/sources/pkcs11-provider/src/util.c:23] p11prov_fetch_attributes(): Fetching attributes (2): 0x00000171
[../../../../../../../workspace/sources/pkcs11-provider/src/util.c:23] p11prov_fetch_attributes(): Fetching attributes (3): 0x00000001
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:404] p11prov_GetAttributeValue(): Calling C_GetAttributeValue
[../../../../../../../workspace/sources/pkcs11-provider/src/util.c:65] p11prov_fetch_attributes(): Attribute| type:0x00000000 value:0x5562536430, len:8
[../../../../../../../workspace/sources/pkcs11-provider/src/util.c:65] p11prov_fetch_attributes(): Attribute| type:0x00000100 value:0x5562536448, len:8
[../../../../../../../workspace/sources/pkcs11-provider/src/util.c:65] p11prov_fetch_attributes(): Attribute| type:0x00000171 value:0x5562536440, len:1
[../../../../../../../workspace/sources/pkcs11-provider/src/util.c:65] p11prov_fetch_attributes(): Attribute| type:0x00000001 value:0x5562536441, len:1
[../../../../../../../workspace/sources/pkcs11-provider/src/util.c:23] p11prov_fetch_attributes(): Fetching attributes (0): 0x00000180
[../../../../../../../workspace/sources/pkcs11-provider/src/util.c:23] p11prov_fetch_attributes(): Fetching attributes (1): 0x00000181
[../../../../../../../workspace/sources/pkcs11-provider/src/util.c:23] p11prov_fetch_attributes(): Fetching attributes (2): 0x00000102
[../../../../../../../workspace/sources/pkcs11-provider/src/util.c:23] p11prov_fetch_attributes(): Fetching attributes (3): 0x00000003
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:404] p11prov_GetAttributeValue(): Calling C_GetAttributeValue
[../../../../../../../workspace/sources/pkcs11-provider/src/util.c:61] p11prov_fetch_attributes(): (Re)Fetching 4 attributes
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:404] p11prov_GetAttributeValue(): Calling C_GetAttributeValue
[../../../../../../../workspace/sources/pkcs11-provider/src/util.c:65] p11prov_fetch_attributes(): Attribute| type:0x00000180 value:0x5562520530, len:10
[../../../../../../../workspace/sources/pkcs11-provider/src/util.c:65] p11prov_fetch_attributes(): Attribute| type:0x00000181 value:0x5562512970, len:67
[../../../../../../../workspace/sources/pkcs11-provider/src/util.c:65] p11prov_fetch_attributes(): Attribute| type:0x00000102 value:0x55625209c0, len:0
[../../../../../../../workspace/sources/pkcs11-provider/src/util.c:65] p11prov_fetch_attributes(): Attribute| type:0x00000003 value:0x55625212d0, len:7
[../../../../../../../workspace/sources/pkcs11-provider/src/util.c:23] p11prov_fetch_attributes(): Fetching attributes (0): 0x40000600
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:404] p11prov_GetAttributeValue(): Calling C_GetAttributeValue
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:408] p11prov_GetAttributeValue(): Error: 0x00000012; Error returned by C_GetAttributeValue
[../../../../../../../workspace/sources/pkcs11-provider/src/provider.c:382] p11prov_ctx_set_quirk(): Set quirk 'sup_attr_CKA_ALLOWED_MECHANISMS' of size 1
[../../../../../../../workspace/sources/pkcs11-provider/src/objects.c:1011] p11prov_obj_find(): Find objects: found 1 objects; Returning 0
[../../../../../../../workspace/sources/pkcs11-provider/src/session.c:765] p11prov_get_session(): Get session on slot 1, reqlogin=false, rw=false
[../../../../../../../workspace/sources/pkcs11-provider/src/session.c:798] p11prov_get_session(): cycle through available slots
[../../../../../../../workspace/sources/pkcs11-provider/src/session.c:494] check_slot(): Checking Slot id=1, uri=0x5562511d50, mechtype=ffffffffffffffff, rw=false)
[../../../../../../../workspace/sources/pkcs11-provider/src/session.c:494] check_slot(): Checking Slot id=2, uri=0x5562511d50, mechtype=ffffffffffffffff, rw=false)
[../../../../../../../workspace/sources/pkcs11-provider/src/store.c:126] store_fetch(): Failed to get session to load keys (slotid=1, ret=e0)
[../../../../../../../workspace/sources/pkcs11-provider/src/keymgmt.c:1208] p11prov_ec_load(): ec load 0x5562536410, 112
[../../../../../../../workspace/sources/pkcs11-provider/src/objects.c:400] p11prov_obj_ref_no_cache(): Ref Object: 0x5562536410 (handle:1)
[../../../../../../../workspace/sources/pkcs11-provider/src/keymgmt.c:1363] p11prov_ec_get_params(): ec get params 0x5562536410
[../../../../../../../workspace/sources/pkcs11-provider/src/keymgmt.c:1216] p11prov_ec_has(): ec has 0x5562536410 1
[../../../../../../../workspace/sources/pkcs11-provider/src/keymgmt.c:1216] p11prov_ec_has(): ec has 0x5562536410 2
[../../../../../../../workspace/sources/pkcs11-provider/src/store.c:433] p11prov_store_close(): store close (0x5562534450)
[../../../../../../../workspace/sources/pkcs11-provider/src/store.c:34] p11prov_store_ctx_free(): store ctx free (0x5562534450)
[../../../../../../../workspace/sources/pkcs11-provider/src/objects.c:431] p11prov_obj_free(): Free Object: 0x5562536410 (handle:1)
[../../../../../../../workspace/sources/pkcs11-provider/src/objects.c:438] p11prov_obj_free(): object free: reference held
[../../../../../../../workspace/sources/pkcs11-provider/src/keymgmt.c:1202] p11prov_ec_free(): ec free 0x5562536410
[../../../../../../../workspace/sources/pkcs11-provider/src/objects.c:431] p11prov_obj_free(): Free Object: 0x5562536410 (handle:1)
[../../../../../../../workspace/sources/pkcs11-provider/src/session.c:154] p11prov_session_pool_free(): Freeing session pool 0x5562511b00
[../../../../../../../workspace/sources/pkcs11-provider/src/session.c:351] session_free(): Session Free 0x55625343d0
[../../../../../../../workspace/sources/pkcs11-provider/src/session.c:102] token_session_close(): Closing session 1
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:233] p11prov_CloseSession(): Calling C_CloseSession
[../../../../../../../workspace/sources/pkcs11-provider/src/objects.c:96] p11prov_obj_pool_free(): Freeing object pool 0x5562520400
[../../../../../../../workspace/sources/pkcs11-provider/src/session.c:154] p11prov_session_pool_free(): Freeing session pool 0x5562510340
[../../../../../../../workspace/sources/pkcs11-provider/src/objects.c:96] p11prov_obj_pool_free(): Freeing object pool 0x55625366c0
[../../../../../../../workspace/sources/pkcs11-provider/src/session.c:154] p11prov_session_pool_free(): Freeing session pool 0x556250e8a0
[../../../../../../../workspace/sources/pkcs11-provider/src/objects.c:96] p11prov_obj_pool_free(): Freeing object pool 0x55625211e0
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:31] p11prov_Finalize(): Calling C_Finalize

[vesajaaskelainen]

Upgraded to newer yocto#kirkstone with updated openssl:

root@qemuarm64-secureboot:~# openssl version
OpenSSL 3.0.12 24 Oct 2023 (Library: OpenSSL 3.0.12 24 Oct 2023)

Did not help for public key export problem.

Let's try some other operations:

# Let's make a test file
root@qemuarm64-secureboot:~# echo "Hello World!" > /tmp/data.bin

# Make signature for it...
root@qemuarm64-secureboot:~# openssl dgst -provider pkcs11 -sign "pkcs11:token=${PKCS11_TOKEN};object=myECkey;type=private?pin-value=${PKCS11_USER_PIN}" -out /tmp/data.bin.sig -sha256 /tmp/data.bin
dgst: Unknown option or message digest: sha256
dgst: Use -help for summary.
207079B27F000000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../openssl-3.0.12/crypto/evp/evp_fetch.c:373:Global default library context, Algorithm (sha256 : 95), Properties (<null>)

# But that failed.

# Now lets use the pkeyutil method

# Calculate SHA256 manually
root@qemuarm64-secureboot:~# openssl dgst -sha256 -binary -out /tmp/data.bin.sha256 /tmp/data.bin

# Then use pkeytul to sign it
root@qemuarm64-secureboot:~# openssl pkeyutl -provider pkcs11 -sign -inkey "pkcs11:token=${PKCS11_TOKEN};object=myECkey;type=private?pin-value=${PKCS11_USER_PIN}" -in /tmp/data.bin.sha256 -out /tmp/data.bin.sig

# Extract public key with pkcs11-tool
root@qemuarm64-secureboot:~# pkcs11-tool --module ${PKCS11_MODULE} --token-label ${PKCS11_TOKEN} --pin ${PKCS11_USER_PIN} --login --read-object --type pubkey --label myECkey -o /tmp/myECkey.der
root@qemuarm64-secureboot:~# openssl ec -pubin -in /tmp/myECkey.der -inform DER -pubout -out /tmp/myECkey.pem
read EC key
writing EC key

# And then test out the signature
root@qemuarm64-secureboot:~# openssl dgst -verify /tmp/myECkey.pem -signature /tmp/data.bin.sig -sha256 /tmp/data.bin
Verified OK

For some reason some of the commands are broken vs. engine usage.

Let's play around with "openssl ec":

root@qemuarm64-secureboot:~# openssl ec -provider pkcs11 -in "pkcs11:token=${PKCS11_TOKEN};object=myECkey;type=public?pin-value=${PKCS11_USER_PIN}" -pubout -out /tmp/myECkey.pem
read EC key
Could not read private key from pkcs11:token=device;object=myECkey;type=public?pin-value=1234
unable to load Key

# For some reason it tried to get private key?

# Let's add -pubin to see if that helps
root@qemuarm64-secureboot:~# openssl ec -provider pkcs11 -in "pkcs11:token=${PKCS11_TOKEN};object=myECkey;type=public?pin-value=${PKCS11_USER_PIN}" -pubin -pubout -out /tmp/myECkey.pem
read EC key
writing EC key
unable to write EC key
root@qemuarm64-secureboot:~# cat /tmp/myECkey.pem
root@qemuarm64-secureboot:~# ls -la /tmp/myECkey.pem 
-rw-r--r--    1 root     root             0 Nov 26 15:15 /tmp/myECkey.pem

RSA seems to work a bit better:

root@qemuarm64-secureboot:~# pkcs11-tool --module ${PKCS11_MODULE} --token ${PKCS11_TOKEN} --login --pin ${PKCS11_USER_PIN} --keypairgen --key-type RSA:2048 --label myRSAkey
Key pair generated:
Private Key Object; RSA 
  label:      myRSAkey
  Usage:      decrypt, sign
  Access:     sensitive, always sensitive, never extractable, local
Public Key Object; RSA 2048 bits
  label:      myRSAkey
  Usage:      encrypt, verify
  Access:     local
root@qemuarm64-secureboot:~# openssl rsa -provider pkcs11 -in "pkcs11:token=${PKCS11_TOKEN};object=myRSAkey;type=public?pin-value=${PKCS11_USER_PIN}" -pubin -pubout -out /tmp/myRSAkey.pem
writing RSA key
root@qemuarm64-secureboot:~# cat /tmp/myRSAkey.pem
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEApW3C8HT7rFCAeycGG5N00BRAKdatYEqzplVe18p3TkpMRn42sopi
B4NDejxe3/Dq8NIVMkUE9wAepaym/PyQWoTwYWhQRV5n+rgwlp2FfRUDvxvJqydm
Dt/dxmcyQoOpf9NTiPkm64QJ9qEh0CDRS0w5lMNBDDwZXnlqCLkpE9z/KQfZMFkz
FmUPaQMoX02Wibz0aCvLoOKSM863vtD6LtxG04etyZJQs7b7LNmhYBnf/DS7N3mQ
J2i/67Woit1ehoG/Nnfkit9CuyOT1FWcF8NRp70bYV5g//S9ifUDyJw/AR0flUzu
MVnI5rtlwbAaM0Yj7NQLWhxTIhLnQsfq3QIDAQAB
-----END RSA PUBLIC KEY-----
root@qemuarm64-secureboot:~# openssl pkeyutl -provider pkcs11 -sign -inkey "pkcs11:token=${PKCS11_TOKEN};object=myRSAkey;type=private?pin-value=${PKCS11_USER_PIN}" -digest sha256 -rawin -in /tmp/data.bin -out /tmp/data.bin.sig
root@qemuarm64-secureboot:~# openssl dgst -verify /tmp/myRSAkey.pem -signature /tmp/data.bin.sig -sha256 /tmp/data.bin
Verified OK

[simo5]

If this kind of thing happens, it means the pkcs11 driver you are using is mal constructed. It uses openssl without creating a custom libctx, this is a bug for your driver vendor to deal with. If they need to use openssl from within a pkcs11 driver they have to either use a static build linked into it and hidden from the other libraries via appropriate RTLD linker flags, or they need to create a libctx that is separate from the application and use just the default provider in it.

Note that pkcs11-provider only makes this very evident, but a driver using the openssl default context will misbehave unpredictably as it shares the context with the main application that ends up using it through whatever chain of libraries that end up loading he pkcs11 driver.

The application can configure the default context in a way that will make the pkcs11 driver fail, or the driver can interfere with the application.

There is not much I can do in the pkcs11 provider to help that, as the pkcs11-provider can't influence what the pkcs11-driver does.

A possible workaround to break this loop, if you can't change the driver, is to remote it via p11kit proxy, so that the driver executes in a different context. However you will have to use care to provide a custom openssl configuration to the proxy daemon that excludes the use ok pkcs11-provider within that process.

[vesajaaskelainen]

@simo5 thanks for the reply.

However the library is not using openssl for its operations. It is making calls to Trusted Execution Environment and actual magic happens there.

I am also one of the authors of the library so the intent is to make it compatible ;)

Now there seems to be multiple problems so shall we handle them in this ticket or create individual tickets for each?

[simo5]

I guess I misunderstood the issue, sorry about that. I am not sure I understand why you thinkg 32bit vs 64bit makes a difference.

CK_ULONG in PKCS#11 is defined in a platform specific way, the pkcs#11 driver must provide the correct representation, it is not on the application to have to interpret or sign extend things.

It would be definitely best to tackle one issue at a time. I will take also a look at your code to check if I see anything immediately problematic

[simo5]

Could you please provide the debug log for the attempt to export the EC public key that produced an empty file?

[vesajaaskelainen]

@simo5 infinite loop before I fixed the ulMaxSessionCount to be 64 bit compliant got stuck in this continue: https://github.com/latchset/pkcs11-provider/blob/main/src/store.c#L136

There is no exit path in there in case it fails to get session. Might be a good idea to tackle that problem -- but after the fix in OP-TEE's libckteec.so this is not visible problem anymore. If you want to test out exit path for this I can undo my fix and test it out.

[vesajaaskelainen]

Could you please provide the debug log for the attempt to export the EC public key that produced an empty file?

Sure. A moment.

[vesajaaskelainen]

Ok. Cleared the tokens so initializing from empty state:

root@qemuarm64-secureboot:~# export PKCS11_MODULE=/usr/lib/libckteec.so.0
root@qemuarm64-secureboot:~# export PKCS11_SLOT=0
root@qemuarm64-secureboot:~# export PKCS11_TOKEN=device
root@qemuarm64-secureboot:~# export PKCS11_SO_PIN=1234567890
root@qemuarm64-secureboot:~# export PKCS11_USER_PIN=1234
root@qemuarm64-secureboot:~# export PKCS11_OBJECT_ID=112233
root@qemuarm64-secureboot:~# export PKCS11_OBJECT_LABEL=myImportedKey
root@qemuarm64-secureboot:~# 
root@qemuarm64-secureboot:~# export PKCS11_EC_OBJECT_ID=223344
root@qemuarm64-secureboot:~# export PKCS11_EC_OBJECT_LABEL=myECImportedKey
root@qemuarm64-secureboot:~# 
root@qemuarm64-secureboot:~# export PKCS11_ED_OBJECT_ID=5566777
root@qemuarm64-secureboot:~# export PKCS11_ED_OBJECT_LABEL=myEDImportedKey
root@qemuarm64-secureboot:~# 
root@qemuarm64-secureboot:~# export PKCS11_PROVIDER_DEBUG=file:/run/pkcs11-provider.log,level:2
root@qemuarm64-secureboot:~# pkcs11-tool --module ${PKCS11_MODULE} --slot-index ${PKCS11_SLOT} --init-token --label ${PKCS11_TOKEN} --so-pin ${PKCS11_SO_PIN}
Using slot with index 0 (0x0)
Token successfully initialized
root@qemuarm64-secureboot:~# 
root@qemuarm64-secureboot:~# pkcs11-tool --module ${PKCS11_MODULE} --slot-index ${PKCS11_SLOT} --init-pin --login --so-pin ${PKCS11_SO_PIN} --new-pin ${PKCS11_USER_PIN}
Using slot with index 0 (0x0)
User PIN successfully initialized
root@qemuarm64-secureboot:~# 
root@qemuarm64-secureboot:~# pkcs11-tool --module ${PKCS11_MODULE} --list-slots
Available slots:
Slot 0 (0x0): OP-TEE PKCS11 TA - TEE UUID 94e9ab89-4c43-56ea-8b35-45dc07226830
  token label        : device
  token manufacturer : Linaro
  token model        : OP-TEE TA
  token flags        : login required, rng, token initialized, PIN initialized
  hardware version   : 0.0
  firmware version   : 0.1
  serial num         : 0000000000000000
  pin min/max        : 4/128
Slot 1 (0x1): OP-TEE PKCS11 TA - TEE UUID 94e9ab89-4c43-56ea-8b35-45dc07226830
  token state:   uninitialized
Slot 2 (0x2): OP-TEE PKCS11 TA - TEE UUID 94e9ab89-4c43-56ea-8b35-45dc07226830
  token state:   uninitialized
root@qemuarm64-secureboot:~# 
root@qemuarm64-secureboot:~# pkcs11-tool --module ${PKCS11_MODULE} --token ${PKCS11_TOKEN} --login --pin ${PKCS11_USER_PIN} --list-objects
root@qemuarm64-secureboot:~# pkcs11-tool --module ${PKCS11_MODULE} --token ${PKCS11_TOKEN} --login --pin ${PKCS11_USER_PIN} --keypairgen --key-type EC:prime256v1 --label myECkey
Key pair generated:
Private Key Object; EC
  label:      myECkey
  Usage:      sign, derive
  Access:     sensitive, always sensitive, never extractable, local
Public Key Object; EC  EC_POINT 256 bits
  EC_POINT:   044104929ba199146132c00cbfc1ce195711d3d2e456c5bb2da5a370f885ea41e9aa2729ab33b8eaaa3f65bfca44aed858f728a7d59212262d232bfb98852bbc0b6bf0
  EC_PARAMS:  06082a8648ce3d030107
  label:      myECkey
  Usage:      verify, derive
  Access:     local
root@qemuarm64-secureboot:~# pkcs11-tool --module ${PKCS11_MODULE} --token ${PKCS11_TOKEN} --login --pin ${PKCS11_USER_PIN} --list-objects
Private Key Object; EC
  label:      myECkey
  Usage:      sign, derive
  Access:     sensitive, always sensitive, never extractable, local
Public Key Object; EC  EC_POINT 256 bits
  EC_POINT:   044104929ba199146132c00cbfc1ce195711d3d2e456c5bb2da5a370f885ea41e9aa2729ab33b8eaaa3f65bfca44aed858f728a7d59212262d232bfb98852bbc0b6bf0
  EC_PARAMS:  06082a8648ce3d030107
  label:      myECkey
  Usage:      verify, derive
  Access:     local
root@qemuarm64-secureboot:~# openssl pkey -propquery provider=pkcs11 -provider pkcs11 -in "pkcs11:token=${PKCS11_TOKEN};object=myECkey;type=public?pin-value=${PKCS11_USER_PIN}" -pubin -pubout -out /tmp/myECkey.pem
root@qemuarm64-secureboot:~# cat /tmp/myECkey.pem 
root@qemuarm64-secureboot:~# ls -la /tmp/myECkey.pem 
-rw-r--r--    1 root     root             0 Nov 27 17:42 /tmp/myECkey.pem

And then the log:

root@qemuarm64-secureboot:~# cat /run/pkcs11-provider.log 
[../../../../../../../workspace/sources/pkcs11-provider/src/provider.c:1341] OSSL_provider_init(): Provided config params:
[../../../../../../../workspace/sources/pkcs11-provider/src/provider.c:1351] OSSL_provider_init():   pkcs11-module-path: /usr/lib/libckteec.so.0
[../../../../../../../workspace/sources/pkcs11-provider/src/provider.c:1351] OSSL_provider_init():   pkcs11-module-init-args: [none]
[../../../../../../../workspace/sources/pkcs11-provider/src/provider.c:1351] OSSL_provider_init():   pkcs11-module-token-pin: [****]
[../../../../../../../workspace/sources/pkcs11-provider/src/provider.c:1351] OSSL_provider_init():   pkcs11-module-allow-export: [none]
[../../../../../../../workspace/sources/pkcs11-provider/src/provider.c:1351] OSSL_provider_init():   pkcs11-module-login-behavior: [none]
[../../../../../../../workspace/sources/pkcs11-provider/src/provider.c:1351] OSSL_provider_init():   pkcs11-module-load-behavior: [none]
[../../../../../../../workspace/sources/pkcs11-provider/src/provider.c:1351] OSSL_provider_init():   pkcs11-module-cache-pins: [none]
[../../../../../../../workspace/sources/pkcs11-provider/src/provider.c:1351] OSSL_provider_init():   pkcs11-module-cache-keys: [none]
[../../../../../../../workspace/sources/pkcs11-provider/src/provider.c:1351] OSSL_provider_init():   pkcs11-module-quirks: [none]
[../../../../../../../workspace/sources/pkcs11-provider/src/provider.c:1351] OSSL_provider_init():   pkcs11-module-cache-sessions: [none]
[../../../../../../../workspace/sources/pkcs11-provider/src/provider.c:1370] OSSL_provider_init(): PIN not available
[../../../../../../../workspace/sources/pkcs11-provider/src/provider.c:1384] OSSL_provider_init(): Export allowed
[../../../../../../../workspace/sources/pkcs11-provider/src/provider.c:1403] OSSL_provider_init(): Login behavior: auto
[../../../../../../../workspace/sources/pkcs11-provider/src/provider.c:1420] OSSL_provider_init(): PINs will not be cached
[../../../../../../../workspace/sources/pkcs11-provider/src/provider.c:1437] OSSL_provider_init(): Key caching: in session object
[../../../../../../../workspace/sources/pkcs11-provider/src/provider.c:1478] OSSL_provider_init(): No quirks
[../../../../../../../workspace/sources/pkcs11-provider/src/provider.c:1497] OSSL_provider_init(): Cache Sessions: 5
[../../../../../../../workspace/sources/pkcs11-provider/src/provider.c:1509] OSSL_provider_init(): Load behavior: default
[../../../../../../../workspace/sources/pkcs11-provider/src/store.c:197] p11prov_store_open(): object open (0x558835fb50, pkcs11:token=device;object=myECkey;type=public?pin-value=1234)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.c:291] p11prov_module_init(): PKCS#11: Initializing the module: /usr/lib/libckteec.so.0
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.c:172] p11prov_interface_init(): C_GetInterface() not available. Falling back to C_GetFunctionList(): /usr/lib/libckteec.so.0: undefined symbol: C_GetInterface
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.c:100] populate_interface(): Populating Interfaces with 'Internal defaults', version 2.40
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:12] p11prov_Initialize(): Calling C_Initialize
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:50] p11prov_GetInfo(): Calling C_GetInfo
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.c:321] p11prov_module_init(): Module Info: ck_ver:2.40 lib: 'Linaro' 'OP-TEE PKCS11 Cryptoki library' ver:0.1
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:111] p11prov_GetSlotList(): Calling C_GetSlotList
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:111] p11prov_GetSlotList(): Calling C_GetSlotList
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:131] p11prov_GetSlotInfo(): Calling C_GetSlotInfo
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:151] p11prov_GetTokenInfo(): Calling C_GetTokenInfo
[../../../../../../../workspace/sources/pkcs11-provider/src/session.c:117] p11prov_session_pool_init(): Creating new session pool
[../../../../../../../workspace/sources/pkcs11-provider/src/provider.c:608] p11prov_ctx_cache_sessions(): cache_sessions = 5
[../../../../../../../workspace/sources/pkcs11-provider/src/session.c:144] p11prov_session_pool_init(): New session pool 0x5588362b30 created
[../../../../../../../workspace/sources/pkcs11-provider/src/objects.c:73] p11prov_obj_pool_init(): Creating new object pool
[../../../../../../../workspace/sources/pkcs11-provider/src/objects.c:88] p11prov_obj_pool_init(): New object pool 0x5588371410 created
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:214] p11prov_OpenSession(): Calling C_OpenSession
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:445] p11prov_FindObjectsInit(): Calling C_FindObjectsInit
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:449] p11prov_FindObjectsInit(): Error: 0x00000007; Error returned by C_FindObjectsInit
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:233] p11prov_CloseSession(): Calling C_CloseSession
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:172] p11prov_GetMechanismList(): Calling C_GetMechanismList
[../../../../../../../workspace/sources/pkcs11-provider/src/slot.c:100] get_slot_mechanisms(): Slot(0) mechs found: 54
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:172] p11prov_GetMechanismList(): Calling C_GetMechanismList
Slot Info:
  ID: 0
  Description:      [OP-TEE PKCS11 TA - TEE UUID 94e9ab89-4c43-56ea-8b35-45dc07226830]
  Manufacturer ID:  [Linaro]
  Flags (0x000001):

    CKF_TOKEN_PRESENT         (0x000001)
  Hardware Version: 0.0
  Firmware Version: 0.1

Token Info:
  Label:            [device]
  Manufacturer ID:  [Linaro]
  Model:            [OP-TEE TA]
  Serial Number:    [0000000000000000]
  Flags (0x00040d):

    CKF_RNG                             (0x000001)
    CKF_LOGIN_REQUIRED                  (0x000004)
    CKF_USER_PIN_INITIALIZED            (0x000008)
    CKF_TOKEN_INITIALIZED               (0x000400)
  Session Count      Max: 18446744073709551615  Current:   0
  R/W Session Count  Max: 18446744073709551615  Current:   0
  Pin Len Range: 4-128
  Public  Memory  Total: 18446744073709551615  Free: 18446744073709551615
  Private Memory  Total: 18446744073709551615  Free: 18446744073709551615
  Hardware Version: 0.0
  Firmware Version: 0.1
  UTC Time: []

[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_SHA224_RSA_PKCS_PSS (71):
  min key length: 256
  max key length: 4096
  flags (0x002800):

    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_SHA224_RSA_PKCS (70):
  min key length: 256
  max key length: 4096
  flags (0x002800):

    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_SHA512_RSA_PKCS_PSS (69):
  min key length: 256
  max key length: 4096
  flags (0x002800):

    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_SHA384_RSA_PKCS_PSS (68):
  min key length: 256
  max key length: 4096
  flags (0x002800):

    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_SHA256_RSA_PKCS_PSS (67):
  min key length: 256
  max key length: 4096
  flags (0x002800):

    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_SHA512_RSA_PKCS (66):
  min key length: 256
  max key length: 4096
  flags (0x002800):

    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_SHA384_RSA_PKCS (65):
  min key length: 256
  max key length: 4096
  flags (0x002800):

    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_SHA256_RSA_PKCS (64):
  min key length: 256
  max key length: 4096
  flags (0x002800):

    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_SHA1_RSA_PKCS_PSS (14):
  min key length: 256
  max key length: 4096
  flags (0x002800):

    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_RSA_PKCS_OAEP (9):
  min key length: 256
  max key length: 4096
  flags (0x000300):

    CKF_ENCRYPT               (0x000100)
    CKF_DECRYPT               (0x000200)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_SHA1_RSA_PKCS (6):
  min key length: 256
  max key length: 4096
  flags (0x002800):

    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_MD5_RSA_PKCS (5):
  min key length: 256
  max key length: 4096
  flags (0x002800):

    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_RSA_PKCS_PSS (13):
  min key length: 0
  max key length: 0
  flags (0x002800):

    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_RSA_PKCS (1):
  min key length: 256
  max key length: 4096
  flags (0x002b00):

    CKF_ENCRYPT               (0x000100)
    CKF_DECRYPT               (0x000200)
    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_RSA_PKCS_KEY_PAIR_GEN (0):
  min key length: 256
  max key length: 4096
  flags (0x010000):

    CKF_GENERATE_KEY_PAIR     (0x010000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_RSA_AES_KEY_WRAP (4180):
  min key length: 0
  max key length: 0
  flags (0x060300):

    CKF_ENCRYPT               (0x000100)
    CKF_DECRYPT               (0x000200)
    CKF_WRAP                  (0x020000)
    CKF_UNWRAP                (0x040000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_EDDSA (4183):
  min key length: 256
  max key length: 448
  flags (0x002800):

    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_ECDSA_SHA512 (4166):
  min key length: 160
  max key length: 521
  flags (0x002800):

    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_ECDSA_SHA384 (4165):
  min key length: 160
  max key length: 521
  flags (0x002800):

    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_ECDSA_SHA256 (4164):
  min key length: 160
  max key length: 521
  flags (0x002800):

    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_ECDSA_SHA224 (4163):
  min key length: 160
  max key length: 521
  flags (0x002800):

    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_ECDSA_SHA1 (4162):
  min key length: 160
  max key length: 521
  flags (0x002800):

    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_ECDSA (4161):
  min key length: 160
  max key length: 521
  flags (0x002800):

    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_EC_EDWARDS_KEY_PAIR_GEN (4181):
  min key length: 256
  max key length: 448
  flags (0x010000):

    CKF_GENERATE_KEY_PAIR     (0x010000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_EC_KEY_PAIR_GEN (4160):
  min key length: 160
  max key length: 521
  flags (0x010000):

    CKF_GENERATE_KEY_PAIR     (0x010000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_SHA512_HMAC_GENERAL (626):
  min key length: 32
  max key length: 128
  flags (0x002800):

    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_SHA384_HMAC_GENERAL (610):
  min key length: 32
  max key length: 128
  flags (0x002800):

    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_SHA256_HMAC_GENERAL (594):
  min key length: 24
  max key length: 128
  flags (0x002800):

    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_SHA224_HMAC_GENERAL (599):
  min key length: 14
  max key length: 64
  flags (0x002800):

    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_SHA_1_HMAC_GENERAL (546):
  min key length: 10
  max key length: 64
  flags (0x002800):

    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_MD5_HMAC_GENERAL (530):
  min key length: 8
  max key length: 64
  flags (0x002800):

    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_SHA512_HMAC (625):
  min key length: 32
  max key length: 128
  flags (0x002800):

    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_SHA384_HMAC (609):
  min key length: 32
  max key length: 128
  flags (0x002800):

    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_SHA256_HMAC (593):
  min key length: 24
  max key length: 128
  flags (0x002800):

    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_SHA224_HMAC (598):
  min key length: 14
  max key length: 64
  flags (0x002800):

    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_SHA_1_HMAC (545):
  min key length: 10
  max key length: 64
  flags (0x002800):

    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_MD5_HMAC (529):
  min key length: 8
  max key length: 64
  flags (0x002800):

    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_SHA512 (624):
  min key length: 0
  max key length: 0
  flags (0x000400):

    CKF_DIGEST                (0x000400)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_SHA384 (608):
  min key length: 0
  max key length: 0
  flags (0x000400):

    CKF_DIGEST                (0x000400)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_SHA256 (592):
  min key length: 0
  max key length: 0
  flags (0x000400):

    CKF_DIGEST                (0x000400)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_SHA224 (597):
  min key length: 0
  max key length: 0
  flags (0x000400):

    CKF_DIGEST                (0x000400)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_SHA_1 (544):
  min key length: 0
  max key length: 0
  flags (0x000400):

    CKF_DIGEST                (0x000400)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_MD5 (528):
  min key length: 0
  max key length: 0
  flags (0x000400):

    CKF_DIGEST                (0x000400)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_GENERIC_SECRET_KEY_GEN (848):
  min key length: 1
  max key length: 4096
  flags (0x008000):

    CKF_GENERATE              (0x008000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_AES_KEY_GEN (4224):
  min key length: 16
  max key length: 32
  flags (0x008000):

    CKF_GENERATE              (0x008000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_ECDH1_DERIVE (4176):
  min key length: 160
  max key length: 521
  flags (0x080000):

    CKF_DERIVE                (0x080000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_AES_CBC_ENCRYPT_DATA (4357):
  min key length: 0
  max key length: 0
  flags (0x080000):

    CKF_DERIVE                (0x080000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_AES_ECB_ENCRYPT_DATA (4356):
  min key length: 0
  max key length: 0
  flags (0x080000):

    CKF_DERIVE                (0x080000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_AES_CMAC_GENERAL (4235):
  min key length: 16
  max key length: 32
  flags (0x002800):

    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_AES_CMAC (4234):
  min key length: 16
  max key length: 32
  flags (0x002800):

    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_AES_CTS (4233):
  min key length: 16
  max key length: 32
  flags (0x000300):

    CKF_ENCRYPT               (0x000100)
    CKF_DECRYPT               (0x000200)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_AES_CTR (4230):
  min key length: 16
  max key length: 32
  flags (0x000300):

    CKF_ENCRYPT               (0x000100)
    CKF_DECRYPT               (0x000200)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_AES_CBC (4226):
  min key length: 16
  max key length: 32
  flags (0x060300):

    CKF_ENCRYPT               (0x000100)
    CKF_DECRYPT               (0x000200)
    CKF_WRAP                  (0x020000)
    CKF_UNWRAP                (0x040000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_AES_ECB (4225):
  min key length: 16
  max key length: 32
  flags (0x060300):

    CKF_ENCRYPT               (0x000100)
    CKF_DECRYPT               (0x000200)
    CKF_WRAP                  (0x020000)
    CKF_UNWRAP                (0x040000)
  No profiles specified

[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:131] p11prov_GetSlotInfo(): Calling C_GetSlotInfo
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:151] p11prov_GetTokenInfo(): Calling C_GetTokenInfo
[../../../../../../../workspace/sources/pkcs11-provider/src/session.c:117] p11prov_session_pool_init(): Creating new session pool
[../../../../../../../workspace/sources/pkcs11-provider/src/provider.c:608] p11prov_ctx_cache_sessions(): cache_sessions = 5
[../../../../../../../workspace/sources/pkcs11-provider/src/session.c:144] p11prov_session_pool_init(): New session pool 0x5588361370 created
[../../../../../../../workspace/sources/pkcs11-provider/src/objects.c:73] p11prov_obj_pool_init(): Creating new object pool
[../../../../../../../workspace/sources/pkcs11-provider/src/objects.c:88] p11prov_obj_pool_init(): New object pool 0x5588387690 created
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:214] p11prov_OpenSession(): Calling C_OpenSession
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:445] p11prov_FindObjectsInit(): Calling C_FindObjectsInit
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:449] p11prov_FindObjectsInit(): Error: 0x00000007; Error returned by C_FindObjectsInit
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:233] p11prov_CloseSession(): Calling C_CloseSession
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:172] p11prov_GetMechanismList(): Calling C_GetMechanismList
[../../../../../../../workspace/sources/pkcs11-provider/src/slot.c:100] get_slot_mechanisms(): Slot(1) mechs found: 54
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:172] p11prov_GetMechanismList(): Calling C_GetMechanismList
Slot Info:
  ID: 1
  Description:      [OP-TEE PKCS11 TA - TEE UUID 94e9ab89-4c43-56ea-8b35-45dc07226830]
  Manufacturer ID:  [Linaro]
  Flags (0x000001):

    CKF_TOKEN_PRESENT         (0x000001)
  Hardware Version: 0.0
  Firmware Version: 0.1

Token Info:
  Label:            [********************************]
  Manufacturer ID:  [Linaro]
  Model:            [OP-TEE TA]
  Serial Number:    [0000000000000001]
  Flags (0x880005):

    CKF_RNG                             (0x000001)
    CKF_LOGIN_REQUIRED                  (0x000004)
    CKF_USER_PIN_TO_BE_CHANGED          (0x080000)
    CKF_SO_PIN_TO_BE_CHANGED            (0x800000)
  Session Count      Max: 18446744073709551615  Current:   0
  R/W Session Count  Max: 18446744073709551615  Current:   0
  Pin Len Range: 4-128
  Public  Memory  Total: 18446744073709551615  Free: 18446744073709551615
  Private Memory  Total: 18446744073709551615  Free: 18446744073709551615
  Hardware Version: 0.0
  Firmware Version: 0.1
  UTC Time: []

[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_SHA224_RSA_PKCS_PSS (71):
  min key length: 256
  max key length: 4096
  flags (0x002800):

    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_SHA224_RSA_PKCS (70):
  min key length: 256
  max key length: 4096
  flags (0x002800):

    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_SHA512_RSA_PKCS_PSS (69):
  min key length: 256
  max key length: 4096
  flags (0x002800):

    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_SHA384_RSA_PKCS_PSS (68):
  min key length: 256
  max key length: 4096
  flags (0x002800):

    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_SHA256_RSA_PKCS_PSS (67):
  min key length: 256
  max key length: 4096
  flags (0x002800):

    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_SHA512_RSA_PKCS (66):
  min key length: 256
  max key length: 4096
  flags (0x002800):

    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_SHA384_RSA_PKCS (65):
  min key length: 256
  max key length: 4096
  flags (0x002800):

    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_SHA256_RSA_PKCS (64):
  min key length: 256
  max key length: 4096
  flags (0x002800):

    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_SHA1_RSA_PKCS_PSS (14):
  min key length: 256
  max key length: 4096
  flags (0x002800):

    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_RSA_PKCS_OAEP (9):
  min key length: 256
  max key length: 4096
  flags (0x000300):

    CKF_ENCRYPT               (0x000100)
    CKF_DECRYPT               (0x000200)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_SHA1_RSA_PKCS (6):
  min key length: 256
  max key length: 4096
  flags (0x002800):

    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_MD5_RSA_PKCS (5):
  min key length: 256
  max key length: 4096
  flags (0x002800):

    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_RSA_PKCS_PSS (13):
  min key length: 0
  max key length: 0
  flags (0x002800):

    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_RSA_PKCS (1):
  min key length: 256
  max key length: 4096
  flags (0x002b00):

    CKF_ENCRYPT               (0x000100)
    CKF_DECRYPT               (0x000200)
    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_RSA_PKCS_KEY_PAIR_GEN (0):
  min key length: 256
  max key length: 4096
  flags (0x010000):

    CKF_GENERATE_KEY_PAIR     (0x010000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_RSA_AES_KEY_WRAP (4180):
  min key length: 0
  max key length: 0
  flags (0x060300):

    CKF_ENCRYPT               (0x000100)
    CKF_DECRYPT               (0x000200)
    CKF_WRAP                  (0x020000)
    CKF_UNWRAP                (0x040000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_EDDSA (4183):
  min key length: 256
  max key length: 448
  flags (0x002800):

    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_ECDSA_SHA512 (4166):
  min key length: 160
  max key length: 521
  flags (0x002800):

    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_ECDSA_SHA384 (4165):
  min key length: 160
  max key length: 521
  flags (0x002800):

    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_ECDSA_SHA256 (4164):
  min key length: 160
  max key length: 521
  flags (0x002800):

    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_ECDSA_SHA224 (4163):
  min key length: 160
  max key length: 521
  flags (0x002800):

    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_ECDSA_SHA1 (4162):
  min key length: 160
  max key length: 521
  flags (0x002800):

    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_ECDSA (4161):
  min key length: 160
  max key length: 521
  flags (0x002800):

    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_EC_EDWARDS_KEY_PAIR_GEN (4181):
  min key length: 256
  max key length: 448
  flags (0x010000):

    CKF_GENERATE_KEY_PAIR     (0x010000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_EC_KEY_PAIR_GEN (4160):
  min key length: 160
  max key length: 521
  flags (0x010000):

    CKF_GENERATE_KEY_PAIR     (0x010000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_SHA512_HMAC_GENERAL (626):
  min key length: 32
  max key length: 128
  flags (0x002800):

    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_SHA384_HMAC_GENERAL (610):
  min key length: 32
  max key length: 128
  flags (0x002800):

    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_SHA256_HMAC_GENERAL (594):
  min key length: 24
  max key length: 128
  flags (0x002800):

    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_SHA224_HMAC_GENERAL (599):
  min key length: 14
  max key length: 64
  flags (0x002800):

    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_SHA_1_HMAC_GENERAL (546):
  min key length: 10
  max key length: 64
  flags (0x002800):

    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_MD5_HMAC_GENERAL (530):
  min key length: 8
  max key length: 64
  flags (0x002800):

    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_SHA512_HMAC (625):
  min key length: 32
  max key length: 128
  flags (0x002800):

    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_SHA384_HMAC (609):
  min key length: 32
  max key length: 128
  flags (0x002800):

    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_SHA256_HMAC (593):
  min key length: 24
  max key length: 128
  flags (0x002800):

    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_SHA224_HMAC (598):
  min key length: 14
  max key length: 64
  flags (0x002800):

    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_SHA_1_HMAC (545):
  min key length: 10
  max key length: 64
  flags (0x002800):

    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_MD5_HMAC (529):
  min key length: 8
  max key length: 64
  flags (0x002800):

    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_SHA512 (624):
  min key length: 0
  max key length: 0
  flags (0x000400):

    CKF_DIGEST                (0x000400)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_SHA384 (608):
  min key length: 0
  max key length: 0
  flags (0x000400):

    CKF_DIGEST                (0x000400)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_SHA256 (592):
  min key length: 0
  max key length: 0
  flags (0x000400):

    CKF_DIGEST                (0x000400)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_SHA224 (597):
  min key length: 0
  max key length: 0
  flags (0x000400):

    CKF_DIGEST                (0x000400)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_SHA_1 (544):
  min key length: 0
  max key length: 0
  flags (0x000400):

    CKF_DIGEST                (0x000400)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_MD5 (528):
  min key length: 0
  max key length: 0
  flags (0x000400):

    CKF_DIGEST                (0x000400)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_GENERIC_SECRET_KEY_GEN (848):
  min key length: 1
  max key length: 4096
  flags (0x008000):

    CKF_GENERATE              (0x008000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_AES_KEY_GEN (4224):
  min key length: 16
  max key length: 32
  flags (0x008000):

    CKF_GENERATE              (0x008000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_ECDH1_DERIVE (4176):
  min key length: 160
  max key length: 521
  flags (0x080000):

    CKF_DERIVE                (0x080000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_AES_CBC_ENCRYPT_DATA (4357):
  min key length: 0
  max key length: 0
  flags (0x080000):

    CKF_DERIVE                (0x080000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_AES_ECB_ENCRYPT_DATA (4356):
  min key length: 0
  max key length: 0
  flags (0x080000):

    CKF_DERIVE                (0x080000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_AES_CMAC_GENERAL (4235):
  min key length: 16
  max key length: 32
  flags (0x002800):

    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_AES_CMAC (4234):
  min key length: 16
  max key length: 32
  flags (0x002800):

    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_AES_CTS (4233):
  min key length: 16
  max key length: 32
  flags (0x000300):

    CKF_ENCRYPT               (0x000100)
    CKF_DECRYPT               (0x000200)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_AES_CTR (4230):
  min key length: 16
  max key length: 32
  flags (0x000300):

    CKF_ENCRYPT               (0x000100)
    CKF_DECRYPT               (0x000200)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_AES_CBC (4226):
  min key length: 16
  max key length: 32
  flags (0x060300):

    CKF_ENCRYPT               (0x000100)
    CKF_DECRYPT               (0x000200)
    CKF_WRAP                  (0x020000)
    CKF_UNWRAP                (0x040000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_AES_ECB (4225):
  min key length: 16
  max key length: 32
  flags (0x060300):

    CKF_ENCRYPT               (0x000100)
    CKF_DECRYPT               (0x000200)
    CKF_WRAP                  (0x020000)
    CKF_UNWRAP                (0x040000)
  No profiles specified

[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:131] p11prov_GetSlotInfo(): Calling C_GetSlotInfo
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:151] p11prov_GetTokenInfo(): Calling C_GetTokenInfo
[../../../../../../../workspace/sources/pkcs11-provider/src/session.c:117] p11prov_session_pool_init(): Creating new session pool
[../../../../../../../workspace/sources/pkcs11-provider/src/provider.c:608] p11prov_ctx_cache_sessions(): cache_sessions = 5
[../../../../../../../workspace/sources/pkcs11-provider/src/session.c:144] p11prov_session_pool_init(): New session pool 0x558835f8d0 created
[../../../../../../../workspace/sources/pkcs11-provider/src/objects.c:73] p11prov_obj_pool_init(): Creating new object pool
[../../../../../../../workspace/sources/pkcs11-provider/src/objects.c:88] p11prov_obj_pool_init(): New object pool 0x5588371fe0 created
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:214] p11prov_OpenSession(): Calling C_OpenSession
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:445] p11prov_FindObjectsInit(): Calling C_FindObjectsInit
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:449] p11prov_FindObjectsInit(): Error: 0x00000007; Error returned by C_FindObjectsInit
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:233] p11prov_CloseSession(): Calling C_CloseSession
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:172] p11prov_GetMechanismList(): Calling C_GetMechanismList
[../../../../../../../workspace/sources/pkcs11-provider/src/slot.c:100] get_slot_mechanisms(): Slot(2) mechs found: 54
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:172] p11prov_GetMechanismList(): Calling C_GetMechanismList
Slot Info:
  ID: 2
  Description:      [OP-TEE PKCS11 TA - TEE UUID 94e9ab89-4c43-56ea-8b35-45dc07226830]
  Manufacturer ID:  [Linaro]
  Flags (0x000001):

    CKF_TOKEN_PRESENT         (0x000001)
  Hardware Version: 0.0
  Firmware Version: 0.1

Token Info:
  Label:            [********************************]
  Manufacturer ID:  [Linaro]
  Model:            [OP-TEE TA]
  Serial Number:    [0000000000000002]
  Flags (0x880005):

    CKF_RNG                             (0x000001)
    CKF_LOGIN_REQUIRED                  (0x000004)
    CKF_USER_PIN_TO_BE_CHANGED          (0x080000)
    CKF_SO_PIN_TO_BE_CHANGED            (0x800000)
  Session Count      Max: 18446744073709551615  Current:   0
  R/W Session Count  Max: 18446744073709551615  Current:   0
  Pin Len Range: 4-128
  Public  Memory  Total: 18446744073709551615  Free: 18446744073709551615
  Private Memory  Total: 18446744073709551615  Free: 18446744073709551615
  Hardware Version: 0.0
  Firmware Version: 0.1
  UTC Time: []

[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_SHA224_RSA_PKCS_PSS (71):
  min key length: 256
  max key length: 4096
  flags (0x002800):

    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_SHA224_RSA_PKCS (70):
  min key length: 256
  max key length: 4096
  flags (0x002800):

    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_SHA512_RSA_PKCS_PSS (69):
  min key length: 256
  max key length: 4096
  flags (0x002800):

    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_SHA384_RSA_PKCS_PSS (68):
  min key length: 256
  max key length: 4096
  flags (0x002800):

    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_SHA256_RSA_PKCS_PSS (67):
  min key length: 256
  max key length: 4096
  flags (0x002800):

    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_SHA512_RSA_PKCS (66):
  min key length: 256
  max key length: 4096
  flags (0x002800):

    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_SHA384_RSA_PKCS (65):
  min key length: 256
  max key length: 4096
  flags (0x002800):

    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_SHA256_RSA_PKCS (64):
  min key length: 256
  max key length: 4096
  flags (0x002800):

    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_SHA1_RSA_PKCS_PSS (14):
  min key length: 256
  max key length: 4096
  flags (0x002800):

    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_RSA_PKCS_OAEP (9):
  min key length: 256
  max key length: 4096
  flags (0x000300):

    CKF_ENCRYPT               (0x000100)
    CKF_DECRYPT               (0x000200)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_SHA1_RSA_PKCS (6):
  min key length: 256
  max key length: 4096
  flags (0x002800):

    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_MD5_RSA_PKCS (5):
  min key length: 256
  max key length: 4096
  flags (0x002800):

    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_RSA_PKCS_PSS (13):
  min key length: 0
  max key length: 0
  flags (0x002800):

    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_RSA_PKCS (1):
  min key length: 256
  max key length: 4096
  flags (0x002b00):

    CKF_ENCRYPT               (0x000100)
    CKF_DECRYPT               (0x000200)
    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_RSA_PKCS_KEY_PAIR_GEN (0):
  min key length: 256
  max key length: 4096
  flags (0x010000):

    CKF_GENERATE_KEY_PAIR     (0x010000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_RSA_AES_KEY_WRAP (4180):
  min key length: 0
  max key length: 0
  flags (0x060300):

    CKF_ENCRYPT               (0x000100)
    CKF_DECRYPT               (0x000200)
    CKF_WRAP                  (0x020000)
    CKF_UNWRAP                (0x040000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_EDDSA (4183):
  min key length: 256
  max key length: 448
  flags (0x002800):

    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_ECDSA_SHA512 (4166):
  min key length: 160
  max key length: 521
  flags (0x002800):

    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_ECDSA_SHA384 (4165):
  min key length: 160
  max key length: 521
  flags (0x002800):

    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_ECDSA_SHA256 (4164):
  min key length: 160
  max key length: 521
  flags (0x002800):

    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_ECDSA_SHA224 (4163):
  min key length: 160
  max key length: 521
  flags (0x002800):

    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_ECDSA_SHA1 (4162):
  min key length: 160
  max key length: 521
  flags (0x002800):

    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_ECDSA (4161):
  min key length: 160
  max key length: 521
  flags (0x002800):

    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_EC_EDWARDS_KEY_PAIR_GEN (4181):
  min key length: 256
  max key length: 448
  flags (0x010000):

    CKF_GENERATE_KEY_PAIR     (0x010000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_EC_KEY_PAIR_GEN (4160):
  min key length: 160
  max key length: 521
  flags (0x010000):

    CKF_GENERATE_KEY_PAIR     (0x010000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_SHA512_HMAC_GENERAL (626):
  min key length: 32
  max key length: 128
  flags (0x002800):

    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_SHA384_HMAC_GENERAL (610):
  min key length: 32
  max key length: 128
  flags (0x002800):

    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_SHA256_HMAC_GENERAL (594):
  min key length: 24
  max key length: 128
  flags (0x002800):

    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_SHA224_HMAC_GENERAL (599):
  min key length: 14
  max key length: 64
  flags (0x002800):

    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_SHA_1_HMAC_GENERAL (546):
  min key length: 10
  max key length: 64
  flags (0x002800):

    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_MD5_HMAC_GENERAL (530):
  min key length: 8
  max key length: 64
  flags (0x002800):

    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_SHA512_HMAC (625):
  min key length: 32
  max key length: 128
  flags (0x002800):

    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_SHA384_HMAC (609):
  min key length: 32
  max key length: 128
  flags (0x002800):

    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_SHA256_HMAC (593):
  min key length: 24
  max key length: 128
  flags (0x002800):

    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_SHA224_HMAC (598):
  min key length: 14
  max key length: 64
  flags (0x002800):

    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_SHA_1_HMAC (545):
  min key length: 10
  max key length: 64
  flags (0x002800):

    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_MD5_HMAC (529):
  min key length: 8
  max key length: 64
  flags (0x002800):

    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_SHA512 (624):
  min key length: 0
  max key length: 0
  flags (0x000400):

    CKF_DIGEST                (0x000400)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_SHA384 (608):
  min key length: 0
  max key length: 0
  flags (0x000400):

    CKF_DIGEST                (0x000400)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_SHA256 (592):
  min key length: 0
  max key length: 0
  flags (0x000400):

    CKF_DIGEST                (0x000400)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_SHA224 (597):
  min key length: 0
  max key length: 0
  flags (0x000400):

    CKF_DIGEST                (0x000400)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_SHA_1 (544):
  min key length: 0
  max key length: 0
  flags (0x000400):

    CKF_DIGEST                (0x000400)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_MD5 (528):
  min key length: 0
  max key length: 0
  flags (0x000400):

    CKF_DIGEST                (0x000400)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_GENERIC_SECRET_KEY_GEN (848):
  min key length: 1
  max key length: 4096
  flags (0x008000):

    CKF_GENERATE              (0x008000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_AES_KEY_GEN (4224):
  min key length: 16
  max key length: 32
  flags (0x008000):

    CKF_GENERATE              (0x008000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_ECDH1_DERIVE (4176):
  min key length: 160
  max key length: 521
  flags (0x080000):

    CKF_DERIVE                (0x080000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_AES_CBC_ENCRYPT_DATA (4357):
  min key length: 0
  max key length: 0
  flags (0x080000):

    CKF_DERIVE                (0x080000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_AES_ECB_ENCRYPT_DATA (4356):
  min key length: 0
  max key length: 0
  flags (0x080000):

    CKF_DERIVE                (0x080000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_AES_CMAC_GENERAL (4235):
  min key length: 16
  max key length: 32
  flags (0x002800):

    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_AES_CMAC (4234):
  min key length: 16
  max key length: 32
  flags (0x002800):

    CKF_SIGN                  (0x000800)
    CKF_VERIFY                (0x002000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_AES_CTS (4233):
  min key length: 16
  max key length: 32
  flags (0x000300):

    CKF_ENCRYPT               (0x000100)
    CKF_DECRYPT               (0x000200)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_AES_CTR (4230):
  min key length: 16
  max key length: 32
  flags (0x000300):

    CKF_ENCRYPT               (0x000100)
    CKF_DECRYPT               (0x000200)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_AES_CBC (4226):
  min key length: 16
  max key length: 32
  flags (0x060300):

    CKF_ENCRYPT               (0x000100)
    CKF_DECRYPT               (0x000200)
    CKF_WRAP                  (0x020000)
    CKF_UNWRAP                (0x040000)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:193] p11prov_GetMechanismInfo(): Calling C_GetMechanismInfo
Mechanism Info:
  name: CKM_AES_ECB (4225):
  min key length: 16
  max key length: 32
  flags (0x060300):

    CKF_ENCRYPT               (0x000100)
    CKF_DECRYPT               (0x000200)
    CKF_WRAP                  (0x020000)
    CKF_UNWRAP                (0x040000)
  No profiles specified

[../../../../../../../workspace/sources/pkcs11-provider/src/random.c:85] p11prov_rand_generate(): rand: generate (add bytes: 0)
[../../../../../../../workspace/sources/pkcs11-provider/src/session.c:765] p11prov_get_session(): Get session on slot 18446744073709551615, reqlogin=false, rw=false
[../../../../../../../workspace/sources/pkcs11-provider/src/session.c:798] p11prov_get_session(): cycle through available slots
[../../../../../../../workspace/sources/pkcs11-provider/src/session.c:494] check_slot(): Checking Slot id=0, uri=(nil), mechtype=ffffffffffffffff, rw=false)
[../../../../../../../workspace/sources/pkcs11-provider/src/session.c:834] p11prov_get_session(): Found a slot 0
[../../../../../../../workspace/sources/pkcs11-provider/src/session.c:266] session_new(): Creating new P11PROV_SESSION session on pool 0x5588362b30
[../../../../../../../workspace/sources/pkcs11-provider/src/session.c:300] session_new(): Total sessions: 1
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:214] p11prov_OpenSession(): Calling C_OpenSession
[../../../../../../../workspace/sources/pkcs11-provider/src/session.c:73] token_session_open(): C_OpenSession ret:0 (session: 1)
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:253] p11prov_GetSessionInfo(): Calling C_GetSessionInfo
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:883] p11prov_GenerateRandom(): Calling C_GenerateRandom
[../../../../../../../workspace/sources/pkcs11-provider/src/util.c:554] p11prov_parse_uri(): ctx=0x558835fb50 uri=pkcs11:token=device;object=myECkey;type=public?pin-value=1234)
[../../../../../../../workspace/sources/pkcs11-provider/src/util.c:360] parse_utf8str(): String [device] -> [device]
[../../../../../../../workspace/sources/pkcs11-provider/src/util.c:360] parse_utf8str(): String [myECkey] -> [myECkey]
[../../../../../../../workspace/sources/pkcs11-provider/src/util.c:360] parse_utf8str(): String [public] -> [public]
[../../../../../../../workspace/sources/pkcs11-provider/src/util.c:360] parse_utf8str(): String [1234] -> [1234]
[../../../../../../../workspace/sources/pkcs11-provider/src/store.c:494] p11prov_store_set_ctx_params(): set ctx params (0x5588385460, 0x7fd39f8e28)
[../../../../../../../workspace/sources/pkcs11-provider/src/store.c:494] p11prov_store_set_ctx_params(): set ctx params (0x5588385460, 0x7fd39f9048)
[../../../../../../../workspace/sources/pkcs11-provider/src/store.c:418] p11prov_store_eof(): store eof (0x5588385460)
[../../../../../../../workspace/sources/pkcs11-provider/src/store.c:418] p11prov_store_eof(): store eof (0x5588385460)
[../../../../../../../workspace/sources/pkcs11-provider/src/store.c:250] p11prov_store_load(): store load (0x5588385460)
[../../../../../../../workspace/sources/pkcs11-provider/src/store.c:92] store_fetch(): called (store_ctx=0x5588385460)
[../../../../../../../workspace/sources/pkcs11-provider/src/provider.c:590] p11prov_ctx_login_behavior(): login_behavior = 0
[../../../../../../../workspace/sources/pkcs11-provider/src/session.c:765] p11prov_get_session(): Get session on slot 18446744073709551615, reqlogin=false, rw=false
[../../../../../../../workspace/sources/pkcs11-provider/src/session.c:798] p11prov_get_session(): cycle through available slots
[../../../../../../../workspace/sources/pkcs11-provider/src/session.c:494] check_slot(): Checking Slot id=0, uri=0x5588362d80, mechtype=ffffffffffffffff, rw=false)
[../../../../../../../workspace/sources/pkcs11-provider/src/session.c:834] p11prov_get_session(): Found a slot 0
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:253] p11prov_GetSessionInfo(): Calling C_GetSessionInfo
[../../../../../../../workspace/sources/pkcs11-provider/src/objects.c:930] p11prov_obj_find(): Find objects [class=2, id-len=0, label=myECkey]
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:445] p11prov_FindObjectsInit(): Calling C_FindObjectsInit
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:467] p11prov_FindObjects(): Calling C_FindObjects
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:467] p11prov_FindObjects(): Calling C_FindObjects
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:487] p11prov_FindObjectsFinal(): Calling C_FindObjectsFinal
[../../../../../../../workspace/sources/pkcs11-provider/src/util.c:23] p11prov_fetch_attributes(): Fetching attributes (0): 0x00000000
[../../../../../../../workspace/sources/pkcs11-provider/src/util.c:23] p11prov_fetch_attributes(): Fetching attributes (1): 0x00000100
[../../../../../../../workspace/sources/pkcs11-provider/src/util.c:23] p11prov_fetch_attributes(): Fetching attributes (2): 0x00000171
[../../../../../../../workspace/sources/pkcs11-provider/src/util.c:23] p11prov_fetch_attributes(): Fetching attributes (3): 0x00000001
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:404] p11prov_GetAttributeValue(): Calling C_GetAttributeValue
[../../../../../../../workspace/sources/pkcs11-provider/src/util.c:65] p11prov_fetch_attributes(): Attribute| type:0x00000000 value:0x5588385630, len:8
[../../../../../../../workspace/sources/pkcs11-provider/src/util.c:65] p11prov_fetch_attributes(): Attribute| type:0x00000100 value:0x5588385648, len:8
[../../../../../../../workspace/sources/pkcs11-provider/src/util.c:65] p11prov_fetch_attributes(): Attribute| type:0x00000171 value:0x5588385640, len:1
[../../../../../../../workspace/sources/pkcs11-provider/src/util.c:65] p11prov_fetch_attributes(): Attribute| type:0x00000001 value:0x5588385641, len:1
[../../../../../../../workspace/sources/pkcs11-provider/src/util.c:23] p11prov_fetch_attributes(): Fetching attributes (0): 0x00000180
[../../../../../../../workspace/sources/pkcs11-provider/src/util.c:23] p11prov_fetch_attributes(): Fetching attributes (1): 0x00000181
[../../../../../../../workspace/sources/pkcs11-provider/src/util.c:23] p11prov_fetch_attributes(): Fetching attributes (2): 0x00000102
[../../../../../../../workspace/sources/pkcs11-provider/src/util.c:23] p11prov_fetch_attributes(): Fetching attributes (3): 0x00000003
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:404] p11prov_GetAttributeValue(): Calling C_GetAttributeValue
[../../../../../../../workspace/sources/pkcs11-provider/src/util.c:61] p11prov_fetch_attributes(): (Re)Fetching 4 attributes
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:404] p11prov_GetAttributeValue(): Calling C_GetAttributeValue
[../../../../../../../workspace/sources/pkcs11-provider/src/util.c:65] p11prov_fetch_attributes(): Attribute| type:0x00000180 value:0x5588371540, len:10
[../../../../../../../workspace/sources/pkcs11-provider/src/util.c:65] p11prov_fetch_attributes(): Attribute| type:0x00000181 value:0x55883639a0, len:67
[../../../../../../../workspace/sources/pkcs11-provider/src/util.c:65] p11prov_fetch_attributes(): Attribute| type:0x00000102 value:0x5588371bd0, len:0
[../../../../../../../workspace/sources/pkcs11-provider/src/util.c:65] p11prov_fetch_attributes(): Attribute| type:0x00000003 value:0x55883720d0, len:7
[../../../../../../../workspace/sources/pkcs11-provider/src/util.c:23] p11prov_fetch_attributes(): Fetching attributes (0): 0x40000600
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:404] p11prov_GetAttributeValue(): Calling C_GetAttributeValue
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:408] p11prov_GetAttributeValue(): Error: 0x00000012; Error returned by C_GetAttributeValue
[../../../../../../../workspace/sources/pkcs11-provider/src/provider.c:382] p11prov_ctx_set_quirk(): Set quirk 'sup_attr_CKA_ALLOWED_MECHANISMS' of size 1
[../../../../../../../workspace/sources/pkcs11-provider/src/objects.c:1011] p11prov_obj_find(): Find objects: found 1 objects; Returning 0
[../../../../../../../workspace/sources/pkcs11-provider/src/session.c:765] p11prov_get_session(): Get session on slot 1, reqlogin=false, rw=false
[../../../../../../../workspace/sources/pkcs11-provider/src/session.c:798] p11prov_get_session(): cycle through available slots
[../../../../../../../workspace/sources/pkcs11-provider/src/session.c:494] check_slot(): Checking Slot id=1, uri=0x5588362d80, mechtype=ffffffffffffffff, rw=false)
[../../../../../../../workspace/sources/pkcs11-provider/src/session.c:494] check_slot(): Checking Slot id=2, uri=0x5588362d80, mechtype=ffffffffffffffff, rw=false)
[../../../../../../../workspace/sources/pkcs11-provider/src/store.c:126] store_fetch(): Failed to get session to load keys (slotid=1, ret=e0)
[../../../../../../../workspace/sources/pkcs11-provider/src/keymgmt.c:1208] p11prov_ec_load(): ec load 0x5588385610, 112
[../../../../../../../workspace/sources/pkcs11-provider/src/objects.c:400] p11prov_obj_ref_no_cache(): Ref Object: 0x5588385610 (handle:1)
[../../../../../../../workspace/sources/pkcs11-provider/src/keymgmt.c:1363] p11prov_ec_get_params(): ec get params 0x5588385610
[../../../../../../../workspace/sources/pkcs11-provider/src/keymgmt.c:1216] p11prov_ec_has(): ec has 0x5588385610 1
[../../../../../../../workspace/sources/pkcs11-provider/src/keymgmt.c:1216] p11prov_ec_has(): ec has 0x5588385610 2
[../../../../../../../workspace/sources/pkcs11-provider/src/store.c:433] p11prov_store_close(): store close (0x5588385460)
[../../../../../../../workspace/sources/pkcs11-provider/src/store.c:34] p11prov_store_ctx_free(): store ctx free (0x5588385460)
[../../../../../../../workspace/sources/pkcs11-provider/src/objects.c:431] p11prov_obj_free(): Free Object: 0x5588385610 (handle:1)
[../../../../../../../workspace/sources/pkcs11-provider/src/objects.c:438] p11prov_obj_free(): object free: reference held
[../../../../../../../workspace/sources/pkcs11-provider/src/keymgmt.c:1202] p11prov_ec_free(): ec free 0x5588385610
[../../../../../../../workspace/sources/pkcs11-provider/src/objects.c:431] p11prov_obj_free(): Free Object: 0x5588385610 (handle:1)
[../../../../../../../workspace/sources/pkcs11-provider/src/session.c:154] p11prov_session_pool_free(): Freeing session pool 0x5588362b30
[../../../../../../../workspace/sources/pkcs11-provider/src/session.c:351] session_free(): Session Free 0x55883853e0
[../../../../../../../workspace/sources/pkcs11-provider/src/session.c:102] token_session_close(): Closing session 1
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:233] p11prov_CloseSession(): Calling C_CloseSession
[../../../../../../../workspace/sources/pkcs11-provider/src/objects.c:96] p11prov_obj_pool_free(): Freeing object pool 0x5588371410
[../../../../../../../workspace/sources/pkcs11-provider/src/session.c:154] p11prov_session_pool_free(): Freeing session pool 0x5588361370
[../../../../../../../workspace/sources/pkcs11-provider/src/objects.c:96] p11prov_obj_pool_free(): Freeing object pool 0x5588387690
[../../../../../../../workspace/sources/pkcs11-provider/src/session.c:154] p11prov_session_pool_free(): Freeing session pool 0x558835f8d0
[../../../../../../../workspace/sources/pkcs11-provider/src/objects.c:96] p11prov_obj_pool_free(): Freeing object pool 0x5588371fe0
[../../../../../../../workspace/sources/pkcs11-provider/src/interface.gen.c:31] p11prov_Finalize(): Calling C_Finalize

[vesajaaskelainen]

I guess I misunderstood the issue, sorry about that. I am not sure I understand why you thinkg 32bit vs 64bit makes a difference.

CK_ULONG in PKCS#11 is defined in a platform specific way, the pkcs#11 driver must provide the correct representation, it is not on the application to have to interpret or sign extend things.

About the CK_ULONG. We have implemented most of the functionality inside the Trusted Execution Environment eg. the user space library is very thin wrapper.

As part of design choices interface between Trusted Execution Environment vs. Linux user space is using 32 bit unsigned integer for CK_ULONG. So it was returning ulMaxSessionCount with value (uint32_t)~0 instead of (uint64_t)~0. And define within pkcs11-provider was expecting value of (uint64_t)~0. Now what was a bit strange pkcs11-provider treated the value as -1 and got into trouble.

[simo5]

On a 64bit OS you need to make sure all structures have 64 bit members, and not 32bit ones or things will go south quick, also no packing is "whatever gcc does byd efault" ... so you need to align all members structures the way GCC would do it sadly on the arch where you run the driver. For some reason on Windows traditionally pkcs#11 used pragma pack 1, but on Linux it never did, so in terms of structure passing you need to be extra careful and potentially adjust as needed as the packings are different between 64 bit and 32bit ...

[simo5]

Are you intentionally limiting yourself to implement PKCS#11 2.40 ? I see you return CKR_BAD_ARGUMENTS when I search for CKO_PROFILE objects on initialization.

[vesajaaskelainen]

Packing should be OK and user space structure should also be OK: https://github.com/OP-TEE/optee_client/blob/master/libckteec/include/pkcs11.h#L697-L716

But what was not OK was blindly copying uint32_t values to CK_ULONG values in here: https://github.com/OP-TEE/optee_client/blob/master/libckteec/src/pkcs11_token.c#L235-L244

For that I have a patch and will make PR later for OP-TEE side.

This has been working so far nicely with all other software ;)... so there should not be too much wrong in OP-TEE's implementation.

[vesajaaskelainen]

Are you intentionally limiting yourself to implement PKCS#11 2.40 ? I see you return CKR_BAD_ARGUMENTS when I search for CKO_PROFILE objects on initialization.

It was latest release at the time when we started.

At the moment we do not support CKO_PROFILE.

[simo5]

Are you intentionally limiting yourself to implement PKCS#11 2.40 ? I see you return CKR_BAD_ARGUMENTS when I search for CKO_PROFILE objects on initialization.

It was latest release at the time when we started.

At the moment we do not support CKO_PROFILE.

ok you may want to look here if you want updated headers: https://github.com/latchset/pkcs11-headers/

[simo5]

Trying to figure out why you are getting this:

[../../../../../../../workspace/sources/pkcs11-provider/src/objects.c:1011] p11prov_obj_find(): Find objects: found 1 objects; Returning 0

[vesajaaskelainen]

Trying to figure out why you are getting this:

[../../../../../../../workspace/sources/pkcs11-provider/src/objects.c:1011] p11prov_obj_find(): Find objects: found 1 objects; Returning 0

I suppose "Returning 0 == CKR_OK" and 1 object was found. What is a bit odd it continues its trek to uninitialized tokens and fails there.

[simo5]

Oh that is actually correct, now that I looked at the code, for some reason I assume it meant we returned 0 objects, but the return code 0 is fine.

[simo5]

As far as I can tell pkcs11-provider responds positively when openssl asks if the object return has a public key (after failing when it asked for a private key which is odd if you passed -pubin). But then does not proceed further trying to export it to save it into a file.

[vesajaaskelainen]

As far as I can tell pkcs11-provider responds positively when openssl asks if the object return has a public key (after failing when it asked for a private key which is odd if you passed -pubin). But then does not proceed further trying to export it to save it into a file.

RSA public key export seems to make a file:

root@qemuarm64-secureboot:~# openssl rsa -provider pkcs11 -in "pkcs11:token=${PKCS11_TOKEN};object=myRSAkey;type=public?pin-value=${PKCS11_USER_PIN}" -pubin -pubout -out /tmp/myRSAkey.pem
writing RSA key
root@qemuarm64-secureboot:~# cat /tmp/myRSAkey.pem
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEApW3C8HT7rFCAeycGG5N00BRAKdatYEqzplVe18p3TkpMRn42sopi
B4NDejxe3/Dq8NIVMkUE9wAepaym/PyQWoTwYWhQRV5n+rgwlp2FfRUDvxvJqydm
Dt/dxmcyQoOpf9NTiPkm64QJ9qEh0CDRS0w5lMNBDDwZXnlqCLkpE9z/KQfZMFkz
FmUPaQMoX02Wibz0aCvLoOKSM863vtD6LtxG04etyZJQs7b7LNmhYBnf/DS7N3mQ
J2i/67Woit1ehoG/Nnfkit9CuyOT1FWcF8NRp70bYV5g//S9ifUDyJw/AR0flUzu
MVnI5rtlwbAaM0Yj7NQLWhxTIhLnQsfq3QIDAQAB
-----END RSA PUBLIC KEY-----

If I understood what you said is that the problem would be in openssl's support for EC keys when using provider? (engine works)

[simo5]

Yes there seem to be an issue with exporting public EC keys. It is probably in pkcs11-provider, given RSA works fine. We have been working around the EC case (se recent PRs/bugs, I guess there is some case we are still not handling right

[simo5]

What kind of EC key is this? I think we recently noticed a bug with Edwards keys (Ed25519/Ed448).

[vesajaaskelainen]

Something works in here ;)

root@qemuarm64-secureboot:~# openssl storeutl -provider pkcs11 -noout -text pkcs11:?pin-value=${PKCS11_USER_PIN}
0: Pkey
PKCS11 EC Private Key (256 bits)
[Can't export and print private key data]
URI pkcs11:model=OP-TEE%20TA;manufacturer=Linaro;serial=0000000000000000;token=device;object=myECkey;type=private
1: Public key
PKCS11 EC Public Key (256 bits)
Pub:
    04:92:9b:a1:99:14:61:32:c0:0c:bf:c1:ce:19:57:
    11:d3:d2:e4:56:c5:bb:2d:a5:a3:70:f8:85:ea:41:
    e9:aa:27:29:ab:33:b8:ea:aa:3f:65:bf:ca:44:ae:
    d8:58:f7:28:a7:d5:92:12:26:2d:23:2b:fb:98:85:
    2b:bc:0b:6b:f0
ASN1 OID: prime256v1
NIST CURVE: P-256
URI pkcs11:model=OP-TEE%20TA;manufacturer=Linaro;serial=0000000000000000;token=device;object=myECkey;type=public
Total found: 2

[vesajaaskelainen]

What kind of EC key is this? I think we recently noticed a bug with Edwards keys (Ed25519/Ed448).

This key was P-256 as seen in previous comment.

Edwards curve support is somewhat broken in PKCS#11 specifications: https://lists.oasis-open.org/archives/pkcs11-comment/202309/msg00000.html

[simo5]

Yes the previous log showed that the key was found, and the p11prov_ec_has() calls told me the openssl store code was returned the key object, which was identified as a public key. (See try_key() in crypto/store_store_result.c), but I do not have any further calls coming from openssl in the log, so I can't tell what it balked on. The fact the file was created I think means openssl got to the point where the PEM encoding functions are called, and only then it failed, but I have no idea why at the moment.

[vesajaaskelainen]

Some extra debugs:

[../../../../../../../workspace/sources/pkcs11-provider/src/objects.c:1011] p11prov_obj_find(): Find objects: found 1 objects; Returning 0
[../../../../../../../workspace/sources/pkcs11-provider/src/session.c:765] p11prov_get_session(): Get session on slot 1, reqlogin=false, rw=false
[../../../../../../../workspace/sources/pkcs11-provider/src/session.c:798] p11prov_get_session(): cycle through available slots
[../../../../../../../workspace/sources/pkcs11-provider/src/session.c:494] check_slot(): Checking Slot id=1, uri=0x558da62d80, mechtype=ffffffffffffffff, rw=false)
[../../../../../../../workspace/sources/pkcs11-provider/src/session.c:494] check_slot(): Checking Slot id=2, uri=0x558da62d80, mechtype=ffffffffffffffff, rw=false)
[../../../../../../../workspace/sources/pkcs11-provider/src/store.c:126] store_fetch(): Failed to get session to load keys (slotid=1, ret=e0)
[../../../../../../../workspace/sources/pkcs11-provider/src/keymgmt.c:1208] p11prov_ec_load(): ec load 0x558da85610, 112
[../../../../../../../workspace/sources/pkcs11-provider/src/objects.c:400] p11prov_obj_ref_no_cache(): Ref Object: 0x558da85610 (handle:1)
[../../../../../../../workspace/sources/pkcs11-provider/src/keymgmt.c:1366] p11prov_ec_get_params(): ec get params 0x558da85610
[../../../../../../../workspace/sources/pkcs11-provider/src/keymgmt.c:1216] p11prov_ec_has(): ec has 0x558da85610 1
[../../../../../../../workspace/sources/pkcs11-provider/src/keymgmt.c:1225] p11prov_ec_has(): ec has OSSL_KEYMGMT_SELECT_PRIVATE_KEY but != CKO_PRIVATE_KEY 0x558da85610 1
[../../../../../../../workspace/sources/pkcs11-provider/src/keymgmt.c:1216] p11prov_ec_has(): ec has 0x558da85610 2
[../../../../../../../workspace/sources/pkcs11-provider/src/keymgmt.c:1234] p11prov_ec_has(): ec has OK 0x558da85610 2
[../../../../../../../workspace/sources/pkcs11-provider/src/store.c:433] p11prov_store_close(): store close (0x558da85460)
[../../../../../../../workspace/sources/pkcs11-provider/src/store.c:34] p11prov_store_ctx_free(): store ctx free (0x558da85460)
[../../../../../../../workspace/sources/pkcs11-provider/src/objects.c:431] p11prov_obj_free(): Free Object: 0x558da85610 (handle:1)
[../../../../../../../workspace/sources/pkcs11-provider/src/objects.c:438] p11prov_obj_free(): object free: reference held
[../../../../../../../workspace/sources/pkcs11-provider/src/keymgmt.c:1202] p11prov_ec_free(): ec free 0x558da85610
[../../../../../../../workspace/sources/pkcs11-provider/src/objects.c:431] p11prov_obj_free(): Free Object: 0x558da85610 (handle:1)

And the diff:

diff --git a/src/keymgmt.c b/src/keymgmt.c
index 26abd04..4e460cb 100644
--- a/src/keymgmt.c
+++ b/src/keymgmt.c
@@ -1216,11 +1216,13 @@ static int p11prov_ec_has(const void *keydata, int selection)
     P11PROV_debug("ec has %p %d", key, selection);

     if (key == NULL) {
+        P11PROV_debug("ec has 'key == NULL' %p %d", key, selection);
         return RET_OSSL_ERR;
     }

     if (selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) {
         if (p11prov_obj_get_class(key) != CKO_PRIVATE_KEY) {
+            P11PROV_debug("ec has OSSL_KEYMGMT_SELECT_PRIVATE_KEY but != CKO_PRIVATE_KEY %p %d", key, selection);
             return RET_OSSL_ERR;
         }
     }
@@ -1229,6 +1231,7 @@ static int p11prov_ec_has(const void *keydata, int selection)
      * private key, as we can try to fetch the associated public key as needed
      * if asked for an export (main reason to do this), or other operations */

+    P11PROV_debug("ec has OK %p %d", key, selection);
     return RET_OSSL_OK;
 }

[simo5]

This part is working as expected, its what happens later in openssl that makes it fail. But I do not know why.

[vesajaaskelainen]

I could re-produce the 0 size EC public key export problem on my desktop with softhsmv2 (segfault fixed) too so should not be related to OP-TEE's PKCS#11 support. (unless both have the same bug)

Now I have openssl 3.0.12 compiled with debugs and can continue later to also debug the problem in easier debugging environment. (modifying openssl within yocto can cause quite a bit stuff the be re-built)

[simo5]

If you can give me instructions on how to reproduce with softhsm2 I should be able to find the cause.

[vesajaaskelainen]

This is quite connected to my debug setup but I suppose you can adapt it to your system:

$ cat setup.source 
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/opt/openssl-3.0.12/lib64
export PATH=/opt/openssl-3.0.12/bin:/opt/softhsm2/bin:$PATH
export SOFTHSM2_CONF=/opt/softhsm2/softhsm2.conf
export PKCS11_MODULE=/opt/softhsm2/lib/softhsm/libsofthsm2.so

$ cat setup-pkcs11-provider.source 
#export PKCS11_MODULE=/usr/lib/libckteec.so.0
export PKCS11_SLOT=0
export PKCS11_TOKEN=device
export PKCS11_SO_PIN=1234567890
export PKCS11_USER_PIN=1234
export PKCS11_OBJECT_ID=112233
export PKCS11_OBJECT_LABEL=myImportedKey

export PKCS11_EC_OBJECT_ID=223344
export PKCS11_EC_OBJECT_LABEL=myECImportedKey

export PKCS11_ED_OBJECT_ID=5566777
export PKCS11_ED_OBJECT_LABEL=myEDImportedKey

export PKCS11_PROVIDER_DEBUG=file:/tmp/pkcs11-provider.log,level:2

$ cat setup-softhsm2-token.sh 
softhsm2-util --module ${PKCS11_MODULE} --delete-token --token ${PKCS11_TOKEN}
softhsm2-util --module ${PKCS11_MODULE} --init-token --so-pin ${PKCS11_SO_PIN} --pin ${PKCS11_USER_PIN} --slot ${PKCS11_SLOT} --label ${PKCS11_TOKEN}

After this you can just run then commands I used eg:

$ pkcs11-tool --module ${PKCS11_MODULE} --token ${PKCS11_TOKEN} --login --pin ${PKCS11_USER_PIN} --keypairgen --key-type EC:prime256v1 --label myECkey
$ openssl pkey -propquery provider=pkcs11 -provider pkcs11 -in "pkcs11:token=${PKCS11_TOKEN};object=myECkey;type=public?pin-value=${PKCS11_USER_PIN}" -pubin -pubout -out /tmp/myECkey.pem

Just say if you need more details :)

[simo5]

@vesajaaskelainen ok so now I wonder why you would see this problem but it doesn't show up here: https://github.com/latchset/pkcs11-provider/blob/b4728fa3521a53d56602fb0b0c3b7b2a0b703324/tests/tbasic#L127 What in your custom setup differs from our tests when using softhsm2 ?

[vesajaaskelainen]

@vesajaaskelainen ok so now I wonder why you would see this problem but it doesn't show up here:

https://github.com/latchset/pkcs11-provider/blob/b4728fa3521a53d56602fb0b0c3b7b2a0b703324/tests/tbasic#L127

What in your custom setup differs from our tests when using softhsm2 ?

I'll get back to that in near future.

In meanwhile I did following:

• Upgraded test bed for openssl 3.2.0 that was just released -> no change
• Added pkcs11-spy.so to the picture (thou needed to re-compile OpenSC from master)

With pkcs11-spy I can see that it does query public key from token -> good. With additional debug I can see that it does not export that in p11prov_ec_get_params().

Only this part gets values out: https://github.com/latchset/pkcs11-provider/blob/main/src/keymgmt.c#L1356-L1398

[vesajaaskelainen]

@vesajaaskelainen ok so now I wonder why you would see this problem but it doesn't show up here:

https://github.com/latchset/pkcs11-provider/blob/b4728fa3521a53d56602fb0b0c3b7b2a0b703324/tests/tbasic#L127

What in your custom setup differs from our tests when using softhsm2 ?

Figured this out.

[default_sect] needs to have activate = 1.

Now patch for openssl.cnf is:

diff --git a/apps/openssl.cnf b/apps/openssl.cnf
index 12bc408..958dd63 100644
--- a/apps/openssl.cnf
+++ b/apps/openssl.cnf
@@ -56,6 +56,8 @@ providers = provider_sect
 # List of providers to load
 [provider_sect]
 default = default_sect
+pkcs11 = pkcs11_sect
+
 # The fips section name should match the section name inside the
 # included fipsmodule.cnf.
 # fips = fips_sect
@@ -71,6 +73,9 @@ default = default_sect
 [default_sect]
-# activate = 1
+activate = 1

+[pkcs11_sect]
+module = /usr/lib/ossl-modules/pkcs11.so
+pkcs11-module-path = /usr/lib/libckteec.so.0

 ####################################################################
 [ ca ]

openssl version:

root@qemuarm64-secureboot:~# openssl version
OpenSSL 3.0.12 24 Oct 2023 (Library: OpenSSL 3.0.12 24 Oct 2023)

Then testing it out:

root@qemuarm64-secureboot:~# openssl pkey -provider pkcs11 -in "pkcs11:token=${PKCS11_TOKEN};object=myECkey;type=public?pin-value=${PKCS11_USER_PIN}" -pubin -pubout -out /tmp/myECkey.pem
root@qemuarm64-secureboot:~# cat /tmp/myECkey.pem 
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEJjjHwvxXzZgjv0AVAMp/xvda8sIi
RQeefhiVZ1GoqAwvl6zsV+tEUNFDY1EA1xLdds3pG5xUogsyqhkDTQP5ag==
-----END PUBLIC KEY-----

Thou there may be some issues with openssl CLI itself in example following does not work:

root@qemuarm64-secureboot:~# openssl ec -provider pkcs11 -in "pkcs11:token=${PKCS11_TOKEN};object=myECkey;type=public?pin-value=${PKCS11_USER_PIN}" -pubout -out /tmp/myECkey.pem
read EC key
Could not read private key from pkcs11:token=device;object=myECkey;type=public?pin-value=1234
unable to load Key
root@qemuarm64-secureboot:~# openssl ec -provider pkcs11 -inform engine -in "pkcs11:token=${PKCS11_TOKEN};object=myECkey;type=public?pin-value=${PKCS11_USER_PIN}" -pubout -out /tmp/myECkey.pem
read EC key
No engine specified for loading private key
^C

openssl dgst works OK now:

root@qemuarm64-secureboot:~# openssl dgst -provider pkcs11 -sign "pkcs11:token=${PKCS11_TOKEN};object=myECkey;type=private?pin-value=${PKCS11_USER_PIN}" -out /tmp/data.bin.sig -sha256 /tmp/data.bin
root@qemuarm64-secureboot:~# openssl dgst -provider pkcs11 -verify "pkcs11:token=${PKCS11_TOKEN};object=myECkey;type=public?pin-value=${PKCS11_USER_PIN}" -signature /tmp/data.bin.sig -sha256 /tmp/data.bin
Verified OK
root@qemuarm64-secureboot:~# openssl dgst -verify /tmp/myECkey.pem -signature /tmp/data.bin.sig -sha256 /tmp/data.bin
Verified OK

RSA seems to still work:

root@qemuarm64-secureboot:~# openssl rsa -provider pkcs11 -in "pkcs11:token=${PKCS11_TOKEN};object=myRSAkey;type=public?pin-value=${PKCS11_USER_PIN}" -pubin -pubout -out /tmp/myRSAkey.pem
writing RSA key
root@qemuarm64-secureboot:~# cat /tmp/myRSAkey.pem 
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwMiD2Y5jmMNdQYVABi/r
Jytw6V9+VTX/ixd5UxD6fPc9bmM1VVAh85/SxqQwWMJjFr9L9PZ0dXeILI+tjfi9
ErvxoJHLugvK5tKYEssU6KZp+ELoFCPoc47nDHDR5O86ZbxYhPTz/VPv6Zq0lkTI
lEnrVpjU891zicKMuft64e1NhrtetUTVSqKud/TQJlCilUc8UF986p8+SxSXp+AL
cT8LSWvqhp5F/bJZ1TNpnnv6LA/sTDcwaqxx7LmaQRLpj9hy8CoYXmrWOBvPdJfp
1W3LvcbEy2subeGDC0eTQm1XFUkT0G5Lu0o5G1PMH0D3eDtuMsJh7WtfuP1eUUyN
3wIDAQAB
-----END PUBLIC KEY-----
root@qemuarm64-secureboot:~# openssl dgst -provider pkcs11 -sign "pkcs11:token=${PKCS11_TOKEN};object=myRSAkey;type=private?pin-value=${PKCS11_USER_PIN}" -out /tmp/data.bin.sig -sha256 /tmp/data.bin
root@qemuarm64-secureboot:~# openssl dgst -verify /tmp/myRSAkey.pem -signature /tmp/data.bin.sig -sha256 /tmp/data.bin
Verified OK
root@qemuarm64-secureboot:~# openssl dgst -provider pkcs11 -verify "pkcs11:token=${PKCS11_TOKEN};object=myRSAkey;type=public?pin-value=${PKCS11_USER_PIN}" -signature /tmp/data.bin.sig -sha256 /tmp/data.bin
Verified OK

Even thou it was setting that changed the behavior it still smells like openssl issue. Especially as RSA was working fine without any changes. But as I am no expert in this provider interface cannot really say one way or other.

[simo5]

We are aware that openssl command line has gaps in using the -provider option, please report to openssl for specific command issues.

Given this looks like ity is not an issue in pkcs11-provider itself I am going to close this. Feel free to comment/reopen if I misunderstood.