opendnssec / SoftHSMv2

SoftHSM version 2
http://www.softhsm.org/

Exceedingly unhelpful error message in softhsm2-util #283

Closed kkeane closed 7 years ago

kkeane commented 7 years ago

If there is a problem with softhsm2.conf, softhsm2-util will produce an error message that really tells nothing about the problem, and in fact sent me on a wild goose chase for a while:

ERROR: Could not initialize the library.

I had to search through the source code to find that "the library" seems to refer to the PKCS11 library, and dig again to find that it probably is related to an error in my softhsm2.conf.

It would be helpful if the error message included:

bellgrim commented 7 years ago

Yes, but as an application (softhsm2-util loads libsofthsm2.so (or any other PKCS#11 library if you use --module)) you will not get more error info from the PKCS#11 library than e.g. CKA_GENERAL_ERROR.

In the case with SoftHSM, you will find more info in syslog. This is where the library can display its output.

Could you check syslog and see if you get the desired error message?

kkeane commented 7 years ago

Well, this error message doesn't even indicate that the problem is with the PKCS#11 library or that the error is CKA_GENERAL_ERROR! If somebody uses multiple repositories, it wouldn't even tell you WHICH one was the problem. Incidentally, another related problem is terminology: what is called "library" in this error message is called "module" in the command line argument.

Based on the message, I actually assumed that it was a problem with dynamic linking and was chasing my tail for a while until I looked at the source code.

A more useful, and still doable, message might be "ERROR: initialization of PKCS#11 library /usr/lib/softhsm/libsofthsm2.so failed. Is your configuration file correct?" - specific enough to be helpful, yet generic enough to apply to softhsm as well as other libraries. Of course, the actual path to the library should be substituted.

I didn't see anything useful in syslog, either (and looking at the source code for libsofthsm2.so suggests that there isn't all that much logging).

BTW, the actual problem turned out to be that I had used a version 1 softhsm.conf file with version 2.2.0 - doh, but not surprising given what I am working on (compiling OpenDNSSEC from scratch on Alpine Linux to put into a docker container). I also later got the exact same message (also without helpful syslog messages) when the token directory didn't exist.

bellgrim commented 7 years ago

Thanks for making this more clear. We will review and update relevant code, when it comes to reading the configuration and accessing the token directory.

cryptohat commented 7 years ago

Just built on CentOS 7. Passed test but softhsm2-util is reporting the library not found. Would love to get this working but not a C++ dev so digging into code is less than helpful. No errors or details in /var/logs/messages. Hopefully there is a better place to look. Please advise.

bellgrim commented 7 years ago

I will give this some attention next time I am working on SoftHSM.

bellgrim commented 7 years ago

Is it better with #304 ?

bellgrim commented 7 years ago

Fixed in #304

shuchivt commented 7 years ago

How should the following statement change if SoftHSM is installed on Windows 10? pkcs11.load("/usr/local/lib/softhsm/libsofthsm2.so");

bellgrim commented 7 years ago

This is not related to the current issue, please open a new one.

gaia commented 6 years ago

For reference, I got this on Debian 9 (Raspbian) and a simple mkdir -p /var/lib/softhsm/tokens/ fixed it.

avastmick commented 5 years ago

@gaia - I can confirm that the /var/lib/softhsm/tokens dir is not created on install on Ubuntu 18.04.1. The mkdir fix resolves the error.
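
The two causes reported in this thread (a version 1 config file used with SoftHSM 2, and a token directory that does not exist) can be checked before running softhsm2-util. The script below is an added example, not part of the thread or of the SoftHSM project; the function name check_softhsm2_conf and its exit codes are made up here, and it assumes v1 files consist of `slot:path` lines and that v2 sets the token directory with `directories.tokendir`.

```shell
#!/bin/sh
# Pre-flight check for a SoftHSMv2 config file (added example, hypothetical helper).
# Exit codes: 0 ok, 1 config unreadable, 2 looks like SoftHSM v1 format,
#             3 no directories.tokendir entry, 4 token directory does not exist.
check_softhsm2_conf() {
    conf=${1:-${SOFTHSM2_CONF:-}}
    if [ -z "$conf" ] || [ ! -r "$conf" ]; then
        echo "config file not readable: ${conf:-<unset>}" >&2; return 1
    fi
    # Assumption: v1 files hold "<slot>:<db path>" lines, e.g. 0:/var/lib/softhsm/slot0.db
    if grep -Eq '^[[:space:]]*[0-9]+[[:space:]]*:' "$conf"; then
        echo "$conf looks like a SoftHSM v1 file (slot:path lines)" >&2; return 2
    fi
    # v2 files hold "key = value" lines; this sketch takes the last uncommented one.
    tokendir=$(sed -n 's/^[[:space:]]*directories\.tokendir[[:space:]]*=[[:space:]]*//p' "$conf" \
        | sed 's/[[:space:]]*$//' | tail -n 1)
    if [ -z "$tokendir" ]; then
        echo "$conf has no directories.tokendir entry" >&2; return 3
    fi
    if [ ! -d "$tokendir" ]; then
        echo "token directory does not exist: $tokendir" >&2; return 4
    fi
    echo "ok: $conf -> $tokendir"
}

# Demo on constructed config files in a scratch directory.
demo=$(mktemp -d)
printf '0:%s/slot0.db\n' "$demo" > "$demo/v1.conf"
printf 'directories.tokendir = %s/tokens\nobjectstore.backend = file\n' "$demo" > "$demo/v2.conf"
check_softhsm2_conf "$demo/v1.conf" || echo "rc=$?"   # v1 file: rc=2
check_softhsm2_conf "$demo/v2.conf" || echo "rc=$?"   # tokens/ not created yet: rc=4
mkdir -p "$demo/tokens"
check_softhsm2_conf "$demo/v2.conf"                   # passes once the directory exists
```
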

exoosh commented 1 year ago

> Yes, but as an application (softhsm2-util loads libsofthsm2.so (or any other PKCS#11 library if you use --module)) you will not get more error info from the PKCS#11 library than e.g. CKA_GENERAL_ERROR.
>
> In the case with SoftHSM, you will find more info in syslog. This is where the library can display its output.
>
> Could you check syslog and see if you get the desired error message?

You could also use pkcs11-spy, which comes installed alongside OpenSC. If you use that, you will get detailed information about each step. However, as long as it's not related to any PKCS#11 module but the config of SoftHSMv2 itself, it's unlikely to be of help.

For example, I've been using it like this (paths may vary depending on your setup):

```sh
export SOPIN=...
export USERPIN=...
export TOKLABEL="softhsm2 test"
# Create a per-user token directory and a copy of the sample config that points at it
mkdir -p "$HOME/softhsm/tokens"
sed "s|/var/lib/softhsm|$HOME/softhsm|" /usr/share/doc/softhsm2-common/examples/softhsm2.conf.sample | tee "$HOME/softhsm/softhsm2.conf"
# Initialize a token using that config
env SOFTHSM2_CONF="$HOME/softhsm/softhsm2.conf" softhsm2-util --init-token --slot 0 "--label=$TOKLABEL" --so-pin="$SOPIN" --pin="$USERPIN"
# Load pkcs11-spy as the module; PKCS11SPY names the real library whose calls it logs
env SOFTHSM2_CONF="$HOME/softhsm/softhsm2.conf" PKCS11SPY=/usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so pkcs11-tool --module /usr/lib/x86_64-linux-gnu/pkcs11/pkcs11-spy.so --login --pin="$USERPIN" --keypairgen --key-type rsa:4096 --id 0 "--label=$TOKLABEL"
```

Please note that the output can be quite verbose.