root@ca-user:/home/sanaullah# PKCS11SPY=/usr/lunasa/lib/libCryptoki2_64.so
root@ca-user:/home/sanaullah# export PKCS11SPY
Loading PKCS11 engine to openssl
OpenSSL> engine dynamic -pre SO_PATH:/usr/lib/ssl/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib/pkcs11-spy.so
(dynamic) Dynamic engine loading support

Loaded: (pkcs11) pkcs11 engine

***************Creating a certificate request using the key label rsa2048_2 ***

OpenSSL> req -engine pkcs11 -new -key slot_1-label_rsa2048_2 -keyform engine -out cert.pem -text -x509 -days 3640 -subj "/CN=TestCA"

*************** OpenSC PKCS#11 spy *****************
Loaded: "/usr/lunasa/lib/libCryptoki2_64.so"

0: C_GetFunctionList
Returned: 0 CKR_OK

1: C_Initialize
[in] pInitArgs = 0x7fff31a8d0f0
Returned: 0 CKR_OK

2: C_GetInfo
[out] pInfo:
cryptokiVersion: 2.20
manufacturerID: ' SafeNet, Inc. '
flags: 0
libraryDescription: ' Chrystoki '
libraryVersion: 5.1
Returned: 0 CKR_OK
engine "pkcs11" set.

3: C_GetSlotList
[in] tokenPresent = 0x0
[out] pSlotList:
Count is 4
[out] *pulCount = 0x4
Returned: 0 CKR_OK

4: C_GetSlotList
[in] tokenPresent = 0x0
[out] pSlotList:
Slot 1
Slot 2
Slot 3
Slot 4
[out] *pulCount = 0x4
Returned: 0 CKR_OK

5: C_GetSlotInfo
[in] slotID = 0x1
[out] pInfo:
slotDescription: 'LunaNet Slot '
' '
manufacturerID: 'Unknown '
hardwareVersion: 0.0
firmwareVersion: 0.0
flags: 7
CKF_TOKEN_PRESENT
CKF_REMOVABLE_DEVICE
CKF_HW_SLOT
Returned: 0 CKR_OK

6: C_GetTokenInfo
[in] slotID = 0x1
[out] pInfo:
label: 'CAUser '
manufacturerID: 'Safenet, Inc. '
model: 'LunaSA '
serialNumber: '154839010 '
ulMaxSessionCount: 0
ulSessionCount: 1
ulMaxRwSessionCount: 0
ulRwSessionCount: 1
ulMaxPinLen: 255
ulMinPinLen: 7
ulTotalPublicMemory: 16776568
ulFreePublicMemory: 16690200
ulTotalPrivateMemory: 16776704
ulFreePrivateMemory: 16754744
hardwareVersion: 0.0
firmwareVersion: 6.21
time: ' '
flags: 42d
CKF_RNG
CKF_LOGIN_REQUIRED
CKF_USER_PIN_INITIALIZED
CKF_RESTORE_KEY_NOT_NEEDED
CKF_TOKEN_INITIALIZED
Returned: 0 CKR_OK

7: C_GetSlotInfo
[in] slotID = 0x2
[out] pInfo:
slotDescription: 'Luna UHD Slot '
' '
manufacturerID: 'Unknown '
hardwareVersion: 0.0
firmwareVersion: 0.0
flags: 6
CKF_REMOVABLE_DEVICE
CKF_HW_SLOT
Returned: 0 CKR_OK

8: C_GetSlotInfo
[in] slotID = 0x3
[out] pInfo:
slotDescription: 'Luna UHD Slot '
' '
manufacturerID: 'Unknown '
hardwareVersion: 0.0
firmwareVersion: 0.0
flags: 6
CKF_REMOVABLE_DEVICE
CKF_HW_SLOT
Returned: 0 CKR_OK

9: C_GetSlotInfo
[in] slotID = 0x4
[out] pInfo:
slotDescription: 'Luna UHD Slot '
' '
manufacturerID: 'Unknown '
hardwareVersion: 0.0
firmwareVersion: 0.0
flags: 6
CKF_REMOVABLE_DEVICE
CKF_HW_SLOT
Returned: 0 CKR_OK

10: C_OpenSession
[in] slotID = 0x1
[in] flags = 0x4
pApplication=(nil)
Notify=(nil)
[out] *phSession = 0x1
Returned: 0 CKR_OK

11: C_FindObjectsInit
[in] hSession = 0x1
[in] pTemplate[1]:
CKA_CLASS CKO_CERTIFICATE
Returned: 0 CKR_OK

12: C_FindObjects
[in] hSession = 0x1
[in] ulMaxObjectCount = 0x1
[out] ulObjectCount = 0x0
Returned: 0 CKR_OK

13: C_FindObjectsFinal
[in] hSession = 0x1
Returned: 0 CKR_OK
PKCS#11 token PIN:

14: C_Login
[in] hSession = 0x1
[in] userType = CKU_USER
[in] pPin[ulPinLen] 0000000000e90720 / 24
71753378 51743430 2F336655 6269446E 52713770 70496F30
Returned: 0 CKR_OK

15: C_FindObjectsInit
[in] hSession = 0x1
[in] pTemplate[1]:
CKA_CLASS CKO_PRIVATE_KEY
Returned: 0 CKR_OK

16: C_FindObjects
[in] hSession = 0x1
[in] ulMaxObjectCount = 0x1
[out] ulObjectCount = 0x1
Object 0x12 matches
Returned: 0 CKR_OK

17: C_GetAttributeValue
[in] hSession = 0x1
[in] hObject = 0x12
[in] pTemplate[1]:
CKA_KEY_TYPE 00007fff31a8cfa0 / 8
[out] pTemplate[1]:
CKA_KEY_TYPE CKK_RSA
Returned: 0 CKR_OK

18: C_GetAttributeValue
[in] hSession = 0x1
[in] hObject = 0x12
[in] pTemplate[1]:
CKA_LABEL 00007fff31a8cd50 / 256
Segmentation fault (core dumped)

I am trying to compile the engine but I found this issue, I have installed the libssl-dev package version: 3.0.2-0ubuntu1.9, that is a possible solution.

What I am missing there?

Any help is welcome, thanks!

OS: ubuntu 22.04 (KDE neon 5.27)

See:
https://www.mail-archive.com/[email protected]/msg41245.html

The parse_pkcs11_uri in engine_pkcs11.c does not parse all the possible options even if they are to be ignored.
In particular, type= is ignored, but only if it has 2 of the 5 possible values. type=public produces an error:
"The key ID is not a valid PKCS#11 URI as defined by RFC7512"

it looks like type could be "public" / "private" / "cert" / "secret-key" / "data"
It also looks like parse_pkcs11_uri will fail to parse the "library-", "slot-", "model-"
and "'pin-source" attributes.

The above message is very misleading, as it imples it is parsing according to RFC 7512
but it is not.

I have no good way to test this.

Hi,

Does anyone have any instructions on building engine_pkcs11 and libp11 on Windows besides using cygwin? Anyone have experience with building in a VS2013 environment? The goal is to build dlls.

line 11 configure.ac
sed -r -i 's/^AM_CONFIG_HEADER/AC_CONFIG_HEADERS/' configure.ac

For an unknown reason, the PKCS11_enumerate_certs() call is failing inside pkcs11_load_key() when I attempt a signing operation using a SafeNet eToken 510x. After downloading the source and removing the check that this enumerate call was successful, the signing completes successfully.

It seems unnecessary for the enumerate call to succeed given that the only reason this call is made is to print the distinguished names of certificates on the device when in verbose mode. If there is any opportunity to get the error code from the P11D provider then it would be good to include this also in the pkcs11 error string.

https://github.com/OpenSC/engine_pkcs11/releases
states 0.2.1 but points to 0.2.2 in source; Seems to be wrong title version

This is on Linux Ubuntu 14.04 LTS, with softhsm installed via apt-get.

......
make[2]: Nothing to be done for `softhsm'.
make[2]: Leaving directory `/media/uri/Src/engine_pkcs11/tests'
make  check-TESTS
make[2]: Entering directory `/media/uri/Src/engine_pkcs11/tests'
make[3]: Entering directory `/media/uri/Src/engine_pkcs11/tests'
SKIP: softhsm
make[4]: Entering directory `/media/uri/Src/engine_pkcs11/tests'
make[4]: Nothing to be done for `all'.
make[4]: Leaving directory `/media/uri/Src/engine_pkcs11/tests'
============================================================================
Testsuite summary for engine_pkcs11 0.2.0
============================================================================
# TOTAL: 1
# PASS:  0
# SKIP:  1
# XFAIL: 0
# FAIL:  0
# XPASS: 0
# ERROR: 0
......

Hi,

What is the syntax (if it exists) to extract an RSA or ECDSA public key, in conjunction with openssl command line?

-Ivan

Version: 0.1.9_git
Libraries: /usr/local/lib
Hi,
My engine_pkcs11 has been configured with the following options:

Host: i686-pc-linux-gnu
Compiler: gcc
Preprocessor flags:
Compiler flags: -g -O2
Linker flags:
Libraries:

enginesdir $(libdir)/engines

LIBP11_CFLAGS: -I/usr/local/include
LIBP11_LIBS: -L/usr/local/lib -lp11
OPENSSL_CFLAGS:
OPENSSL_LIBS: -lcrypto
OPENSSL_EXTRA_LDFLAGS:
ENGINE_LINK:

Here is the output of make and make install commands.

root@nilotpal:/engine_pkcs11# make
make all-recursive
make[1]: Entering directory /home/sarat/engine_pkcs11' Making all in src make[2]: Entering directory/home/sarat/engine_pkcs11/src'
/bin/bash ../libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I. -I.. -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_NO_KRB5 -DL_ENDIAN -DTERMIO -DENGINE_DYNAMIC_SUPPORT -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -I/usr/local/include -g -O2 -MT engine_pkcs11_la-hw_pkcs11.lo -MD -MP -MF .deps/engine_pkcs11_la-hw_pkcs11.Tpo -c -o engine_pkcs11_la-hw_pkcs11.lo test -f 'hw_pkcs11.c' || echo './'hw_pkcs11.c
libtool: compile: gcc -DHAVE_CONFIG_H -I. -I.. -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_NO_KRB5 -DL_ENDIAN -DTERMIO -DENGINE_DYNAMIC_SUPPORT -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -I/usr/local/include -g -O2 -MT engine_pkcs11_la-hw_pkcs11.lo -MD -MP -MF .deps/engine_pkcs11_la-hw_pkcs11.Tpo -c hw_pkcs11.c -fPIC -DPIC -o .libs/engine_pkcs11_la-hw_pkcs11.o
hw_pkcs11.c: In function 'bind_helper':
hw_pkcs11.c:202:3: warning: passing argument 2 of 'ENGINE_set_ECDSA' makes pointer from integer without a cast [enabled by default]
!ENGINE_set_ECDSA(e, PKCS11_get_ecdsa_method()) ||
^
In file included from hw_pkcs11.c:69:0:
/usr/include/openssl/engine.h:480:5: note: expected 'const struct ECDSA_METHOD ' but argument is of type 'int'
int ENGINE_set_ECDSA(ENGINE *e, const ECDSA_METHOD *ecdsa_meth);
^
libtool: compile: gcc -DHAVE_CONFIG_H -I. -I.. -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_NO_KRB5 -DL_ENDIAN -DTERMIO -DENGINE_DYNAMIC_SUPPORT -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -I/usr/local/include -g -O2 -MT engine_pkcs11_la-hw_pkcs11.lo -MD -MP -MF .deps/engine_pkcs11_la-hw_pkcs11.Tpo -c hw_pkcs11.c -o engine_pkcs11_la-hw_pkcs11.o >/dev/null 2>&1
mv -f .deps/engine_pkcs11_la-hw_pkcs11.Tpo .deps/engine_pkcs11_la-hw_pkcs11.Plo
/bin/bash ../libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I. -I.. -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_NO_KRB5 -DL_ENDIAN -DTERMIO -DENGINE_DYNAMIC_SUPPORT -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -I/usr/local/include -g -O2 -MT engine_pkcs11_la-engine_pkcs11.lo -MD -MP -MF .deps/engine_pkcs11_la-engine_pkcs11.Tpo -c -o engine_pkcs11_la-engine_pkcs11.lo test -f 'engine_pkcs11.c' || echo './'engine_pkcs11.c
libtool: compile: gcc -DHAVE_CONFIG_H -I. -I.. -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_NO_KRB5 -DL_ENDIAN -DTERMIO -DENGINE_DYNAMIC_SUPPORT -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -I/usr/local/include -g -O2 -MT engine_pkcs11_la-engine_pkcs11.lo -MD -MP -MF .deps/engine_pkcs11_la-engine_pkcs11.Tpo -c engine_pkcs11.c -fPIC -DPIC -o .libs/engine_pkcs11_la-engine_pkcs11.o
libtool: compile: gcc -DHAVE_CONFIG_H -I. -I.. -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_NO_KRB5 -DL_ENDIAN -DTERMIO -DENGINE_DYNAMIC_SUPPORT -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -I/usr/local/include -g -O2 -MT engine_pkcs11_la-engine_pkcs11.lo -MD -MP -MF .deps/engine_pkcs11_la-engine_pkcs11.Tpo -c engine_pkcs11.c -o engine_pkcs11_la-engine_pkcs11.o >/dev/null 2>&1
mv -f .deps/engine_pkcs11_la-engine_pkcs11.Tpo .deps/engine_pkcs11_la-engine_pkcs11.Plo
/bin/bash ../libtool --tag=CC --mode=link gcc -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_NO_KRB5 -DL_ENDIAN -DTERMIO -DENGINE_DYNAMIC_SUPPORT -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -I/usr/local/include -g -O2 -module -shared -avoid-version -export-symbols "./engine_pkcs11.exports" -no-undefined -o engine_pkcs11.la -rpath /usr/local/lib/engines engine_pkcs11_la-hw_pkcs11.lo engine_pkcs11_la-engine_pkcs11.lo -lcrypto -L/usr/local/lib -lp11
libtool: link: echo "{ global:" > .libs/engine_pkcs11.ver
libtool: link: cat ./engine_pkcs11.exports | sed -e "s/(.)/\1;/" >> .libs/engine_pkcs11.ver
libtool: link: echo "local: *; };" >> .libs/engine_pkcs11.ver
libtool: link: gcc -shared -fPIC -DPIC .libs/engine_pkcs11_la-hw_pkcs11.o .libs/engine_pkcs11_la-engine_pkcs11.o -lcrypto -L/usr/local/lib /usr/local/lib/libp11.so -O2 -Wl,-soname -Wl,engine_pkcs11.so -Wl,-version-script -Wl,.libs/engine_pkcs11.ver -o .libs/engine_pkcs11.so
libtool: link: ( cd ".libs" && rm -f "engine_pkcs11.la" && ln -s "../engine_pkcs11.la" "engine_pkcs11.la" )
make[2]: Leaving directory /home/sarat/engine_pkcs11/src' make[2]: Entering directory/home/sarat/engine_pkcs11'
make[2]: Leaving directory /home/sarat/engine_pkcs11' make[1]: Leaving directory/home/sarat/engine_pkcs11'
root@nilotpal:/engine_pkcs11# make install
Making install in src
make[1]: Entering directory /home/sarat/engine_pkcs11/src' make[2]: Entering directory/home/sarat/engine_pkcs11/src'
make[2]: Nothing to be done for `install-exec-am'.
/bin/mkdir -p '/usr/local/lib/engines'
/bin/bash ../libtool --mode=install /usr/bin/install -c engine_pkcs11.la '/usr/local/lib/engines'
libtool: install: /usr/bin/install -c .libs/engine_pkcs11.so /usr/local/lib/engines/engine_pkcs11.so
libtool: install: /usr/bin/install -c .libs/engine_pkcs11.lai /usr/local/lib/engines/engine_pkcs11.la

libtool: finish: PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/sbin" ldconfig -n /usr/local/lib/engines

Libraries have been installed in:
/usr/local/lib/engines

If you ever happen to want to link against installed libraries
in a given directory, LIBDIR, you must either use libtool, and
specify the full pathname of the library, or use the `-LLIBDIR'
flag during linking and do at least one of the following:

• add LIBDIR to the `LD_LIBRARY_PATH' environment variable
  during execution
• add LIBDIR to the `LD_RUN_PATH' environment variable
  during linking
• use the `-Wl,-rpath -Wl,LIBDIR' linker flag
• have your system administrator add LIBDIR to `/etc/ld.so.conf'

See any operating system documentation about shared libraries for

more information, such as the ld(1) and ld.so(8) manual pages.

make[2]: Leaving directory /home/sarat/engine_pkcs11/src' make[1]: Leaving directory/home/sarat/engine_pkcs11/src'
make[1]: Entering directory /home/sarat/engine_pkcs11' make[2]: Entering directory/home/sarat/engine_pkcs11'
make[2]: Nothing to be done for install-exec-am'. /bin/mkdir -p '/usr/local/share/doc/engine_pkcs11' /usr/bin/install -c -m 644 NEWS '/usr/local/share/doc/engine_pkcs11' make[2]: Leaving directory/home/sarat/engine_pkcs11'
make[1]: Leaving directory /home/sarat/engine_pkcs11' root@nilotpal:~/engine_pkcs11# clear root@nilotpal:~/engine_pkcs11# make clean Making clean in src make[1]: Entering directory/home/sarat/engine_pkcs11/src'
test -z "engine_pkcs11.la" || rm -f engine_pkcs11.la
rm -f ./so_locations
rm -rf .libs _libs
rm -f _.o
rm -f *.lo
make[1]: Leaving directory /home/sarat/engine_pkcs11/src' make[1]: Entering directory/home/sarat/engine_pkcs11'
rm -rf .libs _libs
rm -f *.lo
make[1]: Leaving directory /home/sarat/engine_pkcs11' root@nilotpal:~/engine_pkcs11# clear root@nilotpal:~/engine_pkcs11# make make all-recursive make[1]: Entering directory/home/sarat/engine_pkcs11'
Making all in src
make[2]: Entering directory /home/sarat/engine_pkcs11/src' /bin/bash ../libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I. -I.. -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_NO_KRB5 -DL_ENDIAN -DTERMIO -DENGINE_DYNAMIC_SUPPORT -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -I/usr/local/include -g -O2 -MT engine_pkcs11_la-hw_pkcs11.lo -MD -MP -MF .deps/engine_pkcs11_la-hw_pkcs11.Tpo -c -o engine_pkcs11_la-hw_pkcs11.lotest -f 'hw_pkcs11.c' || echo './'hw_pkcs11.c libtool: compile: gcc -DHAVE_CONFIG_H -I. -I.. -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_NO_KRB5 -DL_ENDIAN -DTERMIO -DENGINE_DYNAMIC_SUPPORT -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -I/usr/local/include -g -O2 -MT engine_pkcs11_la-hw_pkcs11.lo -MD -MP -MF .deps/engine_pkcs11_la-hw_pkcs11.Tpo -c hw_pkcs11.c -fPIC -DPIC -o .libs/engine_pkcs11_la-hw_pkcs11.o hw_pkcs11.c: In function 'bind_helper': hw_pkcs11.c:202:3: warning: passing argument 2 of 'ENGINE_set_ECDSA' makes pointer from integer without a cast [enabled by default] !ENGINE_set_ECDSA(e, PKCS11_get_ecdsa_method()) || ^ In file included from hw_pkcs11.c:69:0: /usr/include/openssl/engine.h:480:5: note: expected 'const struct ECDSA_METHOD *' but argument is of type 'int' int ENGINE_set_ECDSA(ENGINE *e, const ECDSA_METHOD *ecdsa_meth); ^ libtool: compile: gcc -DHAVE_CONFIG_H -I. -I.. -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_NO_KRB5 -DL_ENDIAN -DTERMIO -DENGINE_DYNAMIC_SUPPORT -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -I/usr/local/include -g -O2 -MT engine_pkcs11_la-hw_pkcs11.lo -MD -MP -MF .deps/engine_pkcs11_la-hw_pkcs11.Tpo -c hw_pkcs11.c -o engine_pkcs11_la-hw_pkcs11.o >/dev/null 2>&1 mv -f .deps/engine_pkcs11_la-hw_pkcs11.Tpo .deps/engine_pkcs11_la-hw_pkcs11.Plo /bin/bash ../libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I. -I.. -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_NO_KRB5 -DL_ENDIAN -DTERMIO -DENGINE_DYNAMIC_SUPPORT -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -I/usr/local/include -g -O2 -MT engine_pkcs11_la-engine_pkcs11.lo -MD -MP -MF .deps/engine_pkcs11_la-engine_pkcs11.Tpo -c -o engine_pkcs11_la-engine_pkcs11.lotest -f 'engine_pkcs11.c' || echo './'engine_pkcs11.c libtool: compile: gcc -DHAVE_CONFIG_H -I. -I.. -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_NO_KRB5 -DL_ENDIAN -DTERMIO -DENGINE_DYNAMIC_SUPPORT -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -I/usr/local/include -g -O2 -MT engine_pkcs11_la-engine_pkcs11.lo -MD -MP -MF .deps/engine_pkcs11_la-engine_pkcs11.Tpo -c engine_pkcs11.c -fPIC -DPIC -o .libs/engine_pkcs11_la-engine_pkcs11.o libtool: compile: gcc -DHAVE_CONFIG_H -I. -I.. -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_NO_KRB5 -DL_ENDIAN -DTERMIO -DENGINE_DYNAMIC_SUPPORT -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -I/usr/local/include -g -O2 -MT engine_pkcs11_la-engine_pkcs11.lo -MD -MP -MF .deps/engine_pkcs11_la-engine_pkcs11.Tpo -c engine_pkcs11.c -o engine_pkcs11_la-engine_pkcs11.o >/dev/null 2>&1 mv -f .deps/engine_pkcs11_la-engine_pkcs11.Tpo .deps/engine_pkcs11_la-engine_pkcs11.Plo /bin/bash ../libtool --tag=CC --mode=link gcc -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_NO_KRB5 -DL_ENDIAN -DTERMIO -DENGINE_DYNAMIC_SUPPORT -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -I/usr/local/include -g -O2 -module -shared -avoid-version -export-symbols "./engine_pkcs11.exports" -no-undefined -o engine_pkcs11.la -rpath /usr/local/lib/engines engine_pkcs11_la-hw_pkcs11.lo engine_pkcs11_la-engine_pkcs11.lo -lcrypto -L/usr/local/lib -lp11 libtool: link: echo "{ global:" > .libs/engine_pkcs11.ver libtool: link: cat ./engine_pkcs11.exports | sed -e "s/(._)/\1;/" >> .libs/engine_pkcs11.ver libtool: link: echo "local: *; };" >> .libs/engine_pkcs11.ver libtool: link: gcc -shared -fPIC -DPIC .libs/engine_pkcs11_la-hw_pkcs11.o .libs/engine_pkcs11_la-engine_pkcs11.o -lcrypto -L/usr/local/lib /usr/local/lib/libp11.so -O2 -Wl,-soname -Wl,engine_pkcs11.so -Wl,-version-script -Wl,.libs/engine_pkcs11.ver -o .libs/engine_pkcs11.so libtool: link: ( cd ".libs" && rm -f "engine_pkcs11.la" && ln -s "../engine_pkcs11.la" "engine_pkcs11.la" ) make[2]: Leaving directory /home/sarat/engine_pkcs11/src'
make[2]: Entering directory/home/sarat/engine_pkcs11' make[2]: Leaving directory /home/sarat/engine_pkcs11'
make[1]: Leaving directory/home/sarat/engine_pkcs11' root@nilotpal:~/engine_pkcs11# make install Making install in src make[1]: Entering directory /home/sarat/engine_pkcs11/src'
make[2]: Entering directory/home/sarat/engine_pkcs11/src' make[2]: Nothing to be done for install-exec-am'.
/bin/mkdir -p '/usr/local/lib/engines'
/bin/bash ../libtool --mode=install /usr/bin/install -c engine_pkcs11.la '/usr/local/lib/engines'
libtool: install: /usr/bin/install -c .libs/engine_pkcs11.so /usr/local/lib/engines/engine_pkcs11.so
libtool: install: /usr/bin/install -c .libs/engine_pkcs11.lai /usr/local/lib/engines/engine_pkcs11.la

libtool: finish: PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/sbin" ldconfig -n /usr/local/lib/engines

Libraries have been installed in:
/usr/local/lib/engines

If you ever happen to want to link against installed libraries
in a given directory, LIBDIR, you must either use libtool, and
specify the full pathname of the library, or use the `-LLIBDIR'
flag during linking and do at least one of the following:

• add LIBDIR to the `LD_LIBRARY_PATH' environment variable
  during execution
• add LIBDIR to the `LD_RUN_PATH' environment variable
  during linking
• use the `-Wl,-rpath -Wl,LIBDIR' linker flag
• have your system administrator add LIBDIR to `/etc/ld.so.conf'

See any operating system documentation about shared libraries for

more information, such as the ld(1) and ld.so(8) manual pages.

make[2]: Leaving directory /home/sarat/engine_pkcs11/src' make[1]: Leaving directory/home/sarat/engine_pkcs11/src'
make[1]: Entering directory /home/sarat/engine_pkcs11' make[2]: Entering directory/home/sarat/engine_pkcs11'
make[2]: Nothing to be done for install-exec-am'. /bin/mkdir -p '/usr/local/share/doc/engine_pkcs11' /usr/bin/install -c -m 644 NEWS '/usr/local/share/doc/engine_pkcs11' make[2]: Leaving directory/home/sarat/engine_pkcs11'
make[1]: Leaving directory `/home/sarat/engine_pkcs11'
root@nilotpal:~/engine_pkcs11#

After this I couldn't find that engine_pkcs11 is running. Please have a look into the below output.
root@nilotpal:~/engine_pkcs11# openssl
OpenSSL> engine
(dynamic) Dynamic engine loading support
OpenSSL>

Can some one please help me in resolving this issue, and also please let me know how to install engine_pkcs11 step by step and to verify whether it's working fine.

Thanks and Regards,
Sarat G

Hi,

I am getting segmentation fault 11 when trying to load the engine on El Capitan 10.11.1. I installed engine_pkcs11 via brew along with the dependencies. I also have OpenSC 0.15.

The following line produces segmentation fault:
engine dynamic -pre SO_PATH:/usr/local/Cellar/engine_pkcs11/0.1.8/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/Library/OpenSC/lib/pkcs11/opensc-pkcs11.so

However, the following line executes ok:
engine dynamic -pre SO_PATH:/usr/local/Cellar/engine_pkcs11/0.1.8/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD

Subsequently trying to make a certificate request again results in segmentation fault.

Any help will be appreciated!

File src/engine_pkcs11.c, around line 989:

    /* Make sure there is at least one private key on the token */
    if (PKCS11_enumerate_keys(tok, &keys, &key_count)) {
        fail("unable to enumerate keys\n");
    }
    if (key_count == 0) {
        fail("No keys found.\n");
    }

    if (verbose) {
        fprintf(stderr, "Found %u key%s:\n", key_count,
            (key_count <= 1) ? "" : "s");
    }

Call to PKCS11_enumerate_keys() returns only the private keys. I think it should include public keys as well.

If this function/method is unable to do so, what are the alternatives?

Moving from openssl 0.9.8h to openssl 1.0.0.e, using engine_pkcs11 and libp11 from the opensc project repositories.

When I try the digest command which is OK with 0.9.8(e.g.):

openssl dgst -engine pkcs11 -keyform engine -binary -sha1 -sign 10:a93d76ef41f5bb08f17cff81479a664646f66362 file 

I now get the following errors:

3085010592:error:260C0065:engine routines:ENGINE_get_pkey_meth:unimplemented public key method:tb_pkmeth.c:127: 
3085010592:error:0609D09C:digital envelope routines:INT_CTX_NEW:unsupported algorithm:pmeth_lib.c:164: 

It appears that the openssl engine interface has evolved & engine_pkcs11 is not currently compatible

I've looked at the code here
https://github.com/OpenSC/engine_pkcs11/blob/master/src/engine_pkcs11.c#L1003
I find that there is no difference between pkcs11_load_public_key and pkcs11_load_private_key. because whether isPrivate is 0 or 1 we execute the same code. Is it a bug? Thanks in advance for your reply.

Allow OpenSSL to automatically select the client certificate and authenticate with the corresponding private key.

Currently I have to manually edit config.h to make this:

/* p11-kit proxy */
#define DEFAULT_PKCS11_MODULE "/Library/OpenSC/lib/opensc-pkcs11.dylib"

It would be nice if either the config script could figure it out by itself, or I could point it at the correct library at the configuration time (rather than editing the config file).

The page needs updateing because the name of engine has changed names.

https://github.com/OpenSC/OpenSC/wiki/Engine-pkcs11-quickstart

Xcode-7.2 (latest)

./configure.py --prefix=/opt/local --with-boost --with-bzip2 --with-lzma --with-openssl --with-zlib --with-sqlite3 --with-python-version=2.7 --with-sphinx --cc=clang --cc-abi-flags='-maes -mpclmul -mssse3 -msse4.2 -mrdrnd -I/opt/local/include'
   INFO: Platform: OS="Darwin" machine="x86_64" proc="i386"
   INFO: Guessing target OS is darwin (use --os to set)
   INFO: Guessing target processor is a x86_64/x86_64 (use --cpu to set)
   INFO: Target is clang-darwin-x86_64-x86_64
   INFO: Skipping, by request only - cvc
   INFO: Skipping, incompatible CPU - mp_x86_32 simd_altivec
   INFO: Skipping, incompatible OS - beos_stats cryptoapi_rng dyn_load win32_stats
   INFO: Skipping, incompatible compiler - mp_x86_32_msvc
# Compiler Options
   INFO: Skipping, loaded only if needed by dependency - mp_generic simd_scalar
   INFO: Skipping, requires external dependency - tpm
   INFO: Using MP module mp_x86_64
   INFO: Using SIMD module simd_sse2
   INFO: Loading modules adler32 aead aes aes_ni aes_ssse3 aont asn1 auto_rng base base64 bcrypt bigint block blowfish boost bzip2 camellia cascade cast cbc cbc_mac ccm cfb chacha chacha20poly1305 clmul cmac codec_filt comb4p compression crc24 crc32 cryptobox ctr curve25519 darwin_secrandom datastor des dev_random dh dl_algo dl_group dlies dsa eax ec_gfp ec_group ecb ecc_key ecdh ecdsa egd elgamal eme_oaep eme_pkcs1 eme_raw emsa1 emsa1_bsi emsa_pkcs1 emsa_pssr emsa_raw emsa_x931 entropy fd_unix ffi filters fpe_fe1 gcm gost_28147 gost_3410 gost_3411 has160 hash hash_id hex hkdf hmac hmac_drbg hmac_rng hres_timer http_util idea idea_sse2 if_algo kasumi kdf kdf1 kdf2 keccak keypair lion locking_allocator lzma mac mars mce mceies md2 md4 md5 mdx_hash mgf1 misty1 mode_pad modes mp mp_x86_64 noekeon noekeon_simd nr numbertheory ocb ofb oid_lookup openpgp openssl par_hash passhash9 pbes2 pbkdf pbkdf1 pbkdf2 pem pk_pad poly1305 prf_tls prf_x942 proc_walk pubkey rc2 rc4 rc5 rc6 rdrand rdseed rfc3394 rfc6979 rmd128 rmd160 rng rsa rw safer salsa20 seed serpent serpent_simd sessions_sql sessions_sqlite3 sha1 sha1_sse2 sha2_32 sha2_64 simd simd_sse2 siphash siv skein sqlite3 srp6 stream system_rng tea threefish threefish_avx2 tiger tls tss twofish unix_procs utils whirlpool x509 x919_mac x931_rng xtea xtea_simd xts zlib
   INFO: Enabling use of external dependency boost
   INFO: Enabling use of external dependency bzip2
   INFO: Enabling use of external dependency lzma
   INFO: Enabling use of external dependency openssl
   INFO: Enabling use of external dependency sqlite3
   INFO: Enabling use of external dependency zlib
   INFO: Assuming CPU is little endian
   INFO: Assuming unaligned memory access works
   INFO: Using symlink to link files into build dir (use --link-method to change)
   INFO: Botan 1.11.26 (unreleased undated) build setup is complete
$ make
clang++  -m64 -pthread -maes -mpclmul -mssse3 -msse4.2 -mrdrnd -I/opt/local/include -fPIC -fvisibility=hidden -std=c++11 -D_REENTRANT -fstack-protector -O3 -Wall -Wextra -Wstrict-aliasing -Wstrict-overflow=5 -Wcast-align -Wmissing-declarations -Wpointer-arith -Wcast-qual -Wunreachable-code -Ibuild/include -c ./src/lib/asn1/alg_id.cpp -o build/obj/lib/asn1_alg_id.o
clang++  -m64 -pthread -maes -mpclmul -mssse3 -msse4.2 -mrdrnd -I/opt/local/include -fPIC -fvisibility=hidden -std=c++11 -D_REENTRANT -fstack-protector -O3 -Wall -Wextra -Wstrict-aliasing -Wstrict-overflow=5 -Wcast-align -Wmissing-declarations -Wpointer-arith -Wcast-qual -Wunreachable-code -Ibuild/include -c ./src/lib/asn1/asn1_alt_name.cpp -o build/obj/lib/asn1_alt_name.o
clang++  -m64 -pthread -maes -mpclmul -mssse3 -msse4.2 -mrdrnd -I/opt/local/include -fPIC -fvisibility=hidden -std=c++11 -D_REENTRANT -fstack-protector -O3 -Wall -Wextra -Wstrict-aliasing -Wstrict-overflow=5 -Wcast-align -Wmissing-declarations -Wpointer-arith -Wcast-qual -Wunreachable-code -Ibuild/include -c ./src/lib/asn1/asn1_attribute.cpp -o build/obj/lib/asn1_attribute.o
.........
clang: warning: argument unused during compilation: '-pthread'
ln -fs libbotan-1.11.26.26.dylib ./libbotan-1.11.26.dylib
ln -fs libbotan-1.11.26.26.dylib ./libbotan-1.11.dylib
clang++  -m64 -pthread -maes -mpclmul -mssse3 -msse4.2 -mrdrnd -I/opt/local/include -std=c++11 -D_REENTRANT -fstack-protector -O3 -Wall -Wextra -Wstrict-aliasing -Wstrict-overflow=5 -Wcast-align -Wmissing-declarations -Wpointer-arith -Wcast-qual -Wunreachable-code -Ibuild/include -c ./src/cli/asn1.cpp -o build/obj/cli/asn1.o
clang++  -m64 -pthread -maes -mpclmul -mssse3 -msse4.2 -mrdrnd -I/opt/local/include -std=c++11 -D_REENTRANT -fstack-protector -O3 -Wall -Wextra -Wstrict-aliasing -Wstrict-overflow=5 -Wcast-align -Wmissing-declarations -Wpointer-arith -Wcast-qual -Wunreachable-code -Ibuild/include -c ./src/cli/bench.cpp -o build/obj/cli/bench.o
clang++  -m64 -pthread -maes -mpclmul -mssse3 -msse4.2 -mrdrnd -I/opt/local/include -std=c++11 -D_REENTRANT -fstack-protector -O3 -Wall -Wextra -Wstrict-aliasing -Wstrict-overflow=5 -Wcast-align -Wmissing-declarations -Wpointer-arith -Wcast-qual -Wunreachable-code -Ibuild/include -c ./src/cli/cc_enc.cpp -o build/obj/cli/cc_enc.o
clang++  -m64 -pthread -maes -mpclmul -mssse3 -msse4.2 -mrdrnd -I/opt/local/include -std=c++11 -D_REENTRANT -fstack-protector -O3 -Wall -Wextra -Wstrict-aliasing -Wstrict-overflow=5 -Wcast-align -Wmissing-declarations -Wpointer-arith -Wcast-qual -Wunreachable-code -Ibuild/include -c ./src/cli/compress.cpp -o build/obj/cli/compress.o
clang++  -m64 -pthread -maes -mpclmul -mssse3 -msse4.2 -mrdrnd -I/opt/local/include -std=c++11 -D_REENTRANT -fstack-protector -O3 -Wall -Wextra -Wstrict-aliasing -Wstrict-overflow=5 -Wcast-align -Wmissing-declarations -Wpointer-arith -Wcast-qual -Wunreachable-code -Ibuild/include -c ./src/cli/main.cpp -o build/obj/cli/main.o
clang++  -m64 -pthread -maes -mpclmul -mssse3 -msse4.2 -mrdrnd -I/opt/local/include -std=c++11 -D_REENTRANT -fstack-protector -O3 -Wall -Wextra -Wstrict-aliasing -Wstrict-overflow=5 -Wcast-align -Wmissing-declarations -Wpointer-arith -Wcast-qual -Wunreachable-code -Ibuild/include -c ./src/cli/math.cpp -o build/obj/cli/math.o
clang++  -m64 -pthread -maes -mpclmul -mssse3 -msse4.2 -mrdrnd -I/opt/local/include -std=c++11 -D_REENTRANT -fstack-protector -O3 -Wall -Wextra -Wstrict-aliasing -Wstrict-overflow=5 -Wcast-align -Wmissing-declarations -Wpointer-arith -Wcast-qual -Wunreachable-code -Ibuild/include -c ./src/cli/pubkey.cpp -o build/obj/cli/pubkey.o
./src/cli/pubkey.cpp:132:60: error: reference to non-static member function must be
      called; did you mean to call it with no arguments?
               write_output(Botan::PKCS8::BER_encode(*key, rng, pass, pbe_mi...
                                                           ^~~
                                                              ()
./src/cli/pubkey.cpp:143:59: error: reference to non-static member function must be
      called; did you mean to call it with no arguments?
               output() << Botan::PKCS8::PEM_encode(*key, rng, pass, pbe_mil...
                                                          ^~~
                                                             ()
./src/cli/pubkey.cpp:189:60: error: reference to non-static member function must be
      called; did you mean to call it with no arguments?
         output() << Botan::base64_encode(signer.signature(rng)) << "\n";
                                                           ^~~
                                                              ()
3 errors generated.
make: *** [build/obj/cli/pubkey.o] Error 1

Mac OS X 10.10.5, Xcode-7.2.

$ type -all pkcs11-tool
pkcs11-tool is /usr/local/bin/pkcs11-tool
$ ls -l /opt/local/lib/softhsm
total 7480
drwxr-xr-x    5 root      staff      170 Jan  6 16:34 ./
drwxr-xr-x  756 macports  staff    25704 Jan  6 16:34 ../
-rw-r--r--    1 root      staff  2552912 Jan  6 16:34 libsofthsm2.a
-rwxr-xr-x    1 root      staff      955 Jan  6 16:34 libsofthsm2.la*
-rwxr-xr-x    1 root      staff  1268976 Jan  6 16:34 libsofthsm2.so*
$ make check
Making check in src
make[1]: Nothing to be done for `check'.
Making check in tests
/Applications/Xcode.app/Contents/Developer/usr/bin/make  evp-sign \
      softhsm
clang -DHAVE_CONFIG_H -I. -I..  -I../ -I../  -I/opt/local/include -maes -mpclmul -mrdrnd -msse2 -mssse3 -msse4 -msse4.2 -maes -mpclmul -mrdrnd -msse2 -mssse3 -msse4 -msse4.2 -MT evp-sign.o -MD -MP -MF .deps/evp-sign.Tpo -c -o evp-sign.o evp-sign.c
evp-sign.c:211:10: warning: enumeration value 'NONE' not handled in switch [-Wswitch]
        switch (pin_method) {
                ^
1 warning generated.
mv -f .deps/evp-sign.Tpo .deps/evp-sign.Po
/bin/sh ../libtool  --tag=CC   --mode=link clang -I/opt/local/include -maes -mpclmul -mrdrnd -msse2 -mssse3 -msse4 -msse4.2 -maes -mpclmul -mrdrnd -msse2 -mssse3 -msse4 -msse4.2 -no-install  -o evp-sign evp-sign.o -L/opt/local/lib -lssl -lcrypto 
libtool: warning: '-no-install' is ignored for x86_64-apple-darwin14.5.0
libtool: warning: assuming '-no-fast-install' instead
libtool: link: clang -I/opt/local/include -maes -mpclmul -mrdrnd -msse2 -mssse3 -msse4 -msse4.2 -maes -mpclmul -mrdrnd -msse2 -mssse3 -msse4 -msse4.2 -o evp-sign evp-sign.o  -L/opt/local/lib -lssl -lcrypto
make[2]: Nothing to be done for `softhsm'.
/Applications/Xcode.app/Contents/Developer/usr/bin/make  check-TESTS
FAIL: softhsm
============================================================================
Testsuite summary for engine_pkcs11 0.2.1_git
============================================================================
# TOTAL: 1
# PASS:  0
# SKIP:  0
# XFAIL: 0
# FAIL:  1
# XPASS: 0
# ERROR: 0
============================================================================
See tests/test-suite.log
============================================================================
make[3]: *** [test-suite.log] Error 1
make[2]: *** [check-TESTS] Error 2
make[1]: *** [check-am] Error 2
make: *** [check-recursive] Error 1
$ cat tests/test-suite.log
===================================================
   engine_pkcs11 0.2.1_git: tests/test-suite.log
===================================================

# TOTAL: 1
# PASS:  0
# SKIP:  0
# XFAIL: 0
# FAIL:  1
# XPASS: 0
# ERROR: 0

.. contents:: :depth: 2

FAIL: softhsm
=============

-n * Initializing smart card... 
ok
Using slot 0 with a present token (0x0)
Using slot 0 with a present token (0x0)
Using slot 0 with a present token (0x0)
***************
Listing objects
***************
Using slot 0 with a present token (0x0)
Private Key Object; RSA 
  label:      server-key
  ID:         00010203
  Usage:      decrypt, sign, unwrap
Certificate Object, type = X.509 cert
  label:      server-key
  ID:         00010203
Public Key Object; RSA 2048 bits
  label:      server-key
  ID:         00010203
  Usage:      encrypt, verify, wrap
At main.c:197:
- SSL error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library: dso_dlfcn.c:187
- SSL error:25070067:DSO support routines:DSO_load:could not load the shared library: dso_lib.c:232
- SSL error:260B6084:engine routines:DYNAMIC_LOAD:dso not found: eng_dyn.c:465
- SSL error:2606A074:engine routines:ENGINE_by_id:no such engine: eng_list.c:390
Basic PKCS #11 test, using ctrl failed
FAIL softhsm (exit status: 1)

Is it planned to add the random number generation functionality to the engine?

Regards,

File src/engine_pkcs11.c around line 983.

It appears that it always requests to perform login, which in turn (function pkcs11_login(), line 753) only checks whether the token requires login. I think it should do that only for private keys, or when the key is marked CKR_ATTRIBUTE_SENSITIVE.

Hello,
The last release of this project is 5 years old, and the changes since then are quite significant. Please consider making an official release.

What is the recommended approach to handle applications that initialize the engine and then fork()? As it is now these applications simply fail to operate. A small example that fails after fork is shown below. Run it as "a.out pkcs11:url PIN"

#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <stdbool.h>
#include <assert.h>
#include <string.h>
#include <getopt.h>
#include <err.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <arpa/inet.h>
#include <openssl/bio.h>
#include <openssl/evp.h>
#include <openssl/pem.h>
#include <openssl/pkcs7.h>
#include <openssl/err.h>
#include <openssl/engine.h>

int main(int argc, char **argv)
{
    char *private_key_name;
    unsigned char buf[4096];
    EVP_PKEY *private_key;
    EVP_MD_CTX ctx;
    int rc;
    unsigned int sig_len;
    char *key_pass;
    pid_t pid;
    int status = 0;
    ENGINE *e;

    OpenSSL_add_all_algorithms();
    ERR_load_crypto_strings();
    ERR_clear_error();

    ENGINE_load_builtin_engines();

    e = ENGINE_by_id("pkcs11");
    if (!e) abort();


    if (argc < 3) {
        fprintf(stderr, "usage: tool key pass\n");
        exit(1);
    }
    private_key_name = argv[1];
    key_pass = argv[2];


    if (!ENGINE_init(e))
        abort();
    ENGINE_ctrl_cmd_string(e, "PIN", key_pass, 0);
    private_key = ENGINE_load_private_key(e, private_key_name, NULL,
                          NULL);
    if (!private_key)
        abort();

    /* Digest the module data. */
    OpenSSL_add_all_digests();
#if 1
    pid = fork();
    if (pid == -1)
        abort();

    if (pid != 0) {
        waitpid(pid, &status, 0);

        if (WIFEXITED(status)) {
            printf("ok");
            return 0;
        } else {
            return 1;
        }
    }
#endif

    rc = EVP_SignInit(&ctx, EVP_get_digestbyname("SHA1"));
    assert(rc == 1);

    rc = EVP_SignUpdate(&ctx, "hellothere", 8);
    assert(rc == 1);

    sig_len = sizeof(buf);
    rc = EVP_SignFinal(&ctx, buf, &sig_len, private_key);
    assert(rc == 1);


    printf("sign-ok\n");

    return 0;
}