
I'm trying to run openssl in combination with a PKCS#11 hardware security module (currently trying with Yubikey 5). All documentation and tutorials I find tell me that I have to use OpenSC as "engine", and the openssl command always looks something like this:

OpenSSL> engine -t dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so
         -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD 
         -pre MODULE_PATH:opensc-pkcs11.so

But where do I get this engine_pkcs11.so from? I cannot find it in any package of any distribution. I found the OpenSC/engine_pkcs11 repo, but the README states that this library has been merged into OpenSC/libp11. But the latter also doesn't seem to provide this library after compiling it.

Is it named differently now? Which .so file shall I provide to the -pre SO_PATH: argument of openssl engine?

Georg P.
  • According to https://github.com/OpenSC/libp11#copying-the-engine-shared-object-to-the-proper-location the 'recommended' name in the engines directory is `libpkcs11.so` -- and in Ubuntu (20.04 focal, yeah I'm lazy) it's actually `pkcs11.so` plus a _symlink_ from `libpkcs11.so` in [`libengine-pkcs11-openssl`](https://packages.ubuntu.com/focal/libengine-pkcs11-openssl) – dave_thompson_085 Jul 25 '23 at 01:34
  • Keep in mind the way this works, is that there are two .so files in play -- the first is the engine, provided by OpenSC, which is really just a shim/wrapper around the second, and bridges "openssl" semantics to "pkcs11" function calls into the provider. The SO_PATH variable is the engine. The second .so is usually going to be provided by the HSM/token vendor. The Utimaco SecurityServer provider is called "libcs_pkcs11_R3.so", so the MODULE_PATH would point to that. I don't know what Yubi's provider is called, sorry. – rip... Jul 25 '23 at 16:10
  • Thanks dave, that solved it! I can't understand though why all documentation is wrong... Anyway, if you add your comment as answer, I'll happily mark it as answer. – Georg P. Jul 25 '23 at 17:08
  • @rip..., thanks for the explanation. Yubico suggests to use opensc-pkcs11.so (see https://developers.yubico.com/PIV/Guides/Certificate_authority.html). So there must be some generic interface also between the second library and the hardware. – Georg P. Jul 25 '23 at 17:21

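The following script is an added example, not code from the question or from OpenSC/libp11. It puts the two-file picture from the comments into practice: it asks OpenSSL for its engines directory, looks there for the libp11 engine under either of the names mentioned (libpkcs11.so or pkcs11.so) for SO_PATH, looks for the OpenSC PKCS#11 module for MODULE_PATH, and only then runs the `openssl engine` command from the question. The function names, the candidate module locations and the helper structure are this example's own assumptions, not anything the page states.

```shell
#!/bin/sh
# Added example: resolve and load the two shared objects behind OpenSSL's
# PKCS#11 engine setup.
#
#   1. the engine  (libp11's pkcs11 engine, installed into OpenSSL's engines
#      directory as libpkcs11.so or pkcs11.so)        -> SO_PATH
#   2. the PKCS#11 module that actually talks to the token
#      (opensc-pkcs11.so for a YubiKey via OpenSC)    -> MODULE_PATH

# Assumed candidate locations for the OpenSC module; adjust for your distro.
MODULE_CANDIDATES="/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so \
/usr/lib/opensc-pkcs11.so \
/usr/lib64/pkcs11/opensc-pkcs11.so \
/usr/local/lib/opensc-pkcs11.so"

# find_first_existing PATH... : print the first argument that is a regular
# file; exit status 1 if none of them exists.
find_first_existing() {
    for candidate in "$@"; do
        if [ -f "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# engines_dir : OpenSSL's own engines directory, taken from `openssl version -e`
# (prints a line like  ENGINESDIR: "/usr/lib/x86_64-linux-gnu/engines-1.1").
# Prints nothing if openssl is missing.
engines_dir() {
    openssl version -e 2>/dev/null | sed -n 's/^ENGINESDIR: *"\(.*\)"$/\1/p'
}

# load_pkcs11_engine ENGINE_SO MODULE_SO : load the dynamic engine, then have it
# load the PKCS#11 module. Order matters: SO_PATH/ID/LIST_ADD before LOAD,
# MODULE_PATH after LOAD (it is a control command of the loaded engine).
load_pkcs11_engine() {
    openssl engine -t dynamic \
        -pre "SO_PATH:$1" \
        -pre ID:pkcs11 \
        -pre LIST_ADD:1 \
        -pre LOAD \
        -pre "MODULE_PATH:$2"
}

main() {
    dir=$(engines_dir)
    if [ -z "$dir" ]; then
        echo "openssl not found or ENGINESDIR not reported" >&2
        return 1
    fi
    # Engine names as described in the comments: libpkcs11.so (libp11's
    # recommended name) or pkcs11.so (Ubuntu's libengine-pkcs11-openssl).
    engine=$(find_first_existing "$dir/libpkcs11.so" "$dir/pkcs11.so") || {
        echo "no pkcs11 engine in $dir (install libp11 / libengine-pkcs11-openssl)" >&2
        return 1
    }
    # Unquoted on purpose: MODULE_CANDIDATES is a space-separated list.
    module=$(find_first_existing $MODULE_CANDIDATES) || {
        echo "opensc-pkcs11.so not found (install opensc)" >&2
        return 1
    }
    echo "engine : $engine"
    echo "module : $module"
    load_pkcs11_engine "$engine" "$module"
}

# Only attempt the real load when openssl is present; never abort the shell.
if command -v openssl >/dev/null 2>&1; then
    main || echo "pkcs11 engine setup incomplete (see messages above)" >&2
fi
```

On a working setup the final command prints `(pkcs11) pkcs11 engine` followed by `[ available ]`; a missing MODULE_PATH target shows up as an error from the engine rather than from openssl itself, which is the quickest way to tell the two layers apart.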