Bug with OpenSSL engine initialization in tls_engine_load_dynamic_generic

David Woodhouse dwmw2 at infradead.org
Mon Jun 6 05:34:34 PDT 2016


On Mon, 2016-06-06 at 14:13 +0200, Michael Schaller wrote:
> David explains correctly what happens. This started happening for us
> on Debian testing with the release of the libengine-pkcs11-openssl
> package version 0.2.1-2 in March 2016 and it took us a while to
> analyze the issue. The package had changed the libpkcs11.so location
> from /usr/lib/ssl/engines/libpkcs11.so to
> /usr/lib/x86_64-linux-gnu/openssl-1.0.2/engines/libpkcs11.so. Since
> this move the autoload of the pkcs11 engine on the ENGINE_by_id call
> works and we get a pkcs11 engine initialized for the use of p11-kit
> instead of the expected initialization for the specified opencryptoki
> module. We initialize the pkcs11 engine and module path via D-Bus via
> the SetPKCS11EngineAndModulePath method.
> 
> David, is the general recommendation to switch over to p11-kit?

Yes, definitely.

With p11-kit you get a system-wide configuration for which modules to
load into which applications, with a per-user override:
https://p11-glue.freedesktop.org/doc/p11-kit/pkcs11-conf.html

This is honoured directly by GnuTLS applications because GnuTLS uses
libp11-kit directly. For other crypto libraries (OpenSSL, NSS, etc.) it
can be achieved just by loading the p11-kit-proxy.so module — which
loads all the modules specified by the p11-kit configuration, as
"slots" of its own.

In Fedora it is now considered a bug if any packaged software *doesn't*
automatically load the tokens specified by the p11-kit configuration,
and allow you to use a RFC7512 PKCS#11 URI in any place you would have
been able to use a filename to specify a certificate or key. 

So to go back to what you said above...

> we get a pkcs11 engine initialized for the use of p11-kit instead of 
> the expected initialization for the specified opencryptoki> module.

It's not supposed to be "instead of". Your p11-kit configuration is
supposed to say what modules you want loaded, and then they're visible.

(Yes, it would be nicer if OpenSSL and the engine would use libp11-kit
directly instead of the trick of loading p11-kit-proxy.so, but we'll
work on that for OpenSSL 1.3 where we turn PKCS#11 into a proper first-
class citizen and we'll be able to use it for trust and all kinds of
other things properly.)

>  We initialize the pkcs11 engine and module path via D-Bus via> the
> SetPKCS11EngineAndModulePath method.

You shouldn't need to do that. If the 'filename' you pass starts with
'pkcs11:' then it gets done automatically. And if you are referencing
objects in the PKCS#11 token by the horrid old crufty ID string that
predated RFC7512, then don't :)

-- 
dwmw2
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5760 bytes
Desc: not available
URL: <http://lists.infradead.org/pipermail/hostap/attachments/20160606/8282f3a5/attachment-0001.bin>


More information about the Hostap mailing list