Question

I want to add a PKCS#11 engine to OpenSSL and I use CentOS 6.2. I actually load the engine with no problem, as you can see below:

[root@localhost 05:06:18  openssl-1.0.1e]$ openssl engine -t dynamic -pre SO_PATH:/usr/lib/openssl/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/local/lib/libsst.so
(dynamic) Dynamic engine loading support
[Success]: SO_PATH:/usr/lib/openssl/engines/engine_pkcs11.so
[Success]: ID:pkcs11
[Success]: LIST_ADD:1
[Success]: LOAD
[Success]: MODULE_PATH:/usr/local/lib/libsst.so
Loaded: (pkcs11) pkcs11 engine
    [ available ]

but when I use the OpenSSL option to list the loaded engines, the pkcs11 engine isn't in the list:

[root@localhost 05:19:58  openssl-1.0.1e]$ openssl engine -v -t 
(aesni) Intel AES-NI engine (no-aesni)
     [ available ]
(dynamic) Dynamic engine loading support
     [ unavailable ]
     SO_PATH, NO_VCHECK, ID, LIST_ADD, DIR_LOAD, DIR_ADD, LOAD

and when I want to use the engine, I see this error:

[root@localhost 05:20:04  openssl-1.0.1e]$ openssl genrsa -engine pkcs11 -out priv.key 1024
invalid engine "pkcs11"
3078776556:error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:dso_dlfcn.c:185:filename(/usr/lib/openssl/engines/libpkcs11.so): /usr/lib/openssl/engines/libpkcs11.so: cannot open shared object file: No such file or directory
3078776556:error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:244:
3078776556:error:260B6084:engine routines:DYNAMIC_LOAD:dso not found:eng_dyn.c:450:
3078776556:error:2606A074:engine routines:ENGINE_by_id:no such engine:eng_list.c:417:id=pkcs11
3078776556:error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:dso_dlfcn.c:185:filename(libpkcs11.so): libpkcs11.so: cannot open shared object file: No such file or directory
3078776556:error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:244:
3078776556:error:260B6084:engine routines:DYNAMIC_LOAD:dso not found:eng_dyn.c:450:
Generating RSA private key, 1024 bit long modulus
.......++++++
.......++++++
e is 65537 (0x10001)

I can't figure out what the problem could be...


Solution

This problem is because OpenSSL loads the library just one time and after that it does not keep the state, so if we want to keep the state we must use the following commands:

[root@localhost 04:58:25  home]$ openssl
OpenSSL> engine -t dynamic -pre SO_PATH:/usr/lib/openssl/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/local/lib/libsst.so
 (dynamic) Dynamic engine loading support
 [Success]: SO_PATH:/usr/lib/openssl/engines/engine_pkcs11.so
 [Success]: ID:pkcs11
 [Success]: LIST_ADD:1
 [Success]: LOAD
 [Success]: MODULE_PATH:/usr/local/lib/libsst.so
 Loaded: (pkcs11) pkcs11 engine
      [ available ]
OpenSSL> engine
 (aesni) Intel AES-NI engine (no-aesni)
 (dynamic) Dynamic engine loading support
 (pkcs11) pkcs11 engine
OpenSSL> 

OTHER TIPS

Indeed, as mentioned in one of the comments above, for repeated use it's more convenient to include the engine's parameters in the respective OpenSSL config file. For the given example, you would add the line

openssl_conf  = openssl_def

before the first section (which starts with a '[' character at the beginning of a line) and add a section marked [openssl_def], for simplicity at the end of the file:

[openssl_def]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib/openssl/engines/engine_pkcs11.so
MODULE_PATH = /usr/local/lib/libsst.so
init = 0
# adapt as desired:  PIN = 1234
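The config-file approach from the answer above, turned into a small script (an added example, not code from the thread or from OpenSSL): it writes the engine sections to a file of its own, checks the placement rule that openssl_conf must precede the first [section], and probes the engine through OPENSSL_CONF so the system-wide config stays untouched. The two .so paths are the ones quoted in the thread and are assumed; the function names are mine.

```shell
#!/bin/sh
# Assumed paths, taken from the thread; adapt them to your system.
ENGINE_SO=/usr/lib/openssl/engines/engine_pkcs11.so
MODULE_SO=/usr/local/lib/libsst.so

# Write a stand-alone OpenSSL config that auto-loads the pkcs11 engine.
# openssl_conf must sit in the unnamed default section, i.e. before any "[...]".
write_engine_conf() {
    out="$1"
    cat > "$out" <<EOF
openssl_conf = openssl_def

[openssl_def]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = $ENGINE_SO
MODULE_PATH = $MODULE_SO
init = 0
EOF
}

# Structural check: an openssl_conf line exists and comes before the first
# section header; otherwise OpenSSL silently ignores it and no engine loads.
check_engine_conf() {
    conf="$1"
    first_sec=$(grep -n '^\[' "$conf" | head -n 1 | cut -d: -f1)
    conf_line=$(grep -n '^openssl_conf' "$conf" | head -n 1 | cut -d: -f1)
    [ -n "$conf_line" ] && [ -n "$first_sec" ] && [ "$conf_line" -lt "$first_sec" ]
}

# Let OpenSSL itself test-initialise the engine (-t) and list its capabilities (-c).
# OPENSSL_CONF scopes the config to this one invocation.
probe_engine() {
    OPENSSL_CONF="$1" openssl engine -t -c pkcs11
}
```

A working setup prints the pkcs11 line followed by `[ available ]`, the same marker shown in the question's first transcript.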
Licensed under: CC-BY-SA with attribution