Troubleshooting PKCS#11 for OpenSSL
- To verify that the provider is loaded correctly, use the command `openssl list -providers` to list the active providers. If the OpenSSL PKCS#11 provider has been activated successfully, it appears in the list. Additionally, check the available signature algorithms with `openssl list -signature-algorithms`: when the provider is working, the list contains entries ending in `@ pkcs11` next to the `@ default` entries of OpenSSL's built-in provider, as in the output below.
```
openssl list -signature-algorithms
{ 1.2.840.113549.1.1.1, 2.5.8.1.1, RSA, rsaEncryption } @ default
{ 1.2.840.10040.4.1, 1.2.840.10040.4.3, 1.3.14.3.2.12, 1.3.14.3.2.13, 1.3.14.3.2.27, DSA, DSA-old, DSA-SHA, DSA-SHA1, DSA-SHA1-old, dsaEncryption, dsaEncryption-old, dsaWithSHA, dsaWithSHA1, dsaWithSHA1-old } @ default
{ 1.3.101.112, ED25519 } @ default
{ 1.3.101.113, ED448 } @ default
{ 1.2.156.10197.1.301, SM2 } @ default
ECDSA @ default
HMAC @ default
SIPHASH @ default
POLY1305 @ default
CMAC @ default
{ 1.2.840.113549.1.1.1, 2.5.8.1.1, RSA, rsaEncryption } @ pkcs11
{ 1.3.101.112, ED25519 } @ pkcs11
{ 1.3.101.113, ED448 } @ pkcs11
ECDSA @ pkcs11
```
- The pkcs11-provider loads the PKCS#11 module lazily by default, that is, only when it is first needed. At the moment we recommend changing this by setting `pkcs11-module-load-behavior = early` in the `[pkcs11_sect]` section of your OpenSSL configuration file, so that the module is loaded as soon as the provider is initialized.
- Check the pkcs11-provider logs. Logging is controlled with the `PKCS11_PROVIDER_DEBUG` environment variable; for instance `PKCS11_PROVIDER_DEBUG=file:/tmp/p11prov-debug.log,level=5` sends the logs at debug level 5 to /tmp/p11prov-debug.log. The logs tell you whether `pkcs11-module-path` points to a valid PKCS#11 module library (here the Securosys library libprimusP11.so) and whether the interaction with it succeeds. Below, the abbreviated content of p11prov-debug.log just after starting openssl is shown. The table lists the lines to look out for when analyzing the logs, with a brief description of the action each entry corresponds to; line numbers count from the first line of the excerpt, including the `...` lines that stand for omitted output.
| Line # | Log entry | Corresponding action |
|---|---|---|
| 1-2 | `OSSL_provider_init(): Provided config params` | Dump of the configuration the pkcs11-provider received, including `pkcs11-module-path`. |
| 4 | `p11prov_module_init(): PKCS#11: Initializing the module` | Initialization of the Securosys PKCS#11 module library (libprimusP11.so) named by `pkcs11-module-path`. |
| 9 | `p11prov_module_init(): Module Info` | The Securosys PKCS#11 module was loaded successfully: C_Initialize and C_GetInfo (lines 7-8) returned and the library identifies itself. |
| 18-30 | `Slot Info:` / `Token Info:` | Dump of the slot/token information received from the HSM; `CKF_TOKEN_PRESENT` confirms that a token is present in the slot. |
```
[../../../../src/provider.c:1347] OSSL_provider_init(): Provided config params:
[../../../../src/provider.c:1357] OSSL_provider_init(): pkcs11-module-path: /usr/local/primus/lib/libprimusP11.so
...
[../../../../src/interface.c:291] p11prov_module_init(): PKCS#11: Initializing the module: /usr/local/primus/lib/libprimusP11.so
[../../../../src/interface.c:175] p11prov_interface_init(): C_GetInterface() not available. Falling back to C_GetFunctionList(): usr/local/primus/lib/libprimusP11.so: undefined symbol: C_GetInterface
[../../../../src/interface.c:102] populate_interface(): Populating Interfaces with 'Internal defaults', version 2.20
[../../../../src/interface.gen.c:13] p11prov_Initialize(): Calling C_Initialize
[../../../../src/interface.gen.c:51] p11prov_GetInfo(): Calling C_GetInfo
[../../../../src/interface.c:327] p11prov_module_init(): Module Info: ck_ver:3.0 lib: 'Securosys SA' 'PKCS#11 Library' ver:2.1
...
[../../../../src/interface.gen.c:468] p11prov_FindObjects(): Calling C_FindObjects
[../../../../src/interface.gen.c:488] p11prov_FindObjectsFinal(): Calling C_FindObjectsFinal
[../../../../src/slot.c:68] get_slot_profiles(): No profiles for slot 1
[../../../../src/interface.gen.c:234] p11prov_CloseSession(): Calling C_CloseSession
[../../../../src/interface.gen.c:173] p11prov_GetMechanismList(): Calling C_GetMechanismList
[../../../../src/slot.c:100] get_slot_mechanisms(): Slot(1) mechs found: 105
[../../../../src/interface.gen.c:173] p11prov_GetMechanismList(): Calling C_GetMechanismList
Slot Info:
ID: 1
Description: [OPENSSL_PKCS11_INT_TEST]
Manufacturer ID: [Securosys SA]
Flags (0x000005):
CKF_TOKEN_PRESENT (0x000001)
CKF_HW_SLOT (0x000004)
Hardware Version: 2.11
Firmware Version: 2.1
Token Info:
Label: [OPENSSL_PKCS11_INT_TEST]
Manufacturer ID: [Securosys SA]
Model: [Primus HSM]
...
```
- If OpenSSL still lists the provider but no `@ pkcs11` algorithms, it is possible that the token is not set up correctly. Have a look at the Troubleshooting section in the PKCS#11 Documentation.
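The checks above (provider listed, `@ pkcs11` algorithms present, module initialized and token present in the debug log), combined into one shell helper that turns the three artefacts into a single verdict, plus a printer for the `[pkcs11_sect]` configuration with early loading. This is an added example, not code from the pkcs11-provider project or the Securosys documentation. The sample provider listing, algorithm list and log lines are constructed (modelled on the excerpts on this page, with placeholder versions), the provider shared-object path /usr/lib64/ossl-modules/pkcs11.so used below is an assumption, and the checks assume the output formats shown on this page.

```shell
#!/bin/sh
# Added example, not part of pkcs11-provider or the Securosys docs. Each check
# reads a command's output (or the debug log) on stdin, so it works on live
# output (openssl list -providers | provider_loaded) and on saved files.

# Constructed samples (not captured from a real system), modelled on the
# excerpts on this page.
SAMPLE_PROVIDERS='Providers:
  default
    status: active
  pkcs11
    name: PKCS#11 Provider
    status: active'
SAMPLE_SIGALGS='{ 1.2.840.113549.1.1.1, 2.5.8.1.1, RSA, rsaEncryption } @ default
ECDSA @ default
{ 1.2.840.113549.1.1.1, 2.5.8.1.1, RSA, rsaEncryption } @ pkcs11
ECDSA @ pkcs11'
SAMPLE_LOG="[../../../../src/interface.c:291] p11prov_module_init(): PKCS#11: Initializing the module: /usr/local/primus/lib/libprimusP11.so
[../../../../src/interface.c:327] p11prov_module_init(): Module Info: ck_ver:3.0 lib: 'Securosys SA' 'PKCS#11 Library' ver:2.1
Slot Info:
  ID: 1
  Flags (0x000005):
    CKF_TOKEN_PRESENT (0x000001)
Token Info:
  Label: [OPENSSL_PKCS11_INT_TEST]"

# openssl list -providers prints one block per provider: an indented
# identifier line ("  pkcs11") followed by name/version/status lines.
# Succeed only if a pkcs11 block exists and reports "status: active".
provider_loaded() {
    awk '/^[ \t]+[^ \t:]+[ \t]*$/ { cur = $1 }
         cur == "pkcs11" && /status:[ \t]*active/ { found = 1 }
         END { exit found ? 0 : 1 }'
}

# Number of "@ pkcs11" entries in openssl list -signature-algorithms;
# 0 with an active provider means no token mechanism was exported.
pkcs11_sigalg_count() {
    grep -c '@ pkcs11[[:space:]]*$' || true
}

# "Module Info:" is logged only after C_Initialize/C_GetInfo succeeded on
# the library named by pkcs11-module-path (log line 9 on this page).
log_module_loaded() {
    grep -q 'p11prov_module_init(): Module Info:'
}

# Print the label of every token whose slot reports CKF_TOKEN_PRESENT;
# fail if no slot has a token.
log_present_tokens() {
    awk '/Slot Info:/ { present = 0 }
         /CKF_TOKEN_PRESENT/ { present = 1 }
         present && /Label:/ { sub(/.*Label:[ \t]*/, ""); print; n++ }
         END { exit n ? 0 : 1 }'
}

# One verdict from three files: the output of openssl list -providers, of
# openssl list -signature-algorithms, and the PKCS11_PROVIDER_DEBUG log.
triage() {
    providers=$1 sigalgs=$2 log=$3
    if ! provider_loaded < "$providers"; then
        echo "provider-not-active: check module= and activate = 1 in [pkcs11_sect]"
    elif [ "$(pkcs11_sigalg_count < "$sigalgs")" -gt 0 ]; then
        echo "ok: pkcs11 provider is active and exports signature algorithms"
    elif ! log_module_loaded < "$log"; then
        echo "module-not-loaded: pkcs11-module-path is not a working PKCS#11 library"
    elif ! log_present_tokens < "$log" > /dev/null; then
        echo "no-token: module loaded but no slot reports CKF_TOKEN_PRESENT"
    else
        echo "no-pkcs11-algorithms: token $(log_present_tokens < "$log") is present but nothing is exported; set pkcs11-module-load-behavior = early and check the token setup"
    fi
}

# openssl.cnf that activates the provider with early loading, using the
# [pkcs11_sect] name from this page. $1: the HSM's PKCS#11 library
# (pkcs11-module-path); $2: the pkcs11-provider shared object.
print_pkcs11_cnf() {
    cat <<EOF
openssl_conf = openssl_init
[openssl_init]
providers = provider_sect
[provider_sect]
default = default_sect
pkcs11 = pkcs11_sect
[default_sect]
activate = 1
[pkcs11_sect]
module = $2
pkcs11-module-path = $1
# the default is lazy: the module is loaded only on first use
pkcs11-module-load-behavior = early
activate = 1
EOF
}

# Usage: sh p11triage.sh providers.txt sigalgs.txt /tmp/p11prov-debug.log
if [ $# -eq 3 ]; then triage "$@"; fi
```

On a live system, save `openssl list -providers` and `openssl list -signature-algorithms` to files, run openssl once with `PKCS11_PROVIDER_DEBUG=file:/tmp/p11prov-debug.log,level=5`, and pass the three files to the script; the word before the colon in the verdict follows the order of the checks on this page, so the first failing step is the one to fix. The check order matters: a missing `@ pkcs11` entry is only attributed to the token after the log has shown that the module itself initialized.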