OpenSSL 3.0: PKCS#11 general provider

You can use a general provider called pkcs11-provider to use keys and cryptographic operations from a hardware or software token via their PKCS#11 driver and the use of PKCS#11 URIs. This provider is available in some Linux® distributions, or can be retrieved as source from https://github.com/latchset/pkcs11-provider.

Description

In contrast to the pkcs11-sign-provider, the pkcs11-provider supports more than just signing operations. It supports a wide range of crypto operations, given that the PKCS#11 implementation used to back the provider supports them.

Similar to the pkcs11-sign-provider, keys used by OpenSSL applications must be referenced by a PKCS#11 URI according to the scheme as specified in RFC 7512.

For PINs, which are required to access key objects in PKCS#11 tokens, the pkcs11-provider supports PINs in the PKCS#11 URI by value (pin-value) or by reference to a file (pin-source).

PKCS#11 provider configuration

The OpenSSL configuration of the application must refer to a provider section for the pkcs11-provider. This can be in the system-wide OpenSSL configuration file (for example, /etc/ssl/openssl.conf) or in an application-specific OpenSSL configuration file (referenced by the environment variable OPENSSL_CONF). Mandatory parameters in the provider section for the pkcs11-provider are:

  • path to the pkcs11-provider module
  • shared object name of the PKCS#11 library, for example, libopencryptoki.so or libpkcs11.so, or path to it for use with openCryptoki.

Optionally, the provider section for the pkcs11-provider can specify initialization arguments for the PKCS#11 library, as well as other parameters that influence the behavior of the provider.

An important parameter is pkcs11-module-load-behavior which in most cases should be set to this value: early. This means that the pkcs11-provider loads and initializes the PKCS#11 implementation as soon as OpenSSL loads the provider (generally at application startup). Not specifying this option means that the PKCS#11 implementation is loaded and initialized only the first time a PKCS#11 key is loaded or used. This can lead to situations where the provider does not properly report its capabilities to OpenSSL, dependent on when the capabilities are queried by OpenSSL or the applications using OpenSSL.

For a list of all options see https://github.com/latchset/pkcs11-provider/blob/main/docs/provider-pkcs11.7.md.

To use the pkcs11-provider, specify it in the application's property query. You achieve this either by specifying the default property query in the algorithm section of the OpenSSL configuration file, or by setting it in the provider context.

The key references must follow the PKCS#11 URI as specified in RFC 7512: The PKCS #11 URI Scheme. A key URI must also contain the PIN for the PKCS#11 token by value or by reference to a file (recommended).

For more information about the configuration file, see https://github.com/latchset/pkcs11-provider/blob/main/HOWTO.md.