
Thread: Where is pkcs11.so / libpkcs11.so

  1. #11

    Default Re: Where is pkcs11.so / libpkcs11.so

    Quote Originally Posted by malcolmlewis View Post
    Hi
    I suggest if you want help, then tone it down a bit...

    Looking at the error, "cannot load CA private key from engine" or "ENGINE_load_private_key:failed", indicates a configuration issue.

    In the initial install on Leap 15.0 did you change/re-configure any of the system files (pam etc), if so they could have been overwritten, but should have the old files in the directory.

    Changes in the openSSL or openSC library that are not compatible after the upgrade.

    I see this user has the same issue: https://support.nitrokey.com/t/self-...d-openssl/1855

    My tone was perfectly civil until you started repeatedly going on about certificates, a matter that was obviously completely and utterly irrelevant to the issue at heart.

    If you had any PKCS11 experience, you easily would know that "could not load private key" could almost certainly mean openssl was rightly denied access to and/or was unable to talk to the PKCS11 token. In my case pkcs11-tool and pkcs15-tool are able to talk to the PKCS11 without problems (indeed, I showed pkcs11-tool talking earlier in this thread). So it's something to do with openssl in 15.1.

    Anyway, I think I've made my point more than enough now. So how about we draw a line in the sand and proceed down a more sensible route of thought that doesn't mention certificates or lack thereof ever again !

    So, in answer to your question my Leap 15 install was a standard install, I used nothing other than packages available through the standard repos, no third-party. The upgrade to 15.1 was performed as per the docs (https://en.opensuse.org/SDB:System_upgrade) and completed without issue.

  2. #12
    Join Date
    Jun 2008
    Location
    San Diego, Ca, USA
    Posts
    11,853
    Blog Entries
    2

    Default Re: Where is pkcs11.so / libpkcs11.so

    Recently upgraded 15.0->15.1 and an application that depends on libpkcs11 has stopped working.

    <snip>

    Here's the error (it originates from a bash script that calls openssl) :

    Code:
    140486549489472:error:25066067:DSO support routines:dlfcn_load:could not load the shared library:crypto/dso/dso_dlfcn.c:113:filename(/usr/lib64/engines-1.1/pkcs11.so): /usr/lib64/engines-1.1/pkcs11.so: cannot open shared object file: No such file or directory
    140486549489472:error:25070067:DSO support routines:DSO_load:could not load the shared library:crypto/dso/dso_lib.c:161:
    140486549489472:error:260B6084:engine routines:dynamic_load:dso not found:crypto/engine/eng_dyn.c:414:
    140486549489472:error:2606A074:engine routines:ENGINE_by_id:no such engine:crypto/engine/eng_list.c:339:id=pkcs11
    140486549489472:error:25066067:DSO support routines:dlfcn_load:could not load the shared library:crypto/dso/dso_dlfcn.c:113:filename(libpkcs11.so): libpkcs11.so: cannot open shared object file: No such file or directory
    140486549489472:error:25070067:DSO support routines:DSO_load:could not load the shared library:crypto/dso/dso_lib.c:161:
    140486549489472:error:260B6084:engine routines:dynamic_load:dso not found:crypto/engine/eng_dyn.c:414:
    [/QUOTE]

    In my experience,
    pkcs is commonly used to access as well as to prepare keys to/from a repository or for transfer to another system.
    To me, a certificate is a type of token, people who are deeper into the creation and use of tokens might have a different opinion but from a practical point of view I've never seen much difference in how something called a token or a certificate can be used.
    Seems to me I remember that pkcs may also specify a particular format, so for instance when a particular token has been operated on, it may be recommended to name the file with "pkcs" in the name to provide hints on how to decode.

    And, the above is <only> based on my experience and not on anything I've read.
    In fact, the Wikipedia entry for pkcs describes it slightly differently but I don't think it conflicts with my uneducated concept.
    https://en.wikipedia.org/wiki/PKCS_11

    Back to the original post,
    I'd expect that the most important and telling error is the "no such file or directory" in the highlight in the quote above.
    That to me suggests the following possibilities, all based on the fact that the expected file isn't where it's expected to be...
    - The app is looking in the wrong place (has the app changed?)
    - The file or directory really isn't at the location (Is a file or directory really there or not?)
    - Is the File there but not read by the app? (Permissions problem?)

    Some things to consider, if the file is supposed to be there and the location is correct, then how is the file at that location generated? Short of reading code, typically some educated guesses can be made like verifying another app properly did whatever it does that should have created the file in that location. Logical possibilities are that the dependency app failed or the content the dependency was working on doesn't exist.
    Of course, besides the content it's always possible that the library that provides the functionality might also have changed how the content was operated on... like applying a new and different path/location of the file. You wouldn't expect it when a library should provide standardized functionality but the possibility has to be considered.

    Usually one of the first things I do when I run into this kind of error (file or directory not found) is to use "locate" (or Find) to see if the file exists <anywhere> on my machine. If the path has just changed, then the file will be found. If not found at all, then I'm looking at a function problem.

    Anyway...
    Sure, it might be a configuration error but I agree that if this was working before, then unless the configuration was changed somehow, it's an unlikely cause.
    But those other ways I described how to look at this error and consider possibilities can be run down to try determine what actually happened.

    IMO,
    TSU
    Beginner Wiki Quickstart - https://en.opensuse.org/User:Tsu2/Quickstart_Wiki
    Solved a problem recently? Create a wiki page for future personal reference!
    Learn something new?
    Attended a computing event?
    Post and Share!

  3. #13
    Join Date
    Sep 2012
    Posts
    5,325

    Default Re: Where is pkcs11.so / libpkcs11.so

    Quote Originally Posted by devrandom View Post
    zypper found openssl-engine-libp11, OpenSSL is still complaining though:
    Code:
    engine "pkcs11" set.
    Unable to load module (null)

    pkcs11 is a software API to access cryptographic card content. It needs a module that interacts with your card hardware. For OpenSC this would be /usr/lib64/opensc-pkcs11.so. Or it may come together with your card. This is likely the same module you normally use with the "pkcs11-tool --module" parameter.

    It works for me with OpenSC and (emulated) card in QEMU using
    Code:
    openssl
    OpenSSL> engine dynamic -pre SO_PATH:/usr/lib64/engines-1.1/pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:opensc-pkcs11.so

  4. #14

    Default Re: Where is pkcs11.so / libpkcs11.so

    Quote Originally Posted by arvidjaar View Post
    pkcs11 is a software API to access cryptographic card content. It needs a module that interacts with your card hardware. For OpenSC this would be /usr/lib64/opensc-pkcs11.so. Or it may come together with your card. This is likely the same module you normally use with the "pkcs11-tool --module" parameter.

    It works for me with OpenSC and (emulated) card in QEMU using
    Code:
    openssl
    OpenSSL> engine dynamic -pre SO_PATH:/usr/lib64/engines-1.1/pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:opensc-pkcs11.so

    @arvidjaar, I think you might be onto something here.

    Although OpenSSL no longer works via my bash script (it worked perfectly under LEAP 15, not under 15.1), your line :

    Code:
    openssl
    OpenSSL> engine dynamic -pre SO_PATH:/usr/lib64/engines-1.1/pkcs11.so  -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre  MODULE_PATH:opensc-pkcs11.so
    Completes without complaining.

    However, the suggestions you make are already integrated in my openssl.conf (which is unchanged since LEAP15) :
    Code:
    [openssl_def]
    engines = engine_section
    
    [engine_section]
    pkcs11 = pkcs11_section
    
    [pkcs11_section]
    engine_id = pkcs11
    dynamic_path= /usr/lib64/engines-1.1/pkcs11.so
    MODULE_PATH = /usr/lib64/opensc-pkcs11.so
    Openssl returns:
    Code:
    engine "pkcs11" set.
    Using configuration from /etc/foobar/foobar_ca/intermediate/openssl.conf
    Unable to load module (null)
    Unable to load module (null)
    PKCS11_get_private_key returned NULL
    cannot load CA private key from engine
    140296005211968:error:81065401:libp11:pkcs11_CTX_load:Unable to load PKCS#11 module:p11_load.c:77:
    140296005211968:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:crypto/engine/eng_pkey.c:78:

    Indeed, I have already mentioned all of this in my post earlier this thread (#3)
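
A pre-flight check for the situation discussed in posts #12 to #14, added here as an example (it is not code from any poster, from OpenSSL or from libp11): it reads `dynamic_path` and `MODULE_PATH` from an OpenSSL config section and reports whether each file exists and is readable. The function names and state labels are this example's own; the section name defaults to the `pkcs11_section` shown in post #14.

```shell
#!/bin/sh
# Added example (not from the thread): check that the files an OpenSSL
# engine section points at are actually there before blaming OpenSSL.

# conf_value FILE SECTION KEY -> print KEY's value inside [SECTION]
conf_value() {
    awk -v sec="[$2]" -v key="$3" '
        /^[ \t]*\[/ { gsub(/[ \t]/, ""); insec = ($0 == sec); next }
        insec {
            line = $0; sub(/#.*/, "", line)
            eq = index(line, "="); if (!eq) next
            k = substr(line, 1, eq - 1); v = substr(line, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# path_state VALUE -> unset | loader-search | missing | unreadable | ok
path_state() {
    case $1 in
        "")  echo unset ;;
        */*) if   [ ! -e "$1" ]; then echo missing
             elif [ ! -r "$1" ]; then echo unreadable
             else echo ok; fi ;;
        # No slash (e.g. opensc-pkcs11.so): the dynamic loader searches its
        # library path, so a plain file test cannot confirm it.
        *)   echo loader-search ;;
    esac
}

# check_engine_conf FILE [SECTION] -> one line per key; returns 1 on a problem
check_engine_conf() {
    conf=$1; sec=${2:-pkcs11_section}; rc=0
    for key in dynamic_path MODULE_PATH; do
        val=$(conf_value "$conf" "$sec" "$key")
        state=$(path_state "$val")
        echo "$key=$state ${val:-<none>}"
        case $state in ok|loader-search) ;; *) rc=1 ;; esac
    done
    return $rc
}

# Run against a config given on the command line, if any.
if [ "$#" -gt 0 ]; then check_engine_conf "$@"; fi
```

Pass it the same file that is given to OpenSSL; an `unset` result means the key was not found in that section of that file.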

  5. #15

    Default Re: Where is pkcs11.so / libpkcs11.so

    Quote Originally Posted by tsu2 View Post
    Recently upgraded 15.0->15.1 and an application that depends on libpkcs11 has stopped working.

    <snip>

    Here's the error (it originates from a bash script that calls openssl) :

    Code:
    140486549489472:error:25066067:DSO support routines:dlfcn_load:could not load the shared library:crypto/dso/dso_dlfcn.c:113:filename(/usr/lib64/engines-1.1/pkcs11.so): /usr/lib64/engines-1.1/pkcs11.so: cannot open shared object file: No such file or directory
    140486549489472:error:25070067:DSO support routines:DSO_load:could not load the shared library:crypto/dso/dso_lib.c:161:
    140486549489472:error:260B6084:engine routines:dynamic_load:dso not found:crypto/engine/eng_dyn.c:414:
    140486549489472:error:2606A074:engine routines:ENGINE_by_id:no such engine:crypto/engine/eng_list.c:339:id=pkcs11
    140486549489472:error:25066067:DSO support routines:dlfcn_load:could not load the shared library:crypto/dso/dso_dlfcn.c:113:filename(libpkcs11.so): libpkcs11.so: cannot open shared object file: No such file or directory
    140486549489472:error:25070067:DSO support routines:DSO_load:could not load the shared library:crypto/dso/dso_lib.c:161:
    140486549489472:error:260B6084:engine routines:dynamic_load:dso not found:crypto/engine/eng_dyn.c:414:
    [/QUOTE]

    @tsu2 thanks BUT you are selectively quoting me !! Specifically you are quoting from my post #1 when things changed afterwards, see post #3

  6. #16
    Join Date
    Jun 2008
    Location
    San Diego, Ca, USA
    Posts
    11,853
    Blog Entries
    2

    Default Re: Where is pkcs11.so / libpkcs11.so

    @tsu2 thanks BUT you are selectively quoting me !! Specifically you are quoting from my post #1 when things changed afterwards, see post #3

    Actually,
    Although the error reads differently, the problem is still the same when the error is
    Code:
    PKCS11_get_private_key returned NULL
    When something is null, it's the same thing as saying that something just isn't there.

    TSU

  7. #17
    Join Date
    Sep 2012
    Posts
    5,325

    Default Re: Where is pkcs11.so / libpkcs11.so

    Quote Originally Posted by devrandom View Post
    However, the suggestions you make are already integrated in my openssl.conf (which is unchanged since LEAP15)

    Default OpenSSL configuration file is openssl.cnf, not openssl.conf.

    Indeed, I have already mentioned all of this in my post earlier this thread (#3)

    I do not see there any description of OpenSSL configuration you performed, nor did you even now provide any information allowing to reproduce your issue (you show random output of unknown command and random file content of unknown file).

    Anyway, given that you apparently know better than anyone else trying to help you, I guess you are perfectly capable of solving this yourself.
