From: Ben C. <Ben...@no...> - 2017-08-24 22:35:17
Hi Jana,

On Thu, 24 Aug 2017 14:01:41 -0700, Jana Nguyen wrote:
> Thanks, running the tarball seems to run without error. Following the
> README.md, I tried to locate
>
> opensc-pkcs11.so and libpkcs11.so
>
> None was found. Am I supposed to also install the "engine_pkcs11"? I
> want to use p11 and OpenSSL from the command line.

Are you on a Mac? The files may be called .dylib instead of .so.

Here are my notes for running openssl from the command line:

1. You need to be using openssl commands that allow -engine and -keyform flags to be passed in. Not all openssl commands do. If you need to use a command that doesn't, you're out of luck :-(

2. You need to use openssl in interactive mode, by typing "openssl" and then entering commands into the prompt. (Or by doing the equivalent from a shell script using a here-document.) This is because the openssl "engine" command is stateful. It sets up state which is used later by the actual command you're trying to run. Trying to run "openssl engine ..." from your shell, and then trying to run "openssl whatever ...", will lose state between the two invocations.

Here's an example of a pair of commands that can be typed into an interactive openssl session:

    engine dynamic -pre SO_PATH:/path/to/pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/path/to/hsm/library.so -pre VERBOSE

    req -new -keyform engine -engine pkcs11 -key "pkcs11:type=private;object=foo;token=bar" -out myreq.csr -subj "/C=US/ST=CA/CN=localhost" -days 10000

(The /path/to/pkcs11.so may be .dylib if you're on a Mac, as noted above)

The first "engine" command sets up an engine and names it "pkcs11" (the ID: is what associates it with a name). The -engine flag in the second command refers to the engine by the name we gave it. Then "-keyform engine" says that the key we pass in should be interpreted by the engine, not treated as the name of a file on disk. Then finally the -key flag can be passed as a PKCS11 URL, which works because we did the "-keyform engine". See https://www.ietf.org/rfc/rfc7512.txt for a description of the PKCS11 URI format.

Hope this helps! I went through the same process of discovery you're going through, earlier this year.

~Ben
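The here-document variant mentioned in point 2 above, written out as an added example (not code from the original mail): a POSIX shell script that feeds both commands to a single openssl process so the engine state set up by the first line is still present when "req" runs. The library paths, the PKCS#11 URI and the subject are placeholders to be replaced for a real token.

```shell
#!/bin/sh
# Added example, not from the original mail. Every path and the key URI
# below are placeholders; the engine file may be .dylib on a Mac.

# Emit the two command lines for one interactive openssl session.
#   $1 = path to the OpenSSL pkcs11 engine (libpkcs11.so / .dylib)
#   $2 = path to the token's PKCS#11 module (e.g. opensc-pkcs11.so)
#   $3 = RFC 7512 PKCS#11 URI of the private key
#   $4 = CSR output file
#   $5 = subject
build_openssl_session() {
    cat <<EOF
engine dynamic -pre SO_PATH:$1 -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:$2 -pre VERBOSE
req -new -keyform engine -engine pkcs11 -key "$3" -out $4 -subj "$5"
EOF
}

# Refuse to start when either shared object is missing or unreadable,
# which is the "None was found" failure from the question.
require_modules() {
    for f in "$1" "$2"; do
        [ -r "$f" ] || { echo "missing PKCS#11 library: $f" >&2; return 1; }
    done
}

# Run the whole session inside ONE openssl process. Running
# "openssl engine ..." and "openssl req ..." separately would lose
# the engine state between the two invocations.
run_openssl_session() {
    require_modules "$1" "$2" || return 1
    build_openssl_session "$@" | openssl
}

# Only perform the real run when explicitly asked for, e.g.
#   RUN_PKCS11_CSR=1 sh csr-from-hsm.sh
if [ "${RUN_PKCS11_CSR:-0}" = 1 ]; then
    run_openssl_session /path/to/pkcs11.so /path/to/hsm/library.so \
        "pkcs11:type=private;object=foo;token=bar" myreq.csr "/C=US/ST=CA/CN=localhost"
fi
```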