This repository has been archived by the owner on Feb 2, 2023. It is now read-only.

Unexpected error: PKCS11_GET_PKCS11_CIPHERS:No slot selected, please add SLOT_ID=<num> to your openssl.cnf #18

Open
jrgh0 opened this issue Sep 3, 2019 · 19 comments

Comments

@jrgh0

jrgh0 commented Sep 3, 2019

Hello,

First of all, thank you for maintaining this project. I post here after solving token configuration for TPM issues in the opencryptoki repo issues section.

Having the TPM token correctly configured and present in SLOT 0, I'm now facing an engine error complaining that SLOT_ID is not configured in openssl.cnf:

$ openssl engine ibmpkcs11 -t
(ibmpkcs11) PKCS#11 hardware engine support
     [ available ]

$ openssl engine ibmpkcs11 -c
(ibmpkcs11) PKCS#11 hardware engine support
 [RSA, RAND]
3069965984:error:80083099:lib(128):PKCS11_GET_PKCS11_CIPHERS:No slot selected, please add SLOT_ID=<num> to your openssl.cnf ibmpkcs11_section:e_pkcs11.c:937:
3069965984:error:80082099:lib(128):PKCS11_GET_PKCS11_DIGESTS:No slot selected, please add SLOT_ID=<num> to your openssl.cnf ibmpkcs11_section:e_pkcs11.c:963:

But it is properly configured, as you can see below.

This is my configuration of slots in the opencryptoki library, only TPM slot is configured:

slot 0                          
{        
 stdll = libpkcs11_tpm.so                              
 description = "TPM chip"                              
 manufacturer = "IFX"    
 hwversion = 1.2     
}                        

This is my configuration of engine section in the openssl.cnf:

[ibmpkcs11_section]
engine_id = ibmpkcs11
SLOT_ID=0
dynamic_path = /usr/lib/engines/ibmpkcs11.so

So now I'm wondering if there is any issue with the openssl engine and TPM slots.

Thank you & best regards
J.R.

@jrgh0
Author

jrgh0 commented Sep 25, 2019

Hello,

Could you please tell me if this project is being maintained? I posted three weeks ago and no one has reacted since then.

Thank you very much
J.R.

@p-steuer

Hi,

Sorry for the late reply. This project is not actively maintained at the moment.

I suggest using the pkcs11 engine which is part of libp11:
https://github.com/OpenSC/libp11

There is also a pkcs11 engine WIP by the openssl project:
openssl/openssl#8200

@jrgh0
Author

jrgh0 commented Sep 25, 2019

Thank you for your answer Patrick,

I've recently tested libp11 with the openssl engine for cryptoauthlib, the Microchip crypto chips library, but I've not yet loaded certs into the chips (any mistake could result in a brick of the chip due to the OTP feature) and, for now, I only know it compiles well and openssl engine -t works with it.

So I think I can use libp11 with p11-kit in order to set up and use modules for opencryptoki and cryptoauthlib.

About closing this issue, as the project is still alive and downloadable, I think it should remain open.

Regards
J.R.

@p-steuer

p-steuer commented Sep 25, 2019

Yes, as you can see, I leave all issues open, but right now there's nobody who has time to look into it. This sub-project is maintained on a "best-can-do" basis.

@jrgh0
Author

jrgh0 commented Oct 2, 2019

Hello,

I post here the link to the issue opened at the libp11 project, in order to let other people with the same trouble know that it maybe isn't a good idea to go to that project:

OpenSC/libp11#307

J.R.

@jrgh0
Author

jrgh0 commented Oct 3, 2019

Hello again Patrick,

I'm not an experienced C developer, and OpenSSL is very complex for me but, after a bad result moving to libp11, I've decided to try to find the cause of the error.

Almost everyone can easily find in e_pkcs11.c that the error is raised because the pkcs11_token object is NULL:

static int
get_pkcs11_ciphers(const int **retnids)
{
	static int nids[PKCS11_MAX_ALGS];
	int i, count = 0, *pkcs11_implemented_ciphers;

	if (pkcs11_token)
		pkcs11_implemented_ciphers = pkcs11_token->pkcs11_implemented_ciphers;
	else {
		PKCS11err(PKCS11_F_GET_PKCS11_CIPHERS, PKCS11_R_NO_SLOT_SELECTED);
		return 0;
	}

This leads to the next function, static int pkcs11_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)()), where pkcs11_token is set by the SLOT_ID command:

		case PKCS11_CMD_SLOT_ID:
			tok = pkcs11_token_list;
			while (tok) {
				printf("slot %lu processed\n", tok->slot_id);
				if (tok->slot_id == i) {
					pkcs11_token = tok;
					DBG_fprintf("slot %ld selected\n", i);
					return 1;
				}
				tok = tok->token_next;
			}

I've added debug messages to the code of the above function and now I can say that it is not being called when the engine is loaded and initialized.

As the above function is assigned in the bind_pkcs11(ENGINE *e) function as the control function of the engine, it should work, but it doesn't:

static int bind_pkcs11(ENGINE *e)
{
	printf("binding pkcs11 engine...\n");
	
	DBG_fprintf("%s\n", __FUNCTION__);

	if (!ENGINE_set_id(e, engine_pkcs11_id) ||
	    !ENGINE_set_name(e, engine_pkcs11_name) ||
	    !ENGINE_set_RAND(e, &pkcs11_random) ||
	    !ENGINE_set_init_function(e, pkcs11_init) ||
	    !ENGINE_set_ciphers(e, pkcs11_engine_ciphers) ||
	    !ENGINE_set_digests(e, pkcs11_engine_digests) ||
	    !ENGINE_set_destroy_function(e, pkcs11_destroy) ||
	    !ENGINE_set_finish_function(e, pkcs11_finish) ||
	    !ENGINE_set_ctrl_function(e, pkcs11_ctrl) ||
	    !ENGINE_set_cmd_defns(e, pkcs11_cmd_defns))
		return 0;

From this point on, reading OpenSSL-related material, it seems the problem is in the OpenSSL API functions for engine calls and, maybe, could be outside of this project.

So, please, could you confirm my above conclusion? If yes, could opencryptoki be the cause, or must we point to OpenSSL 1.0.2q?

Thank you & kind regards
J.R.

@p-steuer

p-steuer commented Oct 4, 2019

Hi,

I just tried it with the soft token, and ciphers and digests were loaded correctly.

My setup is as follows...

engine installed in /usr/local/lib/:

# ls -la /usr/local/lib/ibmpkcs11.so 
-rwxr-xr-x. 1 root root 136704 Oct  4 13:51 /usr/local/lib/ibmpkcs11.so

token correctly initialized in slot 3:

# pkcsconf -s
Slot #3 Info
	Description: Linux                                                           
	Manufacturer: IBM                             
	Flags: 0x1 (TOKEN_PRESENT)
	Hardware Version: 0.0
	Firmware Version: 0.0

# pkcsconf -t
Token #3 Info:
	Label: soft                            
	Manufacturer: IBM Corp.                       
	Model: IBM SoftTok     
	Serial Number: 123             
	Flags: 0x44D (RNG|LOGIN_REQUIRED|USER_PIN_INITIALIZED|CLOCK_ON_TOKEN|TOKEN_INITIALIZED)
	Sessions: 0/18446744073709551614
	R/W Sessions: 18446744073709551615/18446744073709551614
	PIN Length: 4-8
	Public Memory: 0xFFFFFFFFFFFFFFFF/0xFFFFFFFFFFFFFFFF
	Private Memory: 0xFFFFFFFFFFFFFFFF/0xFFFFFFFFFFFFFFFF
	Hardware Version: 1.0
	Firmware Version: 1.0
	Time: 2019100413563300

my custom openssl.cnf:

openssl_conf = openssl_def

[openssl_def]
engines = engine_section

[engine_section]
ibmpkcs11 = ibmpkcs11_section

[ibmpkcs11_section]
dynamic_path = /usr/local/lib/ibmpkcs11.so
SLOT_ID=3
default_algorithms = ALL
init = 1

# OPENSSL_CONF=</path/to/my/openssl.cnf> openssl engine ibmpkcs11 -c
(ibmpkcs11) PKCS#11 hardware engine support
 [RSA, RAND, DES-ECB, DES-CBC, DES-EDE3, DES-EDE3-CBC, AES-128-ECB, AES-128-CBC, AES-192-ECB, AES-192-CBC, AES-256-ECB, AES-256-CBC, MD5, SHA1, RSA-SHA1, hmacWithSHA1, SHA256, SHA384, SHA512, SHA224]

Does it not work for you only with the TPM token, or do the other tokens return the same errors?

@jrgh0
Author

jrgh0 commented Oct 4, 2019

Hello Patrick,

Thanks for your feedback. I can only test with the TPM token because I've not compiled the software token. It gave me compile errors the first time I compiled version 3.10.0 of opencryptoki, so I've discarded it since then.

I can change the SLOT_ID value to something higher than 0 to see what happens. Now I vaguely remember an older bug with a token in Slot 0. I've searched for it but can't find it now.

I'll try and report the result here.

@jrgh0
Author

jrgh0 commented Oct 4, 2019

Hello again,

I've changed the slot to 1 and get the same results. Then I initialized the token again with slot 1 and loaded a key with p11tool without problems, but I get the same bad results with the engine too (you can also see the debug messages I've added to the code):

$ pkcsconf -t
Token #1 Info:
        Label: ifx                             
        Manufacturer: IBM Corp.                       
        Model: TPM v1.1 Token  
        Serial Number: 123             
        Flags: 0x44D (RNG|LOGIN_REQUIRED|USER_PIN_INITIALIZED|CLOCK_ON_TOKEN|TOKEN_INITIALIZED)
        Sessions: 0/4294967294
        R/W Sessions: 4294967295/4294967294
        PIN Length: 4-8
        Public Memory: 0xFFFFFFFF/0xFFFFFFFF
        Private Memory: 0xFFFFFFFF/0xFFFFFFFF
        Hardware Version: 1.0
        Firmware Version: 1.0
        Time: 2019100417170200

$ p11tool --login --write "pkcs11:model=TPM%20v1.1%20Token;manufacturer=IBM%20Corp.;serial=123;token=ifx;id=CA_delegada"   --load-privkey subCA.key --label "subCA"
p11-kit: couldn't find C_GetFunctionList entry point in module: /lib/libp11.so: /lib/libp11.so: undefined symbol: C_GetFunctionList
p11-kit: cryptoauth: module failed to initialize, skipping: An error occurred on the device
Token '' with URL 'key:' requires user PIN
Enter PIN: 
Enter password: 
Token 'ifx' with URL 'pkcs11:model=TPM%20v1.1%20Token;manufacturer=IBM%20Corp.;serial=123;token=ifx' requires user PIN
Enter PIN: 

$ p11tool --login --list-all "pkcs11:model=TPM%20v1.1%20Token;manufacturer=IBM%20Corp.;serial=123;token=ifx"
p11-kit: couldn't find C_GetFunctionList entry point in module: /lib/libp11.so: /lib/libp11.so: undefined symbol: C_GetFunctionList
p11-kit: cryptoauth: module failed to initialize, skipping: An error occurred on the device
Enter PIN:
Object 0:
        URL: pkcs11:model=TPM%20v1.1%20Token;manufacturer=IBM%20Corp.;serial=123;token=ifx;id=%15%1f%2d%9b%2d%5f%68%fa%9f%a4%a6%4a%09%d0%ff%1e%8a%42%50%96;object=subCA;type=private
        Type: Private key
        Label: subCA
        Flags: CKA_WRAP/UNWRAP; CKA_PRIVATE; CKA_SENSITIVE; 
        ID: 15:1f:2d:9b:2d:5f:68:fa:9f:a4:a6:4a:09:d0:ff:1e:8a:42:50:96

$ openssl engine -c -pre SO_PATH:/usr/lib/engines/ibmpkcs11.so -pre ID:ibmpkcs11 -pre LIST_ADD:1 -pre LOAD
(dynamic) Dynamic engine loading support
[Success]: SO_PATH:/usr/lib/engines/ibmpkcs11.so
[Success]: ID:ibmpkcs11
[Success]: LIST_ADD:1
binding pkcs11 engine...
pre_init of pkcs11 engine...
processing slotID 1...
new token, slotID 1 
pkcs11_regToken
registering Token with SLOT_ID = 1...
[Success]: LOAD
Loaded: (ibmpkcs11) PKCS#11 hardware engine support
DIGESTS: token SLOT_ID = 100 /*This is returned by ? operator: (pkcs11_token != NULL ? pkcs11_token->slot_id : 100) at static int get_pkcs11_digests(const int **retnids) function*/
 [RSA, RAND]
3070084768:error:80083099:lib(128):PKCS11_GET_PKCS11_CIPHERS:No slot selected, please add SLOT_ID=<num> to your openssl.cnf ibmpkcs11_section:e_pkcs11.c:941:
3070084768:error:80082099:lib(128):PKCS11_GET_PKCS11_DIGESTS:No slot selected, please add SLOT_ID=<num> to your openssl.cnf ibmpkcs11_section:e_pkcs11.c:969:

@jrgh0
Author

jrgh0 commented Oct 8, 2019

Hello,

I've been reading the OpenSSL engine documentation in order to be able to properly read the e_pkcs11.c file from this project and the eng_ctrl.c file from the OpenSSL project. I also added more debug messages to the e_pkcs11.c file in order to be able to trace the initialization of the engine.

The problem is clear: a NULL pkcs11_token is obtained after it has been registered and added correctly from the slot that points to it. This happened while working with opencryptoki's TPM tokens, but it works well with opencryptoki's software tokens. The cause may be that TPM tokens are stored on a per-user basis, while the rest aren't yet.

I'm wondering if the last commit done by @ifranzki in the opencryptoki project, to fix lost per-user TPM tokens after I reported an error initializing TPM tokens, could be the starting point to solve this one about the engine getting a non-null token.

Regards
J.R.

@p-steuer

p-steuer commented Oct 9, 2019

Do you include the commit which fixes the TPM token init in your tests? If not, that may be a good idea. I mean, it seems to work with other tokens, so it seems to be specific to TPM.

@jrgh0
Author

jrgh0 commented Oct 9, 2019

Yes, of course I'm working with the version that includes the commit. If not, I wouldn't be able to do anything with the TPM token.

@p-steuer

p-steuer commented Oct 9, 2019

Since it seems to be the opencryptoki TPM token's fault, not the engine's, you could build opencryptoki with --enable-debug (-O0 -g) and run openssl engine ibmpkcs11 -t in the debugger after setting breakpoints on the functions you identified as returning NULL instead of something valid (as in the case of other tokens).
You can also export OPENCRYPTOKI_TRACE_LEVEL=4 and check the per-process trace files, usually in /usr/local/var/log/opencryptoki .

@jrgh0
Author

jrgh0 commented Oct 10, 2019

Hello Patrick,

I've compiled opencryptoki with the --enable-debug option and issued the commands after setting the OPENCRYPTOKI_TRACE_LEVEL=4 environment variable. The results are as follows:

Issuing:

$ openssl engine -c -pre SO_PATH:/usr/lib/engines/ibmpkcs11.so -pre ID:ibmpkcs11 -pre LIST_ADD:1 -pre LOAD

trace shows:

10/10/2019 09:41:19 [usr/lib/api/api_interface.c:2518 api] INFO: C_Initialize
10/10/2019 09:41:19 [usr/lib/api/apiutil.c:392 api] DEVEL: API_Register MgrProcIndc 4872  pid 0
10/10/2019 09:41:19 [usr/lib/common/shared_memory.c:139 tpmtok] DEVEL: File path "/var/lib/opencryptoki/tpm/dmrl" converted to "/var.lib.opencryptoki.tpm.dmrl".
10/10/2019 09:41:19 [usr/lib/common/shared_memory.c:275 tpmtok] DEVEL: open: ref = 1
10/10/2019 09:41:19 [usr/lib/tpm_stdll/tpm_specific.c:185 tpmtok] INFO: tpm token_specific_init slot=1 running
10/10/2019 09:41:19 [usr/lib/api/api_interface.c:1874 api] INFO: C_GetInfo
10/10/2019 09:41:19 [usr/lib/api/api_interface.c:2311 api] INFO: C_GetSlotList
10/10/2019 09:41:19 [usr/lib/api/api_interface.c:2324 api] DEVEL:  Present 1 Count 91
10/10/2019 09:41:19 [usr/lib/api/api_interface.c:2311 api] INFO: C_GetSlotList
10/10/2019 09:41:19 [usr/lib/api/api_interface.c:2324 api] DEVEL:  Present 1 Count 1
10/10/2019 09:41:19 [usr/lib/api/api_interface.c:2193 api] INFO: C_GetSlotInfo Slot=1  ptr=0xbecb2338
10/10/2019 09:41:19 [usr/lib/api/api_interface.c:1958 api] INFO: C_GetMechanismList
10/10/2019 09:41:19 [usr/lib/api/api_interface.c:1970 api] DEVEL: Slot 1 MechList (nil) Count 7152
10/10/2019 09:41:19 [usr/lib/common/new_host.c:391 tpmtok] INFO: C_GetMechanismList:  rc = 0x00000000, # mechanisms: 27
10/10/2019 09:41:19 [usr/lib/api/api_interface.c:1991 api] DEVEL: fcn->ST_GetMechanismList returned: 0x0
10/10/2019 09:41:19 [usr/lib/api/api_interface.c:1958 api] INFO: C_GetMechanismList
10/10/2019 09:41:19 [usr/lib/api/api_interface.c:1970 api] DEVEL: Slot 1 MechList 0xaf898 Count 27
10/10/2019 09:41:19 [usr/lib/common/new_host.c:391 tpmtok] INFO: C_GetMechanismList:  rc = 0x00000000, # mechanisms: 27
10/10/2019 09:41:19 [usr/lib/api/api_interface.c:1991 api] DEVEL: fcn->ST_GetMechanismList returned: 0x0
10/10/2019 09:41:19 [usr/lib/api/api_interface.c:2001 api] DEVEL: Mechanism[0] 0x00000000
10/10/2019 09:41:19 [usr/lib/api/api_interface.c:2001 api] DEVEL: Mechanism[1] 0x00000120
10/10/2019 09:41:19 [usr/lib/api/api_interface.c:2001 api] DEVEL: Mechanism[2] 0x00000131
10/10/2019 09:41:19 [usr/lib/api/api_interface.c:2001 api] DEVEL: Mechanism[3] 0x00000001
10/10/2019 09:41:19 [usr/lib/api/api_interface.c:2001 api] DEVEL: Mechanism[4] 0x00000005
10/10/2019 09:41:19 [usr/lib/api/api_interface.c:2001 api] DEVEL: Mechanism[5] 0x00000006                                             
10/10/2019 09:41:19 [usr/lib/api/api_interface.c:2001 api] DEVEL: Mechanism[6] 0x00000121                                             
10/10/2019 09:41:19 [usr/lib/api/api_interface.c:2001 api] DEVEL: Mechanism[7] 0x00000122                                             
10/10/2019 09:41:19 [usr/lib/api/api_interface.c:2001 api] DEVEL: Mechanism[8] 0x00000125                              
10/10/2019 09:41:19 [usr/lib/api/api_interface.c:2001 api] DEVEL: Mechanism[9] 0x00000132                              
10/10/2019 09:41:19 [usr/lib/api/api_interface.c:2001 api] DEVEL: Mechanism[10] 0x00000133                             
10/10/2019 09:41:19 [usr/lib/api/api_interface.c:2001 api] DEVEL: Mechanism[11] 0x00000136                             
10/10/2019 09:41:19 [usr/lib/api/api_interface.c:2001 api] DEVEL: Mechanism[12] 0x00000220                             
10/10/2019 09:41:19 [usr/lib/api/api_interface.c:2001 api] DEVEL: Mechanism[13] 0x00000221                             
10/10/2019 09:41:19 [usr/lib/api/api_interface.c:2001 api] DEVEL: Mechanism[14] 0x00000222                             
10/10/2019 09:41:19 [usr/lib/api/api_interface.c:2001 api] DEVEL: Mechanism[15] 0x00000210                             
10/10/2019 09:41:19 [usr/lib/api/api_interface.c:2001 api] DEVEL: Mechanism[16] 0x00000211                             
10/10/2019 09:41:19 [usr/lib/api/api_interface.c:2001 api] DEVEL: Mechanism[17] 0x00000212                             
10/10/2019 09:41:19 [usr/lib/api/api_interface.c:2001 api] DEVEL: Mechanism[18] 0x00000370                             
10/10/2019 09:41:19 [usr/lib/api/api_interface.c:2001 api] DEVEL: Mechanism[19] 0x00000371                             
10/10/2019 09:41:19 [usr/lib/api/api_interface.c:2001 api] DEVEL: Mechanism[20] 0x00000372                             
10/10/2019 09:41:19 [usr/lib/api/api_interface.c:2001 api] DEVEL: Mechanism[21] 0x00000380                             
10/10/2019 09:41:19 [usr/lib/api/api_interface.c:2001 api] DEVEL: Mechanism[22] 0x00000381                             
10/10/2019 09:41:19 [usr/lib/api/api_interface.c:2001 api] DEVEL: Mechanism[23] 0x00001080              
10/10/2019 09:41:19 [usr/lib/api/api_interface.c:2001 api] DEVEL: Mechanism[24] 0x00001081
10/10/2019 09:41:19 [usr/lib/api/api_interface.c:2001 api] DEVEL: Mechanism[25] 0x00001082
10/10/2019 09:41:19 [usr/lib/api/api_interface.c:2001 api] DEVEL: Mechanism[26] 0x00001085
10/10/2019 09:41:19 [usr/lib/api/api_interface.c:1285 api] INFO: C_Finalize               
10/10/2019 09:41:19 [usr/lib/api/api_interface.c:114 api] INFO: CloseAllSessions          
10/10/2019 09:41:19 [usr/lib/common/shared_memory.c:304 tpmtok] DEVEL: close: ref = 0     
10/10/2019 09:41:19 [usr/lib/tpm_stdll/tpm_specific.c:2359 tpmtok] INFO: tpm token_specific_final running

And issuing:

openssl engine -t -pre SO_PATH:/usr/lib/engines/ibmpkcs11.so -pre ID:ibmpkcs11 -pre LIST_ADD:1 -pre LOAD

then trace shows:

10/10/2019 09:44:56 [usr/lib/api/api_interface.c:2518 api] INFO: C_Initialize
10/10/2019 09:44:56 [usr/lib/api/apiutil.c:392 api] DEVEL: API_Register MgrProcIndc 4885  pid 0
10/10/2019 09:44:56 [usr/lib/common/shared_memory.c:139 tpmtok] DEVEL: File path "/var/lib/opencryptoki/tpm/dmrl" converted to "/var.lib.opencryptoki.tpm.dmrl".
10/10/2019 09:44:56 [usr/lib/common/shared_memory.c:275 tpmtok] DEVEL: open: ref = 1
10/10/2019 09:44:56 [usr/lib/tpm_stdll/tpm_specific.c:185 tpmtok] INFO: tpm token_specific_init slot=1 running
10/10/2019 09:44:56 [usr/lib/api/api_interface.c:1874 api] INFO: C_GetInfo
10/10/2019 09:44:56 [usr/lib/api/api_interface.c:2311 api] INFO: C_GetSlotList
10/10/2019 09:44:56 [usr/lib/api/api_interface.c:2324 api] DEVEL:  Present 1 Count 91
10/10/2019 09:44:56 [usr/lib/api/api_interface.c:2311 api] INFO: C_GetSlotList
10/10/2019 09:44:56 [usr/lib/api/api_interface.c:2324 api] DEVEL:  Present 1 Count 1
10/10/2019 09:44:56 [usr/lib/api/api_interface.c:2193 api] INFO: C_GetSlotInfo Slot=1  ptr=0xbeeb8338
10/10/2019 09:44:56 [usr/lib/api/api_interface.c:1958 api] INFO: C_GetMechanismList
10/10/2019 09:44:56 [usr/lib/api/api_interface.c:1970 api] DEVEL: Slot 1 MechList (nil) Count 7152
10/10/2019 09:44:56 [usr/lib/common/new_host.c:391 tpmtok] INFO: C_GetMechanismList:  rc = 0x00000000, # mechanisms: 27
10/10/2019 09:44:56 [usr/lib/api/api_interface.c:1991 api] DEVEL: fcn->ST_GetMechanismList returned: 0x0
10/10/2019 09:44:56 [usr/lib/api/api_interface.c:1958 api] INFO: C_GetMechanismList
10/10/2019 09:44:56 [usr/lib/api/api_interface.c:1970 api] DEVEL: Slot 1 MechList 0xaf898 Count 27
10/10/2019 09:44:56 [usr/lib/common/new_host.c:391 tpmtok] INFO: C_GetMechanismList:  rc = 0x00000000, # mechanisms: 27
10/10/2019 09:44:56 [usr/lib/api/api_interface.c:1991 api] DEVEL: fcn->ST_GetMechanismList returned: 0x0
10/10/2019 09:44:56 [usr/lib/api/api_interface.c:2001 api] DEVEL: Mechanism[0] 0x00000000
10/10/2019 09:44:56 [usr/lib/api/api_interface.c:2001 api] DEVEL: Mechanism[1] 0x00000120
10/10/2019 09:44:56 [usr/lib/api/api_interface.c:2001 api] DEVEL: Mechanism[2] 0x00000131
10/10/2019 09:44:56 [usr/lib/api/api_interface.c:2001 api] DEVEL: Mechanism[3] 0x00000001
10/10/2019 09:44:56 [usr/lib/api/api_interface.c:2001 api] DEVEL: Mechanism[4] 0x00000005
10/10/2019 09:44:56 [usr/lib/api/api_interface.c:2001 api] DEVEL: Mechanism[5] 0x00000006                                             
10/10/2019 09:44:56 [usr/lib/api/api_interface.c:2001 api] DEVEL: Mechanism[6] 0x00000121                                             
10/10/2019 09:44:56 [usr/lib/api/api_interface.c:2001 api] DEVEL: Mechanism[7] 0x00000122                                             
10/10/2019 09:44:56 [usr/lib/api/api_interface.c:2001 api] DEVEL: Mechanism[8] 0x00000125                              
10/10/2019 09:44:56 [usr/lib/api/api_interface.c:2001 api] DEVEL: Mechanism[9] 0x00000132                              
10/10/2019 09:44:56 [usr/lib/api/api_interface.c:2001 api] DEVEL: Mechanism[10] 0x00000133                             
10/10/2019 09:44:56 [usr/lib/api/api_interface.c:2001 api] DEVEL: Mechanism[11] 0x00000136                             
10/10/2019 09:44:56 [usr/lib/api/api_interface.c:2001 api] DEVEL: Mechanism[12] 0x00000220                             
10/10/2019 09:44:56 [usr/lib/api/api_interface.c:2001 api] DEVEL: Mechanism[13] 0x00000221                             
10/10/2019 09:44:56 [usr/lib/api/api_interface.c:2001 api] DEVEL: Mechanism[14] 0x00000222                             
10/10/2019 09:44:56 [usr/lib/api/api_interface.c:2001 api] DEVEL: Mechanism[15] 0x00000210                             
10/10/2019 09:44:56 [usr/lib/api/api_interface.c:2001 api] DEVEL: Mechanism[16] 0x00000211                             
10/10/2019 09:44:56 [usr/lib/api/api_interface.c:2001 api] DEVEL: Mechanism[17] 0x00000212                             
10/10/2019 09:44:56 [usr/lib/api/api_interface.c:2001 api] DEVEL: Mechanism[18] 0x00000370                             
10/10/2019 09:44:56 [usr/lib/api/api_interface.c:2001 api] DEVEL: Mechanism[19] 0x00000371                             
10/10/2019 09:44:56 [usr/lib/api/api_interface.c:2001 api] DEVEL: Mechanism[20] 0x00000372                             
10/10/2019 09:44:56 [usr/lib/api/api_interface.c:2001 api] DEVEL: Mechanism[21] 0x00000380                             
10/10/2019 09:44:56 [usr/lib/api/api_interface.c:2001 api] DEVEL: Mechanism[22] 0x00000381                             
10/10/2019 09:44:56 [usr/lib/api/api_interface.c:2001 api] DEVEL: Mechanism[23] 0x00001080              
10/10/2019 09:44:56 [usr/lib/api/api_interface.c:2001 api] DEVEL: Mechanism[24] 0x00001081
10/10/2019 09:44:56 [usr/lib/api/api_interface.c:2001 api] DEVEL: Mechanism[25] 0x00001082
10/10/2019 09:44:56 [usr/lib/api/api_interface.c:2001 api] DEVEL: Mechanism[26] 0x00001085
10/10/2019 09:44:56 [usr/lib/api/api_interface.c:1285 api] INFO: C_Finalize               
10/10/2019 09:44:56 [usr/lib/api/api_interface.c:114 api] INFO: CloseAllSessions          
10/10/2019 09:44:56 [usr/lib/common/shared_memory.c:304 tpmtok] DEVEL: close: ref = 0                                  
10/10/2019 09:44:56 [usr/lib/tpm_stdll/tpm_specific.c:2359 tpmtok] INFO: tpm token_specific_final running              
10/10/2019 09:44:56 [usr/lib/api/api_interface.c:2518 api] INFO: C_Initialize                                          
10/10/2019 09:44:56 [usr/lib/api/apiutil.c:392 api] DEVEL: API_Register MgrProcIndc 4885  pid 0                        
10/10/2019 09:44:56 [usr/lib/common/shared_memory.c:139 tpmtok] DEVEL: File path "/var/lib/opencryptoki/tpm/dmrl" converted to "/var.l
10/10/2019 09:44:56 [usr/lib/common/shared_memory.c:275 tpmtok] DEVEL: open: ref = 1                                   
10/10/2019 09:44:56 [usr/lib/tpm_stdll/tpm_specific.c:185 tpmtok] INFO: tpm token_specific_init slot=1 running                        
10/10/2019 09:44:56 [usr/lib/api/api_interface.c:1874 api] INFO: C_GetInfo                                             
10/10/2019 09:44:56 [usr/lib/api/api_interface.c:2311 api] INFO: C_GetSlotList                                         
10/10/2019 09:44:56 [usr/lib/api/api_interface.c:2324 api] DEVEL:  Present 1 Count 707484                                             
10/10/2019 09:44:56 [usr/lib/api/api_interface.c:2311 api] INFO: C_GetSlotList                                         
10/10/2019 09:44:56 [usr/lib/api/api_interface.c:2324 api] DEVEL:  Present 1 Count 1                          
10/10/2019 09:44:56 [usr/lib/api/api_interface.c:2193 api] INFO: C_GetSlotInfo Slot=1  ptr=0xbeeb8560                                 
10/10/2019 09:44:56 [usr/lib/api/api_interface.c:1285 api] INFO: C_Finalize               
10/10/2019 09:44:56 [usr/lib/api/api_interface.c:114 api] INFO: CloseAllSessions                              
10/10/2019 09:44:56 [usr/lib/common/shared_memory.c:304 tpmtok] DEVEL: close: ref = 0                                                 
10/10/2019 09:44:56 [usr/lib/tpm_stdll/tpm_specific.c:2359 tpmtok] INFO: tpm token_specific_final running

@p-steuer

Hmm, looks good, no indication why SLOT_ID=0 is ignored.

From your initial post:

engine_id = ibmpkcs11
SLOT_ID=0
dynamic_path = /usr/lib/engines/ibmpkcs11.so

Have you tried moving SLOT_ID=0 down, i.e.

engine_id = ibmpkcs11
dynamic_path = /usr/lib/engines/ibmpkcs11.so
SLOT_ID=0

?

Order makes a difference in some cases for the config file parsing.
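
Added example (not part of the thread and not the project's code): a small Python check for the two configuration properties this thread turns on, namely that the engine section is reachable from openssl_conf and that SLOT_ID is listed after dynamic_path. The parser is deliberately simplified and check_engine_config is a hypothetical helper; the inputs are the fragments quoted in the thread, so "unreachable" describes only the fragment as posted.

```python
import re

# Names the OpenSSL engine config module handles itself; any other name in an
# engine section (SLOT_ID here) is sent to the engine as a control command,
# in the order the lines appear.
PSEUDO = {"engine_id", "soft_load", "dynamic_path", "init", "default_algorithms"}

# Constructed inputs: the configuration fragments quoted in this thread.
REPORTED = """\
[ibmpkcs11_section]
engine_id = ibmpkcs11
SLOT_ID=0
dynamic_path = /usr/lib/engines/ibmpkcs11.so
"""

WORKING = """\
openssl_conf = openssl_def

[openssl_def]
engines = engine_section

[engine_section]
ibmpkcs11 = ibmpkcs11_section

[ibmpkcs11_section]
dynamic_path = /usr/local/lib/ibmpkcs11.so
SLOT_ID=3
default_algorithms = ALL
init = 1
"""


def parse_cnf(text):
    """Read sections and ordered name/value pairs from openssl.cnf text.

    Simplified on purpose (assumption): no $variable expansion, no .include,
    no line continuations.
    """
    sections = {"default": []}
    current = "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[\s*([^\]]+?)\s*\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
        elif "=" in line:
            name, value = (part.strip() for part in line.split("=", 1))
            sections[current].append((name, value))
    return sections


def lookup(sections, section, name):
    """Value of `name` in `section`, or None if either is missing."""
    return next((v for n, v in sections.get(section, []) if n == name), None)


def check_engine_config(text, engine="ibmpkcs11"):
    """Return finding strings ("code: detail"); an empty list means no findings."""
    sections = parse_cnf(text)
    findings = []
    # The engine section only takes effect when it is reachable from the top:
    # openssl_conf -> engines -> <engine> -> section.
    top = lookup(sections, "default", "openssl_conf")
    engines = lookup(sections, top, "engines")
    target = lookup(sections, engines, engine)
    if target not in sections:
        findings.append("unreachable: no openssl_conf -> engines -> %s chain" % engine)
        # Assumption: fall back to the section name used in this thread so the
        # remaining checks still run on a bare fragment.
        target = engine + "_section"
    names = [n for n, _ in sections.get(target, [])]
    if "SLOT_ID" not in names:
        findings.append("no-slot: SLOT_ID is not set in [%s]" % target)
    if "dynamic_path" in names:
        before_load = names[: names.index("dynamic_path")]
        for name in before_load:
            if name not in PSEUDO:
                findings.append("order: %s is listed before dynamic_path" % name)
    return findings


if __name__ == "__main__":
    for label, text in (("reported", REPORTED), ("working", WORKING)):
        print(label, check_engine_config(text) or "no findings")
```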

@jrgh0
Author

jrgh0 commented Oct 10, 2019

These last tests were done with the following engine configuration:

[ibmpkcs11_section]                                                 
engine_id = ibmpkcs11                                               
dynamic_path = /usr/lib/engines/ibmpkcs11.so                        
SLOT_ID = 1                                                         
default_algorithms = ALL                                            
init = 1                                                            

opencryptoki is configured with:

slot 1                          
{        
 stdll = libpkcs11_tpm.so                              
 description = "TPM chip"                              
 manufacturer = "IFX"    
 hwversion = 1.2     
}                        

@jrgh0
Author

jrgh0 commented Oct 30, 2019

Hello,

Has anyone been able to devote time to this case from the last entry?

Thank you & Best Regards

@p-steuer

p-steuer commented Oct 31, 2019

If I had your hw setup, I would use a debugger, as described in #18 (comment). It does not seem to be reproducible with the setups we have, so it's up to you to debug it. We can only assist by looking at the code and answering your questions here. From looking at the code, it looks like either the SLOT_ID=0 entry is somehow ignored or it has not been read at the time digests and ciphers are queried (race).
Did you try to run the engine command with -pre SLOT_ID:"your slot id" as the first option?

@jrgh0
Author

jrgh0 commented Nov 2, 2019

Patrick,

Thank you for your answer. You're still speaking about SLOT_ID with value 0 but, as I said before in this thread, I changed the configuration to SLOT_ID = 1 in order to determine if the value 0 was problematic. So the log was captured with SLOT_ID = 1 and TPM Token configured as slot 1, and trace messages are showing slot=1.

About issuing -pre SLOT_ID:1, I've done it in the first place and also after -pre SO_PATH:..., with the same results.

About debugging, I can try to compile and install gdb on the target. But, as I said, I'm not an experienced C developer and I'm not familiar with C debuggers.

Best Regards
