
Friends, I have a smart card which I want to integrate with OpenSSL. I plan to do this through the "ENGINE" system in OpenSSL. However, I have a problem understanding it. There are such things as engine_pkcs11, opensc, libp11 and pkcs11-helper. Can anyone explain the relationship? What is what, and what do I compile in the first place?

Is it enough for me to write a library with the external PKCS#11 functions to connect it to OpenSSL? Do I have to take the source code of the engine_pkcs11 library and modify it to fit my card? Do I need opensc, libp11 or pkcs11-helper? Why, then, are these libraries needed?

Also, I should note that the smart card does not support the RSA algorithm; it will be a different algorithm!!!!

Really looking forward to your answers!

mpromonet
user1650740

3 Answers


The OpenSSL engine for PKCS#11 by OpenSC is needed to make interaction between OpenSSL and the smartcard via PKCS#11 possible.

The engine is built on top of libp11 by OpenSC, an abstraction/wrapper layer built on the PKCS#11 standard API for utility purposes.

From top to bottom we have:

  • openssl (by Openssl)
  • openssl pkcs#11 engine (by OpenSC)
  • libp11 (by OpenSC)
  • pkcs#11 standard api (by RSA Laboratories)
  • pkcs#11 module (by Smartcard vendor)

So in the optimum case you only have to write the PKCS#11 module for your specific smartcard hardware and then load it using the PKCS#11 engine.

The problem here is that the PKCS#11 engine, at the moment, supports only CKM_RSA_PKCS, so you probably also have to extend the current PKCS#11 OpenSSL engine.

More info at https://github.com/OpenSC/OpenSC/wiki

lgaggini


I'll add some recent information that can help users who come across this question.

  • opensc-pkcs11.so is the OpenSC module that implements the PKCS#11 API. It is linked with libopensc.so and other OpenSC libs.

  • libp11 is a helper library designed to make it easier to use PKCS#11 in applications without having to program to the PKCS#11 API. It will dlopen a pkcs#11 module.

  • engine_pkcs11 was an OpenSSL engine module that used libp11. It was so dependent on the versions of OpenSSL and libp11 that it is now included in libp11, as libp11 can be used as the engine too.

  • pkcs11-helper (which I have never used) is another library to make using PKCS#11 "easier".

  • pkcs11-spy is a PKCS#11 API module that traces all calls and returns of another PKCS#11 module that pkcs11-spy dlopens.

For more information

syedelec


And in addition:

Here is a description for Windows users.

On Windows you need to compile engine_pkcs11.dll yourself. It is not delivered by the OpenSC installer anymore.

Instructions here: https://github.com/OpenSC/libp11/blob/master/INSTALL.md

Make sure you installed the OpenSSL 64-bit edition to C:\OpenSSL-Win64

Download the latest release from https://github.com/OpenSC/libp11/releases and compile it in the x64 native command prompt for Visual Studio with

nmake -f Makefile.mak OPENSSL_DIR=C:\OpenSSL-Win64 BUILD_FOR=WIN64

Then you get pkcs11.dll. Copy that and opensc-pkcs11.dll to a directory (without blanks in the names). Now OpenSSL is able to load the DLLs:

engine dynamic -pre ID:pkcs11 -pre SO_PATH:C:\Tools\pkcs11\pkcs11.dll -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:C:\Tools\pkcs11\opensc-pkcs11.dll

Now you can use your OpenSC device.

Markus
  • It isn't required to compile yourself; version 0.4.11 is available on the site, and the owner of the library is testing generating version 0.4.13 automatically. – jmd Oct 25 '22 at 15:25
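The same dynamic-engine load as the `engine dynamic -pre ...` command above, expressed as an OpenSSL configuration file so that the pkcs11 engine is available to every openssl invocation without typing the command each time. This is an added example, not from the answers or the libp11 project; the two DLL paths are assumptions that mirror the directory used in the answer, and the key names (engine_id, dynamic_path, MODULE_PATH, init) are the ones the libp11 engine reads from the config.

```ini
# Added example: OpenSSL config loading the libp11 engine (pkcs11.dll),
# which in turn dlopens the vendor PKCS#11 module (here opensc-pkcs11.dll).
# Paths are assumed; adjust them to where you copied the DLLs.
openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
# ID the engine registers under; must be "pkcs11" for libp11
engine_id = pkcs11
# libp11 engine built with nmake as shown in the answer
dynamic_path = C:\Tools\pkcs11\pkcs11.dll
# Vendor/OpenSC PKCS#11 module the engine loads at runtime
MODULE_PATH = C:\Tools\pkcs11\opensc-pkcs11.dll
# 0 = defer engine initialisation until the engine is first used
init = 0
```

Point OPENSSL_CONF at this file and run `openssl engine pkcs11 -t` to confirm the engine loads and reports "available". If the module misbehaves, setting MODULE_PATH to pkcs11-spy (from the second answer) with the PKCS11SPY environment variable pointing at the real module gives a trace of every PKCS#11 call the engine makes.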