Provided by: openssl-pkcs11-sign-provider_1.0.1-0ubuntu3_amd64 
NAME
pkcs11sign - OpenSSL PKCS#11 sign provider module
DESCRIPTION
The pkcs11-sign-provider implements the OpenSSL 3.0 provider interface and provides
cryptographic operation on asymmetric key material, available in PKCS#11 infrastructure
(e.g. opencryptoki). The pkcs11-sign-provider will register a key storage for PKCS#11 URIs
(RFC 7512). All keys which are referenced by a PKCS#11 URI will be handled by the
pkcs11-sign-provider. Other keys (e.g. file-based) are forwarded by the pkcs11-sign-
provider to another OpenSSL-Provider, e.g. the built-in OpenSSL default provider.
The pkcs11-sign-provider will only process algorithms with existing (private) asymmetric
keys in the related PKCS11-token. All other actions will be handled by the forward-
provider as clear-key operations.
The pkcs11-sign-provider does not support key creation or removal of PKCS#11 keys. For key
management, external tools are required.
Supported PKCS#11 mechanisms for RSA:
• CKM_RSA_PKCS
• CKM_RSA_PKCS_OAEP
• CKM_RSA_PSS
• CKM_RSA_X_509
Supported PKCS#11 mechanisms for EC:
• CKM_ECDSA
APPLICATION INTERFACE
An application, which should use asymmetric keys in PKCS#11 infrastructure, must use an
OpenSSL configuration for the pkcs11-sign-provider and refer to the keys by an PKCS#11
URI. The rest of the application should not need any changes.
Configuration
If the system-wide OpenSSL configuration does not configure the pkcs11-sign-provider, the
application can use its own OpenSSL configuration file and refer to it in its environment
variable OPENSSL_CONF. For more details about the configuration see pkcs11sign.cnf(5).
Key references
Instead of referring to a private key file (e.g. "file:/path/to/key.pem"), the application
should use the PKCS#11 URI of the key ("pkcs11:<path-attributes>?<queue-attributes>").
The PKCS#11 URI should specify path parameters of the key, at least the ID or label of the
key, as well as its type. The key reference should be unique.
Example for a PKCS#11 URI to a private key:
pkcs11:token=mytok;object=ec-key;type=private&pin-source=/path/to/token-pinfile.txt
Note The current version of pkcs11-sign-provider supports only the queue parameters pin-
value and pin-source. All other queue parameters are not yet supported.
PIN handling
The PIN is required to login to a PKCS#11 token, to manage or work with sensitive PKCS#11
objects (keys) and should not be proposed to anyone without a need-to-know.
An application, which is using key material in a PKCS#11 token, has such a need-to-know,
so the PIN should be under control of the application.
The pkcs11-sign-provider supports the PIN handling in the PKCS#11 URI with the queue
attributes pin-value and pin-source. While the first one contains the plain-text PIN, the
latter one refers to a file, which contains the PIN. It is highly recommended to use the
file reference and set the access permissions of the PIN file accordingly.
PIN file
The PIN gives access to a PKCS#11 token and its objects (keys, certificates, data). It
should be treated as a secret information and only the application should have access to
it. With the right setup, the usage of a PIN file provides the best protection for the
PIN.
Rules for the PIN file:
• one PIN per PIN file
• the PIN file must only contain the PIN, no comments, no linefeed or other characters
• the PIN file must be readable by the application
• the PIN file should not be writable by the application
• the PIN file must not be readable nor writable by other unprivileged users.
The following snippet shows, how to create a protected PIN file. It will prompt for the
PIN and write it to a file, which is only accessible for the user.
PINFILE="/path/to/my_pinfile.txt"
touch "${PINFILE}"
chmod u=rw,g=,o= "${PINFILE}"
(read -rsp "Enter PIN: " PIN; echo -n ${PIN}) > "${PINFILE}"
If required, the file ownership can later be changed to another user and group. This would
require extra capabilities (e.g. by using "sudo").
SEE ALSO
pkcs11sign.cnf(5), EVP(7)
Copyright
Copyright © International Business Machines Corp. 2022, 2023