Error Failed To Load Pkcs11 Module
OpenSC/OpenSC issue: default module pkcs11 module path for pkcs11-tool #229
Closed. eighthave opened this Issue Apr 1, 2014 · 39 comments

eighthave commented Apr 1, 2014
There are many little technical details in the whole process of setting up and using an HSM with opensc, one seems to have a pretty simple answer: providing a default module so pkcs11-tool --list-slots does something by default. From what I read, the concern was the way it was originally implemented, it could be exploited. How about instead hardcoding a default module, i.e. /usr/lib/opensc-pkcs11.so and using that by default if it exists. Distros could then modify that path to the relevant location, i.e. /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so. I'd happily submit a patch to do this if devs here are willing to accept it. I've been working to smooth out a lot of little details like this in the whole process, you can see the documentation of my efforts here:
https://guardianproject.info/2014/03/28/security-in-a-thumb-drive-the-promise-and-pain-of-hardware-security-modules-take-one/
https://dev.guardianproject.info/projects/bazaar/wiki/Improving_the_APK_Signing_Procedure

OpenSC team member alonbl commented Apr 1, 2014
There should be no default, module argument should be mandatory. But this default goes way into the past.

eighthave commented Apr 1, 2014
Why should there be no default? I found no reason for that besides the security issue mentioned in the thread where the default was removed. It makes things a lot easier for people getting started when little things like this are fixed.

OpenSC team member alonbl commented Apr 1, 2014
There is no such thing as default PKCS#11 provider, the whole concept is that user should choose.

eighthave commented Apr 1, 2014
The default would be the one most commonly used. From what I've seen, opensc-pkcs11.so is far and away the most common on Debian/Ubuntu/etc. In my process of working with a few different HSMs, I only ever saw opensc-pkcs11.so as an option, I don't think I can think of a single other PKCS11 provider that I needed or even saw documented.

OpenSC team member alonbl commented Apr 1,

to load pkcs11 module
Newsgroups: gmane.comp.encryption.opensc.devel
Date: Monday 21st March 2011 15:09:55 UTC

Hello,

On Mar 14, 2011, at 12:18 AM, Juan Antonio Martinez wrote:
> Using opensc from svn:
>
> [[emailprotected] opensc]$ src/tools/pkcs11-tool -lO
> error: Failed to load pkcs11 module
> Aborting.
>
> Looking at src/pkcs11/pkcs11-tool.c seems that "opt_module"
> variable is not properly initialized thus C_LoadModule
> is called with "NULL" as module name...

I don't think it is a good idea to have a hardcoded module path in pkcs11-tool, see #307 [1]

pkcs11-tool could be a general PKCS#11 tool as the name implies, at the moment it has a lot of OpenSC specific trickery in it. Typing the full module path is a bit more work but makes it very explicit which module is intended to be used. There have been issues when somebody installs from source to /usr/local and then doesn't know which module actually gets loaded by pkcs11-tool and that the module he explicitly loaded into Firefox are different.

I'd suggest requiring the path to the module as the first argument to pkcs11-tool (without --module)

> Is a bug so strange.... no one has noticed it before?

This was introduced by me lately [2]

[1] http://www.opensc-project.org/opensc/ticket/307
[2] http://www.opensc-project.org/opensc/ticket/323#comment:7
by: "Jeffrey W. Baker"
of opensc? sure, use our installer with opensc, openssl, putty, engine_pkcs11 etc: http://www.opensc-project.org/scb/

Andreas

Thread at a glance:

Previous Message by Date: Further problems with openSC and aladdin eToken

I've tried reinitializing my eToken with opensc and generating a key - all fine. The problems come when I try and generate a self-signed cert from that key under windows:

---
OpenSSL> engine dynamic -pre SO_PATH:engine_pkcs11 -pre ID:pkcs11 -pre LIST_ADD:
1 -pre LOAD
(dynamic) Dynamic engine loading support
[Success]: SO_PATH:engine_pkcs11
[Success]: ID:pkcs11
[Success]: LIST_ADD:1
[Success]: LOAD
Loaded: (pkcs11) pkcs11 engine
OpenSSL> req -engine pkcs11 -new -key id_45 -keyform engine -x509 -out mycert.pe
m -config "c:\program files\smart card bundle\openssl.cnf" -subj "/CN=Nick Johns
on/emailAddress=arachnid@xxxxxxxxxx"
unable to load module (null)
can't use that engine
2124:error:80001401:Vendor defined:PKCS11_CTX_load:Unable to load PKCS#11 module
:p11_load.c:57:
2124:error:260B806D:engine routines:ENGINE_TABLE_REGISTER:init failed:.\crypto\e
ngine\eng_table.c:161:
no engine specified
unable to load Private Key
error in req
---

Anyone know why this is happening, and how I can fix it?

Thanks,
Nick Johnson

Next Message by Date: Re: Further problems with openSC and aladdin eToken

you did not specify the pkcs#11 module to load. take a look at http://www.opensc-project.org/engine_pkcs11/wiki/QuickStart (oops, the scb side had the old/wrong commands, will fix that)

Andreas

Previous Message by Thread: Re: failed to load pkcs11 module

Andreas Jellinghaus wrote:
On Wednesday, 15 February 2006 19:07, Nick Johnson wrote:
I have a related question: I also have an eToken, which I initialised with the Aladdin software. I've been unable to get it working with Putty SC. If I reinitialise it with OpenSC, is there a (windows) driver I can use instead of etpkcs11.dll (that might give me better results)?

if you format it (with aladdin's tool) and initialize it with opensc, you can use it with putty + opensc-pkcs11.dll. should work, but I only tested other tokens so far.

Good luck! Regards,