Pkcs11-tool Error Failed To Load Pkcs#11 Module
Sign in Pricing Blog Support Search GitHub This repository Watch 99 Star 534 Fork 276 OpenSC/OpenSC Code Issues 20 Pull requests 10 Projects 0 Wiki Pulse Graphs New issue pkcs11-tool fails to load default module failed to load pkcs#11 library please check your installation (opensc-pkcs11.dylib on Mac) #741 Closed mouse07410 opened this Issue Apr 21, 2016 · 11 opensc mac comments Projects None yet Labels None yet Milestone No milestone Assignees No one assigned 4 participants mouse07410 commented Apr 21, 2016 • edited Platform Mac OS X 10.11.4, Xcode-7.3. OpenSC - current (as of 2016-04-21) GitHub master branch. Expected behaviour Should work as shown below but without module explicitly specified: $ pkcs11-tool --module /Library/OpenSC/lib/opensc-pkcs11.dylib -I Cryptoki version 2.20 Manufacturer OpenSC Project Library OpenSC smartcard framework (ver 0.15) Using slot 1 with a present token (0x4) $ Actual behaviour $ pkcs11-tool -I sc_dlopen failed: dlopen(opensc-pkcs11.dylib, 1): image not found error: Failed to load pkcs11 module Aborting. $ The culprit is line 14 in config.h: #define DEFAULT_PKCS11_PROVIDER "opensc-pkcs11.dylib" that does not specify the complete path to /Library/OpenSC/lib/opensc-pkcs11.dylib. I could only track it back to commit c3527f4 of 2015-11-12 which did not go far enough (did not add the actual path). A fix would be to prepend the complete path (LIBDIR/LIB_PRE) to opensc-pkcs11${DYN_LIB_EXT}. A work-around would be to add /Library/OpenSC/lib to the default search path, or to sym-link opensc-pkcs11.dylib into a directory that already is on that path. But since by the time config.h is written to disk, LIBDDIR is known - it makes sense to just include it in the DEFAULT_PKCS11_PROVIDER. Steps to reproduce Insert your hardware token and type pkcs11-tool -I or pkcs11-tool -M. Logs Nothing gets logged because loading of the PKCS11 module fails (prior to any interactions with the token). OpenSC team member frankmorgner commented Apr 22, 2016 There is a problem in https://github.com/OpenSC/OpenSC/blob/master/MacOSX/scripts/postinstall#L5. Could you check whether if changing .so to .dylib the installer works properly? mouse07410 commented Apr 22, 2016 It probably would work properly - but wouldn't it be simpler and more correct to just include the full path in the default file name? OpenSC team member frankmorgner commented Apr 22, 2016 You'd need a bunch of magic code to make this work on every platform. Think of Windows, for example. mouse07410 commented Apr 22, 2016 I see... I personally would be happy if it could include the complete path on
Report Content as Inappropriate ♦ ♦ failed to load pkcs11 module Hi, I triying to get an aladdin etoken pro working on a macintosh met firefox as browser. After loading the opensc-pkcs11.so into firefox there is no token visible. (Also after rebooting the system there is nothing visible) When I use pcsctest I am able to see the token, so it is actually there. The only kind of error I can get is when using the command "./pkcs11-tool -I" The message is then: "Failed https://github.com/OpenSC/OpenSC/issues/741 to load pkcs11 module". Does anyone have any idea? I am using Mac OS 10.2 with firefox 1.5 Regards, John __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com _______________________________________________ opensc-user mailing list [hidden email] http://www.opensc-project.org/mailman/listinfo/opensc-user Martin Paljak-2 Reply | Threaded Open this post in threaded view ♦ ♦ | Report Content as http://opensc.1086184.n5.nabble.com/failed-to-load-pkcs11-module-td9996.html Inappropriate ♦ ♦ Re: failed to load pkcs11 module On 15.02.2006, at 9:49, W.B.V. FD wrote: > > I am using Mac OS 10.2 with firefox 1.5 You can't be using SCA installer, what is working on 10.4 only (or should at least check for it) -- Martin Paljak [hidden email] _______________________________________________ opensc-user mailing list [hidden email] http://www.opensc-project.org/mailman/listinfo/opensc-user W.B.V. FD Reply | Threaded Open this post in threaded view ♦ ♦ | Report Content as Inappropriate ♦ ♦ Re: failed to load pkcs11 module My mistake. Sca version 0.1.8 and the Mac OS 10.4.4 --- Martin Paljak <[hidden email]> wrote: > > On 15.02.2006, at 9:49, W.B.V. FD wrote: > > > > > I am using Mac OS 10.2 with firefox 1.5 > > > You can't be using SCA installer, what is working on > 10.4 only (or > should at least check for it) > > > > -- > Martin Paljak > [hidden email] > > > > __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail
References & Guides Learning web development Tutorials References Developer Guides Accessibility Game development ...more docs Mozilla Docs Add-ons Firefox https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/PKCS11/Module_Installation Developer ToolsFeedback Get Firefox help Get web development help Join the MDN community Report a content problem Report a bug Search Search Languages No translations exist for https://www.tablix.org/~avian/blog/archives/2013/10/opensc_on_wheezy/ this article. Add a translation Edit Advanced Advanced History Print this article MDN Mozilla Projects Network Security Services PKCS11 PKCS11 Module Installation Your Search Results fkiefer fscholz BenjaminSmedberg failed to LudovicRousseau Nibbler Rasmus Faber PKCS11 Module Installation In This Article Using the Firefox Preferences Dialog to Install PKCS11 ModulesInstalling PKCS11 Modules Using nsIPKCS11 PKCS11 modules are external modules which provide access to smart-card readers, biometric security devices, or external certificate stores. There are two methods for installing PKCS11 modules into Firefox. Users can use the preferences failed to load dialog to install or remove PKCS11 module. Extensions can programmatically manage PKCS11 modules using the nsIPKCS11 programming interface. The information in this article is specific to Firefox 3.5 and newer. Older versions of Firefox may support the window.pkcs11 property for installing PKCS11 modules. Using the Firefox Preferences Dialog to Install PKCS11 Modules Save the PKCS11 module to a permanent location on your local computer Open the Firefox preferences dialog. Choose "Advanced" > "Encryption" > "Security Devices" Choose "Load" Enter a name for the security module, such as "My Client Database". NOTE: there is currently a bug in Firefox where international characters may cause problems. Choose "Browse..." to find the location of the PKCS11 module on your local computer, and choose "OK" when done. Installing PKCS11 Modules Using nsIPKCS11 Extensions can use the nsIPKCS11 interface to install PKCS11 modules: const nsIPKCS11 = Components.interfaces.nsIPKCS11; const nsPKCS11ContractID = "@mozilla.org/security/pkcs11;1"; var PKCS11 = Components.classes[nsPKCS11ContractID].getService(nsIPKCS11); PKCS11.addModule("Custom Module Name", "/path/to/module.dll"); Document Tags and Contributors Tags: NSS Contributors to this page: fk
USB key to authenticate on websites using client-side SSL certificates, so fixing this was kind of important to me. OpenSC documentation is a mess and from terse error messages it was hard to make heads or tails of what was actually broken. So here's what I had to do make authentication work again in the browser. First, fixing the most obvious thing: with the introduction of multiarch the PKCS #11 module has moved from /usr/lib/opensc-pkcs11.so to /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so. This means you have to correct the path in Iceweasel. Go to Preferences, Advanced, Certificates, Security Devices and select the OpenSC module there. Click Unload to remove the module and then Load to load the module from the new path. Also, you might have noticed that mozilla-opensc package was removed in Wheezy. I'm not sure if it was even required in the previous release, but it's definitely not needed now. Second, the version of OpenSC shipped with Wheezy only supports accessing the smartcard readers through the pcscd daemon. You have to install the pcscd package or OpenSC will not detect any readers. $ opensc-tool -l # Detected readers (pcsc) Nr. Card Features Name 0 Yes Axalto/Schlumberger/Gemalo egate token 00 00 Now for the tricky part. With the changes above, I still got a very helpful error message whenever I tried connecting to a secure website: A PKCS #11 module returned CKR_GENERAL_ERROR, indicating that an unrecoverable error has occurred. (Error code: sec_error_pkcs11_general_error). Running a test with the pkcs11-tool showed that there was something wrong with the signing operation: $ OPENSC_DEBUG=9 pkcs11-tool --module /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so -t -l Using slot 1 with a present token (0x1) Logging in to "OpenSC Card (tomaz)". Please enter User PIN: C_SeedRandom() and C_GenerateRandom(): seeding (C_SeedRandom) not supported seems to be OK Digests: all 4 digest functions seem to work MD5: OK SHA-1: OK RIPEMD160: OK Signatures (currently only RSA signatures) testing key 0 (Private Key) ... lots of debug output skipped ... iso7816.c:103:iso7816_check_sw: Command incompatible with file structure card-flex