details: http://freenginx.org/hg/nginx-tests/rev/f3f2fec834c4 branches: changeset: 2031:f3f2fec834c4 user: Maxim Dounin <[email protected]> date: Wed Oct 15 02:39:23 2025 +0300 description: Tests: loading keys from pkcs11-provider.
diffstat: ssl_store_pkcs11.t | 54 ++++++++++++++++++++++++++++++++++++++++--------------
1 files changed, 40 insertions(+), 14 deletions(-)
diffs (118 lines):
diff --git a/ssl_store_libp11.t b/ssl_store_pkcs11.t
copy from ssl_store_libp11.t
copy to ssl_store_pkcs11.t
--- a/ssl_store_libp11.t
+++ b/ssl_store_pkcs11.t
@@ -5,7 +5,7 @@
 # (C) Nginx, Inc.
 
 # Tests for http ssl module, loading "store:..." certificates and keys
-# from libp11 pkcs11prov OpenSSL provider (https://github.com/OpenSC/libp11).
+# from pkcs11-provider (https://github.com/latchset/pkcs11-provider).
 
 ###############################################################################
 
@@ -42,6 +42,11 @@ plan(skip_all => 'no store:... keys')
 
 daemon off;
 
+# pkcs11-provider tries to reinitialize softhsm after fork(),
+# so we need softhsm2 environment variable in worker processes
+
+env SOFTHSM2_CONF;
+
 events {
 }
 
@@ -87,14 +92,16 @@ http {
 EOF
 
 # Create a SoftHSM token with a secret key, and configure OpenSSL
-# to access it using the libp11 pkcs11prov provider. See detailed example
-# posted by Dmitrii Pichulin here:
+# to access it using pkcs11-provider. See detailed example posted
+# by Dmitrii Pichulin here:
 #
 # http://mailman.nginx.org/pipermail/nginx-devel/2014-October/006151.html
 #
-# Adapted to provider usage based on libp11 documentation, see here:
+# Adapted to provider usage based on libp11 documentation and
+# pkcs11-provider documentation, see here:
 #
 # https://github.com/OpenSC/libp11
+# https://github.com/latchset/pkcs11-provider
 #
 # Note that library paths are different on different systems. We try
 # to detect some known ones.
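Review bot: The comment above the new `env SOFTHSM2_CONF;` line says why the variable has to reach the workers but not what it controls, which is the part a practitioner wants: SOFTHSM2_CONF is how SoftHSM finds its token directory, so if the provider's post-fork re-initialisation ran in a worker without it, the token would presumably be looked up through a system-wide softhsm2.conf instead of the test's private one, or fail. Where the test itself exports SOFTHSM2_CONF is not in this hunk, so I cannot confirm that it points at a per-test directory. Suggested wording: `# SoftHSM locates its token directory via SOFTHSM2_CONF; the env directive is needed because nginx otherwise drops inherited environment variables before spawning workers, and the provider's post-fork re-init would then use the system-wide softhsm2.conf (or fail)`. The nginx.conf heredoc this line sits in starts and ends outside the hunk.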
@@ -102,22 +109,41 @@ EOF
 # Still, detected libraries might not match OpenSSL library used when
 # building nginx, or the "openssl" tool in path, so everything will fail.
 # As such, this test is marked unsafe.
+#
+# Note well that pkcs11-provider asks for PIN after fork() via the default
+# user interface (not the one explicitly passed to OSSL_STORE_open())
+# if PIN is not explicitly provided in the provider configuration with
+# "pkcs11-module-token-pin = ..." and/or PIN caching is not explicitly
+# enabled with "pkcs11-module-cache-pins = cache". Even "pin-value=..." in
+# PKCS#11 URI is not enough. We use PIN in the configuration explicitly
+# set with "pkcs11-module-token-pin = 1234".
+#
+# Additionally, old versions of pkcs11-provider need various quirks
+# to work with SoftHSM. In particular, pkcs11-provider 0.3 as seen
+# on Ubuntu 24.04 needs at least:
+#
+# pkcs11-module-load-behavior = early
+# pkcs11-module-quirks = no-operation-state
+#
+# No quirks are needed with pkcs11-provider 1.0+.
 
-# Libraries on various systems: FreeBSD, Alpine, Debian
+# Libraries on various systems: FreeBSD, Alpine, Debian, Fedora
 
 my ($provider) = grep { -e $_ } qw!
- /usr/local/lib/ossl-modules/pkcs11prov.so
- /usr/lib/ossl-modules/pkcs11prov.so
- /usr/lib/x86_64-linux-gnu/ossl-modules/pkcs11prov.so
+ /usr/local/lib/ossl-modules/pkcs11.so
+ /usr/lib/ossl-modules/pkcs11.so
+ /usr/lib/x86_64-linux-gnu/ossl-modules/pkcs11.so
+ /usr/lib64/ossl-modules/pkcs11.so
 !;
 
 my ($softhsm) = grep { -e $_ } qw!
  /usr/local/lib/softhsm/libsofthsm2.so
  /usr/lib/softhsm/libsofthsm2.so
  /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so
+ /usr/lib64/pkcs11/libsofthsm2.so
 !;
 
-plan(skip_all => 'no libp11 pkcs11prov provider') unless $provider;
+plan(skip_all => 'no pkcs11-provider') unless $provider;
 plan(skip_all => 'no softhsm2') unless $softhsm;
 
 $t->write_file('openssl.conf', <<EOF);
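Review bot: The new comment block says pkcs11-provider 0.3 needs `pkcs11-module-load-behavior = early` and `pkcs11-module-quirks = no-operation-state` and that 1.0+ needs no quirks, but it does not say that the openssl.conf written further down in this file sets both unconditionally, so a reader may assume they are version-gated. "Not needed" is also weaker than "harmless": the comment should state whether the two settings have been confirmed to be benign with 1.0+, since the test only passes on those versions if they are. Suggested addition after the last `+#` line: `# The configuration below sets both unconditionally; they are expected to be harmless with newer versions (TODO: confirm against 1.0+)`. The PIN paragraph would likewise benefit from one sentence saying that 1234 is the PIN of the throwaway SoftHSM token this test creates, presumably elsewhere in the file, so the two literals have to be kept in sync by hand.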
@@ -134,11 +160,11 @@ pkcs11 = pkcs11_sect
 activate = 1
 
 [pkcs11_sect]
-identity = pkcs11prov
 module = $provider
-pkcs11_module = $softhsm
-debug_level = 2
-pin = 1234
+pkcs11-module-path = $softhsm
+pkcs11-module-token-pin = 1234
+pkcs11-module-load-behavior = early
+pkcs11-module-quirks = no-operation-state
 activate = 1
 
 [ req ]
@@ -193,7 +219,7 @@ foreach my $name ('localhost') {
 
 ###############################################################################
 
-like(http_get('/proxy'), qr/200 OK/, 'ssl store libp11 pkcs11prov');
+like(http_get('/proxy'), qr/200 OK/, 'ssl store pkcs11-provider');
 like(http_get('/var'), qr/200 OK/, 'ssl_certificate with variable');
 
 ###############################################################################
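Review bot: `pkcs11-module-token-pin = 1234` writes the token PIN in clear text into the generated openssl.conf, and the same literal is presumably repeated where the SoftHSM token is initialised, which is outside this hunk; nothing ties the two together, so a change to one of them would only be caught at runtime inside a worker. That is acceptable for a throwaway test token, but it deserves a one-line `#` comment in the config section saying so, and ideally a single source for the value, e.g. `my $pin = '1234';` used for both the token initialisation and `pkcs11-module-token-pin = $pin` in the heredoc. The openssl.conf heredoc that contains these lines starts and ends outside the hunk.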
