Bug 1731497 - error when initializing ibmpkcs11 engine
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: openssl-ibmpkcs11
Version: 8.0
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: rc
: 8.0
Assignee: Dan Horák
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-07-19 14:33 UTC by Karel Srot
Modified: 2021-02-01 07:42 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-02-01 07:42:18 UTC
Type: Bug
Target Upstream Version:


Links
System: Github
ID: opencryptoki openssl-ibmpkcs11 issues 15
Private: 0
Priority: 'None'
Status: closed
Summary: ibmpkcs11 engine not loaded
Last Updated: 2021-02-01 08:46:58 UTC

Description Karel Srot 2019-07-19 14:33:45 UTC
Description of problem:

# OPENSSL_CONF=openssl.cnf.sample.s390x openssl engine -c
(dynamic) Dynamic engine loading support
(ibmpkcs11) PKCS#11 hardware engine support
 [RSA, RAND, DES-ECB, DES-CBC, DES-EDE3, DES-EDE3-CBC, AES-128-ECB, AES-128-CBC, AES-192-ECB, AES-192-CBC, AES-256-ECB, AES-256-CBC, MD5, SHA1, RSA-SHA1, hmacWithSHA1, SHA256, SHA384, SHA512, SHA224]
4395914725152:error:26078067:engine routines:engine_list_add:conflicting engine id:crypto/engine/eng_list.c:65:
4395914725152:error:2606906E:engine routines:ENGINE_add:internal list error:crypto/engine/eng_list.c:225:
4395914725152:error:260B6067:engine routines:dynamic_load:conflicting engine id:crypto/engine/eng_dyn.c:502:
4395914725152:error:260BC066:engine routines:int_engine_configure:engine configuration error:crypto/engine/eng_cnf.c:141:section=ibmpkcs11_section, name=dynamic_path, value=/usr/lib64/engines-1.1/ibmpkcs11.so
4395914725152:error:0E07606D:configuration file routines:module_run:module initialization error:crypto/conf/conf_mod.c:176:module=engines, value=engine_section, retcode=-1      

/var/log/messages contains:
Jul 19 10:15:09 ibm-z-143 pkcsconf[63118]: apiutil.c DL_Load: dlopen() failed for [libpkcs11_tpm.so]; dlerror = [libpkcs11_tpm.so: cannot open shared object file: No such file or directory]
Jul 19 10:15:09 ibm-z-143 pkcsconf[63118]: apiutil.c DL_Load: dlopen() failed for [libpkcs11_ica.so]; dlerror = [libpkcs11_ica.so: cannot open shared object file: No such file or directory]
Jul 19 10:15:09 ibm-z-143 pkcsconf[63118]: apiutil.c DL_Load: dlopen() failed for [libpkcs11_cca.so]; dlerror = [libpkcs11_cca.so: cannot open shared object file: No such file or directory]
Jul 19 10:15:09 ibm-z-143 pkcsconf[63118]: apiutil.c DL_Load: dlopen() failed for [libpkcs11_ep11.so]; dlerror = [libpkcs11_ep11.so: cannot open shared object file: No such file or directory]

I do not have other opencryptoki subpackages installed, only -libs and -swtok.
However even if the other subpackages are installed and pkcsslotd restarted, the error remains.

# rpm -q opencryptoki-swtok openssl openssl-ibmpkcs11
opencryptoki-swtok-3.10.0-3.el8.s390x
openssl-1.1.1-8.el8.s390x
openssl-ibmpkcs11-1.0.2-1.el8.s390x

# pkcsconf -t -c 3
Token #3 Info:
	Label: ibmtest                         
	Manufacturer: IBM Corp.                       
	Model: IBM SoftTok     
	Serial Number: 123             
	Flags: 0x44D (RNG|LOGIN_REQUIRED|USER_PIN_INITIALIZED|CLOCK_ON_TOKEN|TOKEN_INITIALIZED)
	Sessions: 0/18446744073709551614
	R/W Sessions: 18446744073709551615/18446744073709551614
	PIN Length: 4-8
	Public Memory: 0xFFFFFFFFFFFFFFFF/0xFFFFFFFFFFFFFFFF
	Private Memory: 0xFFFFFFFFFFFFFFFF/0xFFFFFFFFFFFFFFFF
	Hardware Version: 1.0
	Firmware Version: 1.0
	Time: 10:22:24

# pkcsconf -i
PKCS#11 Info
	Version 2.20 
	Manufacturer: IBM                              
	Flags: 0x0  
	Library Description: Meta PKCS11 LIBRARY              
	Library Version 3.10 
[root@ibm-z-143 tmp.AixJk5lsp8]# pkcsconf -s 3
Slot #3 Info
	Description: Linux
	Manufacturer: IBM
	Flags: 0x1 (TOKEN_PRESENT)
	Hardware Version: 0.0
	Firmware Version: 0.0

# cat openssl.cnf.sample.s390x
#
# OpenSSL example configuration file. This file will load the engine
# for all operations that the engine implements for all apps that
# have OpenSSL config support compiled into them.
#
# Adding OpenSSL config support is as simple as adding the following line to
# the app:
#
# #define OPENSSL_LOAD_CONF	1
#
openssl_conf = openssl_def

[openssl_def]
engines = engine_section

[engine_section]
ibmpkcs11 = ibmpkcs11_section

[ibmpkcs11_section]
SLOT_ID=3
dynamic_path = /usr/lib64/engines-1.1/ibmpkcs11.so
engine_id = ibmpkcs11
#
# The following algorithms will be enabled by these parameters
# to the default_algorithms line. Any combination of these is valid,
# with "ALL" denoting the same as all of them in a comma separated
# list.
#
# RSA
# - RSA encrypt, decrypt, sign and verify, key lengths 512-4096
#
# RAND
# - Hardware random number generation
#
# CIPHERS
# - DES-ECB, DES-CBC, DES-EDE3, DES-EDE3-CBC, AES-128-ECB, AES-128-CBC,
#   AES-192-ECB, AES-192-CBC, AES-256-ECB, AES-256-CBC symmetric crypto
#
# DIGESTS
# - SHA1, SHA256 digests
#
default_algorithms = ALL
#default_algorithms = RAND,RSA,CIPHERS,DIGESTS
init = 1
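
Added example, not part of the original report: a small parser for the OpenSSL error-queue lines quoted above, which splits each packed error code into its library, function and reason numbers and picks out the first (oldest) entry as the point where the failure began. It assumes the OpenSSL 1.1.1 code layout (8 bits library, 12 bits function, 12 bits reason); the function names `parse_queue`, `root_cause` and `config_context` are made up for this example.

```python
import re

# One line of `openssl` error-queue output:
# <thread>:error:<code>:<library>:<function>:<reason>:<file>:<line>:<data>
LINE_RE = re.compile(
    r"^(?P<tid>\d+):error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):"
    r"(?P<func>[^:]*):(?P<reason>[^:]*):(?P<file>[^:]*):(?P<line>\d+):(?P<data>.*)$"
)

# Sample input: the five error lines as quoted in the report.
SAMPLE = """\
4395914725152:error:26078067:engine routines:engine_list_add:conflicting engine id:crypto/engine/eng_list.c:65:
4395914725152:error:2606906E:engine routines:ENGINE_add:internal list error:crypto/engine/eng_list.c:225:
4395914725152:error:260B6067:engine routines:dynamic_load:conflicting engine id:crypto/engine/eng_dyn.c:502:
4395914725152:error:260BC066:engine routines:int_engine_configure:engine configuration error:crypto/engine/eng_cnf.c:141:section=ibmpkcs11_section, name=dynamic_path, value=/usr/lib64/engines-1.1/ibmpkcs11.so
4395914725152:error:0E07606D:configuration file routines:module_run:module initialization error:crypto/conf/conf_mod.c:176:module=engines, value=engine_section, retcode=-1
"""

def parse_queue(text):
    """Return one dict per error line, in the order openssl printed them."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m is None:
            continue  # banner lines, algorithm lists, blank lines
        code = int(m["code"], 16)
        data = dict(p.split("=", 1) for p in m["data"].split(", ") if "=" in p)
        entries.append({
            "lib_num": (code >> 24) & 0xFF,     # OpenSSL 1.1.1 ERR_PACK layout
            "func_num": (code >> 12) & 0xFFF,
            "reason_num": code & 0xFFF,
            "lib": m["lib"], "func": m["func"], "reason": m["reason"],
            "where": f'{m["file"]}:{m["line"]}', "data": data,
        })
    return entries

def root_cause(entries):
    """The queue is printed oldest first, so entry 0 is where the failure began."""
    return entries[0] if entries else None

def config_context(entries):
    """Entries that name the configuration section, key or module involved."""
    return [(e["func"], e["data"]) for e in entries if e["data"]]

if __name__ == "__main__":
    first = root_cause(parse_queue(SAMPLE))
    print(f'root: {first["func"]}: {first["reason"]} ({first["where"]})')
    print(config_context(parse_queue(SAMPLE)))
```

On the lines from this report it shows the failure starting in `engine_list_add` with "conflicting engine id", reached while the `dynamic_path` key of `ibmpkcs11_section` was being processed.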

Comment 2 Dan Horák 2019-07-24 11:35:00 UTC
Reproduced on Fedora and reported upstream.

Comment 6 RHEL Program Management 2021-02-01 07:42:18 UTC
After evaluating this issue, there are no plans to address it further or fix it in an upcoming release.  Therefore, it is being closed.  If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened.
