Bug 1731497 - error when initializing ibmpkcs11 engine
Summary: error when initializing ibmpkcs11 engine
Keywords:
Status: ASSIGNED
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: openssl-ibmpkcs11
Version: 8.0
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: rc
: 8.0
Assignee: Dan Horák
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-07-19 14:33 UTC by Karel Srot
Modified: 2020-02-07 17:08 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: Bug
Target Upstream Version:




Links
System: Github
ID: opencryptoki openssl-ibmpkcs11 issues 15
Priority: 'None'
Status: closed
Summary: ibmpkcs11 engine not loaded
Last Updated: 2020-02-07 17:21:15 UTC

Description Karel Srot 2019-07-19 14:33:45 UTC
Description of problem:

# OPENSSL_CONF=openssl.cnf.sample.s390x openssl engine -c
(dynamic) Dynamic engine loading support
(ibmpkcs11) PKCS#11 hardware engine support
 [RSA, RAND, DES-ECB, DES-CBC, DES-EDE3, DES-EDE3-CBC, AES-128-ECB, AES-128-CBC, AES-192-ECB, AES-192-CBC, AES-256-ECB, AES-256-CBC, MD5, SHA1, RSA-SHA1, hmacWithSHA1, SHA256, SHA384, SHA512, SHA224]
4395914725152:error:26078067:engine routines:engine_list_add:conflicting engine id:crypto/engine/eng_list.c:65:
4395914725152:error:2606906E:engine routines:ENGINE_add:internal list error:crypto/engine/eng_list.c:225:
4395914725152:error:260B6067:engine routines:dynamic_load:conflicting engine id:crypto/engine/eng_dyn.c:502:
4395914725152:error:260BC066:engine routines:int_engine_configure:engine configuration error:crypto/engine/eng_cnf.c:141:section=ibmpkcs11_section, name=dynamic_path, value=/usr/lib64/engines-1.1/ibmpkcs11.so
4395914725152:error:0E07606D:configuration file routines:module_run:module initialization error:crypto/conf/conf_mod.c:176:module=engines, value=engine_section, retcode=-1      

/var/log/messages contains:
Jul 19 10:15:09 ibm-z-143 pkcsconf[63118]: apiutil.c DL_Load: dlopen() failed for [libpkcs11_tpm.so]; dlerror = [libpkcs11_tpm.so: cannot open shared object file: No such file or directory]
Jul 19 10:15:09 ibm-z-143 pkcsconf[63118]: apiutil.c DL_Load: dlopen() failed for [libpkcs11_ica.so]; dlerror = [libpkcs11_ica.so: cannot open shared object file: No such file or directory]
Jul 19 10:15:09 ibm-z-143 pkcsconf[63118]: apiutil.c DL_Load: dlopen() failed for [libpkcs11_cca.so]; dlerror = [libpkcs11_cca.so: cannot open shared object file: No such file or directory]
Jul 19 10:15:09 ibm-z-143 pkcsconf[63118]: apiutil.c DL_Load: dlopen() failed for [libpkcs11_ep11.so]; dlerror = [libpkcs11_ep11.so: cannot open shared object file: No such file or directory]

I do not have other opencryptoki subpackages installed, only -libs and -swtok.
However, even if the other subpackages are installed and pkcsslotd is restarted, the error remains.

# rpm -q opencryptoki-swtok openssl openssl-ibmpkcs11
opencryptoki-swtok-3.10.0-3.el8.s390x
openssl-1.1.1-8.el8.s390x
openssl-ibmpkcs11-1.0.2-1.el8.s390x

# pkcsconf -t -c 3
Token #3 Info:
	Label: ibmtest                         
	Manufacturer: IBM Corp.                       
	Model: IBM SoftTok     
	Serial Number: 123             
	Flags: 0x44D (RNG|LOGIN_REQUIRED|USER_PIN_INITIALIZED|CLOCK_ON_TOKEN|TOKEN_INITIALIZED)
	Sessions: 0/18446744073709551614
	R/W Sessions: 18446744073709551615/18446744073709551614
	PIN Length: 4-8
	Public Memory: 0xFFFFFFFFFFFFFFFF/0xFFFFFFFFFFFFFFFF
	Private Memory: 0xFFFFFFFFFFFFFFFF/0xFFFFFFFFFFFFFFFF
	Hardware Version: 1.0
	Firmware Version: 1.0
	Time: 10:22:24

# pkcsconf -i
PKCS#11 Info
	Version 2.20 
	Manufacturer: IBM                              
	Flags: 0x0  
	Library Description: Meta PKCS11 LIBRARY              
	Library Version 3.10 
[root@ibm-z-143 tmp.AixJk5lsp8]# pkcsconf -s 3
Slot #3 Info
	Description: Linux
	Manufacturer: IBM
	Flags: 0x1 (TOKEN_PRESENT)
	Hardware Version: 0.0
	Firmware Version: 0.0

# cat openssl.cnf.sample.s390x
#
# OpenSSL example configuration file. This file will load the engine
# for all operations that the engine implements for all apps that
# have OpenSSL config support compiled into them.
#
# Adding OpenSSL config support is as simple as adding the following line to
# the app:
#
# #define OPENSSL_LOAD_CONF	1
#
openssl_conf = openssl_def

[openssl_def]
engines = engine_section

[engine_section]
ibmpkcs11 = ibmpkcs11_section

[ibmpkcs11_section]
SLOT_ID=3
dynamic_path = /usr/lib64/engines-1.1/ibmpkcs11.so
engine_id = ibmpkcs11
#
# The following algorithms will be enabled by these parameters
# to the default_algorithms line. Any combination of these is valid,
# with "ALL" denoting the same as all of them in a comma separated
# list.
#
# RSA
# - RSA encrypt, decrypt, sign and verify, key lengths 512-4096
#
# RAND
# - Hardware random number generation
#
# CIPHERS
# - DES-ECB, DES-CBC, DES-EDE3, DES-EDE3-CBC, AES-128-ECB, AES-128-CBC,
#   AES-192-ECB, AES-192-CBC, AES-256-ECB, AES-256-CBC symmetric crypto
#
# DIGESTS
# - SHA1, SHA256 digests
#
default_algorithms = ALL
#default_algorithms = RAND,RSA,CIPHERS,DIGESTS
init = 1
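
The error queue quoted in the description can be taken apart mechanically. The following is an added example, not part of the original report or of OpenSSL, and its function names are its own: it parses the OpenSSL 1.1.1 text error format, unpacks each hex code, and picks out the originating error and the configuration entry that was being processed.

```python
# Added example: triage helper for OpenSSL 1.1.1 text error queues.
# Function names are this example's own, not an OpenSSL or opencryptoki API.
import re

# Error lines copied from the report above.
REPORTED = """\
4395914725152:error:26078067:engine routines:engine_list_add:conflicting engine id:crypto/engine/eng_list.c:65:
4395914725152:error:2606906E:engine routines:ENGINE_add:internal list error:crypto/engine/eng_list.c:225:
4395914725152:error:260B6067:engine routines:dynamic_load:conflicting engine id:crypto/engine/eng_dyn.c:502:
4395914725152:error:260BC066:engine routines:int_engine_configure:engine configuration error:crypto/engine/eng_cnf.c:141:section=ibmpkcs11_section, name=dynamic_path, value=/usr/lib64/engines-1.1/ibmpkcs11.so
4395914725152:error:0E07606D:configuration file routines:module_run:module initialization error:crypto/conf/conf_mod.c:176:module=engines, value=engine_section, retcode=-1
"""

def parse_error_line(line):
    """Return a dict for one 'id:error:code:lib:func:reason:file:line:data' line, else None."""
    parts = line.strip().split(":", 8)
    if len(parts) < 8 or parts[1] != "error" or not parts[7].isdigit():
        return None
    try:
        code = int(parts[2], 16)
    except ValueError:
        return None
    data = parts[8] if len(parts) == 9 else ""
    pairs = (kv.split("=", 1) for kv in re.split(r",\s*", data) if "=" in kv)
    return {
        # OpenSSL 1.1.1 packs the code as 8 bits library, 12 bits function, 12 bits reason.
        "lib_num": (code >> 24) & 0xFF,
        "func_num": (code >> 12) & 0xFFF,
        "reason_num": code & 0xFFF,
        "lib": parts[3], "func": parts[4], "reason": parts[5],
        "file": parts[6], "line": int(parts[7]),
        "data": {k.strip(): v.strip() for k, v in pairs},
    }

def parse_queue(text):
    """Parse every error line; the queue is printed oldest first, so entry 0 is the origin."""
    return [e for e in map(parse_error_line, text.splitlines()) if e]

def config_context(entries):
    """First entry that names the config section being processed, or None."""
    return next((e["data"] for e in entries if "section" in e["data"]), None)

if __name__ == "__main__":
    queue = parse_queue(REPORTED)
    print("origin:", queue[0]["func"], "->", queue[0]["reason"], queue[0]["file"], queue[0]["line"])
    print("config:", config_context(queue))
```

On the reported output, the origin is `engine_list_add` with reason "conflicting engine id", and the configuration entry in play is `dynamic_path` in `ibmpkcs11_section`.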

Comment 2 Dan Horák 2019-07-24 11:35:00 UTC
Reproduced on Fedora and reported upstream.

