PKCS11SIGN.CNF(5)             File Formats Manual            PKCS11SIGN.CNF(5)

NAME

       pkcs11sign.cnf - Configuration for OpenSSL PKCS#11 sign provider module

DESCRIPTION

       The pkcs11-sign-provider implements the OpenSSL 3.0 provider interface
       and provides cryptographic operations on asymmetric key material that
       is held in a PKCS#11 infrastructure (e.g. opencryptoki). For more
       information see pkcs11sign(7).

CONFIGURATION

   OpenSSL Configuration
       The pkcs11-sign-provider can be configured per application or system-
       wide. In both cases, the configuration file needs to define a section
       for the pkcs11-sign-provider and reference it, following the OpenSSL
       configuration syntax (config(5)).

       The pkcs11-sign-provider section specifies the shared library of the
       provider itself (mandatory), the shared library of the Cryptoki
       implementation (mandatory) and initialization parameters for the
       Cryptoki implementation (optional). It is also possible to specify a
       forward provider. If no forward provider is specified, the OpenSSL
       built-in default provider is selected.

       The pkcs11-sign-provider must also be preferred in the algorithm
       properties, so that all requests are directed to the pkcs11-sign-
       provider. This can be done either in the application or in the
       configuration file (recommended).

   Provider Section
       A provider section in the OpenSSL configuration defines generic
       parameters, as well as provider-specific parameters. Each provider
       section can be referenced in a providers section. The pkcs11-sign-
       provider requires at least the generic provider section parameters
       module, identity, and activate. For more details about the generic
       provider parameters, see config(5).

       module (mandatory)
              This parameter takes a path to the provider shared object file.
              For the pkcs11-sign-provider, use the path to the installation
              location of pkcs11sign.so (provider shared object).

       identity (optional)
              This parameter specifies an alias name for the provider and
              overrides the provider name in the providers section. It is
              recommended to use the same name as in the providers section.

       activate (optional)
              If present, this parameter activates the provider section.

       The pkcs11-sign-provider defines the provider-specific parameters
       pkcs11sign-module-path, pkcs11sign-module-init-args, and
       pkcs11sign-forward.

       pkcs11sign-module-path (mandatory)
              This parameter takes the path to the shared object file of a
              PKCS#11 Cryptoki module implementation. The provider can be used
              with PKCS#11 Cryptoki modules implementing the PKCS#11 standard
              version 3.0 (or compatible).

       pkcs11sign-module-init-args (optional)
              This parameter takes a string that is passed to the Cryptoki
              module during its initialization.

       pkcs11sign-forward (optional)
              This parameter takes the name of a provider to which all
              operations that are not handled by the pkcs11-sign-provider
              itself (e.g. key derivation for ECDHE) are forwarded. If this
              parameter is not specified in the provider section, the
              pkcs11-sign-provider uses the built-in OpenSSL default provider
              as forward.

              The syntax for this parameter is
              "provider=<name_of_forward_provider>". See the configuration
              example for more details.

   EVP Configuration (alg_section)
       This section configures the algorithm properties for the EVP API. The
       pkcs11-sign-provider should be set as the preferred provider for all
       EVP algorithms by adding the expression "?provider=pkcs11sign" to
       default_properties.

   Configuration example
       This configuration example shows
           openssl_conf = openssl_init

           [openssl_init]
           providers = provider_sect
           alg_section = evp_properties

           [provider_sect]
           default = default_sect
           base = base_sect
           pkcs11sign = pkcs11sign_sect

           [evp_properties]
           default_properties = ?provider=pkcs11sign

           [pkcs11sign_sect]
           module = /path/to/pkcs11sign.so
           identity = pkcs11sign
           pkcs11sign-module-path = /path/to/libopencryptoki.so.0
           pkcs11sign-forward = provider=default
           activate = 1
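
       The reference chain described in the Provider Section, the provider-
       specific parameters, the EVP configuration and the configuration
       example above (openssl_conf to providers to the provider section, and
       alg_section to default_properties) is easy to get subtly wrong, and a
       mistake such as a pkcs11sign-forward value without the "provider="
       prefix or a missing "?provider=pkcs11sign" is easy to overlook. The
       following validator is an added example, not code from this man page
       or from the pkcs11-sign-provider project. It parses the "[section]" /
       "key = value" subset of the config(5) syntax, takes the configuration
       example above as its sample input, and reports the findings a
       deployment check would want; all function and variable names are the
       example's own.

```python
"""Check the pkcs11-sign-provider part of an OpenSSL-style configuration.

Added example, not from the pkcs11sign.cnf man page or the provider itself:
parses the "[section]" / "key = value" subset of config(5) syntax (no quoting
or $variable expansion) and follows openssl_conf -> providers -> provider
section and openssl_conf -> alg_section -> default_properties.
"""
import re

# The man page's own example configuration, reproduced as the sample input;
# the /path/to/... values are the page's placeholders.
SAMPLE_CNF = """\
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect
alg_section = evp_properties

[provider_sect]
default = default_sect
base = base_sect
pkcs11sign = pkcs11sign_sect

[evp_properties]
default_properties = ?provider=pkcs11sign

[pkcs11sign_sect]
module = /path/to/pkcs11sign.so
identity = pkcs11sign
pkcs11sign-module-path = /path/to/libopencryptoki.so.0
pkcs11sign-forward = provider=default
activate = 1
"""

TOP = ""  # unnamed first section (config(5) calls it the default section)
SECTION_RE = re.compile(r"\[\s*([^\]\s]+)\s*\]")
FORWARD_RE = re.compile(r"provider=([A-Za-z0-9_.-]+)")  # "provider=<name>"

def parse_cnf(text):
    """Return {section_name: {key: value}}; '#' starts a comment."""
    sections = {TOP: {}}
    current = sections[TOP]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = SECTION_RE.fullmatch(line)
        if m:
            current = sections.setdefault(m.group(1), {})
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"not a 'key = value' line: {raw!r}")
        current[key.strip()] = value.strip()
    return sections

def _follow(sections, container, key):
    """Resolve 'key = name' in container to (name, section or None)."""
    name = container.get(key)
    return name, (sections.get(name) if name else None)

def check_pkcs11sign(sections, name="pkcs11sign"):
    """Return a list of findings; empty means the reference chain is consistent."""
    init_name, init = _follow(sections, sections[TOP], "openssl_conf")
    if init is None:
        return [f"openssl_conf does not point at an existing section ({init_name!r})"]
    prov_name, providers = _follow(sections, init, "providers")
    if providers is None:
        return [f"[{init_name}] 'providers' does not point at an existing section"]
    sect_name, sect = _follow(sections, providers, name)
    if sect is None:
        return [f"[{prov_name}] has no '{name}' entry pointing at a section"]

    findings = []
    # Parameters the man page marks as mandatory, plus activation and identity.
    for key in ("module", "pkcs11sign-module-path"):
        if key not in sect:
            findings.append(f"[{sect_name}] missing mandatory parameter '{key}'")
    if "activate" not in sect:
        findings.append(f"[{sect_name}] has no 'activate'; the provider is not loaded")
    if sect.get("identity", name) != name:
        findings.append(f"[{sect_name}] identity '{sect['identity']}' differs from '{name}'")

    # pkcs11sign-forward must read "provider=<name>", and that provider should
    # itself be listed in the providers section so that OpenSSL loads it.
    fwd = sect.get("pkcs11sign-forward")
    if fwd is not None:
        m = FORWARD_RE.fullmatch(fwd)
        if m is None:
            findings.append(f"[{sect_name}] pkcs11sign-forward must be 'provider=<name>', got {fwd!r}")
        elif m.group(1) not in providers:
            findings.append(f"[{sect_name}] forward provider '{m.group(1)}' is not listed in [{prov_name}]")

    # EVP preference: default_properties must carry "?provider=<name>".
    _, alg = _follow(sections, init, "alg_section")
    props = [p.strip() for p in (alg or {}).get("default_properties", "").split(",")]
    if f"?provider={name}" not in props:
        findings.append(f"default_properties lacks '?provider={name}'; EVP will not prefer the provider")
    return findings

def weakened(text):
    """Construct a misconfigured variant: EVP preference dropped, forward malformed."""
    return (text.replace("default_properties = ?provider=pkcs11sign", "default_properties =")
                .replace("pkcs11sign-forward = provider=default", "pkcs11sign-forward = default"))

if __name__ == "__main__":
    for label, cnf in (("page example", SAMPLE_CNF), ("weakened", weakened(SAMPLE_CNF))):
        print(label + ":", check_pkcs11sign(parse_cnf(cnf)) or ["ok"])
```

       Run as a script, the page's example passes and the weakened copy (no
       EVP preference, forward value without the "provider=" prefix) produces
       two findings; pass the contents of your own file to parse_cnf to check
       a deployment. The parser deliberately ignores config(5) features such
       as quoting and $variable expansion, so a configuration that relies on
       them should be checked with OpenSSL's own configuration parser instead.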

ENVIRONMENT

       The pkcs11-sign-provider can generate a detailed log file. Log file
       generation is enabled by setting the environment variables
       PKCS11SIGN_DEBUG and PKCS11SIGN_DEBUG_LEVEL. The internal logging
       stays disabled until these environment variables are set.

       PKCS11SIGN_DEBUG
              This variable specifies the path to the log file. If specified,
              it will enable the logging. The pkcs11-sign-provider overwrites
              an existing file in this location.

       PKCS11SIGN_DEBUG_LEVEL
              This variable specifies the debugging level. Supported values
              are error (0), warning (1), info (2), and debug (3).

SEE ALSO

       config(5), pkcs11sign(7)

       Copyright © International Business Machines Corp. 2022, 2023

pkcs11sign.cnf                    2023-05-17                 PKCS11SIGN.CNF(5)