PKCS11SIGN.CNF(5) File Formats Manual PKCS11SIGN.CNF(5)

NAME
pkcs11sign.cnf - Configuration for OpenSSL PKCS#11 sign provider module

DESCRIPTION
The pkcs11-sign-provider implements the OpenSSL 3.0 provider interface
and provides cryptographic operations on asymmetric key material that is
available in a PKCS#11 infrastructure (e.g. opencryptoki). For more
information see pkcs11sign(7).

OpenSSL Configuration
The pkcs11-sign-provider can be configured per application or
system-wide. In both cases, the configuration file needs to define and
reference a section for the pkcs11-sign-provider, following the OpenSSL
configuration syntax (config(5)).

The pkcs11-sign-provider section specifies the shared library of the
provider itself (mandatory), the shared library of the Cryptoki
implementation (mandatory) and initialization parameters for the Cryptoki
implementation (optional). It is also possible to specify a forward
provider. If no forward provider is specified, the OpenSSL built-in
default provider is selected.

The pkcs11-sign-provider must also be preferred in the algorithm
properties, so that all requests are directed to the pkcs11-sign-provider.
This can be done either in the application or in the configuration file
(recommended).

Provider Section
A provider section in the OpenSSL configuration defines generic
parameters as well as provider-specific parameters. Each provider section
can be referenced in a providers section. The pkcs11-sign-provider
requires at least the generic provider section parameters module,
identity, and activate. For more details about the generic provider
parameters, see config(5).

module (mandatory)
This parameter takes a path to the provider shared object file.
For the pkcs11-sign-provider, use the path to the installation
location of pkcs11sign.so (provider shared object).

identity (optional)
This parameter specifies an alias name for the provider and
overrides the provider name in the providers section. It is
recommended to use the same name as in the providers section.

activate (optional)
If present, this parameter activates the provider section.

The pkcs11-sign-provider defines the provider-specific parameters
pkcs11sign-module-path, pkcs11sign-module-init-args, and
pkcs11sign-forward.

pkcs11sign-module-path (mandatory)
This parameter takes the path to the shared object file of a
PKCS#11 Cryptoki module implementation. The provider can be used
with PKCS#11 Cryptoki modules implementing the PKCS#11 standard
version 3.0 (or compatible).

pkcs11sign-module-init-args (optional)
This parameter takes a parameter string, which is used during the
initialization of the Cryptoki module.

pkcs11sign-forward (optional)
The pkcs11sign-forward parameter takes the name of a provider to
which all operations not handled by the pkcs11-sign-provider itself
are forwarded, e.g. key derivation for ECDHE. If this parameter is
not specified in the provider section, the pkcs11-sign-provider will
use the built-in OpenSSL default provider as forward.

The syntax for this parameter is "provider=<name_of_forward_provider>".
See the configuration example for more details.

EVP Configuration (alg_section)
This section configures the algorithm properties for the EVP API. The
pkcs11-sign-provider should be set as the preferred provider for all
EVP algorithms by adding the expression "?provider=pkcs11sign" to
default_properties.

Configuration example
This configuration example shows
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect
alg_section = evp_properties

[provider_sect]
default = default_sect
base = base_sect
pkcs11sign = pkcs11sign_sect

[evp_properties]
default_properties = ?provider=pkcs11sign

[pkcs11sign_sect]
module = /path/to/pkcs11sign.so
identity = pkcs11sign
pkcs11sign-module-path = /path/to/libopencryptoki.so.0
pkcs11sign-forward = provider=default
activate = 1

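
As an added example (not part of this man page or of the pkcs11-sign-provider project), a small Python checker that reads an OpenSSL configuration and verifies the wiring described above: the providers section references a pkcs11sign section, the mandatory module and pkcs11sign-module-path parameters are present, the section is activated, pkcs11sign-forward uses the provider=<name> syntax, and default_properties prefers pkcs11sign. The embedded sample is constructed to mirror the configuration example; its paths are placeholders, and the parser is a deliberately minimal reader, not OpenSSL's own.

```python
import re
# Constructed sample mirroring the man page's configuration example; paths are placeholders.
SAMPLE_CNF = """openssl_conf = openssl_init
[openssl_init]
providers = provider_sect
alg_section = evp_properties
[provider_sect]
pkcs11sign = pkcs11sign_sect
[evp_properties]
default_properties = ?provider=pkcs11sign
[pkcs11sign_sect]
module = /path/to/pkcs11sign.so
identity = pkcs11sign
pkcs11sign-module-path = /path/to/libopencryptoki.so.0
pkcs11sign-forward = provider=default
activate = 1"""

def parse_openssl_cnf(text):
    """Minimal OpenSSL-style config reader: [section] headers, key = value, '#' comments."""
    sections, current = {"": {}}, ""   # keys before the first header go to section ''
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
        elif line:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections

def check_pkcs11sign_config(text):
    """Return the problems found; an empty list means the wiring pkcs11sign.cnf(5) requires is present."""
    cfg = parse_openssl_cnf(text)
    init = cfg.get(cfg[""].get("openssl_conf", ""), {})
    sect_name = cfg.get(init.get("providers", ""), {}).get("pkcs11sign")
    if not sect_name:
        return ["providers section does not reference a pkcs11sign section"]
    sect, problems = cfg.get(sect_name, {}), []
    for key in ("module", "pkcs11sign-module-path"):   # mandatory parameters
        if not sect.get(key):
            problems.append(f"[{sect_name}] is missing mandatory '{key}'")
    if "activate" not in sect:
        problems.append(f"[{sect_name}] is not activated")
    fwd = sect.get("pkcs11sign-forward")
    if fwd is not None and not re.fullmatch(r"provider=\S+", fwd):
        problems.append(f"[{sect_name}] pkcs11sign-forward must be 'provider=<name>'")
    props = cfg.get(init.get("alg_section", ""), {}).get("default_properties", "")
    if "?provider=pkcs11sign" not in props:
        problems.append("default_properties does not prefer pkcs11sign for EVP operations")
    return problems
```

Running check_pkcs11sign_config on the real file (read with open(...).read()) before deployment catches a forgotten activate or a missing default_properties entry, which would otherwise silently leave signing with the software default provider.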
ENVIRONMENT
The pkcs11-sign-provider can generate a detailed log file. Log-file
generation is enabled by setting the environment variables
PKCS11SIGN_DEBUG and PKCS11SIGN_DEBUG_LEVEL. Internal logging is
disabled until the environment variables are set.

PKCS11SIGN_DEBUG
This variable specifies the path to the log file. If specified,
it enables logging. The pkcs11-sign-provider will overwrite an
existing file at this location.

PKCS11SIGN_DEBUG_LEVEL
This variable specifies the debugging level. Supported values
are error (0), warning (1), info (2), and debug (3).

SEE ALSO
config(5), pkcs11sign(7)

COPYRIGHT
Copyright © International Business Machines Corp. 2022, 2023

pkcs11sign.cnf 2023-05-17 PKCS11SIGN.CNF(5)