provider: Add new configuration option assume_fips

When OpenSSL runs in FIPS Mode, it will not use any providers that do not provide a property fips=yes, rendering the pkcs11 provider unusable in FIPS Mode. This is a regression and for many users that need to have smart cards working in FIPS Mode. Unfortunately, proper signalization from pkcs11 modules regarding the tokens FIPS certification status is not standardized yet, this will be left up to the user to decide if the pkcs11 modules talk to FIPS certified token or not. This involves adjusting the algorithm lists to contain dynamic properties based on this configuration option, where we previously had hardcoded just provider=pkcs11. Fixes: #469, #164 Signed-off-by: Jakub Jelen <[email protected]>
latchset · Jan 15, 2025 · d7e80bc · d7e80bc
1 parent 9e5635b
commit d7e80bc
Show file tree

Hide file tree

Showing 4 changed files with 247 additions and 220 deletions.
diff --git a/docs/provider-pkcs11.7 b/docs/provider-pkcs11.7
@@ -1,27 +1,10 @@
-.\" Automatically generated by Pandoc 3.1.3
+.\" Automatically generated by Pandoc 3.1.11.1
 .\"
-.\" Define V font for inline verbatim, using C font in formats
-.\" that render this, and otherwise B font.
-.ie "\f[CB]x\f[]"x" \{\
-. ftr V B
-. ftr VI BI
-. ftr VB B
-. ftr VBI BI
-.\}
-.el \{\
-. ftr V CR
-. ftr VI CI
-. ftr VB CB
-. ftr VBI CBI
-.\}
-.TH "provider-pkcs11" "7" "" "" "Configuration directives"
-.hy
+.TH "provider\-pkcs11" "7" "" "" "Configuration directives"
 .SH NAME
-.PP
-pkcs11-provider - An OpenSSL provider that allows to directly interface
-with pkcs11 drivers.
+pkcs11\-provider \- An OpenSSL provider that allows to directly
+interface with pkcs11 drivers.
 .SH DESCRIPTION
-.PP
 Starting with version 3.0 the OpenSSL project introduced a new modular
 system to extend OpenSSL that replaces the deprecated Engines modules.
 .PP
@@ -35,34 +18,30 @@ PKCS#11(2) driver and the use of pkcs11 URIs(3).
 The pkcs11 provider can be configured to be automatically loaded via
 openssl.cnf
 .SH CONFIGURATION
-.PP
 Configuration options recognized by the provider
-.SS pkcs11-module-path
-.PP
+.SS pkcs11\-module\-path
 A file path to the pkcs11 driver to be used
 .PP
-Default: If compiled with p11-kit defaults to its proxy driver,
+Default: If compiled with p11\-kit defaults to its proxy driver,
 otherwise none.
 .PP
 NOTE: See also PKCS11_PROVIDER_MODULE in the environment variables
 section.
 .PP
 Example:
 .PP
-\f[V]pkcs11-module-path = /usr/lib64/opensc-pkcs11.so\f[R]
-.SS pkcs11-module-init-args
-.PP
-Non-standard initialization arguments some pkcs11 driver may need.
+\f[CR]pkcs11\-module\-path = /usr/lib64/opensc\-pkcs11.so\f[R]
+.SS pkcs11\-module\-init\-args
+Non\-standard initialization arguments some pkcs11 driver may need.
 Generally not used, but some software tokens like NSS\[cq]s softokn
 require this.
 .PP
 Default: None
 .PP
 Example:
 .PP
-\f[V]pkcs11-module-init-args = configDir=/etc/pki/token\f[R]
-.SS pkcs11-module-token-pin
-.PP
+\f[CR]pkcs11\-module\-init\-args = configDir=/etc/pki/token\f[R]
+.SS pkcs11\-module\-token\-pin
 The user PIN to be used with the token.
 If a PIN is not set in configuration it can be asked interactively (if
 the application uses prompters), or it can be specified together with
@@ -74,19 +53,16 @@ Default: None
 .PP
 Example:
 .PP
-\f[V]pkcs11-module-token-pin = file:/etc/pki/pin.txt\f[R]
+\f[CR]pkcs11\-module\-token\-pin = file:/etc/pki/pin.txt\f[R]
 .IP
-.nf
-\f[C]
+.EX
 cat /etc/pki/pin.txt
 123456
-\f[R]
-.fi
-.SS pkcs11-module-allow-export
-.PP
+.EE
+.SS pkcs11\-module\-allow\-export
 Whether the pkcs11 provider will allow to export public keys through
 OpenSSL.
-OpenSSL often tries to export public keys from non-default providers to
+OpenSSL often tries to export public keys from non\-default providers to
 the default provider, and then use OpenSSL own functions to handle
 whatever operation is associated with the public key.
 This option can be useful to force public key operations to be executed
@@ -98,30 +74,28 @@ Default: 0 (Allow Export)
 .PP
 Example:
 .PP
-\f[V]pkcs11-module-allow-export = 1\f[R] (This disallows export of
+\f[CR]pkcs11\-module\-allow\-export = 1\f[R] (This disallows export of
 public keys)
-.SS pkcs11-module-cache-keys
-.PP
-Whether the pkcs11-provider should ask the token to cache token keys in
+.SS pkcs11\-module\-cache\-keys
+Whether the pkcs11\-provider should ask the token to cache token keys in
 the session.
 This is used in some tokens as a performance optimizations.
 For example software tokens that store keys encrypted can keep a copy of
 the key in the session to speed up access.
 Or Networked HSMs that allow exporting key material can cache the key in
-the session instead of re-requesting it over the network.
+the session instead of re\-requesting it over the network.
 .PP
 Two options are available: * true * false
 .PP
 Default: true (Note: if the token does not support session caching, then
-caching will be auto-disabled after the first attempt)
+caching will be auto\-disabled after the first attempt)
 .PP
 Example:
 .PP
-\f[V]pkcs11-module-cache-keys = false\f[R] (Disable any attempt of
+\f[CR]pkcs11\-module\-cache\-keys = false\f[R] (Disable any attempt of
 caching keys in the session)
-.SS pkcs11-module-cache-pins
-.PP
-Whether the pkcs11-provider should cache a pin entered interactively.
+.SS pkcs11\-module\-cache\-pins
+Whether the pkcs11\-provider should cache a pin entered interactively.
 This is useful to allow starting a service and providing the pin only
 manually, yet let the service perform multiple logins as needed, for
 example after forking.
@@ -132,10 +106,9 @@ Default: unset (No caching)
 .PP
 Example:
 .PP
-\f[V]pkcs11-module-cache-pins = cache\f[R] (Will cache a pin that has
-been entered manually)
-.SS pkcs11-module-cache-sessions
-.PP
+\f[CR]pkcs11\-module\-cache\-pins = cache\f[R] (Will cache a pin that
+has been entered manually)
+.SS pkcs11\-module\-cache\-sessions
 Allows to tune how many pkcs11 sessions may be kept open and cached for
 rapid use.
 This parameter is adjusted based on the maximum number of sessions the
@@ -146,9 +119,8 @@ Default: 5
 .PP
 Example:
 .PP
-\f[V]pkcs11-module-cache-sessions = 0\f[R] (Disables caching)
-.SS pkcs11-module-login-behavior
-.PP
+\f[CR]pkcs11\-module\-cache\-sessions = 0\f[R] (Disables caching)
+.SS pkcs11\-module\-login\-behavior
 Whether the pkcs11 provider will attempt to login to the token when a
 public key is being requested.
 .PP
@@ -161,11 +133,10 @@ Default: \[lq]auto\[rq]
 .PP
 Example:
 .PP
-\f[V]pkcs11-module-login-behavior = always\f[R] (Always tries to login
-before loading public keys)
-.SS pkcs11-module-load-behavior
-.PP
-Whether the pkcs11-provider immediately loads an initializes the pkcs11
+\f[CR]pkcs11\-module\-login\-behavior = always\f[R] (Always tries to
+login before loading public keys)
+.SS pkcs11\-module\-load\-behavior
+Whether the pkcs11\-provider immediately loads an initializes the pkcs11
 module as soon as OpenSSL loads the provider (generally at application
 startup), or defer initialization until the first time a pkcs11 key is
 loaded (or some other operation explicitly requiring the pkcs11 provider
@@ -178,45 +149,39 @@ Default: unset (Loads only at first use)
 .PP
 Example:
 .PP
-\f[V]pkcs11-module-load-behavior = early\f[R] (Loads pkcs11 module
+\f[CR]pkcs11\-module\-load\-behavior = early\f[R] (Loads pkcs11 module
 immediately at application startup)
-.SS pkcs11-module-quirks
-.PP
+.SS pkcs11\-module\-quirks
 Workarounds that may be needed to deal with some tokens and cannot be
 autodetcted yet are not appropriate defaults.
-.SS no-deinit
-.PP
-It prevents de-initing when OpenSSL winds down the provider.
+.SS no\-deinit
+It prevents de\-initing when OpenSSL winds down the provider.
 NOTE this option may leak memory and may cause some modules to misbehave
 if the application intentionally unloads and reloads them.
-.SS no-operation-state
-.PP
+.SS no\-operation\-state
 OpenSSL by default assumes contexts with operations in flight can be
 easily duplicated.
 That is only possible if the tokens support getting and setting the
 operation state.
 If the quirk is enabled the context duplication is not performed.
-.SS no-session-callbacks
-.PP
+.SS no\-session\-callbacks
 Some implementatations of PKCS11 don\[cq]t allow setting
-\f[V]pApplication\f[R] and \f[V]Notify\f[R] callback functions in
-\f[V]C_OpenSession\f[R].
+\f[CR]pApplication\f[R] and \f[CR]Notify\f[R] callback functions in
+\f[CR]C_OpenSession\f[R].
 This option sets NULL values for both callbacks.
-.SS no-allowed-mechanisms
-.PP
+.SS no\-allowed\-mechanisms
 Some implementatations of PKCS11 don\[cq]t support
-\f[V]CKA_ALLOWED_MECHANISMS\f[R] attribute on keys.
+\f[CR]CKA_ALLOWED_MECHANISMS\f[R] attribute on keys.
 Setting this quirk prevents the provider from attempting to set and read
 this attribute.
 .PP
 Default: none
 .PP
 Example:
 .PP
-\f[V]pkcs11-module-quirks = no-deinit no-operation-state\f[R] (Disables
-deinitialization, blocks context duplication)
-.SS pkcs11-module-block-operations
-.PP
+\f[CR]pkcs11\-module\-quirks = no\-deinit no\-operation\-state\f[R]
+(Disables deinitialization, blocks context duplication)
+.SS pkcs11\-module\-block\-operations
 Allows to block specific \[lq]provider operations\[rq] even if the token
 actually supports the necessary mechanisms.
 This is useful to work around cases where one wants to enforce use of
@@ -230,27 +195,39 @@ Use carefully.
 .PP
 Default: none
 .PP
-Example: \f[V]pkcs11-module-block-operations = digest\f[R] (Disables
+Example: \f[CR]pkcs11\-module\-block\-operations = digest\f[R] (Disables
 digest mechanisms, which will be instead routed to the OpenSSL default
 provider in most configurtions)
-.SH ENVIRONMENT VARIABLES
+.SS pkcs11\-module\-assume\-fips
+Assume the token used by the PKCS#11 module is FIPS certified.
+.PP
+Due to the incomplete specification for signalization of the
+certification from the pkcs11 modules, this can not be determined
+automatically.
+If you know your token is FIPS certified, you need to set this
+configuration option to true.
+Otherwise the pkcs11\-provider will not work in FIPS Mode.
+.PP
+Default: False
 .PP
+Example:
+.PP
+\f[CR]pkcs11\-module\-assume\-fips = true\f[R]
+.SH ENVIRONMENT VARIABLES
 Environment variables recognized by the provider
 .SS PKCS11_PROVIDER_MODULE
-.PP
 This variable can be used to set a different pkcs11 driver to be used.
 It is useful when an application needs to use a different driver than
 the rest of the system.
-This environment variable \f[B]overrides\f[R] the pkcs11-module-path
+This environment variable \f[B]overrides\f[R] the pkcs11\-module\-path
 option sets in openssl.cnf
 .PP
 Example:
 .PP
-\f[V]PKCS11_PROVIDER_MODULE = /usr/lib64/opensc-pkcs11.so\f[R]
+\f[CR]PKCS11_PROVIDER_MODULE = /usr/lib64/opensc\-pkcs11.so\f[R]
 .SS PKCS11_PROVIDER_DEBUG
-.PP
 This variable can be set to obtain debug information.
-Two sub-options can be specified: file, level
+Two sub\-options can be specified: file, level
 .PP
 The normal debug_level is 1, if a higher level is provider then
 additional information (like all supported mechanism info for each slot)
@@ -262,11 +239,10 @@ cannot be used in values.
 .PP
 Examples:
 .PP
-\f[V]PKCS11_PROVIDER_DEBUG=file:/tmp/debug.log\f[R]
+\f[CR]PKCS11_PROVIDER_DEBUG=file:/tmp/debug.log\f[R]
 .PP
-\f[V]PKCS11_PROVIDER_DEBUG=file:/dev/stderr,level:2\f[R]
+\f[CR]PKCS11_PROVIDER_DEBUG=file:/dev/stderr,level:2\f[R]
 .SH USE IN OLDER APPLICATIONS (URIs in PEM files)
-.PP
 It is strongly suggested to update applications to use the new
 OSSL_STORE API provided by OpenSSL 3.0 which accepts URIs to
 transparenly load keys from either files or any other supported
@@ -277,9 +253,9 @@ tool to generate a \[lq]wrapper\[rq] PEM file that contains the PKCS#11
 URI needed to identify a key on the a token.
 .PP
 This PEM file can be loaded via the clasic methods used to parse PEM/DER
-representations of keys and will trigger the use of the pkcs11-provider
+representations of keys and will trigger the use of the pkcs11\-provider
 decoders when the provider is loaded.
-An error will be returned if the provider is not pre-loaded or an older
+An error will be returned if the provider is not pre\-loaded or an older
 version of OpenSSL is used.
 .PP
 In tools/uri2pem.py there is a sample python script that can take a key
@@ -290,17 +266,13 @@ These files are not encrypted.
 The follwing command can be used to list all keys on a token and print
 their identifying URI:
 .IP
-.nf
-\f[C]
-openssl storeutl -keys -text pkcs11:
-\f[R]
-.fi
+.EX
+openssl storeutl \-keys \-text pkcs11:
+.EE
 .SH EXAMPLES
-.PP
 openssl.cnf:
 .IP
-.nf
-\f[C]
+.EX
 HOME = .
 
 # Use this in order to automatically load providers.
@@ -317,18 +289,18 @@ pkcs11 = pkcs11_sect
 activate = 1
 
 [pkcs11_sect]
-module = /usr/lib64/ossl-modules/pkcs11.so
-pkcs11-module-path = /usr/lib64/pkcs11/vendor_pkcs11.so
-pkcs11-module-token-pin = /etc/ssl/pinfile.txt
+module = /usr/lib64/ossl\-modules/pkcs11.so
+pkcs11\-module\-path = /usr/lib64/pkcs11/vendor_pkcs11.so
+pkcs11\-module\-token\-pin = /etc/ssl/pinfile.txt
 activate = 1
-\f[R]
-.fi
+.EE
 .SH SEE ALSO
 .IP "1." 3
-PROVIDER(7) man page -
+PROVIDER(7) man page \-
 https://www.openssl.org/docs/manmaster/man7/provider.html
 .IP "2." 3
-PKCS#11 Technical committe and standards -
-https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=pkcs11
+PKCS#11 Technical committe and standards \-
+https://www.oasis\-open.org/committees/tc_home.php?wg_abbrev=pkcs11
 .IP "3." 3
-PKCS#11 URI Scheme - RFC 7512 - https://www.rfc-editor.org/rfc/rfc7512
+PKCS#11 URI Scheme \- RFC 7512 \-
+https://www.rfc\-editor.org/rfc/rfc7512