Hello,
I understand that with OpenSSL 3 it is no longer necessary to use OpenSSL engines to use an HSM. Now with the new provider interface, the application does not even need to be aware of whether the key is in the HSM or not. OpenSSL will abstract all the work for the application.
The configuration pointed to by PKCS11 with OpenSSL 3.0 - #4 by leo suggests we just specify the pkcs11: url and, as long as openssl.cnf is set to load the pkcs11 provider, it works, without specifying the SslEngine key (which was required for the old PKCS#11 engine implementation).
The PKCS11 with provider configuration works for me. I am now trying to have the key directly in the TPM (i.e. created with tpm2-tools) and have mender use it. It “almost” works, see:
record_id=1 severity=info time="2025-Feb-08 17:30:24.984082" name="Global" msg="Successfully loaded private key from handle:0x81000004"
using interface /sys/class/net/eth0
record_id=2 severity=debug time="2025-Feb-08 17:30:25.043631" name="Global" msg="Got identity data: {"mac":"REDACTED"}"
record_id=3 severity=info time="2025-Feb-08 17:30:25.202369" name="Global" msg="Signing with: handle:0x81000004"
record_id=4 severity=debug time="2025-Feb-08 17:30:25.202669" name="Global" msg="Shasum is: 251e20438acddb47b46b5b4c54ee12ebf2cc47018cf212a62e9fa745055e4225"
Failed to process command line options: Error during crypto library setup: Failed to initialize the OpenSSL signer: error:03000096:digital envelope routines::operation not supported for this keytype
System error, code=2, No such file or directory
it fails to set up the signing context. I see the problem is happening when trying to initialize the signer here: mender/src/common/crypto/platform/openssl/crypto.cpp at master · mendersoftware/mender · GitHub
I don’t believe there is any problem in OpenSSL or in the tpm2 provider, because with OpenSSL I can do something like:
openssl pkeyutl -inkey handle:0x81000004 -sign -rawin -in testdata -out testdata.sig
and it works, so I believe it must be something with how mender is using the new OpenSSL API.
It is a bit weird that the source code in mender/src/common/crypto/platform/openssl/crypto.cpp at master · mendersoftware/mender · GitHub defines a ProviderPtr which is not used anywhere. I believe it is not necessary anyway, unless we want to customize the provider if it is not set in the default openssl.cnf.
For the record, if the tpm2 provider is not set in my default openssl.cnf I get:
Failed to process command line options: Error during crypto library setup: Failed to load the private key from the configuration: Failed to load the private key from: handle:0x81000004 error: error:80000002:system library::No such file or directory
error:1608010C:STORE routines::unsupported
System error, code=2, No such file or directory
(obviously, OpenSSL will refuse to use this key)
But if the configuration is properly set, it “almost” works and I get the problem described above.
Can anyone please point me in the right direction to try to fix this?
It would be awesome if we could use persistent handles in the TPM instead of PKCS#11 for the private key.
OpenSSL 3.2.1
Mender 4.0.6
tpm2-openssl 1.3.0
Thank you!
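The following script is an added example, not code from the post above or from the Mender project. It reproduces the command-line check from the post (openssl pkeyutl -sign -rawin) with a software RSA key instead of a TPM handle, so it runs without a TPM or the tpm2 provider, and it contrasts that hash-and-sign mode with signing a digest the caller computed first (the "Shasum is:" step an application performs before handing the data to the key). It also shows the first thing to check when a handle: or pkcs11: URI cannot be loaded: whether the provider actually appears in openssl list -providers. Assumptions: an OpenSSL 3.x openssl binary on PATH; the default provider is requested explicitly on each command so the host openssl.cnf does not change the outcome; the payload bytes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original post or from the Mender project.
# Reproduces the CLI sign/verify flow from the post with a software RSA key
# instead of a TPM handle, and contrasts hash-and-sign ("-rawin", as used in
# the post) with signing a digest computed by the caller beforehand.
# Assumptions: OpenSSL 3.x "openssl" on PATH; no TPM and no tpm2 provider.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Returns 0 when an OpenSSL 3.x CLI is available, 1 otherwise.
require_openssl3() {
    command -v openssl >/dev/null 2>&1 || return 1
    case "$(openssl version 2>/dev/null)" in
        "OpenSSL 3."*) return 0 ;;
        *) return 1 ;;
    esac
}

# Providers activated by the current configuration (plus "default", loaded
# here explicitly). For a TPM-resident key the tpm2 provider has to appear in
# this list; otherwise a "handle:" URI cannot be resolved and the key load
# fails in the STORE routines, as in the post's second error output.
list_providers() {
    openssl list -providers -provider default | awk '/^  [^ ]/ { print $1 }'
}

gen_key() {
    openssl genpkey -provider default -algorithm RSA \
        -pkeyopt rsa_keygen_bits:2048 -out "$WORK/key.pem" 2>/dev/null
    openssl pkey -provider default -in "$WORK/key.pem" -pubout -out "$WORK/pub.pem"
}

# Hash-and-sign: OpenSSL hashes the raw payload itself, then signs the digest.
sign_rawin() {  # $1 = payload file, $2 = signature output
    openssl pkeyutl -provider default -sign -rawin -digest sha256 \
        -inkey "$WORK/key.pem" -in "$1" -out "$2"
}

# Caller-hashed: compute SHA-256 first and hand only the digest to the key.
# digest:sha256 tells the RSA signer which DigestInfo to wrap the hash in, so
# with PKCS#1 v1.5 padding the result is byte-identical to the -rawin one.
sign_prehashed() {  # $1 = payload file, $2 = signature output
    openssl dgst -sha256 -binary -out "$WORK/payload.sha256" "$1"
    openssl pkeyutl -provider default -sign -pkeyopt digest:sha256 \
        -inkey "$WORK/key.pem" -in "$WORK/payload.sha256" -out "$2"
}

# Verification with the public key; pkeyutl exits non-zero on a bad signature.
verify_rawin() {  # $1 = payload file, $2 = signature file
    openssl pkeyutl -provider default -verify -rawin -digest sha256 \
        -pubin -inkey "$WORK/pub.pem" -in "$1" -sigfile "$2" >/dev/null
}

# Runs the whole flow; returns 0 only if every check holds.
demo() {
    gen_key
    # Constructed sample payload and a one-byte modification of it.
    printf 'constructed test payload\n' > "$WORK/payload"
    printf 'constructed test payload!\n' > "$WORK/tampered"

    sign_rawin "$WORK/payload" "$WORK/rawin.sig"
    sign_prehashed "$WORK/payload" "$WORK/prehashed.sig"

    # Both paths must produce the same bytes (PKCS#1 v1.5 is deterministic).
    cmp -s "$WORK/rawin.sig" "$WORK/prehashed.sig" || return 1
    # Each signature verifies against the original payload ...
    verify_rawin "$WORK/payload" "$WORK/rawin.sig" || return 1
    verify_rawin "$WORK/payload" "$WORK/prehashed.sig" || return 1
    # ... and is rejected for the modified payload.
    if verify_rawin "$WORK/tampered" "$WORK/rawin.sig" 2>/dev/null; then
        return 1
    fi
    echo "rawin and prehashed signatures match; tampered payload rejected"
}

if require_openssl3; then
    list_providers
    demo
else
    echo "OpenSSL 3.x CLI not found, nothing to demonstrate" >&2
fi
```

When the key lives in a TPM, the same two signing modes are what an application ends up exercising through the provider, and the error text from the post ("operation not supported for this keytype") is what OpenSSL reports when the provider holding the key does not implement the particular signing operation the application requested; running the CLI with an explicit -provider tpm2 (the tpm2-openssl option) and the same -rawin/-digest or -pkeyopt digest: choice as the application is a quick way to narrow down which mode the provider accepts before changing any openssl.cnf.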