p11-kit fails to access a module?

[mouse07410]

Environment: MacOS Sequoia 15.5, p11tool 3.7.11.

Config: I have three modules defined in ~/.config/pkcs11/modules/, and two devices: Yubikey-4, and YubiHSM2.

$ ll ~/.config/pkcs11/modules/
total 24
drwxr-xr-x  5 ur20980  staff  160 Jun 18 10:41 ./
drwxr-xr-x  4 ur20980  staff  128 May  3  2023 ../
-rw-r--r--  1 ur20980  staff  157 Nov 14  2021 pkcs11.module
-rw-r--r--  1 ur20980  staff  213 Jun 18 10:41 yhsm2.module
-rw-r--r--  1 ur20980  staff  151 Nov 19  2021 ykcs11.module
$ 

Two modules refer to the same Yubikey-4 (one accesses it through OpenSC, the other one - via Yubico YKCS11 library/module). Both of those seem to work fine.

The third module defines access to YubiHSM2 (file yhsm2.module):

# For normal access
module: /usr/local/lib/pkcs11/yubihsm_pkcs11.dylib
# For debug - in which case set
# PKCS11SPY=/usr/local/lib/pkcs11/yubihsm_pkcs11.dylib
#module=/Library/OpenSC/lib/pkcs11-spy.so
critical: no

Problem:
p11tool --list-token-urls doesn't even try to access the HSM:

$ p11tool --list-token-urls
pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=Default%20Trust
pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust
pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=xxxxxxx;token=xxxxxxxxxxxxxx
pkcs11:model=YubiKey%20YK4;manufacturer=Yubico%20%28www.yubico.com%29;serial=xxxxxxxxx;token=YubiKey%20PIV%20%23xxxxxxxxxx
$ 

It used to work several months ago. Does not work anymore. Help, please?

[ueno]

Do you see any indication if you run p11tool under P11_KIT_DEBUG=all ?

[mouse07410]

Do you see any indication if you run p11tool under P11_KIT_DEBUG=all ?

Alas, no. Will post the actual log soon.

Update: The log: p11-debug.txt

[mouse07410]

Modifying OpenSSL openssl.cnf seemed to help here, so closing for now.

[mouse07410]

Alas, I was too quick considering this resolved. :-(

Running p11-kit on a local machine indeed seems to work fine.

However, running from a remote, I still have the problem with p11-kit. Note that when I replace p11-kit-proxy.dylib with yubihsm_pkcs11.dylib - HSM access works perfectly.

Similarly, when instead of PKCS11 provider I use PKCS11 engine (libp11), pointing it at the HSM PKCS11 module instead of p11-kit-proxy (who's supposed to provide transition to the module defined in ~/.config/pkcs11/modules/yhsm2.module), it works fine.

$ PKCS11_KIT_DEBUG=all openssl dgst -sign "pkcs11:model=YubiHSM;token=YubiHSM;id=%57%3d;object-type=private" -sha384 -out /tmp/t.sig1 /tmp/t.dat
Enter pass phrase for PKCS#11 Token (Slot 19 - YubiHSM Connector 0.0.0.0):
Could not find private key from pkcs11:model=YubiHSM;token=YubiHSM;id=%57%3d;object-type=private
$ 

Here's the log. I noticed that there seems to be no reaction to PKCS11_KIT_DEBUG=all env var.

p11kit-debug2.txt

Here's the good (working) log:

$ PKCS11_KIT_DEBUG=all openssl dgst -engine pkcs11 -keyform ENGINE -sign "pkcs11:model=YubiHSM;token=YubiHSM;id=%57%3d;object-type=private" -sha384 -out /tmp/t.sig1 /tmp/t.dat
Engine "pkcs11" set.
Enter PKCS#11 token PIN for YubiHSM:
$ openssl dgst -engine pkcs11 -keyform ENGINE -verify "pkcs11:model=YubiHSM;token=YubiHSM;id=%57%3d;object-type=public" -sha384 -signature /tmp/t.sig1 /tmp/t.dat
Engine "pkcs11" set.
PKCS11_get_public_key returned NULL
Enter PKCS#11 token PIN for YubiHSM:
Verified OK
$ 

[ueno]

What's the difference between "local" and "remote"? Unless you configure p11-kit-server/client, p11-kit-proxy only enumerates local modules.

[mouse07410]

What's the difference between "local" and "remote"? Unless you configure p11-kit-server/client, p11-kit-proxy only enumerates local modules.

The actual PKCS11 driver for the HSM wraps PKCS11 traffic and sends it over HTTPS to the server, which accesses the actual (physical) HSM directly.

Thus, application (OpenSSL in this case) invokes PKCS11 provider. Provider, in turn, invokes PKCS11 driver for the specified URI.

So, when I run both PKCS11 driver and the HSM server on the same box - it seems to work OK. But when the "driver" is on a different machine - I'm having the above problem.

The problem only manifests itself if p11-kit is involved - i.e., when the "driver" is p11-kit who in turn invokes the "real" PKCS11 driver, based on the set of modules it's aware of (whose <name>.module files are in ~/.config/pkcs11/modules/).
When I tell the PKCS11 provider to invoke the HSM PKCS11 driver directly (via PKCS11_PROVIDER_MODULE=/path/to/YubiHSM/PKCS11_driver), it works OK between two different physical machines. But once I allow p11-kit to be a "go-between", it fails as shown above.