mastercard / pkcs11-tools

A set of tools to manage objects on PKCS#11 cryptographic tokens. Compatible with many PKCS#11 libraries, including major HSM brands, NSS and softoken.

License: Other

Makefile 0.53% Shell 11.42% M4 2.21% C 82.54% Perl 0.21% Lex 1.34% Yacc 1.65% Python 0.11%
pkcs11 x509 keymanagment c-language aix solaris windows linux macos bsd

pkcs11-tools's Introduction

PKCS#11 tools

pkcs11-tools is a toolkit containing a bunch of small utilities to perform key management tasks on cryptographic tokens implementing a PKCS#11 interface. It features a number of commands similar to the unix CLI utilities, such as ls, mv, rm, od, and more. It also has specific commands to generate keys, generate CSRs, import certificates and other files, in a fashion compatible with most implementations, including both IBM and Oracle JVMs. It is also able to interface with NSS libraries from mozilla.org.

Some features:

  • support for DES, 3DES, AES, HMAC, RSA, DSA, DH, Elliptic curves (NIST curves, Edwards curves)
  • generation of PKCS#10 (CSR) and self-signed certificates
  • import of certificates, public keys, data files
  • support for wrapping and unwrapping keys, for both symmetric and asymmetric keys
  • support for templates during key creation, public key import, key wrapping and key unwrapping
  • support for session key generation and direct wrapping under one or several keys, in a single command
  • support for key rewrapping (i.e. key unwrapping and key wrapping)

News

July 2023

Version 2.6 brings support for the AWS CloudHSM platform, library version 5.9. Limitations are:

  • Certificates are not supported by the platform, therefore any command handling certificates will fail
  • Changing attribute values is not supported by the platform; several commands rely on that capability to adjust CKA_ID across objects. These commands may occasionally report an error when executed; key material is usually created.
  • For the same reason, p11mv and p11setattr will not operate on this platform.
  • The platform does not allow for duplicate CKA_ID attributes, which occasionally brings issues when generating key material. This will be adjusted in a later release.
  • p11od command will not work, due to the way CloudHSM handles attributes.
  • When using wrapped key files, CKA_SIGN_RECOVER and CKA_VERIFY_RECOVER are not supported, and should be commented out.
  • Wrap and unwrap templates are not supported by this platform. These should also be commented out in wrapped key files.

AWS CloudHSM support is disabled by default; please refer to installation instructions for more details.

June 2023

Version 2.6 introduces support for JWK - JOSE Web Key output (RFC 7517) on the p11keygen, p11wrap, and p11rewrap commands. The JWK format is not supported for importing keys.

October 2021

Version 2.5 brings support for CKA_ALLOWED_MECHANISMS on many key management commands: p11keygen, p11wrap, p11unwrap, p11rewrap, p11od, p11ls. Note that the wrapped key grammar has changed; the grammar version number has been incremented to 2.2.

July 2021

Version 2.4 adds support for templates in many commands: p11keygen, p11importpubk, p11wrap, p11unwrap, p11od, p11ls. Keys created with a template can be wrapped; the template attributes will be carried. Note that the wrapped key grammar has changed, and the grammar version number has been incremented to 2.1.

April 2021

Version 2.3 adds extra options to p11kcv, so that tokens not supporting NULL-length HMAC computation can also be supported.

March 2021

Version 2.2 slightly changes the layout of p11slotinfo. Edwards Curve support is enhanced. The toolkit is also adapted to be packaged as a FreeBSD port.

January 2021

Version 2.1 brings support for Edwards Curve.

December 2020

The toolkit has reached v2.0. It features several major changes:

  • it supports (and requires) OpenSSL v1.1.1+
  • signing commands (p11mkcert, p11req and masqreq) implement OpenSSL algorithm methods. This will enable supporting more algorithms in the future.
  • major overhaul of the wrapping/unwrapping system: it is now possible to perform double wrapping (aka envelope wrapping) with a single command, in a secure fashion
  • p11keygen can now generate a session key and wrap it under one or several wrapping keys
  • a new command, p11rewrap, allows unwrapping a key and immediately rewrapping it under one or several wrapping keys, in a secure fashion.

Introduction

Ensure the prerequisites listed in the Install Document are installed before proceeding.

To build the source code, simply execute (with appropriate privileges):

$ ./bootstrap.sh
$ ./configure
$ make install

To list the methods available on a PKCS#11 token, use p11slotinfo, which returns the list of available mechanisms, together with the allowed APIs.

$ using PKCS11LIB at /opt/softhsm2-devel/lib/softhsm/libsofthsm2.so
PKCS#11 Library
---------------
Name        : /opt/softhsm2-devel/lib/softhsm/libsofthsm2.so
Lib version : 2.6
API version : 2.40
Description : Implementation of PKCS11
Manufacturer: SoftHSM

PKCS#11 module slot list:
Slot index: 0
----------------
Description : SoftHSM slot ID 0x4fbfdc13
Token Label : token1
Manufacturer: SoftHSM project


Enter slot index: 0

Slot[0]
-------------
Slot Number : 1337973779
Description : SoftHSM slot ID 0x4fbfdc13
Manufacturer: SoftHSM project
Slot Flags  : [ CKF_TOKEN_PRESENT ]

Token
-------------
Label       : first token
Manufacturer: SoftHSM project

Token Flags : [ CKF_RNG CKF_LOGIN_REQUIRED CKF_USER_PIN_INITIALIZED CKF_RESTORE_KEY_NOT_NEEDED CKF_TOKEN_INITIALIZED ]

Mechanisms:
-----------
CKM_MD5                                   --- --- hsh --- --- --- --- --- --- --- --- --- SW (00000210)
CKM_SHA_1                                 --- --- hsh --- --- --- --- --- --- --- --- --- SW (00000220)
CKM_SHA224                                --- --- hsh --- --- --- --- --- --- --- --- --- SW (00000255)
CKM_SHA256                                --- --- hsh --- --- --- --- --- --- --- --- --- SW (00000250)
CKM_SHA384                                --- --- hsh --- --- --- --- --- --- --- --- --- SW (00000260)
CKM_SHA512                                --- --- hsh --- --- --- --- --- --- --- --- --- SW (00000270)
CKM_MD5_HMAC                              --- --- --- sig --- vfy --- --- --- --- --- --- SW (00000211)
CKM_SHA_1_HMAC                            --- --- --- sig --- vfy --- --- --- --- --- --- SW (00000221)
CKM_SHA224_HMAC                           --- --- --- sig --- vfy --- --- --- --- --- --- SW (00000256)
CKM_SHA256_HMAC                           --- --- --- sig --- vfy --- --- --- --- --- --- SW (00000251)
CKM_SHA384_HMAC                           --- --- --- sig --- vfy --- --- --- --- --- --- SW (00000261)
CKM_SHA512_HMAC                           --- --- --- sig --- vfy --- --- --- --- --- --- SW (00000271)
CKM_RSA_PKCS_KEY_PAIR_GEN                 --- --- --- --- --- --- --- --- gkp --- --- --- SW (00000000)
CKM_RSA_PKCS                              enc dec --- sig --- vfy --- --- --- wra unw --- SW (00000001)
...

To list the objects sitting on the token at the slot with index 0, use p11ls. Objects are listed together with their attributes:

$ p11ls -l /usr/local/opt/softhsm/lib/softhsm/libsofthsm2.so -s 0

Enter passphrase for token: ******

seck/des-double                       tok,prv,r/w,loc,enc,dec,sen,ase,nxt,des(128)
pubk/rsa                              tok,pub,r/w,loc,vfy,rsa(2048)
seck/des-simple                       tok,prv,r/w,loc,enc,dec,sen,ase,nxt,des(64)
seck/aes-wrapping                     tok,prv,r/w,imp,wra,unw,sen,NAS,WXT,aes
pubk/dh                               tok,pub,r/w,loc,enc,vre,wra,dh(2048)
pubk/rsa-wrapping                     tok,pub,r/w,loc,wra,rsa(2048)
prvk/rsa-disclosed                    tok,prv,r/w,loc,sig,NSE,NAS,XTR,WXT,rsa(2048)
prvk/rsa-wrapping                     tok,prv,r/w,loc,unw,sen,ase,nxt,rsa(2048)
seck/aes-128                          tok,prv,r/w,loc,enc,dec,sen,ase,nxt,aes(128)
seck/aes-256                          tok,prv,r/w,loc,wra,unw,sen,ase,nxt,aes(256)
prvk/rsa                              tok,prv,r/w,loc,sig,sen,ase,nxt,rsa(2048)
pubk/rsa-disclosed                    tok,pub,r/w,loc,vfy,rsa(2048)
prvk/dh                               tok,prv,r/w,loc,dec,sir,unw,sen,ase,nxt,dh(2048)
seck/des-triple                       tok,prv,r/w,loc,enc,dec,sen,ase,nxt,des(192)
prvk/dsa                              tok,prv,r/w,loc,dec,sig,sir,unw,sen,ase,nxt,dsa(2048)
pubk/dsa                              tok,pub,r/w,loc,enc,vfy,vre,wra,dsa(2048)
data/dsaparam                         tok,prv,
seck/hmac-256                         tok,prv,r/w,loc,sig,vfy,sen,ase,nxt,generic
data/dhparam                          tok,prv,
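
The listing above can be screened for keys whose value is able to leave the token. This is an added example, not part of pkcs11-tools; it assumes the uppercase markers mean NSE = not sensitive, XTR = extractable, NAS = not always sensitive, WXT = was extractable, and that the attribute list is the last whitespace-separated field of each line. The function names are hypothetical.

```shell
#!/bin/sh
# Added example (not project code): audit a `p11ls` listing for private and
# secret keys that carry the uppercase attribute markers shown in the listing.
# ASSUMPTION: NSE = not sensitive, XTR = extractable,
#             NAS = not always sensitive, WXT = was extractable.

# Constructed sample input: a few lines copied from the listing above.
sample_listing() {
cat <<'EOF'
seck/aes-wrapping                     tok,prv,r/w,imp,wra,unw,sen,NAS,WXT,aes
pubk/rsa-wrapping                     tok,pub,r/w,loc,wra,rsa(2048)
prvk/rsa-disclosed                    tok,prv,r/w,loc,sig,NSE,NAS,XTR,WXT,rsa(2048)
prvk/rsa-wrapping                     tok,prv,r/w,loc,unw,sen,ase,nxt,rsa(2048)
seck/aes-256                          tok,prv,r/w,loc,wra,unw,sen,ase,nxt,aes(256)
data/dsaparam                         tok,prv,
EOF
}

# audit_p11ls: read a p11ls listing on stdin and print one line per finding:
#   <severity> <object> <reason;reason;...>
# HIGH: the key value can leave the token right now (NSE or XTR).
# INFO: the key is protected now, but its history is not clean (imp, NAS,
#       WXT), which is the normal state of an imported or unwrapped key.
audit_p11ls() {
    awk '
    # Only private and secret keys hold material worth protecting;
    # this also skips prompts, blank lines, public keys and data objects.
    $1 !~ /^(prvk|seck)\// { next }
    {
        # Object name is everything before the last field (the attributes).
        name = $0
        sub(/[ \t]+[^ \t]+$/, "", name)

        n = split($NF, flag, ",")
        high = ""; info = ""
        for (i = 1; i <= n; i++) {
            if      (flag[i] == "NSE") high = high "not-sensitive;"
            else if (flag[i] == "XTR") high = high "extractable;"
            else if (flag[i] == "imp") info = info "imported;"
            else if (flag[i] == "NAS") info = info "not-always-sensitive;"
            else if (flag[i] == "WXT") info = info "was-extractable;"
        }

        reasons = high info
        sub(/;$/, "", reasons)
        if (high != "")      printf "HIGH %s %s\n", name, reasons
        else if (info != "") printf "INFO %s %s\n", name, reasons
    }'
}

# count_high: number of keys on stdin whose value is exposed right now.
count_high() {
    audit_p11ls | awk '/^HIGH / { n++ } END { print n + 0 }'
}

# Run the audit on the constructed sample.
sample_listing | audit_p11ls
```

Against a real token, pipe the output of p11ls into audit_p11ls instead of the sample; a non-zero count_high result is a reasonable gate for a key-ceremony or CI check.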

To avoid specifying command line arguments, environment variables can be specified for the following items:

optional arg   description                            environment variable
-l             path to library                        PKCS11LIB
-m             path to NSS keystore (for NSS only)    PKCS11NSSDIR
-s             slot index number                      PKCS11SLOT
-t             token name                             PKCS11TOKEN
-p             token password                         PKCS11PASSWORD

To extract the value of a non-sensitive object, use p11cat:

$ p11cat pubk/rsa
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2zd+HKrd1u7TBMfvlpO2
1eT8uoY+aLw6/yT9treLk67czyA6XQ8NMtspacgxLXbC0XbaObGJDOswFN2o+zjA
hgKkBY6mEZKO3dzmqtQupQvxybyrj0pg0e+YoZe34rIjVvCdJ9T48etvCyrDZata
XYMw9pT2JvlJQG2ddPVjR83tGNayGYWmz5L0JwDLlb0NwJTJItIaabseIKHqQOzN
tSgeLsOmy08aqSq87WKEAilXrxcv8mWl/gbu18Chu4z7KJ76dWHnJfXzIMJCNNxf
HjhvKZx6bFMEi/gI9gCkUekO+6clrEjSxWzgnC8IDZCLGAvNBZ0pKBW9yEuayPiX
rQIDAQAB
-----END PUBLIC KEY-----

To see an object's value, use p11more:

$ p11more cert/rootca
Certificate:
	Data:
		Version: 3 (0x2)
		Serial Number: 2933735351 (0xaedd3fb7)
	Signature Algorithm: sha256WithRSAEncryption
		Issuer: C=BE, O=Dummy CA Inc., CN=Dummy Root CA G1
		Validity
			Not Before: Sep 28 08:10:48 2018 GMT
			Not After : Sep 28 08:10:48 2028 GMT
		Subject: C=BE, O=Dummy CA Inc., CN=Dummy Root CA G1
		Subject Public Key Info:
			Public Key Algorithm: rsaEncryption
				Public-Key: (2048 bit)
				Modulus:
					00:a9:a6:a5:99:d0:3e:0e:00:c1:f7:df:9f:9c:92:
					40:ac:67:d3:77:e0:d5:6d:eb:a0:5c:29:12:ad:57:
					a3:23:9a:27:03:cb:dc:62:43:c3:04:a8:e8:a3:ab:
...

Moreover, p11od can be used to extract all attribute values from an object:

$ p11od pubk/dh
pubk/dh:
 CKA_CLASS:
  0000  02 00 00 00 00 00 00 00                          CKO_PUBLIC_KEY
 CKA_TOKEN:
  0000  01                                               CK_TRUE
 CKA_PRIVATE:
  0000  00                                               CK_FALSE
 CKA_LABEL:
  0000  64 68                                            dh
 CKA_VALUE:
  0000  7e cc a1 d2 c2 e7 90 b9 fa 68 fc ae 49 46 2e 0f  ~........h..IF..
  0010  62 1e 2c 69 2e 94 f2 eb 46 63 d7 fd 57 1f 5d 02  b.,i....Fc..W.].
  0020  30 f4 3b 48 44 0c eb d7 7e 83 d5 26 7c 7a a3 f5  0.;HD...~..&|z..
...

Generating a key is easy: just use p11keygen with the proper arguments.

$ p11keygen -k ec -q prime256v1 -i my-ec-key sign=true verify=true
Generating, please wait...
key generation succeeded

Likewise, p11req is used to generate a CSR.

$ p11req -i my-ec-key -d '/CN=my.site.org/O=My organization/C=BE' -e 'DNS:another-url-for-my.site.org' -v
Certificate Request:
	Data:
		Version: 0 (0x0)
		Subject: C=BE, O=My organization, CN=my.site.org
		Subject Public Key Info:
			Public Key Algorithm: id-ecPublicKey
				Public-Key: (256 bit)
				pub:
					04:3f:56:11:f8:38:c7:f0:c1:87:a4:75:1a:ca:2e:
					46:38:9e:6a:79:3a:3e:a5:90:54:48:be:81:18:c6:
					f3:1c:92:8b:72:35:cd:e3:32:8c:40:a4:d4:e7:33:
					50:13:34:4a:87:e0:8c:17:77:39:ed:ef:de:d3:1a:
					26:b3:11:87:13
				ASN1 OID: prime256v1
				NIST CURVE: P-256
		Attributes:
		Requested Extensions:
			X509v3 Subject Alternative Name:
				DNS:another-url-for-my.site.org
	Signature Algorithm: ecdsa-with-SHA256
		 30:45:02:21:00:e8:b7:c0:49:bc:77:8d:94:29:18:66:8f:9d:
		 6a:62:cd:f0:84:46:89:73:93:11:d8:67:98:95:12:1c:53:f7:
		 5f:02:20:4a:b6:98:fd:66:be:7c:7f:d1:02:07:d0:5b:dc:8b:
		 fd:3f:89:f0:ed:03:ec:2e:a4:1c:72:a2:21:22:9f:a5:7d
-----BEGIN CERTIFICATE REQUEST-----
MIIBMTCB2AIBADA9MQswCQYDVQQGEwJCRTEYMBYGA1UECgwPTXkgb3JnYW5pemF0
aW9uMRQwEgYDVQQDDAtteS5zaXRlLm9yZzBZMBMGByqGSM49AgEGCCqGSM49AwEH
A0IABD9WEfg4x/DBh6R1GsouRjieank6PqWQVEi+gRjG8xySi3I1zeMyjECk1Ocz
UBM0SofgjBd3Oe3v3tMaJrMRhxOgOTA3BgkqhkiG9w0BCQ4xKjAoMCYGA1UdEQQf
MB2CG2Fub3RoZXItdXJsLWZvci1teS5zaXRlLm9yZzAKBggqhkjOPQQDAgNIADBF
AiEA6LfASbx3jZQpGGaPnWpizfCERolzkxHYZ5iVEhxT918CIEq2mP1mvnx/0QIH
0Fvci/0/ifDtA+wupBxyoiEin6V9
-----END CERTIFICATE REQUEST-----

Later, p11importcert can be used to import the certificate back to the keystore. Public keys can be imported using p11importpubk, and data files with p11importdata.

If you need to wrap or unwrap a key, you can use the command p11wrap:

$ p11wrap -w aes-wrapping -i rootca -a cbcpad >wrapped-key.wrap
key wrapping succeeded

The key can be unwrapped later, reusing the wrapped-key.wrap file created earlier:

$ p11unwrap -f wrapped-key.wrap
key unwrapping succeeded

Installation

The project can compile on many platforms, including Linux, AIX, Solaris. Using cross-compilers, it is also possible to compile for the Windows platform. Compilation under macOS requires brew. Please refer to docs/INSTALL.md for installation instructions.

Manual

Please refer to docs/MANUAL.md for instructions / how-to guide.

Contributing

If you wish to contribute to this project, please refer to the rules in docs/CONTRIBUTING.md.

Contributors:

Author

Eric Devolder (Mastercard, https://www.mastercard.com)

Licensing terms

Except when specified differently in source files, the following license applies:


Copyright (c) 2018 Mastercard

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.



pkcs11-tools's Issues

ubuntu 22.04 Compilation error

Describe the bug
When building pkcs-tools-2.5.1 package 2.5.1 I receive the following issue:

In file included from attribctx_lexer.c:49:
../gl/string.h:965:1: error: expected ',' or ';' before '_GL_ATTRIBUTE_MALLOC'
  965 | _GL_FUNCDECL_SYS (strdup, char *,
      | ^~~~~~~~~~~~~~~~
make[2]: *** [Makefile:1657: libp11_la-attribctx_lexer.lo] Error 1

To Reproduce
Steps to reproduce the behavior:

  1. Download pkcs11-tools-2.5.1.tar.gz
  2. Untar the archive
  3. ./configure
  4. ./make

Expected behavior
Expect the package to build.

Screenshots
If applicable, add screenshots to help explain your problem.

Operating System (please complete the following information):

  • OS: Linux
  • Version Ubuntu 22.04

Additional context
Add any other context about the problem here.

build failure on Linux

Describe the bug
Following the steps on INSTALL wiki, the make step fails to build the project

To Reproduce
Steps to reproduce the behavior:

  1. Clone project
  2. run ./bootstrap.sh
  3. run make

Error:

In file included from attribctx_lexer.c:49:
../gl/string.h:965:1: error: expected ‘,’ or ‘;’ before ‘_GL_ATTRIBUTE_MALLOC’
  965 | _GL_FUNCDECL_SYS (strdup, char *,
      | ^~~~~~~~~~~~~~~~
make[2]: *** [Makefile:1655: libp11_la-attribctx_lexer.lo] Error 1

Attaching config.log

Operating System (please complete the following information):

  • OS: Linux desktop 6.1.0-8-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.25-1 (2023-04-22) x86_64 GNU/Linux

Issue when autoreconf -vfi is run from bootstrap.sh

Hi,

I am having the following error when autoreconf -vfi is run from bootstrap.sh:

configure.ac:51: error: possibly undefined macro: AC_MSG_WARN

When I run the generated configure script, I am getting

./configure: line 6198: syntax error near unexpected token `,AC_MSG_WARN'
./configure: line 6198: `AX_PROG_FLEX(,AC_MSG_WARN([GNU flex is required to regenerate lexer. Generated source code is provided, so it should be OK, until you change the lexer source file. Hint: use LEX variable to point to flex on your system.]))'

Would it be possible to put the configure file in the repository?

Thanks a lot, best regards.

Informational: Listed mechanism for SoftHSM

Hi @keldonin! Thanks for working on this awesome utility. While playing with it, I was a little confused by the output of p11slotinfo -l /usr/lib/softhsm/libsofthsm.so.

-----------
CKM_RSA_PKCS_KEY_PAIR_GEN                 --- --- --- --- --- --- --- --- gkp --- --- --- SW (00000000)
CKM_RSA_PKCS                              enc dec --- sig --- vfy --- --- --- --- --- --- SW (00000001)
CKM_RSA_X_509                             --- --- --- sig --- vfy --- --- --- --- --- --- SW (00000003)
CKM_MD5                                   --- --- hsh --- --- --- --- --- --- --- --- --- SW (00000210)
CKM_RIPEMD160                             --- --- hsh --- --- --- --- --- --- --- --- --- SW (00000240)
CKM_SHA_1                                 --- --- hsh --- --- --- --- --- --- --- --- --- SW (00000220)
CKM_SHA256                                --- --- hsh --- --- --- --- --- --- --- --- --- SW (00000250)
CKM_SHA384                                --- --- hsh --- --- --- --- --- --- --- --- --- SW (00000260)
CKM_SHA512                                --- --- hsh --- --- --- --- --- --- --- --- --- SW (00000270)
CKM_MD5_RSA_PKCS                          --- --- --- sig --- vfy --- --- --- --- --- --- SW (00000005)
CKM_RIPEMD160_RSA_PKCS                    --- --- --- sig --- vfy --- --- --- --- --- --- SW (00000008)
CKM_SHA1_RSA_PKCS                         --- --- --- sig --- vfy --- --- --- --- --- --- SW (00000006)
CKM_SHA256_RSA_PKCS                       --- --- --- sig --- vfy --- --- --- --- --- --- SW (00000040)
CKM_SHA384_RSA_PKCS                       --- --- --- sig --- vfy --- --- --- --- --- --- SW (00000041)
CKM_SHA512_RSA_PKCS                       --- --- --- sig --- vfy --- --- --- --- --- --- SW (00000042)
CKM_SHA1_RSA_PKCS_PSS                     --- --- --- sig --- vfy --- --- --- --- --- --- SW (0000000e)
CKM_SHA256_RSA_PKCS_PSS                   --- --- --- sig --- vfy --- --- --- --- --- --- SW (00000043)
CKM_SHA384_RSA_PKCS_PSS                   --- --- --- sig --- vfy --- --- --- --- --- --- SW (00000044)
CKM_SHA512_RSA_PKCS_PSS                   --- --- --- sig --- vfy --- --- --- --- --- --- SW (00000045)

SoftHSM has support for AES GCM but it does not show up as a supported mechanism in the output. Any thoughts?

bootstrapping failed.

Hi,

I've tried to build this toolset, but bootstrapping failed.

After cloning, I started ./bootstrap.sh and received the following output:

$ ./bootstrap.sh 
Submodule '.gnulib' (https://git.savannah.gnu.org/git/gnulib.git) registered for path '.gnulib'
Cloning into '/home/gryzly/work/pkcs11-tools/.gnulib'...
Submodule path '.gnulib': checked out '87dc278345db394227f281c831a3fafb0b7854fb'
Submodule 'include/oasis-pkcs11' (https://github.com/oasis-tcs/pkcs11.git) registered for path 'include/oasis-pkcs11'
Cloning into '/home/gryzly/work/pkcs11-tools/include/oasis-pkcs11'...
Submodule path 'include/oasis-pkcs11': checked out 'df530bf9c88831284ee374cfe16bad40672ce603'
You may need to add #include directives for the following .h files.
  #include <byteswap.h>
  #include <getopt.h>
  #include <regex.h>
  #include <stdio.h>
  #include <stdlib.h>
  #include <strings.h>
  #include <sysexits.h>
  #include <termios.h>
  #include <time.h>
  #include <unistd.h>

You may need to use the following Makefile variables when linking.
Use them in <program>_LDADD when linking a program, or
in <library>_a_LDFLAGS or <library>_la_LDFLAGS when linking a library.
  $(GETHOSTNAME_LIB)
  $(LIBSOCKET)
  $(LIBTHREAD)
  $(LIB_HARD_LOCALE)
  $(LIB_MBRTOWC)
  $(LIB_SETLOCALE_NULL)
  $(LTLIBINTL) when linking with libtool, $(LIBINTL) otherwise

Don't forget to
  - add "gl/Makefile" to AC_CONFIG_FILES in ./configure.ac,
  - mention "gl" in SUBDIRS in Makefile.am,
  - mention "-I m4" in ACLOCAL_AMFLAGS in Makefile.am,
  - mention "m4/gnulib-cache.m4" in EXTRA_DIST in Makefile.am,
  - invoke gl_EARLY in ./configure.ac, right after AC_PROG_CC_C99,
  - invoke gl_INIT in ./configure.ac.
autoreconf: Entering directory `.'
autoreconf: configure.ac: not using Gettext
autoreconf: running: aclocal --force -I m4
autoreconf: configure.ac: tracing
autoreconf: running: libtoolize --copy --force
libtoolize: putting auxiliary files in '.'.
libtoolize: copying file './ltmain.sh'
libtoolize: putting macros in AC_CONFIG_MACRO_DIRS, 'm4'.
libtoolize: copying file 'm4/libtool.m4'
libtoolize: copying file 'm4/ltoptions.m4'
libtoolize: copying file 'm4/ltsugar.m4'
libtoolize: copying file 'm4/ltversion.m4'
libtoolize: copying file 'm4/lt~obsolete.m4'
autoreconf: running: /usr/bin/autoconf --force
configure.ac:51: error: possibly undefined macro: AC_MSG_WARN
      If this token and others are legitimate, please use m4_pattern_allow.
      See the Autoconf documentation.
autoreconf: /usr/bin/autoconf failed with exit status: 1

OS: CentOS Linux release 8.3.2011
Kernel: 4.18.0-240.1.1.el8_3.x86_64

Dependencies:

  • automake-1.16.1-6.el8.noarch
  • autoconf-2.69-27.el8.noarch
  • libtool-2.4.6-25.el8.x86_64

Compilation failed

I tried to compile it on my Ubuntu, but here is the problem, even though I installed pkg-config.

Once I removed the square brackets around the AC_MSG_ERROR and AC_MSG_WARN macro, it worked

Lines 49-50:

AX_PROG_FLEX([],AC_MSG_WARN([GNU flex is required to regenerate lexer. Generated source code is provided, so it should be OK, until you change the lexer source file. Hint: use LEX variable to point to flex on your system.]))
AX_PROG_FLEX_VERSION([2.5.0],[],AC_MSG_WARN([GNU flex 2.5+ is required to regenerate lexer. Generated source code is provided, so it should be OK, until you change the lexer source file.]))

Lines 55-56:

AX_PROG_BISON([],AC_MSG_WARN([GNU bison is required to regenerate parser. Generated source code is provided, so it should be OK, until you change the parser source file.]))
AX_PROG_BISON_VERSION([3.0.0],[],AC_MSG_WARN([GNU bison v3+ is required to regenerate parser. Generated source code is provided, so it should be OK, until you change the parser source file. Hint: use YACC variable to point to bison on your system.]))

Line 88:

AC_SEARCH_LIBS([dlopen], [dl dld], [], AC_MSG_ERROR([unable to find the dlopen() function]) )

But when I started ./configure, there was another problem:

ian@star01:~/Desktop/pkcs11-tools$ ./configure 
checking whether to enable maintainer-specific portions of Makefiles... no
checking build system type... x86_64-pc-linux-gnu
checking host system type... x86_64-pc-linux-gnu
checking target system type... x86_64-pc-linux-gnu
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables... 
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking whether gcc understands -c and -o together... yes
checking for gcc option to accept ISO C99... none needed
checking for perl... /usr/bin/perl
checking for a thread-safe mkdir -p... /usr/bin/mkdir -p
checking for gtar... no
checking for tar... tar
checking for flex... flex
checking lex output file root... lex.yy
checking lex library... -lfl
checking whether yytext is a pointer... yes
./configure: line 4744: syntax error near unexpected token `,{'
./configure: line 4744: `AX_PROG_FLEX(,{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: GNU flex is required to regenerate lexer. Generated source code is provided, so it should be OK, until you change the lexer source file. Hint: use LEX variable to point to flex on your system." >&5'

Here is the OS and related info:

Linux star01 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

gcc (Ubuntu 9.3.0-17ubuntu1~20.04) 9.3.0
g++ (Ubuntu 9.3.0-17ubuntu1~20.04) 9.3.0
autoreconf (GNU Autoconf) 2.69

p11mkcert Make failed

I am getting the following errors when attempting to run make on the latest pkcs11-tools:

Making all in src
make[1]: Entering directory '/home/lm19/pkcs11-tools/src'
CC libcommon_la-version.lo
CCLD libcommon.la
ar: `u' modifier ignored since `D' is the default (see `U')
CC p11mkcert.o
CCLD p11mkcert
../lib/.libs/libp11.a(libp11_la-pkcs11_ossl_eddsa_meth.o): In function `eddsa_method_setup':
/home/lm19/pkcs11-tools/lib/pkcs11_ossl_eddsa_meth.c:177: undefined reference to `EVP_PKEY_meth_get_digestsign'
/home/lm19/pkcs11-tools/lib/pkcs11_ossl_eddsa_meth.c:178: undefined reference to `EVP_PKEY_meth_set_digestsign'
collect2: error: ld returned 1 exit status
Makefile:1388: recipe for target 'p11mkcert' failed
make[1]: *** [p11mkcert] Error 1
make[1]: Leaving directory '/home/lm19/pkcs11-tools/src'
Makefile:1199: recipe for target 'all-recursive' failed
make: *** [all-recursive] Error 1

Support for more MACing options with `p11kcv`

p11kcv should support more MACing mechanisms:

  • it should allow using the CKA_CHECK_VALUE attribute value when found
  • support for CMAC, for 3DES and AES keys
  • support for XCBC-MAC and XCBC-MAC-96 for AES keys
  • support for regular MAC on 3DES and AES keys

invalid mechanisms reported by p11slotinfo, on MIPS/Linux platform

Describe the bug
When executing p11slotinfo on a mips platform, mechanism names are incorrect.

To Reproduce
Steps to reproduce the behavior:

  1. deploy a new NSS token: certutil -dsql:. -N
  2. execute the following command:
$ with_nss p11slotinfo
PKCS#11 Library
---------------
Name        : /usr/lib/libsoftokn3.so
Lib version : 3.89
API version : 2.40
Description : NSS Internal Crypto Services
Manufacturer: Mozilla Foundation

Slot[1]
-------------
Slot Number : 2
Description : NSS User Private Key and Certificate Services
Manufacturer: Mozilla Foundation
Slot Flags  : [ CKF_TOKEN_PRESENT ]

Token
-------------
Label       : NSS Certificate DB
Manufacturer: Mozilla Foundation

Token Flags : [ CKF_RNG CKF_LOGIN_REQUIRED CKF_USER_PIN_INITIALIZED CKF_DUAL_CRYPTO_OPERATIONS CKF_TOKEN_INITIALIZED ]

Mechanisms:
-----------
CKM_UNKNOWN_MECHANISM                     --- --- --- --- --- --- --- --- gkp --- --- --- SW (00000000)
CKM_UNKNOWN_MECHANISM                     enc dec --- sig sir vfy vre --- --- wra unw --- SW (00000001)
CKM_UNKNOWN_MECHANISM                     --- --- --- sig --- vfy --- --- --- --- --- --- SW (0000000d)
CKM_UNKNOWN_MECHANISM                     enc dec --- --- --- --- --- --- --- wra unw --- SW (00000009)
CKM_UNKNOWN_MECHANISM                     enc dec --- sig sir vfy vre --- --- wra unw --- SW (00000003)
CKM_UNKNOWN_MECHANISM                     --- --- --- sig --- vfy --- --- --- --- --- --- SW (00000004)
CKM_UNKNOWN_MECHANISM                     --- --- --- sig --- vfy --- --- --- --- --- --- SW (00000005)
CKM_UNKNOWN_MECHANISM                     --- --- --- sig --- vfy --- --- --- --- --- --- SW (00000006)
CKM_UNKNOWN_MECHANISM                     --- --- --- sig --- vfy --- --- --- --- --- --- SW (00000046)
CKM_UNKNOWN_MECHANISM                     --- --- --- sig --- vfy --- --- --- --- --- --- SW (00000040)
CKM_UNKNOWN_MECHANISM                     --- --- --- sig --- vfy --- --- --- --- --- --- SW (00000041)
CKM_UNKNOWN_MECHANISM                     --- --- --- sig --- vfy --- --- --- --- --- --- SW (00000042)
CKM_UNKNOWN_MECHANISM                     --- --- --- sig --- vfy --- --- --- --- --- --- SW (0000000e)
CKM_UNKNOWN_MECHANISM                     --- --- --- sig --- vfy --- --- --- --- --- --- SW (00000047)
CKM_UNKNOWN_MECHANISM                     --- --- --- sig --- vfy --- --- --- --- --- --- SW (00000043)
CKM_UNKNOWN_MECHANISM                     --- --- --- sig --- vfy --- --- --- --- --- --- SW (00000044)
CKM_UNKNOWN_MECHANISM                     --- --- --- sig --- vfy --- --- --- --- --- --- SW (00000045)
CKM_UNKNOWN_MECHANISM                     --- --- --- --- --- --- --- --- gkp --- --- --- SW (00000010)
CKM_UNKNOWN_MECHANISM                     --- --- --- sig --- vfy --- --- --- --- --- --- SW (00000011)
CKM_UNKNOWN_MECHANISM                     --- --- --- --- --- --- --- gen --- --- --- --- SW (00002000)
CKM_UNKNOWN_MECHANISM                     --- --- --- sig --- vfy --- --- --- --- --- --- SW (00000012)
CKM_UNKNOWN_MECHANISM                     --- --- --- sig --- vfy --- --- --- --- --- --- SW (00000013)
CKM_UNKNOWN_MECHANISM                     --- --- --- sig --- vfy --- --- --- --- --- --- SW (00000014)
CKM_UNKNOWN_MECHANISM                     --- --- --- sig --- vfy --- --- --- --- --- --- SW (00000015)
CKM_UNKNOWN_MECHANISM                     --- --- --- sig --- vfy --- --- --- --- --- --- SW (00000016)
CKM_UNKNOWN_MECHANISM                     --- --- --- --- --- --- --- --- gkp --- --- --- SW (00000020)
CKM_UNKNOWN_MECHANISM                     --- --- --- --- --- --- --- --- --- --- --- der SW (00000021)
CKM_UNKNOWN_MECHANISM                     --- --- --- --- --- --- --- --- gkp --- --- --- SW (00001040) ec: F^p F2m --- nam unc ---
CKM_UNKNOWN_MECHANISM                     --- --- --- --- --- --- --- --- --- --- --- der SW (00001050) ec: F^p F2m --- nam unc ---
CKM_UNKNOWN_MECHANISM                     --- --- --- sig --- vfy --- --- --- --- --- --- SW (00001041) ec: F^p F2m --- nam unc ---
CKM_UNKNOWN_MECHANISM                     --- --- --- sig --- vfy --- --- --- --- --- --- SW (00001042) ec: F^p F2m --- nam unc ---
CKM_UNKNOWN_MECHANISM                     --- --- --- sig --- vfy --- --- --- --- --- --- SW (00001043) ec: F^p F2m --- nam unc ---
CKM_UNKNOWN_MECHANISM                     --- --- --- sig --- vfy --- --- --- --- --- --- SW (00001044) ec: F^p F2m --- nam unc ---
CKM_UNKNOWN_MECHANISM                     --- --- --- sig --- vfy --- --- --- --- --- --- SW (00001045) ec: F^p F2m --- nam unc ---
CKM_UNKNOWN_MECHANISM                     --- --- --- sig --- vfy --- --- --- --- --- --- SW (00001046) ec: F^p F2m --- nam unc ---
CKM_UNKNOWN_MECHANISM                     --- --- --- --- --- --- --- gen --- --- --- --- SW (00000100)
CKM_UNKNOWN_MECHANISM                     enc dec --- --- --- --- --- --- --- wra unw --- SW (00000101)
CKM_UNKNOWN_MECHANISM                     enc dec --- --- --- --- --- --- --- wra unw --- SW (00000102)
CKM_UNKNOWN_MECHANISM                     --- --- --- sig --- vfy --- --- --- --- --- --- SW (00000103)
CKM_UNKNOWN_MECHANISM                     --- --- --- sig --- vfy --- --- --- --- --- --- SW (00000104)
CKM_UNKNOWN_MECHANISM                     enc dec --- --- --- --- --- --- --- wra unw --- SW (00000105)
CKM_UNKNOWN_MECHANISM                     --- --- --- --- --- --- --- gen --- --- --- --- SW (00000120)
CKM_UNKNOWN_MECHANISM                     enc dec --- --- --- --- --- --- --- wra unw --- SW (00000121)
CKM_UNKNOWN_MECHANISM                     enc dec --- --- --- --- --- --- --- wra unw --- SW (00000122)
CKM_UNKNOWN_MECHANISM                     --- --- --- sig --- vfy --- --- --- --- --- --- SW (00000123)
CKM_UNKNOWN_MECHANISM                     --- --- --- sig --- vfy --- --- --- --- --- --- SW (00000124)
CKM_UNKNOWN_MECHANISM                     enc dec --- --- --- --- --- --- --- wra unw --- SW (00000125)
CKM_UNKNOWN_MECHANISM                     --- --- --- --- --- --- --- gen --- --- --- --- SW (00000130)
CKM_UNKNOWN_MECHANISM                     --- --- --- --- --- --- --- gen --- --- --- --- SW (00000131)
CKM_UNKNOWN_MECHANISM                     enc dec --- --- --- --- --- --- --- wra unw --- SW (00000132)
CKM_UNKNOWN_MECHANISM                     enc dec --- --- --- --- --- --- --- wra unw --- SW (00000133)
CKM_UNKNOWN_MECHANISM                     --- --- --- sig --- vfy --- --- --- --- --- --- SW (00000134)
CKM_UNKNOWN_MECHANISM                     --- --- --- sig --- vfy --- --- --- --- --- --- SW (00000135)
CKM_UNKNOWN_MECHANISM                     enc dec --- --- --- --- --- --- --- wra unw --- SW (00000136)
CKM_UNKNOWN_MECHANISM                     --- --- --- --- --- --- --- gen --- --- --- --- SW (00000140)
CKM_UNKNOWN_MECHANISM                     enc dec --- --- --- --- --- --- --- wra unw --- SW (00000141)
CKM_UNKNOWN_MECHANISM                     enc dec --- --- --- --- --- --- --- wra unw --- SW (00000142)
CKM_UNKNOWN_MECHANISM                     --- --- --- sig --- vfy --- --- --- --- --- --- SW (00000143)
CKM_UNKNOWN_MECHANISM                     --- --- --- sig --- vfy --- --- --- --- --- --- SW (00000144)
CKM_UNKNOWN_MECHANISM                     enc dec --- --- --- --- --- --- --- wra unw --- SW (00000145)
CKM_UNKNOWN_MECHANISM                     --- --- --- --- --- --- --- gen --- --- --- --- SW (00001080)
CKM_UNKNOWN_MECHANISM                     enc dec --- --- --- --- --- --- --- wra unw --- SW (00001081)
CKM_UNKNOWN_MECHANISM                     enc dec --- --- --- --- --- --- --- wra unw --- SW (00001082)
CKM_UNKNOWN_MECHANISM                     --- --- --- sig --- vfy --- --- --- --- --- --- SW (00001083)
CKM_UNKNOWN_MECHANISM                     --- --- --- sig --- vfy --- --- --- --- --- --- SW (00001084)
CKM_UNKNOWN_MECHANISM                     --- --- --- sig --- vfy --- --- --- --- --- --- SW (0000108a)
CKM_UNKNOWN_MECHANISM                     --- --- --- sig --- vfy --- --- --- --- --- --- SW (0000108b)
CKM_UNKNOWN_MECHANISM                     enc dec --- --- --- --- --- --- --- wra unw --- SW (00001085)
CKM_UNKNOWN_MECHANISM                     enc dec --- --- --- --- --- --- --- --- --- --- SW (00001089)
CKM_UNKNOWN_MECHANISM                     enc dec --- --- --- --- --- --- --- --- --- --- SW (00001086)
CKM_UNKNOWN_MECHANISM                     enc dec --- --- --- --- --- --- --- --- --- --- SW (00001087)
CKM_UNKNOWN_MECHANISM                     --- --- --- sig --- vfy --- --- --- --- --- --- SW (0000108d)
CKM_UNKNOWN_MECHANISM                     --- --- --- sig --- vfy --- --- --- --- --- --- SW (0000108c)
CKM_UNKNOWN_MECHANISM                     --- --- --- --- --- --- --- gen --- --- --- --- SW (00000550)
CKM_UNKNOWN_MECHANISM                     enc dec --- --- --- --- --- --- --- wra unw --- SW (00000551)
CKM_UNKNOWN_MECHANISM                     enc dec --- --- --- --- --- --- --- wra unw --- SW (00000552)
CKM_UNKNOWN_MECHANISM                     --- --- --- sig --- vfy --- --- --- --- --- --- SW (00000553)
CKM_UNKNOWN_MECHANISM                     --- --- --- sig --- vfy --- --- --- --- --- --- SW (00000554)
CKM_UNKNOWN_MECHANISM                     enc dec --- --- --- --- --- --- --- wra unw --- SW (00000555)
CKM_UNKNOWN_MECHANISM                     --- --- --- --- --- --- --- gen --- --- --- --- SW (00000650)
CKM_UNKNOWN_MECHANISM                     enc dec --- --- --- --- --- --- --- wra unw --- SW (00000651)
CKM_UNKNOWN_MECHANISM                     enc dec --- --- --- --- --- --- --- wra unw --- SW (00000652)
CKM_UNKNOWN_MECHANISM                     --- --- --- sig --- vfy --- --- --- --- --- --- SW (00000653)
CKM_UNKNOWN_MECHANISM                     --- --- --- sig --- vfy --- --- --- --- --- --- SW (00000654)
CKM_UNKNOWN_MECHANISM                     enc dec --- --- --- --- --- --- --- wra unw --- SW (00000655)
CKM_VENDOR_DEFINED                       *--- --- --- --- --- --- --- gen --- --- --- --- SW (ce53436b)
CKM_VENDOR_DEFINED                       *enc dec --- --- --- --- --- --- --- --- --- --- SW (ce53436c)
CKM_VENDOR_DEFINED                       *enc dec --- --- --- --- --- --- --- --- --- --- SW (ce534371)
CKM_UNKNOWN_MECHANISM                     --- --- --- --- --- --- --- gen --- --- --- --- SW (00001225)
CKM_UNKNOWN_MECHANISM                     enc dec --- --- --- --- --- --- --- --- --- --- SW (00001226)
CKM_UNKNOWN_MECHANISM                     enc dec --- --- --- --- --- --- --- --- --- --- SW (00004021)
CKM_UNKNOWN_MECHANISM                     --- --- --- sig --- vfy --- --- --- --- --- --- SW (00000201)
CKM_UNKNOWN_MECHANISM                     --- --- --- sig --- vfy --- --- --- --- --- --- SW (00000202)
CKM_UNKNOWN_MECHANISM                     --- --- --- sig --- vfy --- --- --- --- --- --- SW (00000211)
CKM_UNKNOWN_MECHANISM                     --- --- --- sig --- vfy --- --- --- --- --- --- SW (00000212)
CKM_UNKNOWN_MECHANISM                     --- --- --- sig --- vfy --- --- --- --- --- --- SW (00000221)
CKM_UNKNOWN_MECHANISM                     --- --- --- sig --- vfy --- --- --- --- --- --- SW (00000222)
CKM_UNKNOWN_MECHANISM                     --- --- --- sig --- vfy --- --- --- --- --- --- SW (00000256)
CKM_UNKNOWN_MECHANISM                     --- --- --- sig --- vfy --- --- --- --- --- --- SW (00000257)
CKM_UNKNOWN_MECHANISM                     --- --- --- sig --- vfy --- --- --- --- --- --- SW (00000251)
CKM_UNKNOWN_MECHANISM                     --- --- --- sig --- vfy --- --- --- --- --- --- SW (00000252)
CKM_UNKNOWN_MECHANISM                     --- --- --- sig --- vfy --- --- --- --- --- --- SW (00000261)
CKM_UNKNOWN_MECHANISM                     --- --- --- sig --- vfy --- --- --- --- --- --- SW (00000262)
CKM_UNKNOWN_MECHANISM                     --- --- --- sig --- vfy --- --- --- --- --- --- SW (00000271)
CKM_UNKNOWN_MECHANISM                     --- --- --- sig --- vfy --- --- --- --- --- --- SW (00000272)
CKM_UNKNOWN_MECHANISM                     --- --- --- --- --- --- --- --- --- --- --- der SW (0000402a)
CKM_UNKNOWN_MECHANISM                     --- --- --- --- --- --- --- --- --- --- --- der SW (0000402b)
CKM_UNKNOWN_MECHANISM                     --- --- --- --- --- --- --- gen --- --- --- --- SW (0000402c)
CKM_VENDOR_DEFINED                       *--- --- --- --- --- --- --- --- --- --- --- der SW (ce534353)
CKM_VENDOR_DEFINED                       *--- --- --- --- --- --- --- --- --- --- --- der SW (ce534354)
CKM_VENDOR_DEFINED                       *--- --- --- --- --- --- --- --- --- --- --- der SW (ce534355)
CKM_VENDOR_DEFINED                       *--- --- --- --- --- --- --- --- --- --- --- der SW (ce534356)
CKM_UNKNOWN_MECHANISM                     --- --- --- --- --- --- --- gen --- --- --- --- SW (00000350)
CKM_UNKNOWN_MECHANISM                     --- --- --- --- --- --- --- --- --- --- --- der SW (000003a0)
CKM_UNKNOWN_MECHANISM                     --- --- --- --- --- --- --- --- --- --- --- der SW (000003a1)
CKM_VENDOR_DEFINED                       *--- --- --- --- --- --- --- gen --- --- --- --- SW (80000002)
CKM_VENDOR_DEFINED                       *--- --- --- --- --- --- --- gen --- --- --- --- SW (80000008)
CKM_UNKNOWN_MECHANISM                     --- --- --- --- --- --- --- gen --- --- --- --- SW (000003a8)
CKM_UNKNOWN_MECHANISM                     --- --- --- --- --- --- --- gen --- --- --- --- SW (000003a9)
CKM_UNKNOWN_MECHANISM                     --- --- --- --- --- --- --- gen --- --- --- --- SW (000003ab)
CKM_UNKNOWN_MECHANISM                     --- --- --- --- --- --- --- gen --- --- --- --- SW (000003aa)
CKM_UNKNOWN_MECHANISM                     --- --- --- --- --- --- --- gen --- --- --- --- SW (000003a7)
CKM_UNKNOWN_MECHANISM                     --- --- --- --- --- --- --- gen --- --- --- --- SW (000003a6)
CKM_UNKNOWN_MECHANISM                     --- --- --- --- --- --- --- gen --- --- --- --- SW (000003c0)
CKM_UNKNOWN_MECHANISM                     --- --- --- --- --- --- --- gen --- --- --- --- SW (000003b0)
CKM_NETSCAPE_PBE_SHA1_HMAC_KEY_GEN       *--- --- --- --- --- --- --- gen --- --- --- --- SW (80000009)
CKM_VENDOR_DEFINED                       *--- --- --- --- --- --- --- gen --- --- --- --- SW (8000000a)
CKM_VENDOR_DEFINED                       *--- --- --- --- --- --- --- gen --- --- --- --- SW (8000000b)
CKM_VENDOR_DEFINED                       *--- --- --- --- --- --- --- gen --- --- --- --- SW (ce53436d)
CKM_VENDOR_DEFINED                       *--- --- --- --- --- --- --- gen --- --- --- --- SW (ce53436e)
CKM_VENDOR_DEFINED                       *--- --- --- --- --- --- --- gen --- --- --- --- SW (ce53436f)
CKM_VENDOR_DEFINED                       *--- --- --- --- --- --- --- gen --- --- --- --- SW (ce534370)
CKM_UNKNOWN_MECHANISM                     --- --- --- --- --- --- --- --- --- --- --- der SW (000003ac)
CKM_UNKNOWN_MECHANISM                     --- --- --- --- --- --- --- --- --- --- --- der SW (000003ad)
CKM_UNKNOWN_MECHANISM                     --- --- --- --- --- --- --- --- --- --- --- der SW (000003ae)
CKM_VENDOR_DEFINED                       *--- --- --- --- --- --- --- --- --- --- --- der SW (ce53437a)
CKM_VENDOR_DEFINED                       *--- --- --- --- --- --- --- --- --- --- --- der SW (ce53437b)
CKM_VENDOR_DEFINED                       *--- --- --- --- --- --- --- --- --- --- --- der SW (ce53437c)
CKM_VENDOR_DEFINED                       *enc dec --- --- --- --- --- --- --- wra unw --- SW (ce534351)
CKM_VENDOR_DEFINED                       *enc dec --- --- --- --- --- --- --- wra unw --- SW (ce534352)
CKM_UNKNOWN_MECHANISM                     enc dec --- --- --- --- --- --- --- wra unw --- SW (00002109)
CKM_UNKNOWN_MECHANISM                     enc dec --- --- --- --- --- --- --- wra unw --- SW (0000210a)
CKM_UNKNOWN_MECHANISM                     enc dec --- --- --- --- --- --- --- wra unw --- SW (0000210b)
CKM_NSS_JPAKE_ROUND1_SHA1                *--- --- --- --- --- --- --- gen --- --- --- --- SW (ce534357)
CKM_VENDOR_DEFINED                       *--- --- --- --- --- --- --- gen --- --- --- --- SW (ce534358)
CKM_VENDOR_DEFINED                       *--- --- --- --- --- --- --- gen --- --- --- --- SW (ce534359)
CKM_VENDOR_DEFINED                       *--- --- --- --- --- --- --- gen --- --- --- --- SW (ce53435a)
CKM_VENDOR_DEFINED                       *--- --- --- --- --- --- --- --- --- --- --- der SW (ce53435b)
CKM_VENDOR_DEFINED                       *--- --- --- --- --- --- --- --- --- --- --- der SW (ce53435c)
CKM_VENDOR_DEFINED                       *--- --- --- --- --- --- --- --- --- --- --- der SW (ce53435d)
CKM_NSS_JPAKE_ROUND2_SHA512              *--- --- --- --- --- --- --- --- --- --- --- der SW (ce53435e)
CKM_VENDOR_DEFINED                       *--- --- --- --- --- --- --- --- --- --- --- der SW (ce53435f)
CKM_VENDOR_DEFINED                       *--- --- --- --- --- --- --- --- --- --- --- der SW (ce534360)
CKM_VENDOR_DEFINED                       *--- --- --- --- --- --- --- --- --- --- --- der SW (ce534361)
CKM_NSS_JPAKE_FINAL_SHA512               *--- --- --- --- --- --- --- --- --- --- --- der SW (ce534362)
CKM_VENDOR_DEFINED                       *--- --- hsh --- --- --- --- --- --- --- --- --- SW (ce534363)
CKM_NSS_SSL3_MAC_CONSTANT_TIME           *--- --- hsh --- --- --- --- --- --- --- --- --- SW (ce534364)
CKM_VENDOR_DEFINED                       *--- --- --- --- --- --- --- --- --- --- --- der SW (ce534372)
CKM_VENDOR_DEFINED                       *--- --- --- --- --- --- --- --- --- --- --- der SW (ce534373)
CKM_VENDOR_DEFINED                       *--- --- --- --- --- --- --- --- --- --- --- der SW (ce534374)
CKM_VENDOR_DEFINED                       *--- --- --- --- --- --- --- --- --- --- --- der SW (ce534375)

Expected behavior
Most of the mechanisms should have their proper mechanism name instead of CKM_VENDOR_DEFINED.

Operating System (please complete the following information):

  • OS: GNU/Linux 5.15.137
  • arch: mips
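
A triage sketch for output like the one in the report above, added here as an example and not part of pkcs11-tools or of the original report: it parses `p11slotinfo` mechanism rows and separates codes below `CKM_VENDOR_DEFINED` (0x80000000) that were printed as `CKM_UNKNOWN_MECHANISM` from rows in the vendor range. The function names and the small name table are assumptions of this example; the sample rows are copied from the output quoted above.

```python
import re
from collections import Counter

# PKCS#11: mechanism codes at or above this value are vendor-specific.
CKM_VENDOR_DEFINED = 0x80000000

# Subset of the standard PKCS#11 v2.40 mechanism codes, enough for the excerpt
# below. The table is an assumption of this example, not the tool's own table.
STANDARD_NAMES = {
    0x00000000: "CKM_RSA_PKCS_KEY_PAIR_GEN",
    0x00000001: "CKM_RSA_PKCS",
    0x00000009: "CKM_RSA_PKCS_OAEP",
    0x0000000D: "CKM_RSA_PKCS_PSS",
    0x00001040: "CKM_EC_KEY_PAIR_GEN",
    0x00001041: "CKM_ECDSA",
    0x00001081: "CKM_AES_ECB",
    0x00001087: "CKM_AES_GCM",
}

# One row: name, optional '*', 12 capability columns, SW/HW, (hex code), optional EC tail.
ROW = re.compile(
    r"^(?P<name>CKM_\w+)\s+(?P<star>\*?)"
    r"(?P<caps>(?:(?:[a-z]{3}|---)\s+){12})"
    r"(?P<impl>SW|HW)\s+\((?P<code>[0-9a-fA-F]{8})\)"
    r"(?:\s+ec:\s+(?P<ec>.*))?$"
)

# Rows copied from the p11slotinfo output quoted in the report above.
SAMPLE = """\
Mechanisms:
-----------
CKM_UNKNOWN_MECHANISM                     --- --- --- --- --- --- --- --- gkp --- --- --- SW (00000000)
CKM_UNKNOWN_MECHANISM                     enc dec --- sig sir vfy vre --- --- wra unw --- SW (00000001)
CKM_UNKNOWN_MECHANISM                     --- --- --- --- --- --- --- --- gkp --- --- --- SW (00001040) ec: F^p F2m --- nam unc ---
CKM_UNKNOWN_MECHANISM                     enc dec --- --- --- --- --- --- --- --- --- --- SW (00001087)
CKM_VENDOR_DEFINED                       *--- --- --- --- --- --- --- gen --- --- --- --- SW (ce53436b)
CKM_NETSCAPE_PBE_SHA1_HMAC_KEY_GEN       *--- --- --- --- --- --- --- gen --- --- --- --- SW (80000009)
CKM_NSS_SSL3_MAC_CONSTANT_TIME           *--- --- hsh --- --- --- --- --- --- --- --- --- SW (ce534364)
"""


def parse_row(line):
    """Parse one mechanism row; return None for headers and anything else."""
    m = ROW.match(line.strip())
    if not m:
        return None
    return {
        "name": m.group("name"),
        "code": int(m.group("code"), 16),
        # Keep only the capabilities that are set ('---' means not set).
        "caps": [c for c in m.group("caps").split() if c != "---"],
        # Marker printed before the columns on some rows; recorded as-is.
        "starred": bool(m.group("star")),
        "impl": m.group("impl"),
        "ec": m.group("ec"),
    }


def classify(row):
    """Label a row by code range versus the name that was printed."""
    in_vendor_range = row["code"] >= CKM_VENDOR_DEFINED
    if not in_vendor_range and row["name"] == "CKM_UNKNOWN_MECHANISM":
        return "standard-unnamed"   # standard-range code without a name
    if in_vendor_range and row["name"] == "CKM_VENDOR_DEFINED":
        return "vendor-unnamed"     # vendor code the tool has no name for
    return "named"


def triage(text):
    """Return every parsed row with its classification and a name suggestion."""
    rows = []
    for line in text.splitlines():
        row = parse_row(line)
        if row is None:
            continue
        row["class"] = classify(row)
        row["suggestion"] = STANDARD_NAMES.get(row["code"])
        rows.append(row)
    return rows


def summarize(text):
    """Count rows per classification."""
    return Counter(row["class"] for row in triage(text))


if __name__ == "__main__":
    for r in triage(SAMPLE):
        hint = f" -> {r['suggestion']}" if r["class"] == "standard-unnamed" and r["suggestion"] else ""
        print(f"{r['code']:08x} {r['class']:<17} {r['name']}{hint}")
    print(dict(summarize(SAMPLE)))
```
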

Some wrong names for hashes and MGF in the manual

Under https://github.com/Mastercard/pkcs11-tools/blob/master/docs/MANUAL.md#p11wrap-and-p11unwrap,

mgf=CKG_MGF1_SHA1|CKG_MGF1_SHA256|CKG_MGF_SHA384|CKG_MGF_SHA512 - MGF parameter, default is CKG_MGF1_SHA1
hash=CKM_SHA_1|CKM_SHA224|CKM_SHA256|CKM_SHA384|CKM_SHA512 - hashing alg. argument, default is CKM_SHA_1

These are not the same as the mechanisms listed in the standard. Yesterday I was trying unwrapping and wrapping and couldn't figure out why I was getting errors until I looked the mechanisms up.

`p11wrap` is mistakenly adding `CKA_EC_PARAMS` attribute.

p11wrap is mistakenly adding CKA_EC_PARAMS attribute.

When unwrapping the key, that parameter is forbidden, according to PKCS#11 v2.40 curr table 31 and PKCS#11 v2.40 base table 10, item 6: "MUST not be specified when object is unwrapped with C_UnwrapKey."

This results in EC keys that cannot unwrap, when using cbcpad wrapping algorithm.
The workaround is to comment out CKA_EC_PARAMS from the wrap file before unwrapping the key.

p11keygen ignores some of unknown argument

Describe the bug
p11keygen simply ignores an unknown argument if the argument starts with Unicode characters

To Reproduce
Steps to reproduce the behavior:

  1. run p11keygen -i test_key -k rsa WRAP £UNWRAP; it succeeds in generating the key
  2. run p11ls prvk/test_key, which outputs prvk/test_key tok,prv,r/w,loc,sen,ase,nxt,rsa(2048). No unw attribute found

Expected behavior
run p11keygen -i test_key -k rsa WRAP £UNWRAP should fail with error message

Operating System (please complete the following information):

  • OS: Oracle Linux 7
  • Kernel Version: 3.10.0 x86_64

memory leak found with commands p11req and p11mkcert

Describe the bug
A memory leak has been found (using Valgrind) when executing p11req and p11mkcert. The memleak is caused by structures not being properly disposed of.

To Reproduce
Steps to reproduce the behavior:

  1. execute p11req or p11mkcert through valgrind
  2. See valgrind output

Expected behavior
Valgrind should not report memory leaks at exit time for these commands.

Operating System (please complete the following information):

  • OS: linux

Additional context
Seems like a simple fix, X509 and X509_REQ structures must be freed once commands are finished.

bootstrap error Ubuntu 22.04

Neither bootstrap nor autoreconf is working on Ubuntu 22.04:

$ ./bootstrap.sh
aclocal.m4:1041: AM_PROG_LEX is expanded from...
configure.ac:49: the top level
configure.ac:66: warning: The macro `AC_PROG_LIBTOOL' is obsolete.
configure.ac:66: You should run autoupdate.
m4/libtool.m4:99: AC_PROG_LIBTOOL is expanded from...
configure.ac:66: the top level
configure.ac:208: warning: The macro `AC_CANONICAL_SYSTEM' is obsolete.
configure.ac:208: You should run autoupdate.
./lib/autoconf/general.m4:2081: AC_CANONICAL_SYSTEM is expanded from...
m4/ax_create_target_h.m4:473: AC_CANONICAL_CPU_ARCH is expanded from...
m4/ax_create_target_h.m4:93: AX_CREATE_TARGET_H is expanded from...
configure.ac:208: the top level
configure.ac:51: error: possibly undefined macro: AC_MSG_WARN
      If this token and others are legitimate, please use m4_pattern_allow.
      See the Autoconf documentation.
autoreconf: error: /usr/bin/autoconf failed with exit status: 1
$ autoreconf -ifv
autoreconf: export WARNINGS=
autoreconf: Entering directory '.'
autoreconf: configure.ac: not using Gettext
autoreconf: running: aclocal --force -I m4
autoreconf: configure.ac: tracing
autoreconf: running: libtoolize --copy --force
libtoolize: putting auxiliary files in '.'.
libtoolize: copying file './ltmain.sh'
libtoolize: putting macros in AC_CONFIG_MACRO_DIRS, 'm4'.
libtoolize: copying file 'm4/libtool.m4'
libtoolize: copying file 'm4/ltoptions.m4'
libtoolize: copying file 'm4/ltsugar.m4'
libtoolize: copying file 'm4/ltversion.m4'
libtoolize: copying file 'm4/lt~obsolete.m4'
autoreconf: configure.ac: not using Intltool
autoreconf: configure.ac: not using Gtkdoc
autoreconf: running: aclocal --force -I m4
autoreconf: running: /usr/bin/autoconf --force
configure.ac:37: warning: The macro `AC_PROG_CC_C99' is obsolete.
configure.ac:37: You should run autoupdate.
./lib/autoconf/c.m4:1659: AC_PROG_CC_C99 is expanded from...
configure.ac:37: the top level
configure.ac:49: warning: AC_PROG_LEX without either yywrap or noyywrap is obsolete
./lib/autoconf/programs.m4:716: _AC_PROG_LEX is expanded from...
./lib/autoconf/programs.m4:709: AC_PROG_LEX is expanded from...
aclocal.m4:1041: AM_PROG_LEX is expanded from...
configure.ac:49: the top level
configure.ac:66: warning: The macro `AC_PROG_LIBTOOL' is obsolete.
configure.ac:66: You should run autoupdate.
m4/libtool.m4:99: AC_PROG_LIBTOOL is expanded from...
configure.ac:66: the top level
configure.ac:208: warning: The macro `AC_CANONICAL_SYSTEM' is obsolete.
configure.ac:208: You should run autoupdate.
./lib/autoconf/general.m4:2081: AC_CANONICAL_SYSTEM is expanded from...
m4/ax_create_target_h.m4:473: AC_CANONICAL_CPU_ARCH is expanded from...
m4/ax_create_target_h.m4:93: AX_CREATE_TARGET_H is expanded from...
configure.ac:208: the top level
configure.ac:51: error: possibly undefined macro: AC_MSG_WARN
      If this token and others are legitimate, please use m4_pattern_allow.
      See the Autoconf documentation.
autoreconf: error: /usr/bin/autoconf failed with exit status: 1

It's the only package where autoreconf fails; I didn't notice this error with any other software so far.

(Help, please) no way to build the source code on Ubuntu 20...

Good afternoon,

I am pretty lost trying to build the source code on Ubuntu 20...
After running 'autoconf' I get many 'undefined macro' messages, as you can see below,

Googling I found that running 'autoreconf -fi' might solve it, there's still a macro error related to AC_MSG_WARN though.

Any help would be much appreciated. Thanks a lot

jordi@jordi-VirtualBox:~/pkcs11-tools-master$ autoconf
configure.ac:1: error: possibly undefined macro: dnl
If this token and others are legitimate, please use m4_pattern_allow.
See the Autoconf documentation.
configure.ac:20: error: possibly undefined macro: AM_MAINTAINER_MODE
configure.ac:38: error: possibly undefined macro: AC_MSG_FAILURE
configure.ac:51: error: possibly undefined macro: AC_MSG_WARN
configure.ac:60: error: possibly undefined macro: AM_INIT_AUTOMAKE
configure.ac:63: error: possibly undefined macro: AM_PROG_AR
configure.ac:66: error: possibly undefined macro: AC_PROG_LIBTOOL
configure.ac:71: error: possibly undefined macro: AM_CONDITIONAL
configure.ac:82: error: possibly undefined macro: AC_CHECK_DECLS
configure.ac:98: error: possibly undefined macro: AM_COND_IF
configure.ac:102: error: possibly undefined macro: AC_SEARCH_LIBS
configure.ac:102: error: possibly undefined macro: AC_MSG_ERROR
configure.ac:106: error: possibly undefined macro: AC_CHECK_LIB
jordi@jordi-VirtualBox:~/pkcs11-tools-master$

jordi@jordi-VirtualBox:~/pkcs11-tools-master$ autoreconf -fi
libtoolize: putting auxiliary files in '.'.
libtoolize: copying file './ltmain.sh'
libtoolize: putting macros in AC_CONFIG_MACRO_DIRS, 'm4'.
libtoolize: copying file 'm4/libtool.m4'
libtoolize: copying file 'm4/ltoptions.m4'
libtoolize: copying file 'm4/ltsugar.m4'
libtoolize: copying file 'm4/ltversion.m4'
libtoolize: copying file 'm4/lt~obsolete.m4'
configure.ac:51: error: possibly undefined macro: AC_MSG_WARN
If this token and others are legitimate, please use m4_pattern_allow.
See the Autoconf documentation.
autoreconf: /usr/bin/autoconf failed with exit status: 1
jordi@jordi-VirtualBox:~/pkcs11-tools-master$

VERSIONS

jordi@jordi-VirtualBox:~/pkcs11-tools-master$ uname -a
Linux jordi-VirtualBox 5.8.0-49-generic #55~20.04.1-Ubuntu SMP Fri Mar 26 01:01:07 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

jordi@jordi-VirtualBox:~/pkcs11-tools-master$ autoconf --version
autoconf (GNU Autoconf) 2.69
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+/Autoconf: GNU GPL version 3 or later
http://gnu.org/licenses/gpl.html, http://gnu.org/licenses/exceptions.html
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

jordi@jordi-VirtualBox:~/pkcs11-tools-master$ m4 --version
m4 (GNU M4) 1.4.18
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later http://gnu.org/licenses/gpl.html.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Failing compilation on Ubuntu 22.04

Describe the bug
The first step in building this software, ./bootstrap.sh fails with issues pointing to the configuration files.

Operating System (please complete the following information):

  • OS: Ubuntu 22.04 (64-bit)

Additional context
Output from running the command:

/pkcs11-tools$ ./bootstrap.sh
Module list with included dependencies (indented):
absolute-header
attribute
btowc
builtin-expect
byteswap
c99
calloc-gnu
calloc-posix
dynarray
errno
extensions
extern-inline
fd-hook
free-posix
getdelim
gethostname
getline
getopt-gnu
getopt-posix
gettext-h
hard-locale
include_next
intprops
inttypes-incomplete
langinfo
libc-config
limits-h
localcharset
locale
localeconv
lock
malloc-gnu
malloc-posix
mbrtowc
mbsinit
mbtowc
msvc-inval
msvc-nothrow
multiarch
nl_langinfo
nocrash
realloc-gnu
realloc-posix
regex
setlocale-null
snippet/_Noreturn
snippet/arg-nonnull
snippet/c++defs
snippet/warn-on-use
socketlib
sockets
socklen
ssize_t
std-gnu11
stdalign
stdbool
stddef
stdint
stdio
stdlib
strcase
streq
string
strings
sys_socket
sys_types
sys_uio
sysexits
termios
threadlib
time
unistd
vararrays
verify
wchar
wcrtomb
wctype-h
windows-mutex
windows-once
windows-recmutex
windows-rwlock
xalloc-oversized
File list:
lib/_Noreturn.h
lib/arg-nonnull.h
lib/attribute.h
lib/btowc.c
lib/byteswap.in.h
lib/c++defs.h
lib/calloc.c
lib/cdefs.h
lib/dynarray.h
lib/errno.in.h
lib/fd-hook.c
lib/fd-hook.h
lib/free.c
lib/getdelim.c
lib/gethostname.c
lib/getline.c
lib/getopt-cdefs.in.h
lib/getopt-core.h
lib/getopt-ext.h
lib/getopt-pfx-core.h
lib/getopt-pfx-ext.h
lib/getopt.c
lib/getopt.in.h
lib/getopt1.c
lib/getopt_int.h
lib/gettext.h
lib/glthread/lock.c
lib/glthread/lock.h
lib/glthread/threadlib.c
lib/hard-locale.c
lib/hard-locale.h
lib/intprops.h
lib/inttypes.in.h
lib/langinfo.in.h
lib/lc-charset-dispatch.c
lib/lc-charset-dispatch.h
lib/libc-config.h
lib/limits.in.h
lib/localcharset.c
lib/localcharset.h
lib/locale.in.h
lib/localeconv.c
lib/malloc.c
lib/malloc/dynarray-skeleton.c
lib/malloc/dynarray.h
lib/malloc/dynarray_at_failure.c
lib/malloc/dynarray_emplace_enlarge.c
lib/malloc/dynarray_finalize.c
lib/malloc/dynarray_resize.c
lib/malloc/dynarray_resize_clear.c
lib/mbrtowc-impl-utf8.h
lib/mbrtowc-impl.h
lib/mbrtowc.c
lib/mbsinit.c
lib/mbtowc-impl.h
lib/mbtowc-lock.c
lib/mbtowc-lock.h
lib/mbtowc.c
lib/msvc-inval.c
lib/msvc-inval.h
lib/msvc-nothrow.c
lib/msvc-nothrow.h
lib/nl_langinfo-lock.c
lib/nl_langinfo.c
lib/realloc.c
lib/regcomp.c
lib/regex.c
lib/regex.h
lib/regex_internal.c
lib/regex_internal.h
lib/regexec.c
lib/setlocale-lock.c
lib/setlocale_null.c
lib/setlocale_null.h
lib/sockets.c
lib/sockets.h
lib/stdalign.in.h
lib/stdbool.in.h
lib/stddef.in.h
lib/stdint.in.h
lib/stdio.in.h
lib/stdlib.in.h
lib/strcasecmp.c
lib/streq.h
lib/string.in.h
lib/strings.in.h
lib/strncasecmp.c
lib/sys_socket.c
lib/sys_socket.in.h
lib/sys_types.in.h
lib/sys_uio.in.h
lib/sysexits.in.h
lib/termios.in.h
lib/time.in.h
lib/unistd.c
lib/unistd.in.h
lib/verify.h
lib/w32sock.h
lib/warn-on-use.h
lib/wchar.in.h
lib/wcrtomb.c
lib/wctype-h.c
lib/wctype.in.h
lib/windows-initguard.h
lib/windows-mutex.c
lib/windows-mutex.h
lib/windows-once.c
lib/windows-once.h
lib/windows-recmutex.c
lib/windows-recmutex.h
lib/windows-rwlock.c
lib/windows-rwlock.h
lib/xalloc-oversized.h
m4/00gnulib.m4
m4/__inline.m4
m4/absolute-header.m4
m4/btowc.m4
m4/builtin-expect.m4
m4/byteswap.m4
m4/calloc.m4
m4/codeset.m4
m4/eealloc.m4
m4/errno_h.m4
m4/extensions.m4
m4/extern-inline.m4
m4/free.m4
m4/getdelim.m4
m4/gethostname.m4
m4/getline.m4
m4/getopt.m4
m4/gnulib-common.m4
m4/include_next.m4
m4/inttypes.m4
m4/langinfo_h.m4
m4/limits-h.m4
m4/localcharset.m4
m4/locale-fr.m4
m4/locale-ja.m4
m4/locale-zh.m4
m4/locale_h.m4
m4/localeconv.m4
m4/lock.m4
m4/malloc.m4
m4/mbrtowc.m4
m4/mbsinit.m4
m4/mbstate_t.m4
m4/mbtowc.m4
m4/msvc-inval.m4
m4/msvc-nothrow.m4
m4/multiarch.m4
m4/nl_langinfo.m4
m4/nocrash.m4
m4/off_t.m4
m4/pid_t.m4
m4/pthread_rwlock_rdlock.m4
m4/realloc.m4
m4/regex.m4
m4/setlocale_null.m4
m4/socketlib.m4
m4/sockets.m4
m4/socklen.m4
m4/sockpfaf.m4
m4/ssize_t.m4
m4/std-gnu11.m4
m4/stdalign.m4
m4/stdbool.m4
m4/stddef_h.m4
m4/stdint.m4
m4/stdio_h.m4
m4/stdlib_h.m4
m4/strcase.m4
m4/string_h.m4
m4/strings_h.m4
m4/sys_socket_h.m4
m4/sys_types_h.m4
m4/sys_uio_h.m4
m4/sysexits.m4
m4/termios_h.m4
m4/threadlib.m4
m4/time_h.m4
m4/unistd_h.m4
m4/vararrays.m4
m4/visibility.m4
m4/warn-on-use.m4
m4/wchar_h.m4
m4/wchar_t.m4
m4/wcrtomb.m4
m4/wctype_h.m4
m4/wint_t.m4
m4/zzgnulib.m4
Finished.

You may need to add #include directives for the following .h files.
#include <byteswap.h>
#include <getopt.h>
#include <regex.h>
#include <stdio.h>
#include <stdlib.h>
#include <strings.h>
#include <sysexits.h>
#include <termios.h>
#include <time.h>
#include <unistd.h>

You may need to use the following Makefile variables when linking.
Use them in _LDADD when linking a program, or
in _a_LDFLAGS or _la_LDFLAGS when linking a library.
$(GETHOSTNAME_LIB)
$(LIBSOCKET)
$(LIBTHREAD)
$(LIB_HARD_LOCALE)
$(LIB_MBRTOWC)
$(LIB_SETLOCALE_NULL)
$(LTLIBINTL) when linking with libtool, $(LIBINTL) otherwise

Don't forget to

  • add "gl/Makefile" to AC_CONFIG_FILES in ./configure.ac,
  • mention "gl" in SUBDIRS in Makefile.am,
  • mention "-I m4" in ACLOCAL_AMFLAGS in Makefile.am,
  • mention "m4/gnulib-cache.m4" in EXTRA_DIST in Makefile.am,
  • invoke gl_EARLY in ./configure.ac, right after AC_PROG_CC,
  • invoke gl_INIT in ./configure.ac.
    autoreconf: export WARNINGS=
    autoreconf: Entering directory '.'
    autoreconf: configure.ac: not using Gettext
    autoreconf: running: aclocal --force -I m4
    autoreconf: configure.ac: tracing
    autoreconf: running: libtoolize --copy --force
    libtoolize: putting auxiliary files in '.'.
    libtoolize: copying file './ltmain.sh'
    libtoolize: putting macros in AC_CONFIG_MACRO_DIRS, 'm4'.
    libtoolize: copying file 'm4/libtool.m4'
    libtoolize: copying file 'm4/ltoptions.m4'
    libtoolize: copying file 'm4/ltsugar.m4'
    libtoolize: copying file 'm4/ltversion.m4'
    libtoolize: copying file 'm4/lt~obsolete.m4'
    autoreconf: configure.ac: not using Intltool
    autoreconf: configure.ac: not using Gtkdoc
    autoreconf: running: aclocal --force -I m4
    autoreconf: running: /usr/bin/autoconf --force
    configure.ac:37: warning: AC_PROG_CC_C99 is obsolete; use AC_PROG_CC
    configure.ac:40: warning: ac_ext=c
    configure.ac:40: ac_cpp='$CPP $CPPFLAGS'
    configure.ac:40: ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
    configure.ac:40: ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
    configure.ac:40: ac_compiler_gnu=$ac_cv_c_compiler_gnu
    configure.ac:40: if test -n "$ac_tool_prefix"; then
    configure.ac:40: # Extract the first word of "${ac_tool_prefix}gcc", so it can be a program name with args.
    configure.ac:40: set dummy ${ac_tool_prefix}gcc; ac_word=$2
    configure.ac:40: { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
    configure.ac:40: printf %s "checking for $ac_word... " >&6; }
    configure.ac:40: if test ${ac_cv_prog_CC+y}
    configure.ac:40: then :
    configure.ac:40: printf %s "(cached) " >&6
    configure.ac:40: else $as_nop
    configure.ac:40: if test -n "$CC"; then
    configure.ac:40: ac_cv_prog_CC="$CC" # Let the user override the test.
    configure.ac:40: else
    configure.ac:40: as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
    configure.ac:40: for as_dir in $PATH
    configure.ac:40: do
    configure.ac:40: IFS=$as_save_IFS
    configure.ac:40: case $as_dir in #(((
    configure.ac:40: '' is m4_require'd but not m4_defun'd
    lib/m4sugar/m4sh.m4:692: _AS_IF_ELSE is expanded from...
    lib/m4sugar/m4sh.m4:699: AS_IF is expanded from...
    ./lib/autoconf/general.m4:2249: AC_CACHE_VAL is expanded from...
    ./lib/autoconf/programs.m4:41: _AC_CHECK_PROG is expanded from...
    ./lib/autoconf/programs.m4:101: AC_CHECK_PROG is expanded from...
    ./lib/autoconf/programs.m4:221: AC_CHECK_TOOL is expanded from...
    ./lib/autoconf/c.m4:452: AC_PROG_CC is expanded from...
    configure.ac:40: the top level
    configure.ac:46: warning: ac_ext=c
    configure.ac:46: ac_cpp='$CPP $CPPFLAGS'
    configure.ac:46: ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
    configure.ac:46: ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
    configure.ac:46: ac_compiler_gnu=$ac_cv_c_compiler_gnu
    configure.ac:46: if test -n "$ac_tool_prefix"; then
    configure.ac:46: # Extract the first word of "${ac_tool_prefix}gcc", so it can be a program name with args.
    configure.ac:46: set dummy ${ac_tool_prefix}gcc; ac_word=$2
    configure.ac:46: { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
    configure.ac:46: printf %s "checking for $ac_word... " >&6; }
    configure.ac:46: if test ${ac_cv_prog_CC+y}
    configure.ac:46: then :
    configure.ac:46: printf %s "(cached) " >&6
    configure.ac:46: else $as_nop
    configure.ac:46: if test -n "$CC"; then
    configure.ac:46: ac_cv_prog_CC="$CC" # Let the user override the test.
    configure.ac:46: else
    configure.ac:46: as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
    configure.ac:46: for as_dir in $PATH
    configure.ac:46: do
    configure.ac:46: IFS=$as_save_IFS
    configure.ac:46: case $as_dir in #(((
    configure.ac:46: '' is m4_require'd but not m4_defun'd
    lib/m4sugar/m4sh.m4:692: _AS_IF_ELSE is expanded from...
    lib/m4sugar/m4sh.m4:699: AS_IF is expanded from...
    ./lib/autoconf/general.m4:2249: AC_CACHE_VAL is expanded from...
    ./lib/autoconf/programs.m4:41: _AC_CHECK_PROG is expanded from...
    ./lib/autoconf/programs.m4:101: AC_CHECK_PROG is expanded from...
    ./lib/autoconf/programs.m4:221: AC_CHECK_TOOL is expanded from...
    ./lib/autoconf/c.m4:452: AC_PROG_CC is expanded from...
    configure.ac:46: the top level
    configure.ac:55: warning: AC_PROG_LEX without either yywrap or noyywrap is obsolete
    ./lib/autoconf/programs.m4:716: _AC_PROG_LEX is expanded from...
    ./lib/autoconf/programs.m4:709: AC_PROG_LEX is expanded from...
    aclocal.m4:1041: AM_PROG_LEX is expanded from...
    configure.ac:55: the top level
    configure.ac:72: warning: The macro 'AC_PROG_LIBTOOL' is obsolete.
    configure.ac:72: You should run autoupdate.
    m4/libtool.m4:99: AC_PROG_LIBTOOL is expanded from...
    configure.ac:72: the top level
    configure.ac:214: warning: The macro 'AC_CANONICAL_SYSTEM' is obsolete.
    configure.ac:214: You should run autoupdate.
    ./lib/autoconf/general.m4:2081: AC_CANONICAL_SYSTEM is expanded from...
    m4/ax_create_target_h.m4:473: AC_CANONICAL_CPU_ARCH is expanded from...
    m4/ax_create_target_h.m4:93: AX_CREATE_TARGET_H is expanded from...
    configure.ac:214: the top level
    configure.ac:34: error: possibly undefined macro: AC_PROG_CC
    If this token and others are legitimate, please use m4_pattern_allow.
    See the Autoconf documentation.
    configure.ac:38: error: possibly undefined macro: AC_PROG_CC_C99
    configure.ac:57: error: possibly undefined macro: AC_MSG_WARN
    autoreconf: error: /usr/bin/autoconf failed with exit status: 1

/pkcs11-tools$

wrapped keys should have `CKA_EXTRACTABLE` set to `false` by default

When wrapping a key using p11wrap, the attribute CKA_EXTRACTABLE is set to true, since that key must have this attribute set to be wrapped. There is however no reason to maintain this attribute to true; moreover, this creates a potential security issue since, without modifying the unwrap template manually, the recovered key will also feature this attribute, making it vulnerable to extraction.

It is recommended to set this attribute to false, irrespective of its value fetched from the wrapped key.
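One way to apply the recommendation above when the unwrap template is assembled, as an added example that is not pkcs11-tools code: the helper names `harden_unwrap_template` and `template_bool`, the opt-in flag, and the sample attributes are hypothetical, and the Cryptoki types are minimal stand-ins so the block builds without a vendor header.

```c
#include <stddef.h>
#include <stdio.h>

/* Minimal stand-ins for the Cryptoki types so the example builds without a
 * vendor pkcs11.h; the attribute type values are the standard PKCS#11 ones. */
typedef unsigned long CK_ULONG;
typedef unsigned char CK_BBOOL;
typedef struct {
    CK_ULONG type;
    void    *pValue;
    CK_ULONG ulValueLen;
} CK_ATTRIBUTE;

#define CK_TRUE         1
#define CK_FALSE        0
#define CKA_LABEL       0x00000003UL
#define CKA_SENSITIVE   0x00000103UL
#define CKA_EXTRACTABLE 0x00000162UL

static CK_BBOOL ck_true  = CK_TRUE;
static CK_BBOOL ck_false = CK_FALSE;

/* Hypothetical helper: build the template handed to C_UnwrapKey() from the
 * attributes recorded alongside a wrapped key. Any CKA_EXTRACTABLE carried
 * over from the wrapped key is discarded; exactly one CKA_EXTRACTABLE is
 * appended, CK_FALSE unless the operator explicitly asked otherwise.
 * Returns the number of attributes written, or 0 if `out` is too small. */
size_t harden_unwrap_template(const CK_ATTRIBUTE *recorded, size_t recorded_len,
                              CK_ATTRIBUTE *out, size_t out_cap,
                              int operator_wants_extractable)
{
    size_t n = 0;
    for (size_t i = 0; i < recorded_len; i++) {
        if (recorded[i].type == CKA_EXTRACTABLE)
            continue;               /* never inherit the wrap-time value */
        if (n == out_cap)
            return 0;
        out[n++] = recorded[i];
    }
    if (n == out_cap)
        return 0;
    out[n].type       = CKA_EXTRACTABLE;
    out[n].pValue     = operator_wants_extractable ? &ck_true : &ck_false;
    out[n].ulValueLen = sizeof(CK_BBOOL);
    return n + 1;
}

/* Value of a boolean attribute in a template: 1, 0, or -1 when absent. */
int template_bool(const CK_ATTRIBUTE *tmpl, size_t len, CK_ULONG type)
{
    for (size_t i = 0; i < len; i++)
        if (tmpl[i].type == type && tmpl[i].pValue != NULL)
            return *(const CK_BBOOL *)tmpl[i].pValue ? 1 : 0;
    return -1;
}

int main(void)
{
    /* Constructed sample: attributes as they would be recorded for a key that
     * had to be extractable in order to be wrapped. */
    CK_BBOOL yes = CK_TRUE;
    char label[] = "restored-key";
    CK_ATTRIBUTE recorded[] = {
        { CKA_LABEL,       label, sizeof label - 1 },
        { CKA_EXTRACTABLE, &yes,  sizeof yes },
        { CKA_SENSITIVE,   &yes,  sizeof yes },
    };
    CK_ATTRIBUTE tmpl[4];
    size_t n = harden_unwrap_template(recorded, 3, tmpl, 4, 0);
    printf("attributes=%zu extractable=%d sensitive=%d\n", n,
           template_bool(tmpl, n, CKA_EXTRACTABLE),
           template_bool(tmpl, n, CKA_SENSITIVE));
    return 0;
}
```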

issues with eddsa after keygen

Able to run keygen and ls using ed25519 and 448, but not other functions such as cat, req, mkcert, etc. with eddsa. No issues with other tested algorithms such as prime256, etc. Believe to have a working install otherwise.

  1. setup system
    compile and install softhsm 2.6.1 with --enable-eddsa
    compile and install mastercard/pkcs11-tools
    install gnutls-utils 3.7.2
    openssl 1.1.1k

  2. initialize softhsm token
    softhsm2-util --init-token --slot 0 --label "CA_G1" --so-pin password --pin 1111
    softhsm2-util --sh

2a. Results
Found token (9e4f3336-a231-b09b-b7dd-be8a5edc900b) with matching serial.
The token (/var/lib/softhsm/tokens/9e4f3336-a231-b09b-b7dd-be8a5edc900b) has been deleted.
The token has been initialized and is reassigned to slot 124920443
Available slots:
Slot 124920443
Slot info:
Description: SoftHSM slot ID 0x772227b
Manufacturer ID: SoftHSM project
Hardware version: 2.6
Firmware version: 2.6
Token present: yes
Token info:
Manufacturer ID: SoftHSM project
Model: SoftHSM v2
Hardware version: 2.6
Firmware version: 2.6
Serial number: cecf60180772227b
Initialized: yes
User PIN init.: yes
Label: CA_G1
Slot 1
Slot info:
Description: SoftHSM slot ID 0x1
Manufacturer ID: SoftHSM project
Hardware version: 2.6
Firmware version: 2.6
Token present: yes
Token info:
Manufacturer ID: SoftHSM project
Model: SoftHSM v2
Hardware version: 2.6
Firmware version: 2.6
Serial number:
Initialized: no
User PIN init.: no
Label:

  3. setup pkcs11-tools and generate keys
    export PKCS11LIB=/usr/local/lib/softhsm/libsofthsm2.so
    export PKCS11SLOT=0
    export PKCS11TOKENLABEL=CA_G1
    export PKCS11PASSWORD=1111

p11slotinfo (abbreviated to show relevant supported algorithms)
PKCS#11 Library

Name : /usr/local/lib/softhsm/libsofthsm2.so
Lib version : 2.6
API version : 2.40
Description : Implementation of PKCS11
Manufacturer: SoftHSM

Slot[0]

Slot Number : 124920443
Description : SoftHSM slot ID 0x772227b
Manufacturer: SoftHSM project
Slot Flags : [ CKF_TOKEN_PRESENT ]

Token

Label : CA_G1
Manufacturer: SoftHSM project

Token Flags : [ CKF_RNG CKF_LOGIN_REQUIRED CKF_USER_PIN_INITIALIZED CKF_RESTORE_KEY_NOT_NEEDED CKF_TOKEN_INITIALIZED ]

Mechanisms:

CKM_ECDH1_DERIVE --- --- --- --- --- --- --- --- --- --- --- der SW (00001050)
CKM_ECDSA --- --- --- sig --- vfy --- --- --- --- --- --- SW (00001041) ec: F^p --- --- nam unc ---
CKM_EC_EDWARDS_KEY_PAIR_GEN --- --- --- --- --- --- --- --- gkp --- --- --- SW (00001055)
CKM_ECDSA_KEY_PAIR_GEN --- --- --- --- --- --- --- --- gkp --- --- --- SW (00001040) ec: F^p --- --- nam unc ---
CKM_EDDSA --- --- --- sig --- vfy --- --- --- --- --- --- SW (00001057)

p11keygen -k ed -q ed448 -i test-448
p11keygen -k ed -q ed25519 -i test-25519

view with p11tool (test-25519 shows as type 25519 for private and public, test-448 shows as type 448 for public and 25519 for private)
p11tool --provider /usr/local/lib/softhsm/libsofthsm2.so --list-all --login --set-pin=1111
Object 0:
URL: pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=cecf60180772227b;token=CA_G1;id=%87%44%23%DB%DA%B9%94%0D%B6%48%40%91%D7%27%7E%D2%B0%C6%A1%0B;object=test-25519;type=public
Type: Public key (EdDSA (Ed25519))
Label: test-25519
ID: 87:44:23:db:da:b9:94:0d:b6:48:40:91:d7:27:7e:d2:b0:c6:a1:0b

Object 1:
URL: pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=cecf60180772227b;token=CA_G1;id=%87%44%23%DB%DA%B9%94%0D%B6%48%40%91%D7%27%7E%D2%B0%C6%A1%0B;object=test-25519;type=private
Type: Private key (EdDSA (Ed25519))
Label: test-25519
Flags: CKA_PRIVATE; CKA_NEVER_EXTRACTABLE; CKA_SENSITIVE;
ID: 87:44:23:db:da:b9:94:0d:b6:48:40:91:d7:27:7e:d2:b0:c6:a1:0b

Object 2:
URL: pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=cecf60180772227b;token=CA_G1;id=%24%25%9C%A2%E2%A6%4B%40%B5%B4%AC%E6%A7%2C%BC%BF%BF%D9%92%D2;object=test-448;type=public
Type: Public key (EdDSA (Ed448))
Label: test-448
ID: 24:25:9c:a2:e2:a6:4b:40:b5:b4:ac:e6:a7:2c:bc:bf:bf:d9:92:d2

Object 3:
URL: pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=cecf60180772227b;token=CA_G1;id=%24%25%9C%A2%E2%A6%4B%40%B5%B4%AC%E6%A7%2C%BC%BF%BF%D9%92%D2;object=test-448;type=private
Type: Private key (EdDSA (Ed25519))
Label: test-448
Flags: CKA_PRIVATE; CKA_NEVER_EXTRACTABLE; CKA_SENSITIVE;
ID: 24:25:9c:a2:e2:a6:4b:40:b5:b4:ac:e6:a7:2c:bc:bf:bf:d9:92:d2

p11ls (shows correct for all, only command that seems to work)
pubk/test-25519 tok,pub,r/w,loc,ed(ED25519)
prvk/test-25519 tok,prv,r/w,loc,sen,ase,nxt,ed(ED25519)
pubk/test-448 tok,pub,r/w,loc,ed(ED448)
prvk/test-448 tok,prv,r/w,loc,sen,ase,nxt,ed(ED448)

p11more pubk (other commands such as p11cat, p11req, p11mkcert, etc produce this same result)
*** OpenSSL ERROR at pkcs11_more.c:458 'error:2606A074:engine routines:ENGINE_by_id:no such engine' - (from crypto/engine/eng_list.c:334)
*** OpenSSL ERROR at pkcs11_more.c:458 'error:2606A074:engine routines:ENGINE_by_id:no such engine' - (from crypto/engine/eng_list.c:334)

Expected behavior
to generate, view, and utilize eddsa the same as other

Screenshots
results as above

Operating System (please complete the following information):
tested on fedora 34
ubuntu 20.04

Thank you

Do not store generated files in the git repo

Describe the bug
Some files are in the git repository but they should not be.

Expected behavior
The following files should be removed from git:

  • compile
  • config.guess
  • config.rpath
  • config.sub
  • configure
  • depcomp
  • install-sh
  • Makefile.in
  • missing
  • ylwrap

The m4/ directory should also be removed unless some specific files are not installed by the aclocal command.

Operating System (please complete the following information):

  • OS: any
  • Version any

Additional context
Files generated by the autotools (automake, autoconf, autoheader, libtool, etc.) should not be in the git repo since they are generated.
You can provide a bootstrap.sh script to generate them, for example.

cross-compiling fails under v1.0.1

Describe the bug
When cross-compiling, configure script chokes and reports the following error:
checking for include/cryptoki/ncipher.h... configure: error: cannot check for file existence when cross compiling

To Reproduce
Steps to reproduce the behavior:

  1. download tagged version v1.0.1
  2. follow cross-compiling instructions from INSTALL.md

Expected behavior
configure script should succeed.

Operating System (please complete the following information):

  • OS: debian 9

Additional context
cross-compiling for win32.

rpmbuild: fails because of missing pkcs11_ossl.h in the tar.gz and INSTALL.md has a typo

After running ./configure and make dist, rpmbuild fails:

  CC       libp11_la-pkcs11_ossl_fake_sign.lo
pkcs11_ossl_rsa_meth.c:28:10: fatal error: pkcs11_ossl.h: No such file or directory
   28 | #include "pkcs11_ossl.h"
      |          ^~~~~~~~~~~~~~~
compilation terminated.
make[2]: *** [Makefile:1724: libp11_la-pkcs11_ossl_rsa_meth.lo] Error 1
make[2]: *** Waiting for unfinished jobs....
pkcs11_ossl_dsa_meth.c:28:10: fatal error: pkcs11_ossl.h: No such file or directory
   28 | #include "pkcs11_ossl.h"
      |          ^~~~~~~~~~~~~~~
compilation terminated.
pkcs11_ossl_ecdsa_meth.c:29:10: fatal error: pkcs11_ossl.h: No such file or directory
   29 | #include "pkcs11_ossl.h"
      |          ^~~~~~~~~~~~~~~

Once I added the missing file into the .tar.gz file generated by make dist and ran rpmbuild again, it succeeded and the resulting RPM installs with DNF. This is on Fedora 32.

There's also a typo in INSTALL.md:

$ cp pkcs11-tools-[VERSION].tar.gz $HOME/rpmbuild/SRPMS

should be

$ cp pkcs11-tools-[VERSION].tar.gz $HOME/rpmbuild/SOURCES

Commandline option -t can't find token

If I use, e.g., one of the tools p11ls, p11rm or p11mv with the -t option followed by the name of an existing token, I always get the message "*** Error: token with label 'xxx' not found".

This may also be true for other commands as well, but I haven't checked that.

Cause of problem:

Source: lib/pkcs11_session.c
function: rtrim()

The above mentioned source file contains the following line (around line 37):
n = strlen((const char *)str)>limit ? limit : strlen((const char *)str);

That line is not working correctly. The > comparison fails.

Because strlen() calculates a length of 98 for the string and because this value is bigger than the limit of 32, after that comparison, n should have the value 32.

But it has not. n has still the value 98 and therefore the following comparison with the entered token name fails.

This is not an error in that line of code itself! In my opinion, the root cause of the problem is an error in the gcc compiler if one of the optimization options -O1 or -O2 or -O3 is used.

One idea to solve the problem is to not use the -O2 flag for compilation of that source file.

The second idea is to switch off the -O2 optimization just for the rtrim() function. This can be done by extending the prototype of that function to:

static CK_UTF8CHAR_PTR rtrim(CK_UTF8CHAR_PTR str, int limit) __attribute__((optimize("-O0")));

If I do this in my environment, the comparison now works correctly and therefore the commands now find my token by name successfully.

Additional info:
gcc (GCC) 8.2.1 20180905 (Red Hat 8.2.1-3) running on an AWS ec2-micro instance.

pkcs11-tools Latest commit db918aa on 22 Feb.

p11mv belongs to pkcs11-tools v1.0.2 (Aug 26 2019)
arch/CPU/OS: x86_64/x86_64/linux-gnu
using openssl library: OpenSSL 1.0.2t-dev xx XXX xxxx

Hope that helps :-)

By the way, these pkcs11-tools are extremely helpful. Thank you very much for that.
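PKCS#11 defines `CK_TOKEN_INFO.label` as a 32-byte, blank-padded field with no terminating NUL, so any length computed on it has to be bounded by the field size. The added example below (not the project's code; the reduced struct, the helper names and the sample values are constructed for illustration) trims and compares such a label without reading past 32 bytes, and reports how far a NUL-terminated scan would run on the same data.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TOKEN_LABEL_LEN 32   /* size of CK_TOKEN_INFO.label */

/* Leading fields of CK_TOKEN_INFO, reduced to what the example needs. All
 * four text fields are blank padded and carry no terminating NUL. */
struct token_info_head {
    unsigned char label[TOKEN_LABEL_LEN];
    unsigned char manufacturerID[32];
    unsigned char model[16];
    unsigned char serialNumber[16];
    unsigned long flags;
};

/* Fill a fixed-size field the way a PKCS#11 library does: text, then blanks. */
static void fill_padded(unsigned char *dst, size_t len, const char *text)
{
    size_t n = strlen(text);
    memset(dst, ' ', len);
    memcpy(dst, text, n < len ? n : len);
}

/* Length of a blank-padded field without its padding. Reads at most
 * field_len bytes; also stops at a NUL in case a library adds one. */
size_t padded_field_len(const unsigned char *field, size_t field_len)
{
    size_t n = 0;
    while (n < field_len && field[n] != '\0')
        n++;
    while (n > 0 && field[n - 1] == ' ')
        n--;
    return n;
}

/* 1 when `wanted` equals the token label once padding is ignored. */
int token_label_matches(const unsigned char *label, const char *wanted)
{
    size_t n = padded_field_len(label, TOKEN_LABEL_LEN);
    return strlen(wanted) == n && memcmp(label, wanted, n) == 0;
}

/* What a NUL-terminated scan starting at `label` would count. Computed with a
 * bounded memchr over the struct so the example itself stays well defined. */
size_t unbounded_scan_len(const struct token_info_head *ti)
{
    const unsigned char *base = (const unsigned char *)ti;
    const unsigned char *nul = memchr(base, '\0', sizeof *ti);
    return nul ? (size_t)(nul - base) : sizeof *ti;
}

/* Constructed sample token; none of these values come from the issue. */
struct token_info_head make_sample_token(const char *label)
{
    struct token_info_head ti;
    memset(&ti, 0, sizeof ti);
    fill_padded(ti.label, sizeof ti.label, label);
    fill_padded(ti.manufacturerID, sizeof ti.manufacturerID, "Example vendor");
    fill_padded(ti.model, sizeof ti.model, "Example HSM");
    fill_padded(ti.serialNumber, sizeof ti.serialNumber, "0123456789abcdef");
    ti.flags = 0x040DUL;
    return ti;
}

int main(void)
{
    struct token_info_head ti = make_sample_token("my-token");
    printf("bounded label length : %zu\n",
           padded_field_len(ti.label, TOKEN_LABEL_LEN));
    printf("NUL-terminated scan  : %zu\n", unbounded_scan_len(&ti));
    printf("matches \"my-token\"   : %d\n",
           token_label_matches(ti.label, "my-token"));
    return 0;
}
```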

README.md Typos

I found a couple of typos in README.md. I wanted to make sure I followed the contributing guide as much as possible for this. Since this is such a small change, I am not sure if anything else needs to be included in this.

C_WrapKey using AES key to wrap ED448 and ED25519 fails for CKM_AES_KEY_WRAP_PAD with CKR_KEY_NOT_WRAPPABLE

Describe the bug
C_WrapKey using AES key to wrap ED448 and ED25519 fails for CKM_AES_KEY_WRAP_PAD with CKR_KEY_NOT_WRAPPABLE

To Reproduce
Steps to reproduce the behavior:

  1. Let's try wrapping a prime256v1 key with same steps and observe that it is successful.

p11keygen -k ec -q prime256v1 -i prime256v1-17 CKA_EXTRACTABLE=true -W 'wrappingkey="aes-sharing",algorithm=rfc5649,filename="prime256v1-key-wrapped.seck"'

+ p11keygen -k ec -q prime256v1 -i prime256v1-17 CKA_EXTRACTABLE=true -W 'wrappingkey="aes-sharing",algorithm=rfc5649,filename="prime256v1-key-wrapped.seck"'
Generating, please wait...
>>> key generated
>>> job #1: wrapping key 'prime256v1-17' with parameters 'wrappingkey="aes-sharing",algorithm=rfc5649,filename="prime256v1-key-wrapped.seck"'
key generation succeeded
  2. Repeat for ED25519 key

p11keygen -k ed -q ED25519 -i ED25519-17 CKA_EXTRACTABLE=true -W 'wrappingkey="aes-sharing",algorithm=rfc5649,filename="ED25519-key-wrapped.seck"'

+ p11keygen -k ed -q ED25519 -i ED25519-17 CKA_EXTRACTABLE=true -W 'wrappingkey="aes-sharing",algorithm=rfc5649,filename="ED25519-key-wrapped.seck"'
Generating, please wait...
>>> key generated
>>> job #1: wrapping key 'ED25519-17' with parameters 'wrappingkey="aes-sharing",algorithm=rfc5649,filename="ED25519-key-wrapped.seck"'
*** PKCS#11 Error: C_WrapKey() returned CKR_KEY_NOT_WRAPPABLE ( 0x00000069 )
***Warning: It didn't work with CKM_AES_KEY_WRAP_PAD
***Error: tried all mechanisms, no one worked
***Error: wrapping operation failed for wrapping job #1
some (1) wrapping jobs failed - returning code 1 (0x0001) to calling process
  3. p11keygen -k ed -q ED448 -i ED448-17 CKA_EXTRACTABLE=true -W 'wrappingkey="aes-sharing",algorithm=rfc5649,filename="ED448-key-wrapped.seck"'
+ p11keygen -k ed -q ED448 -i ED448-17 CKA_EXTRACTABLE=true -W 'wrappingkey="aes-sharing",algorithm=rfc5649,filename="ED448-key-wrapped.seck"'
Generating, please wait...
>>> key generated
>>> job #1: wrapping key 'ED448-17' with parameters 'wrappingkey="aes-sharing",algorithm=rfc5649,filename="ED448-key-wrapped.seck"'
*** PKCS#11 Error: C_WrapKey() returned CKR_KEY_NOT_WRAPPABLE ( 0x00000069 )
***Warning: It didn't work with CKM_AES_KEY_WRAP_PAD
***Error: tried all mechanisms, no one worked
***Error: wrapping operation failed for wrapping job #1
some (1) wrapping jobs failed - returning code 1 (0x0001) to calling process

Expected behavior

CKM_AES_KEY_WRAP_PAD should have been successful.

Screenshots

Operating System (please complete the following information):

  • OS: CentOS 8.3.2011
  • Kernel 5.8.5-1.el8.elrepo.x86_64

AES support

In the README.md it said it supports AES operations but I couldn't find the implementation anywhere in the code!

"configure.ac:47: error: possibly undefined macro: AC_MSG_WARN" on CentOS 7.8

Describe the bug
...
autoreconf: running: /usr/bin/autoconf --force
configure.ac:47: error: possibly undefined macro: AC_MSG_WARN
If this token and others are legitimate, please use m4_pattern_allow.
See the Autoconf documentation.
autoreconf: /usr/bin/autoconf failed with exit status: 1

To Reproduce
Steps to reproduce the behavior:

  1. git clone https://github.com/Mastercard/pkcs11-tools.git
  2. cd pkcs11-tools
  3. ./bootstrap.sh
  4. See error

Expected behavior
./bootstrap.sh should exit cleanly

Operating System (please complete the following information):

  • OS: CentOS Linux
  • Version 7.8.2003 (Core)

p11req -X option results in malloc failure

Describe the bug
using the p11req command with the following options

$ p11req -i testp1 -d /CN=abc/O=def/C=xx-o ~/cavium_testp1.pkcs10 -e IP:0.0.0.0 -X

results in the following bug

*** OpenSSL ERROR at ../../lib/pkcs11_req.c:49  'error:0F076041:common libcrypto routines:OPENSSL_hexstr2buf:malloc failure' - (from crypto/o_str.c:157)

To Reproduce
1.

$ p11req -i testp1 -d /CN=abc/O=def/C=xx-o ~/cavium_testp1.pkcs10 -e IP:0.0.0.0 -X
*** OpenSSL ERROR at ../../lib/pkcs11_req.c:49  'error:0F076041:common libcrypto routines:OPENSSL_hexstr2buf:malloc failure' - (from crypto/o_str.c:157)

Expected behavior
No malloc error, command should produce valid pkcs10 request file. Removing the -X option at the end makes it succeed.

Screenshots
N/A

Operating System (please complete the following information):

  • OS: Linux
  • Version
Linux 3.10.0-1160.71.1.0.1.el7.x86_64 #1 SMP Tue Jun 28 22:16:18 PDT 2022 x86_64 x86_64 x86_64 GNU/Linux
$ p11req -V
p11req belongs to pkcs11-tools v2.6.0 (Jul 13 2023)
arch/CPU/OS: x86_64/x86_64/linux-gnu
using openssl library: OpenSSL 1.1.1t  7 Feb 2023
compiled with nCipher extensions
compiled with Gemalto Safenet Luna extensions

Additional context
N/A
