[nginx-tests] Tests: loading keys from pkcs11-provider.
    Maxim Dounin 
    mdounin at mdounin.ru
       
    Tue Oct 14 23:57:53 UTC 2025
    
    
  
details:   http://freenginx.org/hg/nginx-tests/rev/f3f2fec834c4
branches:  
changeset: 2031:f3f2fec834c4
user:      Maxim Dounin <mdounin at mdounin.ru>
date:      Wed Oct 15 02:39:23 2025 +0300
description:
Tests: loading keys from pkcs11-provider.
diffstat:
 ssl_store_pkcs11.t |  54 ++++++++++++++++++++++++++++++++++++++++--------------
 1 files changed, 40 insertions(+), 14 deletions(-)
diffs (118 lines):
diff --git a/ssl_store_libp11.t b/ssl_store_pkcs11.t
copy from ssl_store_libp11.t
copy to ssl_store_pkcs11.t
--- a/ssl_store_libp11.t
+++ b/ssl_store_pkcs11.t
@@ -5,7 +5,7 @@
 # (C) Nginx, Inc.
 
 # Tests for http ssl module, loading "store:..." certificates and keys
-# from libp11 pkcs11prov OpenSSL provider (https://github.com/OpenSC/libp11).
+# from pkcs11-provider (https://github.com/latchset/pkcs11-provider).
 
 ###############################################################################
 
@@ -42,6 +42,11 @@ plan(skip_all => 'no store:... keys')
 
 daemon off;
 
+# pkcs11-provider tries to reinitialize softhsm after fork(),
+# so we need softhsm2 environment variable in worker processes
+
+env SOFTHSM2_CONF;
+
 events {
 }
 
@@ -87,14 +92,16 @@ http {
 EOF
 
 # Create a SoftHSM token with a secret key, and configure OpenSSL
-# to access it using the libp11 pkcs11prov provider.  See detailed example
-# posted by Dmitrii Pichulin here:
+# to access it using pkcs11-provider.  See detailed example posted
+# by Dmitrii Pichulin here:
 #
 # http://mailman.nginx.org/pipermail/nginx-devel/2014-October/006151.html
 #
-# Adapted to provider usage based on libp11 documentation, see here:
+# Adapted to provider usage based on libp11 documentation and
+# pkcs11-provider documentation, see here:
 #
 # https://github.com/OpenSC/libp11
+# https://github.com/latchset/pkcs11-provider
 #
 # Note that library paths are different on different systems.  We try
 # to detect some known ones.
@@ -102,22 +109,41 @@ EOF
 # Still, detected libraries might not match OpenSSL library used when
 # building nginx, or the "openssl" tool in path, so everything will fail.
 # As such, this test is marked unsafe.
+#
+# Note well that pkcs11-provider asks for PIN after fork() via the default
+# user interface (not the one explicitly passed to OSSL_STORE_open())
+# if PIN is not explicitly provided in the provider configuration with
+# "pkcs11-module-token-pin = ..." and/or PIN caching is not explicitly
+# enabled with "pkcs11-module-cache-pins = cache".  Even "pin-value=..." in
+# PKCS#11 URI is not enough.  We use PIN in the configuration explicitly
+# set with "pkcs11-module-token-pin = 1234".
+#
+# Additionally, old versions of pkcs11-provider need various quirks
+# to work with SoftHSM.  In particular, pkcs11-provider 0.3 as seen
+# on Ubuntu 24.04 needs at least:
+#
+# pkcs11-module-load-behavior = early
+# pkcs11-module-quirks = no-operation-state
+#
+# No quirks are needed with pkcs11-provider 1.0+.
 
-# Libraries on various systems: FreeBSD, Alpine, Debian
+# Libraries on various systems: FreeBSD, Alpine, Debian, Fedora
 
 my ($provider) = grep { -e $_ } qw!
-	/usr/local/lib/ossl-modules/pkcs11prov.so
-	/usr/lib/ossl-modules/pkcs11prov.so
-	/usr/lib/x86_64-linux-gnu/ossl-modules/pkcs11prov.so
+	/usr/local/lib/ossl-modules/pkcs11.so
+	/usr/lib/ossl-modules/pkcs11.so
+	/usr/lib/x86_64-linux-gnu/ossl-modules/pkcs11.so
+	/usr/lib64/ossl-modules/pkcs11.so
 !;
 
 my ($softhsm) = grep { -e $_ } qw!
 	/usr/local/lib/softhsm/libsofthsm2.so
 	/usr/lib/softhsm/libsofthsm2.so
 	/usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so
+	/usr/lib64/pkcs11/libsofthsm2.so
 !;
 
-plan(skip_all => 'no libp11 pkcs11prov provider') unless $provider;
+plan(skip_all => 'no pkcs11-provider') unless $provider;
 plan(skip_all => 'no softhsm2') unless $softhsm;
 
 $t->write_file('openssl.conf', <<EOF);
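Review bot: The Debian/Ubuntu candidates in both path lists are pinned to `x86_64-linux-gnu`, so on aarch64 or other multiarch hosts the test skips with "no pkcs11-provider" even when the provider is installed; since the code only needs the first existing file, a glob would cover those without changing behavior on x86_64, e.g. `my ($provider) = grep { -e $_ } (qw!/usr/local/lib/ossl-modules/pkcs11.so /usr/lib/ossl-modules/pkcs11.so /usr/lib64/ossl-modules/pkcs11.so!, glob '/usr/lib/*-linux-gnu/ossl-modules/pkcs11.so');` and likewise for libsofthsm2.so. The PIN paragraph is a useful caveat but stops short of stating the consequence: nginx workers have no controlling terminal, so a default-UI prompt after fork() cannot be answered and the handshake fails or blocks, which is the reason the PIN must be supplied through the provider configuration; a sentence like `# Without it, worker processes (no tty) cannot answer the prompt and key loading fails.` would make that clear to anyone copying this setup.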
@@ -134,11 +160,11 @@ pkcs11 = pkcs11_sect
 activate = 1
 
 [pkcs11_sect]
-identity = pkcs11prov
 module = $provider
-pkcs11_module = $softhsm
-debug_level = 2
-pin = 1234
+pkcs11-module-path = $softhsm
+pkcs11-module-token-pin = 1234
+pkcs11-module-load-behavior = early
+pkcs11-module-quirks = no-operation-state
 activate = 1
 
 [ req ]
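Review bot: The `pkcs11-module-load-behavior = early` and `pkcs11-module-quirks = no-operation-state` lines are applied unconditionally, while the prose above says they are only needed for old pkcs11-provider releases such as 0.3; since the generated openssl.conf is what a reader is likely to copy, record that next to the settings, e.g. `# workarounds for pkcs11-provider < 1.0 with SoftHSM; harmless on 1.0+` inside the heredoc (OpenSSL config accepts `#` comments). `pkcs11-module-token-pin = 1234` also places the token PIN in cleartext in the test's openssl.conf; that is acceptable for a throwaway SoftHSM token but is worth a one-line note so the file is not taken as a template for real hardware tokens. The `debug_level = 2` line from the libp11 section was dropped without a pkcs11-provider equivalent; if the provider offers comparable logging it may help diagnose the skip/fail cases the comments describe, but I cannot confirm the option name from here.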
@@ -193,7 +219,7 @@ foreach my $name ('localhost') {
 
 ###############################################################################
 
-like(http_get('/proxy'), qr/200 OK/, 'ssl store libp11 pkcs11prov');
+like(http_get('/proxy'), qr/200 OK/, 'ssl store pkcs11-provider');
 like(http_get('/var'), qr/200 OK/, 'ssl_certificate with variable');
 
 ###############################################################################
    
    