Skip to content

Add PKCS#11 provider compatible with OpenSSL 3.x/4.0#650

Merged
mtrojnar merged 12 commits intoOpenSC:masterfrom
olszomal:provider_v2
Apr 21, 2026
Merged

Add PKCS#11 provider compatible with OpenSSL 3.x/4.0#650
mtrojnar merged 12 commits intoOpenSC:masterfrom
olszomal:provider_v2

Conversation

@olszomal
Copy link
Copy Markdown
Collaborator

@olszomal olszomal commented Apr 21, 2026

Pull Request Type

  • Bug fix
  • New feature
  • Code style / formatting / renaming
  • Refactoring (no functional or API changes)
  • Build / CI related changes
  • Documentation
  • Other (please describe):

Related Issue

Fix #631

Current Behavior

The existing PKCS#11 integration relies on legacy EVP_PKEY_METHOD-based implementations, which are deprecated and removed in OpenSSL 4.0. As a result, the current implementation is not compatible with OpenSSL 4.0.

EdDSA support is also conditionally guarded using incorrect macros (OPENSSL_NO_EC instead of OPENSSL_NO_ECX), leading to potential build and feature inconsistencies.

New Behavior

This PR introduces a new PKCS#11 provider implementation compatible with OpenSSL 3.x and forward-compatible with OpenSSL 4.0, replacing legacy EVP_PKEY_METHOD usage with provider-based interfaces (KEYMGMT, SIGNATURE, ASYM_CIPHER).

EdDSA support is properly handled using OPENSSL_NO_ECX, and key handling, reference management, and cleanup logic have been corrected.

Scope of Changes

  • Implement PKCS#11 provider using OpenSSL provider APIs (KEYMGMT, SIGNATURE, ASYM_CIPHER)
  • Remove reliance on deprecated EVP_PKEY_METHOD and ensure compatibility with OpenSSL 4.0
  • Fix conditional compilation guards for EdDSA (OPENSSL_NO_ECX)
  • Improve memory management and resource lifecycle handling
  • Update and extend the test suite to cover the new provider functionality

Testing

  • Existing tests -> fixed and improved
  • New tests added
  • Manual testing -> performed with YubiKey 5

Additional Notes

License Declaration

  • I hereby agree to license my contribution under the project's license.

olszomal added 12 commits April 9, 2026 11:08
@olszomal
rsa-oaep-prov test: improve error handling and length validation
f4a7c32
@olszomal
Add KEYMGMT, SIGNATURE and ASYM_CIPHER for PKCS#11 provider
9566d62
@olszomal
Disable custom EVP_PKEY methods in provider mode
04cf4cf
@olszomal
Use ASN1_STRING API instead of direct struct access
8009dc9
@olszomal
tests: use optional propquery for pkcs11prov to allow fallback to def…
956e95f 
…ault provider
@olszomal
correct PKCS11_OBJECT_private reference handling
0a39ee1
@olszomal
Replace EVP_PKEY_up_ref() with EVP_PKEY_dup() for EdDSA keys.
1d4b778 
Using up_ref() shared the same EVP_PKEY instance and unnecessarily increased
the reference count of the underlying engine-backed key, leading to incorrect
lifetime management.
@olszomal
tests: fix listkeys_ext invocation in rsa-testlistkeys_ext.softhsm
377876b
@olszomal
Cleanup PKCS#11 resources in EdDSA tests
4cde006
@olszomal
tests: call OPENSSL_cleanup() during provider cleanup
5add921
@olszomal
tests: add RSA-PSS raw sign/verify tests for engine and provider
0c67ead
@olszomal
Fix EdDSA guards to use OPENSSL_NO_ECX instead of OPENSSL_NO_EC
ec8f4f6
@mtrojnar mtrojnar merged commit 72af41d into OpenSC:master Apr 21, 2026
10 checks passed
@olszomal olszomal deleted the provider_v2 branch April 28, 2026 12:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Fails to build on OpenSSL-4.x-dev

2 participants

@olszomal @mtrojnar