OpenSC
Cannot export EC public key using pkcs11-tool
Problem Description
I developed my own PKCS11 lib and when I try to export an EC P256 public key using pkcs11-tool, I get the following error:
error: cannot create EVP_PKEY. I did some tests with a Nitrokey HSM 2 and I have the same problem.
I'm using a Raspberry Pi 5 with OpenSC in version 0.23.0.3 and OpenSSL in version 3.0.13.
Steps to reproduce
Here is the command used to dump the public key:
pkcs11-tool --module /usr/lib/arm-linux-gnueabihf/opensc-pkcs11.so --id 7e103066d11f7646b5f2de2a2e2d973b7681951e --type=pubkey -r -o pubkey.pem
Logs
Logs from Nitrokey HSM 2 are located here: https://gist.github.com/mimok/8b399f7f7b62e1390b645b8e301cfbda
Please read the documentation in the Wiki https://github.com/OpenSC/OpenSC/wiki/SmartCardHSM#using-pkcs11-tool
Just tried that with a recent code base and it works as expected.
@frankmorgner : IMO RTFM is not the right answer here ;-)
@CardContact : Thank you for your answer. It turns out that OpenSSL 3.0.13 is not compatible with OpenSC 0.23.0.3. Compiling and installing the latest release of OpenSC solves the problem.
Interesting observation.
We see similar issues with sbsigntool, openssl, engine-pkcs11, p11-kit and opensc on Debian Bookworm (12). It just gets stuck somewhere in engine-pkcs11 for no apparent reason.
Did you figure out what the incompatibility is?
I think this might have been related to #2715, which introduced the use of a dedicated openssl context for the OpenSC operations. Without that, the global openssl context is used, which means it could recursively load opensc if it is part of the engine pkcs11 or similar.
@CardContact, sorry, I did not search for the origin of the bug.