MacOS 15.2 pkcs11 provider will not initiallize.

[medhost-nwatson]

The latest install of Yubihsm SDK version 2024-09 for Darwin Arm64 running on an M2 Pro-based Mac will not initialize the pkcs11 provider for Java.

keytool -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg /usr/local/yubihsm/sun_yubihsm2_pkcs11.conf -list -J-Djava.security.debug=sunpkcs11

SunPKCS11 loading /usr/local/yubihsm/sun_yubihsm2_pkcs11.conf sunpkcs11: Initializing PKCS#11 library /usr/local/lib/pkcs11/yubihsm_pkcs11.dylib keytool error: java.security.ProviderException: Initialization failed

I have tried OpenJDk 17, Corretto 17, and Corretto 11 for Java releases, and they all give the same error.

[aveenismail]

@medhost-nwatson Sincere apologies for the very late response.

Was the issue resolved?

[medhost-nwatson]

No Worries. No, I never resolved it with the Mac, but it works fine on Windows and Linux, and that's our primary use case, so I hadn't thought it about again for a bit.

[qpernil]

One suggestion would be to build it with static dependencies, by specifying -DENABLE_STATIC=1 to cmake, and see if that solves the issue.

[mouse07410]

I don't think it's likely to solve the problem, and question the feasibility of statically linking PKCS11 provider.

[qpernil]

I have the same problem on my mac, and using cmake -DENABLE_STATIC=1 solves it for me. That flag additionally builds a static version of the libraries, and links yubihsm_pkcs11 against those static libraries, including the usb / http backends, which are normally dynamicall loaded depending on config (with dlopen/dlsym etc). yubihsm_pkcs11 remains a shared library so from a pkcs11 client's prespective it works the same. As the released versions work I suspect this is a build issue when you build from source on macos. It has only started happening with recent macos versions. This is something we will fix, but for now this is the workaround.