OSSL_PROVIDER_load_ex loaded but OSSL_STORE_open returs nul Context (error:1608010C:STORE routines::unsupported)

[hafedh-trimeche]

Hello,

Please note that I translated from Pascal code to C one:
/* -------------------------------------------------------------------------
   Function : SSLProviderInit
   Purpose  : Loads an OpenSSL provider with optional parameters and
              performs basic validation (availability, self‑test).

   Parameters
     ctx          - Pointer to an OpenSSL library context (POSSL_LIB_CTX)
     providerName - Name of the provider to load (UTF‑8 string)
     params       - Array of provider parameters (TOSSLParams)
     activate     - Boolean flag (currently unused – the function always
                    passes "true" for the "activate" parameter)

   Returns
     Pointer to the loaded provider (POSSL_PROVIDER) or NULL on failure.
   -------------------------------------------------------------------------- */
POSSL_PROVIDER *SSLProviderInit(POSSL_LIB_CTX *ctx,
                                const char *providerName,
                                TOSSLParams params,
                                bool activate)
{
    POSSL_PROVIDER *result = NULL;
    OSSL_PARAM *sslParams = NULL;
    char *rawProviderName = NULL;
    int i, paramCount, lError;

    /* Guard against a NULL library context */
    if (ctx == NULL)
        return NULL;

    /* -----------------------------------------------------------------
       Build the parameter array expected by OSSL_PROVIDER_load_ex().
       The array consists of:
         1) A mandatory "activate" = "true" entry,
         2) One entry for each element in `params`,
         3) A terminating OSSL_PARAM construct (OSSL_PARAM_end).
       ----------------------------------------------------------------- */
    paramCount = (int)ParamsLength(params);          /* helper to obtain Length(Params) */
    sslParams = (OSSL_PARAM *)malloc(sizeof(OSSL_PARAM) * (paramCount + 2));
    if (sslParams == NULL)
        return NULL;    /* allocation failure */

    /* activate = "true" */
    sslParams[0] = OSSL_PARAM_construct_utf8_string("activate", "true", 4);

    for (i = 0; i < paramCount; ++i) {
        char *nameRaw  = UnicodeToRaw(TrimString(params[i].Name));
        char *valueRaw = UnicodeToRaw(TrimString(params[i].Value));

        /* OSSL_PARAM_construct_utf8_string expects a length without the NUL */
        sslParams[i + 1] = OSSL_PARAM_construct_utf8_string(
                               nameRaw,
                               valueRaw,
                               (size_t)strlen(valueRaw));

        /* The helper functions allocate memory; free after use */
        free(nameRaw);
        free(valueRaw);
    }

    /* Terminate the array */
    sslParams[paramCount + 1] = OSSL_PARAM_construct_end();

    /* Convert the provider name to a raw (UTF‑8) string */
    rawProviderName = UnicodeToRaw(providerName);
    if (rawProviderName == NULL) {
        free(sslParams);
        return NULL;
    }

    /* --------------------------------------------------------------
       Load the provider with the prepared parameter list.
       -------------------------------------------------------------- */
    result = OSSL_PROVIDER_load_ex(ctx, rawProviderName, sslParams);

    /* Clean up temporary conversion */
    free(rawProviderName);
    free(sslParams);

    if (result != NULL) {
        /* Verify that the provider is available in the given context */
        lError = OSSL_PROVIDER_available(ctx, rawProviderName);
        if (lError <= 0) {
            RegisterEventLog(
                SSLErrorMessage(
                    "SSLProviderInit (Not available) [%s: %s]",
                    providerName, providerName),
                LogError, LogSSL);
            SSLProviderFree(result);
            return NULL;
        }

        /* Run the provider's self‑test */
        lError = OSSL_PROVIDER_self_test(result);
        if (lError <= 0) {
            RegisterEventLog(
                SSLErrorMessage(
                    "SSLProviderInit (Self test) [%s: %s]",
                    providerName, providerName),
                LogError, LogSSL);
            SSLProviderFree(result);
            return NULL;
        }

    } else {
        /* Provider loading failed */
        RegisterEventLog(
            SSLErrorMessage(
                "SSLProviderInit (NULL) [%s: %s]",
                providerName, providerName),
            LogError, LogSSL);
    }

    return result;
}

/*=====================================================================
  Function: PKCS11_load_private_key
  Purpose : Load a private key from a PKCS#11 token using OpenSSL's
            OSSL_STORE API.
  Returns : EVP_PKEY* on success, NULL on failure.
=====================================================================*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <openssl/evp.h>
#include <openssl/store.h>

/* External helper functions – assumed to exist elsewhere */
extern const char *RFC7512Encode(const char *input);
extern unsigned char *StringToRaw(const char *input);
extern void RegisterEventLog(const char *msg, int level, int facility);
extern const char *SSLErrorMessage(const char *detail);

/* Logging levels – replace with real definitions if needed */
enum { LogError = 1, LogSSL = 2 };

/*=====================================================================
  EVP_PKEY *PKCS11_load_private_key(const char *token,
                                    const char *serial,
                                    const char *label,
                                    const char *pin);
=====================================================================*/
EVP_PKEY *PKCS11_load_private_key(const char *token,
                                 const char *serial,
                                 const char *label,
                                 const char *pin)
{
    EVP_PKEY *result      = NULL;
    char *uri             = NULL;
    unsigned char *raw    = NULL;
    OSSL_STORE_CTX *ctx   = NULL;
    OSSL_STORE_INFO *info = NULL;

    /* ---------- Build the PKCS#11 URI -------------------------------- */
    const char *enc_token  = RFC7512Encode(token);
    const char *enc_serial = RFC7512Encode(serial);
    const char *enc_label  = RFC7512Encode(label);
    const char *enc_pin    = NULL;

    size_t uri_len = 0;
    uri_len = strlen("pkcs11:token=") + strlen(enc_token) +
              strlen("serial=")   + strlen(enc_serial) +
              strlen(";object=")  + strlen(enc_label) +
              strlen(";type=private") + 1;   /* nul‑terminator */

    if (pin && pin[0] != '\0') {
        enc_pin = RFC7512Encode(pin);
        uri_len += strlen("?pin-value=") + strlen(enc_pin);
    }

    uri = (char *)malloc(uri_len);
    if (!uri) {
        /* Out of memory – cannot continue */
        return NULL;
    }

    strcpy(uri, "pkcs11:token=");
    strcat(uri, enc_token);
    strcat(uri, "serial=");
    strcat(uri, enc_serial);
    strcat(uri, ";object=");
    strcat(uri, enc_label);
    strcat(uri, ";type=private");
    if (enc_pin) {
        strcat(uri, "?pin-value=");
        strcat(uri, enc_pin);
    }

    /* ---------- Convert the URI to a raw string ---------------------- */
    raw = StringToRaw(uri);
    if (!raw) {
        goto cleanup;
    }

    /* ---------- Open the store --------------------------------------- */
    ctx = OSSL_STORE_open((const char *)raw, NULL, NULL, NULL, NULL);
    if (!ctx) {
        goto cleanup;
    }

    /* Expect a private key object */
    if (OSSL_STORE_expect(ctx, OSSL_STORE_INFO_PKEY) <= 0) {
        goto cleanup;
    }

    /* Load the first matching object */
    info = OSSL_STORE_load(ctx);
    if (!info) {
        goto cleanup;
    }

    if (OSSL_STORE_INFO_get_type(info) == OSSL_STORE_INFO_PKEY) {
        result = OSSL_STORE_INFO_get1_PKEY(info);
    }
    OSSL_STORE_INFO_free(info);
    info = NULL;

cleanup:
    if (ctx) {
        OSSL_STORE_close(ctx);
    }

    if (!result) {
        char err_msg[256];
        snprintf(err_msg, sizeof(err_msg),
                 "PKCS11_load_private_key [Serial: %s  Label: %s]",
                 serial, label);
        RegisterEventLog(SSLErrorMessage(err_msg), LogError, LogSSL);
    }

    /* Free temporary buffers (StringToRaw ownership semantics are
       assumed to be handled elsewhere if needed). */
    free(uri);
    return result;
}

Setting Parameters as:
pkcs11-module-path: "D:\Developer\Resources\pkcs11\BouncyHsm\BouncyHsm.Pkcs11Lib.dll"
active: "true"
The Uri: "pkcs11:token=Bouncy;serial=750704DDBCF642CE;object=Manager;type=private?pin-value=1111"

Invoking OSSL_STORE_open, an error is generated:
PKCS11_load_private_key [Serial: 750704DDBCF642CE Label: Manager]: error:1608010C:STORE routines::unsupported

Best regards.

[mtrojnar]

I believe the error

error:1608010C:STORE routines::unsupported

is most likely caused by opening the PKCS#11 URI in a different OpenSSL library context than the one where the provider was loaded.

1. "OSSL_STORE_open()" vs "OSSL_STORE_open_ex()"

Your provider is loaded with:

OSSL_PROVIDER_load_ex(ctx, rawProviderName, sslParams);

which loads it into a specific "OSSL_LIB_CTX *ctx".

However the key loading code uses:

ctx = OSSL_STORE_open((const char *)raw, NULL, NULL, NULL, NULL);

"OSSL_STORE_open()" always uses the default (NULL) libctx. If the PKCS#11 provider was loaded into a different context, the STORE layer cannot find the "pkcs11:" scheme handler and returns:

STORE routines::unsupported

The fix is to use "OSSL_STORE_open_ex()" and pass the same "OSSL_LIB_CTX" used for "OSSL_PROVIDER_load_ex()":

OSSL_STORE_CTX sctx = OSSL_STORE_open_ex(
uri,
libctx, / same context used for OSSL_PROVIDER_load_ex */
NULL,
NULL,
NULL,
NULL,
NULL,
NULL
);

2. Memory lifetime bug in "SSLProviderInit()"

Inside the loop you do:

sslParams[i + 1] = OSSL_PARAM_construct_utf8_string(nameRaw, valueRaw, strlen(valueRaw));
free(nameRaw);
free(valueRaw);

"OSSL_PARAM_construct_utf8_string()" does not copy the strings. The parameter structure only stores the pointers, so freeing them immediately leaves dangling pointers in "sslParams".

Those buffers must remain valid until after "OSSL_PROVIDER_load_ex()" returns.

3. Use-after-free in the availability check

"rawProviderName" is freed before it is used again:

free(rawProviderName);

lError = OSSL_PROVIDER_available(ctx, rawProviderName);

This is a use-after-free.

4. Minor URI construction issue

The snippet shows:

"pkcs11:token=" + token + "serial=" + serial

but RFC7512 requires the attributes to be separated by ";", i.e.:

pkcs11:token=...;serial=...;object=...;type=private

Your runtime example URI includes the ";", so the snippet might just be slightly out of sync.

Summary

The main cause of the reported error is most likely the context mismatch:

• provider loaded with "OSSL_PROVIDER_load_ex(ctx, ...)"
• key loaded with "OSSL_STORE_open()" (default libctx)

Switching to "OSSL_STORE_open_ex(..., ctx, ...)" should allow the "pkcs11:" scheme to be resolved.

[hafedh-trimeche]

Hello,

Thank you for valuable clarification.

• Freeing and allocation variables (string, RawByteString, TBytes, ...) [Reference counted] are managed by Delphi and there is no Memory Leaks.
• pkcs11-module-path parameter is set to an existing library D:\Developer\Resources\pkcs11\BouncyHsm\BouncyHsm.Pkcs11Lib.dll
• OSSL_STORE_open_ex is invoked without errors.
• Constructed Uri is pkcs11:token=Bouncy;serial=750704DDBCF642CE;object=Manager;type=private as value (; is a Pascal compiler sentence separator and isn't included into Uri).
• OSSL_STORE_expect returned true.

But OSSL_STORE_load generated this error:
PKCS11_load_private_key [Serial: 750704DDBCF642CE Label: Manager]: error:42800401:libp11::Unable to load PKCS#11 module

Best regards.

[mtrojnar]

Please submit a minimized working PoC suitable for reproducing the reported issue before we'll proceed with further investigation.

Preferably, read How to Report Bugs Effectively first.

[hafedh-trimeche]

Hello,

Changing module's parameter from pkcs11-module-path (OpenSSL documented) to pkcs11_module, the module is loaded.

But this error is generated:
PKCS11_load_private_key [Serial: e05c24005cd4893c Label: Manager]: error:0308010C:digital envelope routines::unsupported

Best regards.

[mtrojnar]

Changing module's parameter from pkcs11-module-path (OpenSSL documented) to pkcs11_module, the module is loaded.

Would you kindly point me to the specific OpenSSL manual page that mentions pkcs11-module-path?

[hafedh-trimeche]

https://github.com/openssl-projects/pkcs11-provider/blob/main/src/provider.c

static struct p11prov_cfg_names {
    const char *name;
} p11prov_cfg_names[P11PROV_CFG_SIZE] = {
    { "pkcs11-module-path" },
    { "pkcs11-module-init-args" },
    { "pkcs11-module-token-pin" },
    { "pkcs11-module-allow-export" },
    { "pkcs11-module-login-behavior" },
    { "pkcs11-module-load-behavior" },
    { "pkcs11-module-cache-pins" },
    { "pkcs11-module-cache-keys" },
    { "pkcs11-module-quirks" },
    { "pkcs11-module-cache-sessions" },
    { "pkcs11-module-encode-provider-uri-to-pem" },
    { "pkcs11-module-block-operations" },
    { "pkcs11-module-assume-fips" },
};

Best regards.

[mtrojnar]

pkcs11-provider a sub-project of the OpenSSL community, just like libp11 is sub-project of the OpenSC community. OpenSSL, OpenSC, pkcs11-provider and libp11 are separate projects that produce distinct libraries. The documentation of pkcs11-provider is applicable to pkcs11-provider, and not to libp11. Similarly, the documentation of libp11 is applicable to libp11, and not to pkcs11-provider.

Feel free to switch from libp11 to pkcs11-provider if it works better for you.

[hafedh-trimeche]

Hi,

I'll consider using your library: OpenSSL's pkcs11-provider has no binaries under Windows!

Any documentation about Parameters?

Best regards.

[hafedh-trimeche]

Hello,

OSSL_STORE_open_ex("pkcs11:token=Bouncy;serial=750704DDBCF642CE;object=Manager;type=private",ctx,"provider=pkcs11prov",NULL,NULL,NULL,NULL,NULL);
returned NULL and generated this error:
PKCS11_load_private_key [Serial: 750704DDBCF642CE Label: Manager]: error:16080106:STORE routines::passed invalid argument

Best regards;

[hafedh-trimeche]

Hello,

Trying to test the library from command line with OpenSSL 3.6 installed, the command returned an error!

openssl.cfg:

[provider_sect]
default = default_sect
pkcs11 = pkcs11_sect

[default_sect]
activate = 1

[pkcs11_sect]
identity = pkcs11prov
module = D:\Developer\Resources\pkcs11\libp11\pkcs11prov.dll
pkcs11_module = D:\SoftHSM\lib\softhsm2-x64.dll
debug_level = 7
force_login = 1
activate = 1

openssl list -providers -verbose -provider pkcs11prov
list: unable to load provider pkcs11prov

Hint: use -provider-path option or OPENSSL_MODULES environment variable.
E0520000:error:12800067:DSO support routines:win32_load:could not load the shared library:crypto\dso\dso_win32.c:108:filename(C:\Program Files\OpenSSL\lib\ossl-modules\pkcs11prov.dll)
E0520000:error:12800067:DSO support routines:DSO_load:could not load the shared library:crypto\dso\dso_lib.c:147:
E0520000:error:07880025:common libcrypto routines:provider_init:reason(37):crypto\provider_core.c:1026:name=pkcs11prov

Even with this format, the result is the same:

[pkcs11_sect]
identity = pkcs11prov
module = D:/Developer/Resources/pkcs11/libp11/pkcs11prov.dll
pkcs11_module = D:/SoftHSM/lib/softhsm2-x64.dll
debug_level = 7
force_login = 1
activate = 1

Best regards.

[hafedh-trimeche]

Hello,

Setting OPENSSL_MODULES to C:\Program Files\OpenSSL-Win64\bin and copying pkcs11prov.dll to the same directory, the command worked well!

Providers:
  pkcs11prov
    name: libp11 PKCS#11 provider (pkcs11prov)
    version: 3.6.1
    status: active
    build info: 3.6.1
    gettable provider parameters:
      name: pointer to a UTF8 encoded string (arbitrary size)
      version: pointer to a UTF8 encoded string (arbitrary size)
      buildinfo: pointer to a UTF8 encoded string (arbitrary size)
      status: integer (arbitrary size)

I'll test it from Code.

Best regards.

[hafedh-trimeche]

Hello,

CKA_ID must be entirely percent-encoded!

set OPENSSL_MODULES=C:\ProgramData\Safe Data\UTest\LIB
set PKCS11_MODULE_PATH=D:\SoftHSM\lib\softhsm2-x64.dll

openssl pkey -provider pkcs11prov -provider legacy -provider default -in "pkcs11:serial=e05c24005cd4893c;id=%FE%D4%41%66%45%00%35%97;type=private?pin-value=1111" -pubout -out public.pem

PKCS#11: Initializing the module: D:\SoftHSM\lib\softhsm2-x64.dll
- [1557432636] SoftHSM slot ID 0x5cd4893  login                                 (Manager)
- [2068585754] SoftHSM slot ID 0x7b4c1d1  login                                 (Manager [Safe Data])
- [2] SoftHSM slot ID 0x2        uninitialized, login                  (no label)
Searching slots without login for an initialized token containing private key  id=FED4416645003597
Found slot: SoftHSM slot ID 0x5cd4893c
Found initialized token: Manager
Searching slots with login for an initialized token containing private key  id=FED4416645003597
Found slot: SoftHSM slot ID 0x5cd4893c
Found initialized token: Manager
Found 1 private key:
   1 P  id=FED4416645003597 label=manager.strong-data.com
Returning last matching private key: id=FED4416645003597 label=manager.strong-data.com

Switching to Code's Implementation.

Best regards.

[hafedh-trimeche]

Hello,

It seams that loading Provider using OSSL_PROVIDER_load_ex and pkcs11_module set to the PKCS#11 driver, doesn't activate it.
Even when providing a wrong location of the module, OSSL_PROVIDER_load_ex returns no error! May it's by design.

This log demonstrates that the Provider's Name not available:

Category [SSL]
{PKCS11_load_private_key}

//
Uri: pkcs11:serial=e05c24005cd4893c;id=%FE%D4%41%66%45%00%35%97;type=public {pkcs11prov}
//

error:16080106:STORE routines::passed invalid argument
File: crypto\store\store_meth.c Line: 300

Examining the source

  if (store == NULL || namemap == NULL) {
        ERR_raise(ERR_LIB_OSSL_STORE, ERR_R_PASSED_INVALID_ARGUMENT);
        return NULL;
    }

which indicates that the Provider is not activated.

Please how to activate the provider at runtime?

Best regards.