Setup PKCS11 object ID in a global configuration #648
Closed
muraliselvaraj2020
started this conversation in
General
Replies: 1 comment
My suggestion would be to upgrade to a supported version of OpenSSL and use pkcs11-provider.
Hi All,
Please review the details below and help me with how to approach this requirement.
I'm using OpenSSL 3.0.5 with legacy engine support (please note, we are still on the engine, NOT migrated to the provider yet).
I am adding a custom OpenSSL patch to load the private key from PKCS11 ID (%12) to perform crypto operations.
Currently we are using a hard-coded key_ID value of 0x12 in the custom OpenSSL patch.
However, I would like to avoid the hard-coded value in the patch by following this approach.
Approach 1:
creating a file /etc/ssl/pkcs11.cnf
KEY_ID = 12
Adding this line .include /etc/ssl/pkcs11.cnf in /etc/ssl/openssl.cnf then would it be possible to read the KEY_ID ?
(or)
Approach 2:
Can we read KEY_ID from /etc/ssl/pkcs11.cnf in the OpenSSL patch ?
(or)
Approach 3:
exporting KEY_ID = 12 as an environment variable and accessing getenv("KEY_ID") from the OpenSSL patch?
Please share your suggestion on how to proceed further. Thanks.
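As an added example (not code from this discussion or from the OpenSSL project), one way to realise Approach 2 with only libc: read `KEY_ID` from a `pkcs11.cnf`-style file and validate it strictly as hex before it is used as a PKCS#11 object ID. The function names, the 32-byte cap and the reading of `KEY_ID = 12` as the single byte 0x12 are assumptions; the same `parse_key_id` check applies to a value obtained with `getenv("KEY_ID")`.

```c
#include <stdio.h>
#include <string.h>
#define KEY_ID_MAX 32 /* assumed cap on key ID length, in bytes */

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c |= 0x20; /* fold ASCII letters to lower case */
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Decode hex ("12", "0a1B") to bytes; -1 if empty, odd, non-hex or too long. */
int parse_key_id(const char *s, unsigned char *out, size_t outlen)
{
    size_t n = strlen(s);
    if (n == 0 || n % 2 != 0 || n / 2 > outlen)
        return -1;
    for (size_t i = 0; i < n; i += 2) {
        int hi = hexval(s[i]), lo = hexval(s[i + 1]);
        if (hi < 0 || lo < 0) return -1;
        out[i / 2] = (unsigned char)(hi << 4 | lo);
    }
    return (int)(n / 2);
}

/* The first "KEY_ID = <hex>" line decides; returns byte count or -1. */
int key_id_from_stream(FILE *f, unsigned char *out, size_t outlen)
{
    char line[256], name[32], value[2 * KEY_ID_MAX + 2];
    while (fgets(line, sizeof line, f) != NULL) {
        /* %65s is one past the longest valid ID: over-long values fail, not truncate */
        if (sscanf(line, " %31[A-Za-z_] = %65s", name, value) == 2
            && strcmp(name, "KEY_ID") == 0)
            return parse_key_id(value, out, outlen);
    }
    return -1;
}

int main(void)
{
    unsigned char id[KEY_ID_MAX];
    FILE *f = tmpfile(); /* constructed stand-in for /etc/ssl/pkcs11.cnf */
    if (f == NULL || fputs("# constructed\nKEY_ID = 12\n", f) == EOF)
        return 1;
    rewind(f);
    int n = key_id_from_stream(f, id, sizeof id);
    printf("KEY_ID: %d byte(s), first 0x%02x\n", n, n > 0 ? id[0] : 0);
    return n > 0 ? 0 : 1;
}
```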