I usually use it in Linux but tried this on my NitroHSM with Windows 10. Does this match your setup / error messages you experience?
System
- Win10 latest patches
- scsh3.17.610 → Initialized blank device with default keys, public key or pin auth, 4 key domains, default PINs (reset for this test)
- installed sc-hsm-middleware-x64-2.12.msi (was already installed)
- installed OpenSC-0.22.0_win64.msi (was already installed)
- installed precompiled binary of OpenSSL from Win32/Win64 OpenSSL Installer for Windows - Shining Light Productions
Command outputs
C:\Program Files\OpenSC Project\OpenSC\tools>opensc-tool.exe -l
# Detected readers (pcsc)
Nr. Card Features Name
0 Yes Nitrokey Nitrokey HSM 0
"C:\Program Files\OpenSSL-Win64\bin\openssl.exe" --version
OpenSSL 3.2.0 23 Nov 2023 (Library: OpenSSL 3.2.0 23 Nov 2023)
dir "C:\Program Files\OpenSC Project\OpenSC\pkcs11\opensc-pkcs11.dll"
Volume in drive C is Windows
Volume Serial Number is D462-71C6
Directory of C:\Program Files\OpenSC Project\OpenSC\pkcs11
08/10/2021 10:04 AM 3,872,256 opensc-pkcs11.dll
1 File(s) 3,872,256 bytes
0 Dir(s) 50,741,764,096 bytes free
"C:\Program Files\OpenSSL-Win64\bin\openssl.exe" engine dynamic -pre ID:pkcs11 -pre SO_PATH:"C:\Program Files\OpenSC Project\OpenSC\pkcs11\opensc-pkcs11.dll" -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:"C:\Program Files\OpenSC Project\OpenSC\pkcs11\opensc-pkcs11.dll" -pre LIST_DEVICES
(dynamic) Dynamic engine loading support
[Success]: ID:pkcs11
[Success]: SO_PATH:C:\Program Files\OpenSC Project\OpenSC\pkcs11\opensc-pkcs11.dll
[Success]: LIST_ADD:1
[Failure]: LOAD
1C550000:error:1280006A:DSO support routines:win32_bind_func:could not bind to the requested symbol name:crypto\dso\dso_win32.c:182:symname(bind_engine)
1C550000:error:1280006A:DSO support routines:DSO_bind_func:could not bind to the requested symbol name:crypto\dso\dso_lib.c:171:
1C550000:error:13000068:engine routines:dynamic_load:DSO failure:crypto\engine\eng_dyn.c:451:
[Failure]: MODULE_PATH:C:\Program Files\OpenSC Project\OpenSC\pkcs11\opensc-pkcs11.dll
1C550000:error:13000089:engine routines:int_ctrl_helper:invalid cmd name:crypto\engine\eng_ctrl.c:90:
1C550000:error:13000089:engine routines:ENGINE_ctrl_cmd_string:invalid cmd name:crypto\engine\eng_ctrl.c:253:
[Failure]: LIST_DEVICES
1C550000:error:13000089:engine routines:int_ctrl_helper:invalid cmd name:crypto\engine\eng_ctrl.c:90:
1C550000:error:13000089:engine routines:ENGINE_ctrl_cmd_string:invalid cmd name:crypto\engine\eng_ctrl.c:253:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
OS Name: Microsoft Windows 10 Pro
OS Version: 10.0.19045 N/A Build 19045
C:\Users\rottmrei>"C:\Program Files\OpenSSL-Win64\bin\openssl.exe" engine dynamic -pre ID:pkcs11 -pre SO_PATH:"C:\Windows\System32\sc-hsm-pkcs11.dll" -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:"C:\Windows\System32\sc-hsm-pkcs11.dll" -pre LIST_DEVICES
(dynamic) Dynamic engine loading support
[Success]: ID:pkcs11
[Success]: SO_PATH:C:\Windows\System32\sc-hsm-pkcs11.dll
[Success]: LIST_ADD:1
[Failure]: LOAD
701F0000:error:1280006A:DSO support routines:win32_bind_func:could not bind to the requested symbol name:crypto\dso\dso_win32.c:182:symname(bind_engine)
701F0000:error:1280006A:DSO support routines:DSO_bind_func:could not bind to the requested symbol name:crypto\dso\dso_lib.c:171:
701F0000:error:13000068:engine routines:dynamic_load:DSO failure:crypto\engine\eng_dyn.c:451:
[Failure]: MODULE_PATH:C:\Windows\System32\sc-hsm-pkcs11.dll
701F0000:error:13000089:engine routines:int_ctrl_helper:invalid cmd name:crypto\engine\eng_ctrl.c:90:
701F0000:error:13000089:engine routines:ENGINE_ctrl_cmd_string:invalid cmd name:crypto\engine\eng_ctrl.c:253:
[Failure]: LIST_DEVICES
701F0000:error:13000089:engine routines:int_ctrl_helper:invalid cmd name:crypto\engine\eng_ctrl.c:90:
701F0000:error:13000089:engine routines:ENGINE_ctrl_cmd_string:invalid cmd name:crypto\engine\eng_ctrl.c:253:
I also tried the openssl commands with both pkcs11 dlls in an Administrator shell.
To my understanding, this should list the available devices.
I tested this also with a blank Debian:
- debian 12
- latest git version of sc-hsm-embedded
- openssl from repo
$ openssl engine dynamic -pre ID:pkcs11 -pre SO_PATH:/usr/local/lib/libsc-hsm-pkcs11.so -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/local/lib/libsc-hsm-pkcs11.so -pre LIST_DEVICES
(dynamic) Dynamic engine loading support
[Success]: ID:pkcs11
[Success]: SO_PATH:/usr/local/lib/libsc-hsm-pkcs11.so
[Success]: LIST_ADD:1
[Failure]: LOAD
40D71BFFFF7E0000:error:1280006A:DSO support routines:dlfcn_bind_func:could not bind to the requested symbol name:../crypto/dso/dso_dlfcn.c:188:symname(bind_engine): /usr/local/lib/libsc-hsm-pkcs11.so: undefined symbol: bind_engine
40D71BFFFF7E0000:error:1280006A:DSO support routines:DSO_bind_func:could not bind to the requested symbol name:../crypto/dso/dso_lib.c:176:
40D71BFFFF7E0000:error:13000068:engine routines:dynamic_load:DSO failure:../crypto/engine/eng_dyn.c:455:
[Failure]: MODULE_PATH:/usr/local/lib/libsc-hsm-pkcs11.so
40D71BFFFF7E0000:error:13000089:engine routines:int_ctrl_helper:invalid cmd name:../crypto/engine/eng_ctrl.c:90:
40D71BFFFF7E0000:error:13000089:engine routines:ENGINE_ctrl_cmd_string:invalid cmd name:../crypto/engine/eng_ctrl.c:258:
[Failure]: LIST_DEVICES
40D71BFFFF7E0000:error:13000089:engine routines:int_ctrl_helper:invalid cmd name:../crypto/engine/eng_ctrl.c:90:
40D71BFFFF7E0000:error:13000089:engine routines:ENGINE_ctrl_cmd_string:invalid cmd name:../crypto/engine/eng_ctrl.c:258:
dpkg -l openssl
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-==============-================-============-====================================================
ii openssl 3.0.11-1~deb12u2 amd64 Secure Sockets Layer toolkit - cryptographic utility
Here are some basic tests:
t=`mktemp -d`
cat > $t/openssl.cnf <<"eof"
HOME = .
openssl_conf = openssl_init
config_diagnostics = 1
oid_section = new_oids
[ new_oids ]
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7
[openssl_init]
[ ca ]
[ CA_default ]
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
string_mask = utf8only
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = AU
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Some-State
localityName = Locality Name (eg, city)
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Internet Widgits Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name
[ usr_cert ]
basicConstraints=CA:FALSE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = critical,CA:true
[ crl_ext ]
authorityKeyIdentifier=keyid:always
[ proxy_cert_ext ]
basicConstraints=CA:FALSE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
[ tsa ]
[ tsa_config1 ]
server = pki.certificate.fi:8700
path = pkix/
extracertsout = insta.extracerts.pem
subject = "/CN=openssl-cmp-test"
newkey = insta.priv.pem
certout = insta.cert.pem
[ir]
cmd = ir
[cr]
cmd = cr
[kur]
cmd = kur
[rr]
cmd = rr
[openssl_init]
engines=engine_section
[engine_section]
pkcs11 = pkcs11_section
[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/local/lib/libsc-hsm-pkcs11.so
MODULE_PATH = libsc-hsm-pkcs11.so
init = 0
eof
export OPENSSL_CONF=$t/openssl.cnf
openssl engine pkcs11 -t
FATAL: Startup failure (dev note: apps_startup()) for openssl
40D75790937F0000:error:1280006A:DSO support routines:dlfcn_bind_func:could not bind to the requested symbol name:../crypto/dso/dso_dlfcn.c:188:symname(bind_engine): /usr/local/lib/libsc-hsm-pkcs11.so: undefined symbol: bind_engine
40D75790937F0000:error:1280006A:DSO support routines:DSO_bind_func:could not bind to the requested symbol name:../crypto/dso/dso_lib.c:176:
40D75790937F0000:error:13000068:engine routines:dynamic_load:DSO failure:../crypto/engine/eng_dyn.c:455:
40D75790937F0000:error:13000066:engine routines:int_engine_configure:engine configuration error:../crypto/engine/eng_cnf.c:139:section=pkcs11_section, name=dynamic_path, value=/usr/local/lib/libsc-hsm-pkcs11.so
40D75790937F0000:error:0700006D:configuration file routines:module_run:module initialization error:../crypto/conf/conf_mod.c:276:module=engines, value=engine_section retcode=-1
$ pkcs11-tool --module /usr/local/lib/libsc-hsm-pkcs11.so --list-slots
Available slots:
Slot 0 (0x1): Nitrokey Nitrokey HSM (DENK0***0 ) 00 00
token label : dev
token manufacturer : CardContact (www.cardcontact.de)
token model : SmartCard-HSM
token flags : login required, rng, token initialized, PIN initialized
hardware version : 5.0
firmware version : 3.4
serial num : **0
pin min/max : 6/16
@sc-hsm is this supposed to work with openssl like that?