
Use Provider API to load PKCS#11 on OpenSSL 3#2948

Merged
h2zh merged 7 commits into PelicanPlatform:main from h2zh:ossl-provider-over-engine
Jan 15, 2026

Conversation

@h2zh (Contributor) commented Jan 6, 2026

  • Add provider-mode PKCS#11 config generation for OpenSSL 3.x with auto OpenSSL version detection
  • Keep legacy ENGINE mode for OpenSSL 1.x
  • Create pkcs11 openssl config file under a temp dir in the xrootd run location and set group-safe perms on
    dir and config file.

[image: pkcs11-provider-2]
The addition from this PR is marked in red.

Dependency requirements

Rebuild XRootD from this branch: PelicanPlatform/xrootd#42

For OpenSSL 3.x:

dnf install -y pkcs11-provider p11-kit-server

For OpenSSL 1.x:

dnf install -y openssl-pkcs11 p11-kit-server
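
As an added example (not Pelican's or XRootD's code), the version switch the description above outlines: detect the OpenSSL major version, then write the PKCS#11 OpenSSL config in provider form for 3.x or ENGINE form for 1.x into a group-readable directory. The module paths are assumed EL defaults for pkcs11-provider and openssl-pkcs11, p11-kit-client.so is the assumed PKCS#11 module, and the directory argument stands in for a temp dir under the xrootd run location.

```shell
# Added example, not Pelican's code. Module paths are assumed EL defaults.

# Extract the major version from "OpenSSL 3.2.2 4 Jun 2024"-style output
# (pass in "$(openssl version)" on a real host).
openssl_major() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9]*\)\..*/\1/p'
}

# Write $1/openssl.cnf for OpenSSL major version $2. 3.x loads the
# pkcs11-provider via the provider API; 1.x falls back to the libp11 ENGINE.
# $1 stands in for a temp dir under the xrootd run location (assumption).
write_pkcs11_conf() {
    dir=$1; major=$2; cfg="$dir/openssl.cnf"
    # Group-safe: owner rwx / group rx on the dir, owner rw / group r on the
    # file, nothing for others. umask closes the window before chmod runs.
    umask 027
    mkdir -p "$dir" && chmod 0750 "$dir"
    if [ "$major" -ge 3 ]; then
        cat > "$cfg" <<'EOF'
openssl_conf = openssl_init
[openssl_init]
providers = provider_sect
[provider_sect]
default = default_sect
pkcs11 = pkcs11_sect
[default_sect]
activate = 1
[pkcs11_sect]
module = /usr/lib64/ossl-modules/pkcs11.so
pkcs11-module-path = /usr/lib64/pkcs11/p11-kit-client.so
activate = 1
EOF
    else
        cat > "$cfg" <<'EOF'
openssl_conf = openssl_init
[openssl_init]
engines = engine_sect
[engine_sect]
pkcs11 = pkcs11_sect
[pkcs11_sect]
engine_id = pkcs11
dynamic_path = /usr/lib64/engines-1.1/pkcs11.so
MODULE_PATH = /usr/lib64/pkcs11/p11-kit-client.so
init = 0
EOF
    fi
    chmod 0640 "$cfg"
    printf '%s\n' "$cfg"
}
```

The default provider is activated explicitly because configuring any provider section stops OpenSSL 3 from auto-loading it; without that line the pkcs11 provider would be the only one available.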

h2zh added 2 commits January 6, 2026 06:40
Use Provider API for OpenSSL 3.x (Alma 10 / EL9+); keep Engine API as a contained compatibility shim for OpenSSL 1.1.1 (EL8)

(cherry picked from commit ccbd098d68207a0a0391aae3b2453819eb32a152)
(cherry picked from commit eb5e258dcacba9678c5e92cf053ab13cf3da70a9)
@h2zh h2zh requested a review from patrickbrophy January 6, 2026 15:23
@h2zh h2zh linked an issue Jan 6, 2026 that may be closed by this pull request
7 tasks
h2zh added 5 commits January 7, 2026 21:22
- The pkcs11 provider handles PKCS#11 URIs (for OSSL_STORE key loading), while the default provider handles standard crypto operations.
@h2zh h2zh requested a review from patrickbrophy January 13, 2026 15:13
@patrickbrophy (Contributor) left a comment

This looks good! LGTM

@h2zh h2zh merged commit b1de1f0 into PelicanPlatform:main Jan 15, 2026
27 of 29 checks passed


Development

Successfully merging this pull request may close these issues.

ENGINE is deprecated in OpenSSL 3+ and disabled in AlmaLinux 10
