Read pkcs11-uri parameter from EVP_PKEY/EVP_PKEY_CTX/OSSL_STORE/OSSL_STORE_INFO

[Ayke]

Hello there!

I have been using pkcs11-provider to manage my softhsm setup and it's been working well. I notice that when I create a new private key using pkcs11-provider (by creating a new EVP_PKEY_CTX and set corresponding parameters), if pkcs11-uri parameter is empty, a random id will be generated for the key (I suppose this comes from softhsm not pkcs11-provider).

I know that you can set up pkcs11-uri parameter to designate an uri for the newly created key. However this parameter seems only settable but not gettable for EVP_PKEY_CTX.
Now I'm wondering, with an EVP_PKEY_CTX (or related object, such as EVP_PKEY, or even OSSL_STORE/OSSL_STORE_INFO), does pkcs11-provider support any way of querying its pkcs11-uri?

Thanks for your time in advance!

[simo5]

Use:
openssl storeutl -text pkcs11:

It will output all of the keys it can find and pkcs11-provider will produce a pkcs11-uri as an additional output, example:

54: Pkey
PKCS11 EC Private Key (256 bits)
[Can't export and print private key data]
URI pkcs11:model=v1;manufacturer=Kryoptic%20Project;token=Kryoptic%20Token;id=%75%FC%EE%1B%31%A1%51%E2%CB%37%6F%FA%1C%FB%4A%EA;type=private

As you can se the object ID is printed there (if a random number it will not be the easiest to read but it is available).
you can trim the pkcs11-uri as needed.

[Ayke]

Thank you for your reply! Sorry that I wasn't clear in the context.

If I understand this correctly this is a commandline cmd to print all objects, but if in the C library context, when I have an EVP_PKEY object (loaded from pkcs11-provider) (or other related objects such as EVP_PKEY_CTX) at hand in program, is there any way that I can get its pkcs11-uri?

[simo5]

Unfortunately no, we could add a key parameter that you could obtain via EVP_PKEY_get_params(), but it is not currently something we do.

[Ayke]

Thank you for the info!!