Fix PKCS#11 infrastructure issues

“sahmad154” · “sahmad154” · commit 75cf872883c8 · 2026-02-10T13:58:45.000Z
- Fix slot detection: Use grep -B 20 to find slot number before label
  Resolves CKR_TOKEN_NOT_RECOGNIZED errors with dynamic slot assignment
- Add PKCS#11 engine symlink: Create link from ENGINESDIR to actual engine location
  Enables OpenSSL to find pkcs11.so engine for curl --engine pkcs11
- Fix client CA chain copy: Add existence check before copying
  Prevents silent failures when ICA chain file missing

Tested in running container:
- Certificate import successful with 3 objects (rdkclient, rdkclient-key, rdkclient-p12-key)
- OpenSSL engine available: openssl engine -t pkcs11 returns [available]
- L2 tests pass: 54 passed, 30 skipped
diff --git a/native-platform/certs.sh b/native-platform/certs.sh
@@ -103,7 +103,11 @@ if [ "$ENABLE_MTLS" = "true" ]; then
 
     # Copy client CA chain to shared volume for mock-xconf container
     mkdir -p "$SHARED_CERTS_DIR/client"
-    cp "$CLIENT_ICA_CHAIN" "$SHARED_CERTS_DIR/client/ca-chain.pem"
+    if [ -f "$CLIENT_ICA_CHAIN" ]; then
+        cp "$CLIENT_ICA_CHAIN" "$SHARED_CERTS_DIR/client/ca-chain.pem"
+    else
+        echo "[certs] WARNING: Client ICA chain not found at $CLIENT_ICA_CHAIN" >&2
+    fi
 
     # Validate shared export exists and is non-empty
     if [ ! -s "$SHARED_CERTS_DIR/client/ca-chain.pem" ]; then
diff --git a/native-platform/scripts/import-certs-to-pkcs11.sh b/native-platform/scripts/import-certs-to-pkcs11.sh
@@ -19,8 +19,8 @@ if [ ! -f "$PKCS11_MODULE" ]; then
     exit 1
 fi
 
-# Get token slot
-SLOT=$(softhsm2-util --show-slots | grep -A 2 "$TOKEN_LABEL" | grep "Slot " | awk '{print $2}')
+# Get token slot by searching for the label and extracting the slot number before it
+SLOT=$(softhsm2-util --show-slots | grep -B 20 "Label:.*$TOKEN_LABEL" | grep "^Slot " | head -1 | awk '{print $2}')
 if [ -z "$SLOT" ]; then
     echo "[import-certs-to-pkcs11] ERROR: Token '$TOKEN_LABEL' not found"
     exit 1
diff --git a/native-platform/scripts/setup-pkcs11-openssl.sh b/native-platform/scripts/setup-pkcs11-openssl.sh
@@ -89,6 +89,11 @@ fi
 echo "/usr/local/lib64" > /etc/ld.so.conf.d/openssl-local.conf
 ldconfig
 
+# Create symlink for PKCS#11 engine (OpenSSL looks in ENGINESDIR=/usr/local/lib64/engines-3)
+echo "[setup-pkcs11-openssl] Creating PKCS#11 engine symlink..."
+mkdir -p /usr/local/lib64/engines-3
+ln -sf /usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so /usr/local/lib64/engines-3/pkcs11.so
+
 # Verify installation
 FINAL_VERSION=$(${INSTALL_PREFIX}/bin/openssl version 2>/dev/null | awk '{print $2}')
 if [ "$FINAL_VERSION" = "$OPENSSL_VERSION" ]; then
