Fix P12 patch: Add token label to PKCS#11 URI to prevent uninitialized slot scanning

“sahmad154” · “sahmad154” · commit b9bb385768b6 · 2026-02-12T06:14:09.000Z
- Updated PKCS#11 URI from 'pkcs11:id=%02x;type=private' to 'pkcs11:token=RDK_TOKEN;id=%02x;type=private'
- This prevents libp11 from scanning uninitialized SoftHSM slots which caused 'passed a null parameter' errors
- Fixes issue where curl failed with reference P12 files containing sentinel keys
- Works for both SoftHSM test environment and production OP-TEE hardware HSM
diff --git a/native-platform/patches/pkcs11_migration_support_p12.patch b/native-platform/patches/pkcs11_migration_support_p12.patch
@@ -145,7 +145,7 @@ Index: openssl-3.0.5/crypto/pkcs11_reference_key.c
 +
 +  /* Construct PKCS#11 URI with key ID */
 +  ret = snprintf(pkcs11_uri, PKCS11_URI_MAX_LEN,
-+                 "pkcs11:id=%%%02x;type=private", key_id);
++                 "pkcs11:token=RDK_TOKEN;id=%%%02x;type=private", key_id);
 +  if (ret < 0 ) {
 +      ERR_raise(ERR_LIB_EVP, ERR_R_INTERNAL_ERROR);
 +      return NULL;

Original file line number	Diff line number	Diff line change
`@@ -145,7 +145,7 @@ Index: openssl-3.0.5/crypto/pkcs11_reference_key.c`
`145`	`145`	`+`
`146`	`146`	`+ /* Construct PKCS#11 URI with key ID */`
`147`	`147`	`+ ret = snprintf(pkcs11_uri, PKCS11_URI_MAX_LEN,`
`148`		`-+ "pkcs11:id=%%%02x;type=private", key_id);`
	`148`	`++ "pkcs11:token=RDK_TOKEN;id=%%%02x;type=private", key_id);`
`149`	`149`	`+ if (ret < 0 ) {`
`150`	`150`	`+ ERR_raise(ERR_LIB_EVP, ERR_R_INTERNAL_ERROR);`
`151`	`151`	`+ return NULL;`