Cannot compile on MacOS

[mouse07410]

Env

MacOS Sequoia 15.7.1, Xcode-26.1. OpenSSL-3.5.4 installed by Macports (this matters).

Problem

Fails to compile - unable to find OpenSSL header files:

$ cargo install kryoptic-tools
    Updating crates.io index
  Downloaded kryoptic-tools v1.3.1
  Downloaded 1 crate (17.1KiB) in 0.73s
  Installing kryoptic-tools v1.3.1
    Updating crates.io index
     Locking 109 packages to latest compatible versions
  Downloaded asn1_derive v0.21.3
  Downloaded asn1 v0.21.3
  Downloaded cryptoki v0.10.0
  Downloaded secrecy v0.8.0
  Downloaded cryptoki-sys v0.4.0
.  .  .  .  .
   Compiling serde_derive v1.0.228
   Compiling anstyle v1.0.13
   Compiling toml_writer v1.0.4
error: failed to run custom build command for `ossl v1.3.1`
note: To improve backtraces for build dependencies, set the CARGO_PROFILE_RELEASE_BUILD_OVERRIDE_DEBUG=true environment variable to enable debug information generation.

Caused by:
  process didn't exit successfully: `/tmp/cargo-installZVLibP/release/build/ossl-71a3c457c521656d/build-script-build` (exit status: 101)
  --- stdout
  cargo::rustc-check-cfg=cfg(ossl_v307,ossl_v320,ossl_v350,ossl_mldsa,ossl_mlkem,ossl_slhdsa)
  cargo:rustc-link-lib=crypto
  Compile Error: "Unable to generate bindings: ClangDiagnostic(\"ossl.h:8:10: fatal error: 'openssl/core_dispatch.h' file not found\\n\")"

  --- stderr
  ossl.h:8:10: fatal error: 'openssl/core_dispatch.h' file not found
warning: build failed, waiting for other jobs to finish...
error: failed to compile `kryoptic-tools v1.3.1`, intermediate artifacts can be found at `/tmp/cargo-installZVLibP`.
To reuse those artifacts with a future compilation, set the environment variable `CARGO_TARGET_DIR` to that path.
$ 

OpenSSL headers live in /opt/local/include/openssl/, libraries - in /opt/local/lib/ (symlinked from /opt/local/libexec/openssl3/):

$ fd core_dispatch.h /opt/local/include/openssl
/opt/local/include/openssl/core_dispatch.h
$ 

There needs to be a way to point kryoptic build process at the location of the OpenSSL binary installation.
Currently set env vars do that, but kryoptic does not look at them:

$ env | grep OPENSSL
OPENSSL_LIB_DIR=/opt/local/lib
OPENSSL_INCLUDE_DIR=/opt/local/include
OPENSSL_APP=/opt/local/libexec/openssl3/bin/openssl
OPENSSL_MODULES=/opt/local/libexec/openssl3/lib/ossl-modules
OPENSSL_CFLAGS=-O3 -std=gnu18 -march=native -isysroot /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk -I/opt/local/include
OPENSSL_ROOT_DIR=/opt/local/libexec/openssl3
OPENSSL_CONF=/opt/local/etc/openssl/openssl.cnf
OPENSSL_CXXFLAGS=-std=gnu++20 -O3 -march=native -isysroot /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk -I/opt/local/include
OPENSSL_DIR=/opt/local/libexec/openssl3
$ 

[simo5]

Have you tried setting C_INCLUDE_PATH (and perhaps LIBRARY_PATH) environment variables?

[mouse07410]

$ echo $C_INCLUDE_PATH 
/opt/local/include:/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk/usr/include
$ echo LIBRARY_PATH
LIBRARY_PATH
$ cargo build --no-default-features --features standard
   Compiling ossl v1.3.1 (/Users/ur20980/src/kryoptic/ossl)
   Compiling serde_derive v1.0.228
   Compiling serial_test_derive v3.2.0
error: failed to run custom build command for `ossl v1.3.1 (/Users/ur20980/src/kryoptic/ossl)`

Caused by:
  process didn't exit successfully: `/Users/ur20980/src/kryoptic/target/debug/build/ossl-dba280a22cb04902/build-script-build` (exit status: 101)
  --- stdout
  cargo::rustc-check-cfg=cfg(ossl_v307,ossl_v320,ossl_v350,ossl_mldsa,ossl_mlkem,ossl_slhdsa,param_clear_free)
  Compile Error: "Env var KRYOPTIC_OPENSSL_SOURCES is not defined: NotPresent"
warning: build failed, waiting for other jobs to finish...
$ 

[simo5]

Only the "dynamic" feature allows you to dynamically build against a pre-compiled openssl version, if you exclude that feature, as you did, only a static build is produced, for which you need to provide the path to the sources in KRYOPTIC_OPENSSL_SOURCES, as the error clearly indicates.

[mouse07410]

if you exclude that feature, as you did, only a static build is produced, for which you need to provide the path to the sources in KRYOPTIC_OPENSSL_SOURCES, as the error clearly indicates.

Well, blame the README for this - I copied the build line exactly from it, after the "normal" cargo build failed. Correct, but not useful.

$ cd kryoptic 
$ env | grep INCL
OPENSSL_INCLUDE_DIR=/opt/local/include
C_INCLUDE_PATH=/opt/local/include:/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk/usr/include
$ cargo build
   Compiling ossl v1.3.1 (/Users/ur20980/src/kryoptic/ossl)
   Compiling kryoptic-lib v1.3.1 (/Users/ur20980/src/kryoptic)
   Compiling asn1_derive v0.21.3
   Compiling ryu v1.0.20
   Compiling fallible-streaming-iterator v0.1.9
   Compiling either v1.15.0
   Compiling fallible-iterator v0.3.0
   Compiling toml_writer v1.0.4
   Compiling rusqlite v0.31.0
   Compiling toml v0.9.8
   Compiling itertools v0.14.0
   Compiling serde_json v1.0.145
   Compiling asn1 v0.21.3
error: failed to run custom build command for `ossl v1.3.1 (/Users/ur20980/src/kryoptic/ossl)`

Caused by:
  process didn't exit successfully: `/Users/ur20980/src/kryoptic/target/debug/build/ossl-0127f2328be80dc0/build-script-build` (exit status: 101)
  --- stdout
  cargo::rustc-check-cfg=cfg(ossl_v307,ossl_v320,ossl_v350,ossl_mldsa,ossl_mlkem,ossl_slhdsa,param_clear_free)
  cargo:rustc-link-lib=crypto
  Compile Error: "Unable to generate bindings: ClangDiagnostic(\"/opt/local/include/openssl/macros.h:155:4: error: \\\"OPENSSL_API_COMPAT expresses an impossible API compatibility level\\\"\\n\")"

  --- stderr
  /opt/local/include/openssl/macros.h:155:4: error: "OPENSSL_API_COMPAT expresses an impossible API compatibility level"
warning: build failed, waiting for other jobs to finish...
$ openssl version
OpenSSL 3.5.4 30 Sep 2025 (Library: OpenSSL 3.5.4 30 Sep 2025)
$ 

Update

Investigation showed that OPENSSL_API_COMPAT got set to something less than 908, which caused the above error. I edited /opt/local/include/openssl/macros.h to make the message(s) more meaningful, and got:

143 │  * Check of sane values.
 144 │  */
 145 │ /* Can't go higher than the current version. */
 146 │ # if OPENSSL_API_LEVEL > (OPENSSL_VERSION_MAJOR * 10000 + OPENSSL_VERSION_MINOR * 100)
 147 │ #  error "OPENSSL_API_COMPAT expresses an impossible API compatibility level (too high)"
 148 │ # endif
 149 │ /* OpenSSL will have no version 2.y.z */
 150 │ # if OPENSSL_API_LEVEL < 30000 && OPENSSL_API_LEVEL >= 20000
 151 │ #  error "OPENSSL_API_COMPAT expresses an impossible API compatibility level (b/w 20K and 30K)"
 152 │ # endif
 153 │ /* Below 0.9.8 is unacceptably low */
 154 │ # if OPENSSL_API_LEVEL < 908
 155 │ #  error "OPENSSL_API_COMPAT expresses an impossible API compatibility level (too low: 908)"
 156 │ # endif

and the error

  process didn't exit successfully: `/Users/ur20980/src/kryoptic/target/debug/build/ossl-f0ff41754ae83117/build-script-build` (exit status: 101)
  --- stdout
  cargo::rustc-check-cfg=cfg(ossl_v307,ossl_v320,ossl_v350,ossl_mldsa,ossl_mlkem,ossl_slhdsa,param_clear_free)
  cargo:rustc-link-lib=crypto
  Compile Error: "Unable to generate bindings: ClangDiagnostic(\"/opt/local/include/openssl/macros.h:155:4: error: \\\"OPENSSL_API_COMPAT expresses an impossible API compatibility level (too low: 908)\\\"\\n\")"

  --- stderr
  /opt/local/include/openssl/macros.h:155:4: error: "OPENSSL_API_COMPAT expresses an impossible API compatibility level (too low: 908)"

Any suggestion? (Note: setting explicitly via CFLAGS defines OPENSSL_API_LEVEL and OPENSSL_API_COMPAT to 30500 and 30000 correspondingly did not help.)

[simo5]

do you also have openssl system headers installed?
sounds like a mixup of versions here

[mouse07410]

do you also have openssl system headers installed?

Not sure I understand the question - certainly, I have OpenSSL headers installed in /opt/local/include/ (openssl/*.h) and OpenSSL libraries in /opt/local/lib/. Actually, symlinked from /opt/local/libexec/openssl3/include and /opt/local/libexec/openssl3/lib.

sounds like a mixup of versions here

I rather doubt that. MacOS has LibreSSL installed - but no headers and no user-linkable libraries, AFAIK. So, the main OpenSSL version is Macports-installed openssl v3.5.4.

And

ll /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk/usr/include/openssl
ls: /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk/usr/include/openssl: No such file or directory
$ 

[simo5]

I would suggest looking at how we build openssl and kryoptic in the pkcs11-provider CI:
https://github.com/latchset/pkcs11-provider/blob/main/.github/workflows/openssl.yml

Specifically I think it is critical to point at the right PKG_CONFIG_PATH with the openssl pkgconfig files, which must point at the correct directories where headers and librarues are.

If that doesn't work I can't help further as I am not a Mac OS user.

[simo5]

Actually I got it to compile here locally by setting:

export C_INCLUDE_PATH="/opt/include"
export LIBRARY_PATH="/opt/lib64"

I also had export LD_LIBRARY_PATH="/opt/lib64/" set but not sure this is needed.

In my case openssl was installed in /opt in yout case I think you would set

export C_INCLUDE_PATH="/opt/local/include"
export LIBRARY_PATH="/opt/local/lib"

[mouse07410]

I don't know:

$ cd kryoptic 
$ export C_INCLUDE_PATH="/opt/local/include"
$ export LIBRARY_PATH="/opt/local/lib"
$ git-pull  
remote: Enumerating objects: 22, done.
remote: Counting objects: 100% (22/22), done.
remote: Compressing objects: 100% (5/5), done.
remote: Total 14 (delta 10), reused 9 (delta 8), pack-reused 0 (from 0)
Unpacking objects: 100% (14/14), 1.98 KiB | 203.00 KiB/s, done.
From https://github.com/latchset/kryoptic
   cdb92ef..14c0e39  main       -> origin/main
Updating cdb92ef..14c0e39
Fast-forward
 cdylib/src/lib.rs     |  6 +++---
 ossl/Cargo.toml       |  4 ++++
 ossl/src/signature.rs | 10 ++++++++--
 3 files changed, 15 insertions(+), 5 deletions(-)
Wed Nov 12 17:42:49 EST 2025
$ cargo build
   Compiling ossl v1.3.1 (/Users/ur20980/src/kryoptic/ossl)
error: failed to run custom build command for `ossl v1.3.1 (/Users/ur20980/src/kryoptic/ossl)`

Caused by:
  process didn't exit successfully: `/Users/ur20980/src/kryoptic/target/debug/build/ossl-f0ff41754ae83117/build-script-build` (exit status: 101)
  --- stdout
  cargo::rustc-check-cfg=cfg(ossl_v307,ossl_v320,ossl_v350,ossl_mldsa,ossl_mlkem,ossl_slhdsa,param_clear_free)
  cargo:rustc-link-lib=crypto
  Compile Error: "Unable to generate bindings: ClangDiagnostic(\"/opt/local/include/openssl/macros.h:155:4: error: \\\"OPENSSL_API_COMPAT expresses an impossible API compatibility level (too low: 908)\\\"\\n\")"

  --- stderr
  /opt/local/include/openssl/macros.h:155:4: error: "OPENSSL_API_COMPAT expresses an impossible API compatibility level (too low: 908)"
$ 

Maybe ossl/build.rs could/should look for (at least some of) those env vars (and also OPENSSL-specific ones that I'll list below) and ensure they are passed to the C compiler for the build? OpenSSL itself for sure does not set OPENSSL_API_COMPAT, because I'm building a ton of OpenSSL-dependent software (mostly in C, some in Rust), and have never seen such a weird error.

$ env | grep OPENSSL
OPENSSL_CONF=/opt/local/etc/openssl/openssl.cnf
OPENSSL_CFLAGS=-O3 -std=gnu18 -isysroot /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk -I/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk/usr/include -I/opt/local/include
OPENSSL_DIR=/opt/local/libexec/openssl3
OPENSSL_ROOT_DIR=/opt/local/libexec/openssl3
OPENSSL_APP=/opt/local/libexec/openssl3/bin/openssl
OPENSSL_MODULES=/opt/local/libexec/openssl3/lib/ossl-modules
OPENSSL_INCLUDE_DIR=/opt/local/include
OPENSSL_LIB_DIR=/opt/local/lib

[simo5]

OPENSSL_API_COMPAT is a red hering what oprnssl checks for is OPENSSL_API_LEVEL, which can be influenced by OPENSSL_API_COMPAT but also by OPENSSL_CONFIGURED_API

I suggest running:
grep -r OPENSSL_CONFIGURED_API /usr/include

this will tell if there is any system header mocking with this define (it is not an environment variable, so what is set in environment variables does not matter).

[neverpanic]

I think the issue here is just that this code path doesn't use pkg-config to locate OpenSSL, but it should. PR coming up.

[neverpanic]

With my proposed changes in #368:

     Running `CARGO=/opt/local/bin/cargo CARGO_CFG_FEATURE=dynamic CARGO_CFG_PANIC=unwind CARGO_CFG_TARGET_ABI='' CARGO_CFG_TARGET_ARCH=aarch64 CARGO_CFG_TARGET_ENDIAN=little CARGO_CFG_TARGET_ENV='' CARGO_CFG_TARGET_FAMILY=unix CARGO_CFG_TARGET_FEATURE=aes,crc,dit,dotprod,dpb,dpb2,fcma,fhm,flagm,fp16,frintts,jsconv,lor,lse,neon,paca,pacg,pan,pmuv3,ras,rcpc,rcpc2,rdm,sb,sha2,sha3,ssbs,vh CARGO_CFG_TARGET_HAS_ATOMIC=128,16,32,64,8,ptr CARGO_CFG_TARGET_OS=macos CARGO_CFG_TARGET_POINTER_WIDTH=64 CARGO_CFG_TARGET_VENDOR=apple CARGO_CFG_UNIX='' CARGO_ENCODED_RUSTFLAGS='' CARGO_FEATURE_DYNAMIC=1 CARGO_MANIFEST_DIR=/private/tmp/kryoptic/ossl CARGO_MANIFEST_PATH=/private/tmp/kryoptic/ossl/Cargo.toml CARGO_PKG_AUTHORS='' CARGO_PKG_DESCRIPTION='OpenSSL version 3+ bindings to modern EVP APIs' CARGO_PKG_HOMEPAGE='https://github.com/latchset/kryoptic' CARGO_PKG_LICENSE=Apache-2.0 CARGO_PKG_LICENSE_FILE='' CARGO_PKG_NAME=ossl CARGO_PKG_README=README.md CARGO_PKG_REPOSITORY='https://github.com/latchset/kryoptic' CARGO_PKG_RUST_VERSION='' CARGO_PKG_VERSION=1.3.1 CARGO_PKG_VERSION_MAJOR=1 CARGO_PKG_VERSION_MINOR=3 CARGO_PKG_VERSION_PATCH=1 CARGO_PKG_VERSION_PRE='' DEBUG=false DYLD_FALLBACK_LIBRARY_PATH='/private/tmp/kryoptic/target/release/deps:/private/tmp/kryoptic/target/release:/opt/local/lib/rustlib/aarch64-apple-darwin/lib:/Users/cllang/lib:/usr/local/lib:/usr/lib' HOST=aarch64-apple-darwin NUM_JOBS=12 OPT_LEVEL=3 OUT_DIR=/private/tmp/kryoptic/target/release/build/ossl-72eebef531fcf55e/out PROFILE=release RUSTC=rustc RUSTDOC=rustdoc TARGET=aarch64-apple-darwin /private/tmp/kryoptic/target/release/build/ossl-a2f029be439f629d/build-script-build`
[ossl 1.3.1] cargo::rustc-check-cfg=cfg(ossl_v307,ossl_v320,ossl_v350,ossl_mldsa,ossl_mlkem,ossl_slhdsa,param_clear_free)
[ossl 1.3.1] cargo:rerun-if-env-changed=OPENSSL_NO_PKG_CONFIG
[ossl 1.3.1] cargo:rerun-if-env-changed=PKG_CONFIG_aarch64-apple-darwin
[ossl 1.3.1] cargo:rerun-if-env-changed=PKG_CONFIG_aarch64_apple_darwin
[ossl 1.3.1] cargo:rerun-if-env-changed=HOST_PKG_CONFIG
[ossl 1.3.1] cargo:rerun-if-env-changed=PKG_CONFIG
[ossl 1.3.1] cargo:rerun-if-env-changed=OPENSSL_STATIC
[ossl 1.3.1] cargo:rerun-if-env-changed=OPENSSL_DYNAMIC
[ossl 1.3.1] cargo:rerun-if-env-changed=PKG_CONFIG_ALL_STATIC
[ossl 1.3.1] cargo:rerun-if-env-changed=PKG_CONFIG_ALL_DYNAMIC
[ossl 1.3.1] cargo:rerun-if-env-changed=PKG_CONFIG_PATH_aarch64-apple-darwin
[ossl 1.3.1] cargo:rerun-if-env-changed=PKG_CONFIG_PATH_aarch64_apple_darwin
[ossl 1.3.1] cargo:rerun-if-env-changed=HOST_PKG_CONFIG_PATH
[ossl 1.3.1] cargo:rerun-if-env-changed=PKG_CONFIG_PATH
[ossl 1.3.1] cargo:rerun-if-env-changed=PKG_CONFIG_LIBDIR_aarch64-apple-darwin
[ossl 1.3.1] cargo:rerun-if-env-changed=PKG_CONFIG_LIBDIR_aarch64_apple_darwin
[ossl 1.3.1] cargo:rerun-if-env-changed=HOST_PKG_CONFIG_LIBDIR
[ossl 1.3.1] cargo:rerun-if-env-changed=PKG_CONFIG_LIBDIR
[ossl 1.3.1] cargo:rerun-if-env-changed=PKG_CONFIG_SYSROOT_DIR_aarch64-apple-darwin
[ossl 1.3.1] cargo:rerun-if-env-changed=PKG_CONFIG_SYSROOT_DIR_aarch64_apple_darwin
[ossl 1.3.1] cargo:rerun-if-env-changed=HOST_PKG_CONFIG_SYSROOT_DIR
[ossl 1.3.1] cargo:rerun-if-env-changed=PKG_CONFIG_SYSROOT_DIR
[ossl 1.3.1] cargo:rerun-if-env-changed=OPENSSL_STATIC
[ossl 1.3.1] cargo:rerun-if-env-changed=OPENSSL_DYNAMIC
[ossl 1.3.1] cargo:rerun-if-env-changed=PKG_CONFIG_ALL_STATIC
[ossl 1.3.1] cargo:rerun-if-env-changed=PKG_CONFIG_ALL_DYNAMIC
[ossl 1.3.1] cargo:rustc-link-search=native=/opt/local/libexec/openssl3/lib
[ossl 1.3.1] cargo:rustc-link-lib=ssl
[ossl 1.3.1] cargo:rustc-link-lib=crypto
[ossl 1.3.1] cargo:rerun-if-env-changed=PKG_CONFIG_aarch64-apple-darwin
[ossl 1.3.1] cargo:rerun-if-env-changed=PKG_CONFIG_aarch64_apple_darwin
[ossl 1.3.1] cargo:rerun-if-env-changed=HOST_PKG_CONFIG
[ossl 1.3.1] cargo:rerun-if-env-changed=PKG_CONFIG
[ossl 1.3.1] cargo:rerun-if-env-changed=OPENSSL_STATIC
[ossl 1.3.1] cargo:rerun-if-env-changed=OPENSSL_DYNAMIC
[ossl 1.3.1] cargo:rerun-if-env-changed=PKG_CONFIG_ALL_STATIC
[ossl 1.3.1] cargo:rerun-if-env-changed=PKG_CONFIG_ALL_DYNAMIC
[ossl 1.3.1] cargo:rerun-if-env-changed=PKG_CONFIG_PATH_aarch64-apple-darwin
[ossl 1.3.1] cargo:rerun-if-env-changed=PKG_CONFIG_PATH_aarch64_apple_darwin
[ossl 1.3.1] cargo:rerun-if-env-changed=HOST_PKG_CONFIG_PATH
[ossl 1.3.1] cargo:rerun-if-env-changed=PKG_CONFIG_PATH
[ossl 1.3.1] cargo:rerun-if-env-changed=PKG_CONFIG_LIBDIR_aarch64-apple-darwin
[ossl 1.3.1] cargo:rerun-if-env-changed=PKG_CONFIG_LIBDIR_aarch64_apple_darwin
[ossl 1.3.1] cargo:rerun-if-env-changed=HOST_PKG_CONFIG_LIBDIR
[ossl 1.3.1] cargo:rerun-if-env-changed=PKG_CONFIG_LIBDIR
[ossl 1.3.1] cargo:rerun-if-env-changed=PKG_CONFIG_SYSROOT_DIR_aarch64-apple-darwin
[ossl 1.3.1] cargo:rerun-if-env-changed=PKG_CONFIG_SYSROOT_DIR_aarch64_apple_darwin
[ossl 1.3.1] cargo:rerun-if-env-changed=HOST_PKG_CONFIG_SYSROOT_DIR
[ossl 1.3.1] cargo:rerun-if-env-changed=PKG_CONFIG_SYSROOT_DIR
[ossl 1.3.1] cargo::rustc-cfg=ossl_v307
[ossl 1.3.1] cargo::rustc-cfg=ossl_v320
[ossl 1.3.1] cargo::rustc-cfg=ossl_v350
[ossl 1.3.1] cargo::rustc-cfg=ossl_mldsa
[ossl 1.3.1] cargo::rustc-cfg=ossl_mlkem
[ossl 1.3.1] cargo::rustc-cfg=ossl_slhdsa
[ossl 1.3.1] cargo:rerun-if-changed=build.rs
     Running `CARGO=/opt/local/bin/cargo CARGO_CRATE_NAME=ossl CARGO_MANIFEST_DIR=/private/tmp/kryoptic/ossl CARGO_MANIFEST_PATH=/private/tmp/kryoptic/ossl/Cargo.toml CARGO_PKG_AUTHORS='' CARGO_PKG_DESCRIPTION='OpenSSL version 3+ bindings to modern EVP APIs' CARGO_PKG_HOMEPAGE='https://github.com/latchset/kryoptic' CARGO_PKG_LICENSE=Apache-2.0 CARGO_PKG_LICENSE_FILE='' CARGO_PKG_NAME=ossl CARGO_PKG_README=README.md CARGO_PKG_REPOSITORY='https://github.com/latchset/kryoptic' CARGO_PKG_RUST_VERSION='' CARGO_PKG_VERSION=1.3.1 CARGO_PKG_VERSION_MAJOR=1 CARGO_PKG_VERSION_MINOR=3 CARGO_PKG_VERSION_PATCH=1 CARGO_PKG_VERSION_PRE='' CARGO_PRIMARY_PACKAGE=1 CARGO_SBOM_PATH='' DYLD_FALLBACK_LIBRARY_PATH='/private/tmp/kryoptic/target/release/deps:/Users/cllang/lib:/usr/local/lib:/usr/lib' OUT_DIR=/private/tmp/kryoptic/target/release/build/ossl-72eebef531fcf55e/out rustc --crate-name ossl --edition=2021 ossl/src/lib.rs --error-format=json --json=diagnostic-rendered-ansi,artifacts,future-incompat --diagnostic-width=240 --crate-type lib --emit=dep-info,metadata,link -C opt-level=3 -C embed-bitcode=no --cfg 'feature="dynamic"' --check-cfg 'cfg(docsrs,test)' --check-cfg 'cfg(feature, values("dummy-integrity", "dynamic", "fips", "log", "ossl320", "ossl350", "rfc9580"))' -C metadata=de9cbf956d38eec1 -C extra-filename=-80fe1ed9639a8386 --out-dir /private/tmp/kryoptic/target/release/deps -C strip=debuginfo -L dependency=/private/tmp/kryoptic/target/release/deps --extern cfg_if=/private/tmp/kryoptic/target/release/deps/libcfg_if-cb13d4269083f6d2.rmeta --extern getrandom=/private/tmp/kryoptic/target/release/deps/libgetrandom-cbd0c1e7d50e15b3.rmeta --extern libc=/private/tmp/kryoptic/target/release/deps/liblibc-ca4cef947c7884c5.rmeta -L native=/opt/local/libexec/openssl3/lib -l ssl -l crypto --cfg ossl_v307 --cfg ossl_v320 --cfg ossl_v350 --cfg ossl_mldsa --cfg ossl_mlkem --cfg ossl_slhdsa --check-cfg 'cfg(ossl_v307,ossl_v320,ossl_v350,ossl_mldsa,ossl_mlkem,ossl_slhdsa,param_clear_free)'`
    Finished `release` profile [optimized] target(s) in 3.04s

[mouse07410]

I suggest running: grep -r OPENSSL_CONFIGURED_API /usr/include

The problem is that Xcode on MacOS (stupidly) done away with /usr/include. The stuff now is in

/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk/usr/include

Regardless:

$ grep -rn OPENSSL_CONFIGURED_API /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk/usr/include
$ 
$ fd -u libcrypto /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk
$ 
$ fd -u openssl /Library/Developer/CommandLineTools/SDKs
/Library/Developer/CommandLineTools/SDKs/MacOSX26.1.sdk/usr/include/apache2/mod_ssl_openssl.h
/Library/Developer/CommandLineTools/SDKs/MacOSX15.4.sdk/usr/share/man/man3/Crypt::OpenSSL::RSA.3pm
/Library/Developer/CommandLineTools/SDKs/MacOSX15.4.sdk/usr/include/apache2/mod_ssl_openssl.h
/Library/Developer/CommandLineTools/SDKs/MacOSX15.4.sdk/usr/share/man/man3/Crypt::OpenSSL::Random.3pm
/Library/Developer/CommandLineTools/SDKs/MacOSX15.4.sdk/usr/share/man/man3/Crypt::OpenSSL::Guess.3pm
/Library/Developer/CommandLineTools/SDKs/MacOSX15.4.sdk/usr/share/man/man3/Crypt::OpenSSL::Guess5.34.3pm
/Library/Developer/CommandLineTools/SDKs/MacOSX15.4.sdk/usr/share/man/man3/Crypt::OpenSSL::Random5.34.3pm
/Library/Developer/CommandLineTools/SDKs/MacOSX26.1.sdk/usr/share/man/man3/Crypt::OpenSSL::RSA.3pm
/Library/Developer/CommandLineTools/SDKs/MacOSX26.1.sdk/usr/share/man/man3/Crypt::OpenSSL::Random.3pm
/Library/Developer/CommandLineTools/SDKs/MacOSX26.1.sdk/usr/share/man/man3/Crypt::OpenSSL::Guess.3pm
/Library/Developer/CommandLineTools/SDKs/MacOSX26.1.sdk/usr/share/man/man3/Crypt::OpenSSL::Guess5.34.3pm
/Library/Developer/CommandLineTools/SDKs/MacOSX26.1.sdk/usr/share/man/man3/Crypt::OpenSSL::Random5.34.3pm
/Library/Developer/CommandLineTools/SDKs/MacOSX26.1.sdk/System/Library/Frameworks/Ruby.framework/Versions/2.6/usr/lib/ruby/2.6.0/openssl.rb
/Library/Developer/CommandLineTools/SDKs/MacOSX15.4.sdk/usr/share/man/man3/Crypt::OpenSSL::RSA5.34.3pm
/Library/Developer/CommandLineTools/SDKs/MacOSX26.1.sdk/usr/share/man/man3/Crypt::OpenSSL::RSA5.34.3pm
/Library/Developer/CommandLineTools/SDKs/MacOSX26.1.sdk/System/Library/Frameworks/Ruby.framework/Versions/2.6/usr/lib/ruby/2.6.0/openssl/
/Library/Developer/CommandLineTools/SDKs/MacOSX15.4.sdk/System/Library/Frameworks/Ruby.framework/Versions/2.6/usr/lib/ruby/2.6.0/openssl.rb
/Library/Developer/CommandLineTools/SDKs/MacOSX15.4.sdk/System/Library/Frameworks/Ruby.framework/Versions/2.6/usr/lib/ruby/2.6.0/openssl/
$ fd -u libcrypto /Library/Developer/CommandLineTools/SDKs
$ 

As you see, OpenSSL headers or library files are not installed/available by the system.

Again, is it possible to make ossl pay attention to at least some of the following env variables, if they are set?

$ env | grep OPENSSL
OPENSSL_CONF=/opt/local/etc/openssl/openssl.cnf
OPENSSL_CFLAGS=-O3 -std=gnu18 -isysroot /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk -I/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk/usr/include -I/opt/local/include
OPENSSL_DIR=/opt/local/libexec/openssl3
OPENSSL_ROOT_DIR=/opt/local/libexec/openssl3
OPENSSL_APP=/opt/local/libexec/openssl3/bin/openssl
OPENSSL_MODULES=/opt/local/libexec/openssl3/lib/ossl-modules
OPENSSL_INCLUDE_DIR=/opt/local/include
OPENSSL_LIB_DIR=/opt/local/lib

[mouse07410]

@neverpanic, with your patch (PR #368) ossl and then kryoptic build successfully and pass tests. Thank you!

@simo5 my recommendation is to merge #368

[mouse07410]

@simo5 one question: I couldn't figure how to use kryoptic for testing of pkcs11-provider. README did not help. Could you shed some light on this, please?

[neverpanic]

See https://github.com/latchset/pkcs11-provider/blob/main/tests/setup.sh and https://github.com/latchset/pkcs11-provider/blob/main/tests/kryoptic-init.sh, that should get you started.

[mouse07410]

See https://github.com/latchset/pkcs11-provider/blob/main/tests/setup.sh and https://github.com/latchset/pkcs11-provider/blob/main/tests/kryoptic-init.sh, that should get you started.

Thanks. Partially on my way.

It looks like I need to at least (a) edit kryoptic-init.sh to make it understand ${KRYOPTIC}/target/debug/libkryoptic_pkcs11.dylib (because that's what it builds on Mac), and (b) set env var KRYOPTIC to point at where my kryoptic sources are.
Correct?

[neverpanic]

It looks like I need to at least (a) edit kryoptic-init.sh to make it understand ${KRYOPTIC}/target/debug/libkryoptic_pkcs11.dylib (because that's what it builds on Mac)

No, see https://github.com/latchset/pkcs11-provider/blob/main/tests/kryoptic-init.sh#L19-L21.
Also, you may want to build with --release.

and (b) set env var KRYOPTIC to point at where my kryoptic sources are. Correct?

For this particular script to work, yes. But you can also just set the few variables that kryoptic and pkcs11-provider actually need and skip the rest. For example, just creating the kryoptic.conf, setting $KRYOPTIC_CONF and $PKCS11_PROVIDER_MODULE to the path of the kryoptic dylib should work. Or, you can add a file to your /opt/local/etc/openssl/openssl.cnf.d/ that configures the path of the PKCS#11 module as documented in the pkcs11-provider manpage and HOWTO.

[mouse07410]

It looks like I need to at least (a) edit kryoptic-init.sh to make it understand ${KRYOPTIC}/target/debug/libkryoptic_pkcs11.dylib (because that's what it builds on Mac)

No, see https://github.com/latchset/pkcs11-provider/blob/main/tests/kryoptic-init.sh#L19-L21.
Also, you may want to build with --release.

MacOS dynamic libraries have extension .dylib, not .so. Therefore, the script failed without my patch.

For example, just creating the kryoptic.conf, setting $KRYOPTIC_CONF and $PKCS11_PROVIDER_MODULE to the path of the kryoptic dylib should work.

So, I have to have KRYOPTIC_CONF. A pity... Is there a description of what should go there, and/or a minimalistic example of .conf file? I saw a ton of those in tests/ subdir, but not sure how applicable/usable those would be.

you can add a file to your /opt/local/etc/openssl/openssl.cnf.d/ that configures the path of the PKCS#11 module

First, MacPorts on MacOS does not create this directory. Second, I already have quite a few providers defined for OpenSSL, including pkcs11-provider. So, not sure what I would add/change there, given that I am not going to switch to kryoptic, and only want to add it to have more tests run on pkcs11-provider.

[neverpanic]

MacOS dynamic libraries have extension .dylib, not .so. Therefore, the script failed without my patch.

I'm saying you don't need to use the script, just read, understand, and apply what you've learned from it.

So, I have to have KRYOPTIC_CONF. A pity... Is there a description of what should go there, and/or a minimalistic example of .conf file? I saw a ton of those in tests/ subdir, but not sure how applicable/usable those would be.

It's best to have a config, yes. See https://github.com/latchset/kryoptic/blob/main/src/config.rs#L265-L285 for methods to avoid setting an environment variable explicitly.

https://github.com/latchset/kryoptic/blob/main/src/config.rs#L228-L234 is the structure of the configuration; https://github.com/latchset/kryoptic/blob/main/src/config.rs#L49-L77 explains the structure of the slot object.

I guess a pull request to add a more easily readable documentation format for that would be welcome.

First, MacPorts on MacOS does not create this directory.

I maintain the openssl3 port in MacPorts, and I made sure this directory exists. If it doesn't exist for you, you aren't on the latest version of the openssl3 port.

Second, I already have quite a few providers defined for OpenSSL, including pkcs11-provider. So, not sure what I would add/change there, given that I am not going to switch to kryoptic, and only want to add it to have more tests run on pkcs11-provider.

You don't have to write the pkcs11-provider configuration into a file, you can also just set the PKCS11_PROVIDER_MODULE environment variable as explained earlier. But you can, if you want to, and a separate file in this directory is the best way that doesn't interfere with MacPorts' packaging of pkcs11-provider, which will provide this file after macports/macports-ports#30212 is merged.

[mouse07410]

I maintain the openssl3 port in MacPorts, and I made sure this directory exists. If it doesn't exist for you, you aren't on the latest version of the openssl3 port.

Correct:

$ ll /opt/local/etc/openssl 
total 0
drwxr-xr-x   9 root  admin   288 Oct  2 21:41 ./
drwxr-xr-x  38 root  wheel  1216 Oct 18 23:04 ../
lrwxr-xr-x   1 root  admin    40 Apr 16  2025 cert.pem@ -> /opt/local/share/curl/curl-ca-bundle.crt
lrwxr-xr-x   1 root  wheel    55 Oct  1 09:21 ct_log_list.cnf@ -> /opt/local/libexec/openssl3/etc/openssl/ct_log_list.cnf
lrwxr-xr-x   1 root  wheel    60 Oct  1 09:21 ct_log_list.cnf.dist@ -> /opt/local/libexec/openssl3/etc/openssl/ct_log_list.cnf.dist
lrwxr-xr-x   1 root  wheel    44 Oct  1 09:21 misc@ -> /opt/local/libexec/openssl3/etc/openssl/misc
lrwxr-xr-x   1 root  wheel    51 Oct  1 09:21 openssl.cnf@ -> /opt/local/libexec/openssl3/etc/openssl/openssl.cnf
lrwxr-xr-x   1 root  wheel    53 Oct  1 09:21 openssl.cnf.d@ -> /opt/local/libexec/openssl3/etc/openssl/openssl.cnf.d
lrwxr-xr-x   1 root  wheel    56 Oct  1 09:21 openssl.cnf.dist@ -> /opt/local/libexec/openssl3/etc/openssl/openssl.cnf.dist
$ ll /opt/local/etc/openssl/openssl.cnf.d
lrwxr-xr-x  1 root  wheel  53 Oct  1 09:21 /opt/local/etc/openssl/openssl.cnf.d@ -> /opt/local/libexec/openssl3/etc/openssl/openssl.cnf.d
$ ll /opt/local/etc/openssl/openssl.cnf.d/
total 8
drwxr-xr-x  4 root  wheel  128 Oct  2 21:41 ./
drwxr-xr-x  9 root  wheel  288 Oct  2 21:41 ../
-rw-r--r--  1 root  wheel    0 Oct  2 21:40 .turd_openssl3
-rw-r--r--  1 root  wheel  233 Apr 10  2025 legacy.cnf
$ 
$ 

My fault - no idea why it did not show up when I looked for it initially.

---

I've added the following:

$ env | grep KRYO
KRYOPTIC=/Users/ur20980/src/kryoptic
KRYOPTIC_CONF=/tmp/kryoptic-test.conf
$ cat $KRYOPTIC_CONF
[[slots]]
slot = 1
dbtype = "sqlite"
dbargs = "/tmp/kryoptic/token.sql"
$ ll /tmp/kryoptic/
total 256
drwxr-xr-x   3 ur20980  wheel     96 Nov 24 20:43 ./
drwxrwxrwt  93 root     wheel   2976 Nov 24 20:47 ../
-rw-r--r--   1 root     wheel  86016 Nov 24 20:43 token.sql
$ 

then attempted to build and test pkcs11-provider. It built fine, and passed most of the other tests - but failed to setup kryoptic (and kryoptic.nss, which I've even fewer clues about than about kryoptic itself):

  3/105 pkcs11-provider:kryoptic / setup           FAIL            1.90s   exit status 1
>>> LIBSPATH=/Users/ur20980/src/pkcs11-provider/build/src TESTBLDDIR=/Users/ur20980/src/pkcs11-provider/build/tests MESON_TEST_ITERATION=1 SHARED_EXT=.dylib MALLOC_PERTURB_=215 MSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 ASAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1 TESTSSRCDIR=/Users/ur20980/src/pkcs11-provider/tests SOFTOKNPATH=/opt/local/lib/nss P11KITCLIENTPATH=/opt/local/lib/pkcs11/p11-kit-client.so UBSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 /Users/ur20980/src/pkcs11-provider/tests/setup.sh kryoptic

You don't have to write the pkcs11-provider configuration into a file, you can also just set the PKCS11_PROVIDER_MODULE environment variable as explained earlier. But you can, if you want to, and a separate file in this directory is the best way that doesn't interfere with MacPorts' packaging of pkcs11-provider, which will provide this file after macports/macports-ports#30212 is merged.

Basically, all I want to accomplish now is to add kryoptic to the set of tests that pkcs11-provider runs when I build it from its source - nothing more. Is there a simple/easy/straightforward way to do so? I don't need another (permanent-ish) soft-token...

Although, once pkcs11-provider is included with the MacPorts OpenSSL-3 binaries, I may not need to build it from the source myself anymore.

[neverpanic]

Basically, all I want to accomplish now is to add kryoptic to the set of tests that pkcs11-provider runs when I build it from its source - nothing more. Is there a simple/easy/straightforward way to do so? I don't need another (permanent-ish) soft-token...

Just export $KRYOPTIC to point to your source tree of kryoptic, have either a release or debug version of it compiled, and fix tests/kryoptic-init.sh to look for the file with the .dylib extension? That's a change you could send a PR for anyway.

Although, once pkcs11-provider is included with the MacPorts OpenSSL-3 binaries, I may not need to build it from the source myself anymore.

It has been available for a while from MacPorts, just install the pkcs11-provider port.

[mouse07410]

That's a change you could send a PR for anyway.

Honestly, I'd rather not create a fork, and I don't know how to submit a PR without forking the repo. At least, I cannot create a branch here.

Anyway, here's the patch for tests/kryoptic-init.sh in pkcs11-provider repo:

diff --git a/tests/kryoptic-init.sh b/tests/kryoptic-init.sh
index 6455d82..8cf669a 100755
--- a/tests/kryoptic-init.sh
+++ b/tests/kryoptic-init.sh
@@ -19,6 +19,8 @@ find_kryoptic() {
 find_kryoptic \
     "${KRYOPTIC}/target/debug/libkryoptic_pkcs11.so" \
     "${KRYOPTIC}/target/release/libkryoptic_pkcs11.so" \
+    "${KRYOPTIC}/target/debug/libkryoptic_pkcs11.dylib" \
+    "${KRYOPTIC}/target/release/libkryoptic_pkcs11.dylib" \
     /usr/local/lib/kryoptic/libkryoptic_pkcs11.so \
     /usr/lib64/pkcs11/libkryoptic_pkcs11.so \
     /usr/lib/pkcs11/libkryoptic_pkcs11.so \

However, it does not seem to help much - now KRYOPTIC initialization fails:

[35/35] Linking target tests/tpkey
  1/105 pkcs11-provider:softokn / setup            OK              3.92s
  2/105 pkcs11-provider:softhsm / setup            OK              3.16s
  3/105 pkcs11-provider:kryoptic / setup           FAIL            2.95s   exit status 1
>>> UBSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 TESTSSRCDIR=/Users/ur20980/src/pkcs11-provider/tests MSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 P11KITCLIENTPATH=/opt/local/lib/pkcs11/p11-kit-client.so MESON_TEST_ITERATION=1 TESTBLDDIR=/Users/ur20980/src/pkcs11-provider/build/tests ASAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1 SOFTOKNPATH=/opt/local/lib/nss SHARED_EXT=.dylib LIBSPATH=/Users/ur20980/src/pkcs11-provider/build/src MALLOC_PERTURB_=148 /Users/ur20980/src/pkcs11-provider/tests/setup.sh kryoptic

  4/105 pkcs11-provider:kryoptic.nss / setup       FAIL            0.15s   exit status 1
>>> MALLOC_PERTURB_=67 UBSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 TESTSSRCDIR=/Users/ur20980/src/pkcs11-provider/tests MSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 P11KITCLIENTPATH=/opt/local/lib/pkcs11/p11-kit-client.so MESON_TEST_ITERATION=1 TESTBLDDIR=/Users/ur20980/src/pkcs11-provider/build/tests ASAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1 SOFTOKNPATH=/opt/local/lib/nss SHARED_EXT=.dylib LIBSPATH=/Users/ur20980/src/pkcs11-provider/build/src /Users/ur20980/src/pkcs11-provider/tests/setup.sh kryoptic.nss

  5/105 pkcs11-provider:softokn / basic            OK              4.43s

Also, does this help?

$ tests/setup.sh kryoptic
+ source /Users/ur20980/src/pkcs11-provider/tests/helpers.sh
++ : .
+++ which openssl3
+++ true
++ OPENSSL=
++ OPENSSL=openssl
++ helper_emit=1
++ sed --version
++ grep -q 'GNU sed'
++ sed_inplace=("-i" "")
++ export sed_inplace
+ _KEYID_COUNTER=0
+ '[' 1 -ne 1 ']'
+ TOKENTYPE=kryoptic
+ SUPPORT_ED25519=1
+ SUPPORT_ED448=1
+ SUPPORT_X25519=1
+ SUPPORT_X448=1
+ SUPPORT_RSA_PKCS1_ENCRYPTION=1
+ SUPPORT_RSA_KEYGEN_PUBLIC_EXPONENT=1
+ SUPPORT_TLSFUZZER=1
+ SUPPORT_ALLOWED_MECHANISMS=0
+ SUPPORT_SYMMETRIC=1
++ opensc-tool -i
++ grep OpenSC
++ sed -e 's/OpenSC 0\.\([0-9]*\).*/\1/'
+ OPENSC_VERSION=26
+ [[ 26 -le 25 ]]
+ [[ '' = \1 ]]
++ cat /proc/sys/crypto/fips_enabled
cat: /proc/sys/crypto/fips_enabled: No such file or directory
+ [[ '' = \1 ]]
+ PINVALUE=0123456789ABCDEFFEDCBA9876543210
+ SUPPORT_SKEY=0
+ openssl skeyutl -h
+ SUPPORT_SKEY=1
+ TMPPDIR=./kryoptic
+ TOKDIR=./kryoptic/tokens
+ '[' -d ./kryoptic ']'
+ mkdir ./kryoptic
+ mkdir ./kryoptic/tokens
+ PINFILE=./kryoptic/pinfile.txt
+ echo 0123456789ABCDEFFEDCBA9876543210
+ '[' kryoptic == softhsm ']'
+ '[' kryoptic == softokn ']'
+ '[' kryoptic == kryoptic ']'
+ source /Users/ur20980/src/pkcs11-provider/tests/kryoptic-init.sh
++ title SECTION 'Searching for Kryoptic module'
++ case "$1" in
++ shift 1
++ echo '########################################'
########################################
++ echo '## Searching for Kryoptic module'
## Searching for Kryoptic module
++ echo ''

++ find_kryoptic /Users/ur20980/src/kryoptic/target/debug/libkryoptic_pkcs11.so /Users/ur20980/src/kryoptic/target/release/libkryoptic_pkcs11.so /Users/ur20980/src/kryoptic/target/debug/libkryoptic_pkcs11.dylib /Users/ur20980/src/kryoptic/target/release/libkryoptic_pkcs11.dylib /usr/local/lib/kryoptic/libkryoptic_pkcs11.so /usr/lib64/pkcs11/libkryoptic_pkcs11.so /usr/lib/pkcs11/libkryoptic_pkcs11.so /usr/lib/x86_64-linux-gnu/kryoptic/libkryoptic_pkcs11.so
++ for _lib in '"$@"'
++ test -f /Users/ur20980/src/kryoptic/target/debug/libkryoptic_pkcs11.so
++ for _lib in '"$@"'
++ test -f /Users/ur20980/src/kryoptic/target/release/libkryoptic_pkcs11.so
++ for _lib in '"$@"'
++ test -f /Users/ur20980/src/kryoptic/target/debug/libkryoptic_pkcs11.dylib
++ echo 'Using kryoptic path /Users/ur20980/src/kryoptic/target/debug/libkryoptic_pkcs11.dylib'
Using kryoptic path /Users/ur20980/src/kryoptic/target/debug/libkryoptic_pkcs11.dylib
++ P11LIB=/Users/ur20980/src/kryoptic/target/debug/libkryoptic_pkcs11.dylib
++ return
++ title LINE 'Creating Kryoptic database'
++ case "$1" in
++ shift 1
++ echo 'Creating Kryoptic database'
Creating Kryoptic database
++ cat
++ export KRYOPTIC_CONF=./kryoptic/tokens/kryoptic.conf
++ KRYOPTIC_CONF=./kryoptic/tokens/kryoptic.conf
++ export 'TOKENLABEL=Kryoptic Token'
++ TOKENLABEL='Kryoptic Token'
++ export TOKENLABELURI=Kryoptic%20Token
++ TOKENLABELURI=Kryoptic%20Token
++ pkcs11-tool --module /Users/ur20980/src/kryoptic/target/debug/libkryoptic_pkcs11.dylib --init-token --label 'Kryoptic Token' --so-pin 0123456789ABCDEFFEDCBA9876543210
Using slot 0 with a present token (0x0)
Token successfully initialized
++ pkcs11-tool --module /Users/ur20980/src/kryoptic/target/debug/libkryoptic_pkcs11.dylib --so-pin 0123456789ABCDEFFEDCBA9876543210 --login --login-type so --init-pin --pin 0123456789ABCDEFFEDCBA9876543210
Using slot 0 with a present token (0x0)
User PIN successfully initialized
++ export 'TOKENCONFIGVARS=export KRYOPTIC_CONF=./kryoptic/tokens/kryoptic.conf'
++ TOKENCONFIGVARS='export KRYOPTIC_CONF=./kryoptic/tokens/kryoptic.conf'
++ export TESTPORT=34000
++ TESTPORT=34000
++ export SUPPORT_ALLOWED_MECHANISMS=1
++ SUPPORT_ALLOWED_MECHANISMS=1
++ '[' -z '' ']'
++ export SUPPORT_ML_DSA=1
++ SUPPORT_ML_DSA=1
++ '[' -z '' ']'
++ export SUPPORT_ML_KEM=1
++ SUPPORT_ML_KEM=1
+ [[ '' = \1 ]]
+ [[ 1 = \1 ]]
+ [[ 1 = \0 ]]
+ SEEDFILE=./kryoptic/noisefile.bin
+ dd if=/dev/urandom of=./kryoptic/noisefile.bin bs=2048 count=1
+ RAND64FILE=./kryoptic/64krandom.bin
+ dd if=/dev/urandom of=./kryoptic/64krandom.bin bs=2048 count=32
+ P11DEFLOGIN=("--login" "--pin=${PINVALUE}")
+ title LINE 'Generate openssl config file'
+ case "$1" in
+ shift 1
+ echo 'Generate openssl config file'
Generate openssl config file
+ export PKCS11_PROVIDER_MODULE=/Users/ur20980/src/kryoptic/target/debug/libkryoptic_pkcs11.dylib
+ PKCS11_PROVIDER_MODULE=/Users/ur20980/src/kryoptic/target/debug/libkryoptic_pkcs11.dylib
+ export PKCS11_PROVIDER_DEBUG=file:./kryoptic/p11prov-debug.log
+ PKCS11_PROVIDER_DEBUG=file:./kryoptic/p11prov-debug.log
+ export OPENSSL_CONF=./kryoptic/openssl.cnf
+ OPENSSL_CONF=./kryoptic/openssl.cnf
+ sed -e 's|@libtoollibs@||g' -e 's|@testsblddir@|.|g' -e 's|@testsdir@|./kryoptic|g' -e 's|@SHARED_EXT@||g' -e 's|@PINFILE@|./kryoptic/pinfile.txt|g' -e 's|##TOKENOPTIONS||g' /Users/ur20980/src/pkcs11-provider/tests/openssl.cnf.in
+ SERIAL=0
+ title LINE 'Creating new Self Sign CA'
+ case "$1" in
+ shift 1
+ echo 'Creating new Self Sign CA'
Creating new Self Sign CA
+ get_next_keyid
+ local id_val=0
+ (( _KEYID_COUNTER+=1 ))
++ printf %04x 0
+ KEYID=0000
++ printf %%%02x%%%02x 0 0
+ URIKEYID=%00%00
+ CACRTN=caCert
+ ptool --keypairgen --key-type=RSA:2048 --id=0000 --label=caCert
+ CMDOPTS=(--module="${P11LIB}" --token-label="${TOKENLABEL}")
+ '[' -n --login ']'
+ CMDOPTS+=("${P11DEFLOGIN[@]}")
+ CMDOPTS+=("$@")
+ pkcs11-tool --module=/Users/ur20980/src/kryoptic/target/debug/libkryoptic_pkcs11.dylib '--token-label=Kryoptic Token' --login --pin=0123456789ABCDEFFEDCBA9876543210 --keypairgen --key-type=RSA:2048 --id=0000 --label=caCert
Key pair generated:
Private Key Object; RSA 
  label:      caCert
  ID:         0000
  Usage:      decrypt, sign
  Access:     sensitive, always sensitive, never extractable, local
  Unique ID:  4e01613e-ff2b-4a73-838e-6db2db9315a4
  uri:        pkcs11:model=v1;manufacturer=Kryoptic%20Project;serial=005dcaa8f92ae805;token=Kryoptic%20Token;id=%00%00;object=caCert;type=private
Public Key Object; RSA 2048 bits
  label:      caCert
  ID:         0000
  Usage:      encrypt, verify
  Access:     local
  Unique ID:  be39e9d5-3906-41ab-a903-7421d41c684f
  uri:        pkcs11:model=v1;manufacturer=Kryoptic%20Project;serial=005dcaa8f92ae805;token=Kryoptic%20Token;id=%00%00;object=caCert;type=public
+ crt_selfsign caCert Issuer 0000
+ LABEL=caCert
+ CN=Issuer
+ KEYID=0000
+ (( SERIAL+=1 ))
+ CERTSUBJ=/CN=Issuer/
+ SIGNKEY='pkcs11:object=caCert;token=Kryoptic%20Token;type=private'
+ OPENSSL_CMD='x509
        -new -subj "/CN=Issuer/" -days 365 -set_serial "1"
        -extensions v3_ca -extfile "./kryoptic/openssl.cnf"
        -out "./kryoptic/caCert.crt" -outform DER
        -signkey "pkcs11:object=caCert;token=Kryoptic%20Token;type=private"'
+ ossl 'x509
        -new -subj "/CN=Issuer/" -days 365 -set_serial "1"
        -extensions v3_ca -extfile "./kryoptic/openssl.cnf"
        -out "./kryoptic/caCert.crt" -outform DER
        -signkey "pkcs11:object=caCert;token=Kryoptic%20Token;type=private"'
+ helper_output=
+ [[ '' = \1 ]]
+ echo '# r x509
        -new -subj "/CN=Issuer/" -days 365 -set_serial "1"
        -extensions v3_ca -extfile "./kryoptic/openssl.cnf"
        -out "./kryoptic/caCert.crt" -outform DER
        -signkey "pkcs11:object=caCert;token=Kryoptic%20Token;type=private" '
+ echo ' openssl x509
        -new -subj "/CN=Issuer/" -days 365 -set_serial "1"
        -extensions v3_ca -extfile "./kryoptic/openssl.cnf"
        -out "./kryoptic/caCert.crt" -outform DER
        -signkey "pkcs11:object=caCert;token=Kryoptic%20Token;type=private" '
 openssl x509
        -new -subj "/CN=Issuer/" -days 365 -set_serial "1"
        -extensions v3_ca -extfile "./kryoptic/openssl.cnf"
        -out "./kryoptic/caCert.crt" -outform DER
        -signkey "pkcs11:object=caCert;token=Kryoptic%20Token;type=private" 
++ eval openssl x509 -new -subj '"/CN=Issuer/"' -days 365 -set_serial '"1"' -extensions v3_ca -extfile '"./kryoptic/openssl.cnf"' -out '"./kryoptic/caCert.crt"' -outform DER -signkey '"pkcs11:object=caCert;token=Kryoptic%20Token;type=private"'
+++ openssl x509 -new -subj /CN=Issuer/ -days 365 -set_serial 1 -extensions v3_ca -extfile ./kryoptic/openssl.cnf -out ./kryoptic/caCert.crt -outform DER -signkey 'pkcs11:object=caCert;token=Kryoptic%20Token;type=private'
Could not open file or uri for loading private key from pkcs11:object=caCert;token=Kryoptic%20Token;type=private
C0305C4EF87F0000:error:80000002:system library:file_open:No such file or directory:providers/implementations/storemgmt/file_store.c:264:calling stat(pkcs11:object=caCert;token=Kryoptic%20Token;type=private)
C0305C4EF87F0000:error:1608010C:STORE routines:inner_loader_fetch:unsupported:crypto/store/store_meth.c:363:No store loader found. For standard store loaders you need at least one of the default or base providers available. Did you forget to load them? Info: Global default library context, Scheme (pkcs11 : 0), Properties (<null>)
+ __out=