Comment 5 for bug 2003669

------- Comment From <email address hidden> 2023-05-08 08:12 EDT-------
I am about to verify this feature, but noticed the following:

When no 'libopencryptoki-dev' is installed p11sak does not find the libopencryptoki.so:

# p11sak gen ibm-dilithium r3_87 --label kyber --slot 4
Error: failed to open pkcs11 lib 'libopencryptoki.so'

However, 'libopencryptoki.so' is available in '/usr/lib/s390x-linux-gnu/pkcs11/'

By setting environment variable PKCSLIB to '/usr/lib/s390x-linux-gnu/pkcs11/libopencryptoki.so', it works.

Also, after installing the 'libopencryptoki-dev' package, p11sak finds it right away (without setting PKCSLIB), and 'libopencryptoki.so' is available in :

/usr/lib/s390x-linux-gnu/pkcs11/libopencryptoki.so
/usr/lib/s390x-linux-gnu/libopencryptoki.so
/usr/lib/s390x-linux-gnu/opencryptoki/libopencryptoki.so

I don't think that this is as it should be. One should be able to use p11sak without having to install the dev package. Seems to something is wrong with library search path. p11sak does a dlopen() on 'libopencryptoki.so'. PKCS#11 applications will probably also do so and will thus also fail, unless they specify the full path of libopencryptoki.so of set the library search path correctly.

'make install' updates /etc/ld.so.conf.d and adds a 'opencryptoki-$(target_cpu).conf' file that contains the pkcs11 and opencryptoki directories. Maybe this is missing during package install?

@Frank: can you please comment ?