Make sure the openssl pkcs11 engine provided by OpenSC/libp11 can talk to your PKI card:
$ openssl engine pkcs11 -t -c -pre MODULE_PATH:/path/to/your/opensc-pkcs11-plugin-module.so
(pkcs11) pkcs11 engine
[Success]: MODULE_PATH:/path/to/your/OpenSC-pkcs11-plugin-module.so
[RSA]
[ available ]
Now create an openssl config file to pass the MODULE_PATH parameter to the pkcs11 engine like this:
cat > pkcs11_engine.conf <<EOF
openssl_conf = openssl_init
[openssl_init]
engines = engine_section
[engine_section]
pkcs11 = pkcs11_section
[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib64/engines/libpkcs11.so
MODULE_PATH = /path/to/your/opensc-pkcs11-plugin-module.so
init = 0
EOF
OPENSSL_CONF=pkcs11_engine.conf openssl engine -t -c pkcs11
Then check the keys present on your card with either:
pkcs15-tool --list-keys
or:
pkcs11-tool -O
and then use the key id to decrypt the smime pkcs7 file like this:
export OPENSSL_CONF=pkcs11_engine.conf
openssl smime -decrypt -inform der -in email.p7m -engine pkcs11 -keyform engine -inkey the-key-id
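The steps above can be wrapped in shell functions; this is an added example, not part of the original answer. The function names are hypothetical, the paths and key id are the same placeholders used above, and the `-inform` detection goes beyond the answer, which only covers DER input.

```shell
#!/bin/sh
# Added example, not from the original answer; function names are hypothetical.

# Write the engine config shown above for a given PKCS#11 module and engine
# library. Nothing is written if either path is unreadable.
write_engine_conf() {
    module=$1; engine_so=$2; out=$3
    [ -r "$module" ] || { echo "PKCS#11 module not readable: $module" >&2; return 1; }
    [ -r "$engine_so" ] || { echo "engine library not readable: $engine_so" >&2; return 1; }
    ( umask 077; cat > "$out" <<EOF
openssl_conf = openssl_init
[openssl_init]
engines = engine_section
[engine_section]
pkcs11 = pkcs11_section
[pkcs11_section]
engine_id = pkcs11
dynamic_path = $engine_so
MODULE_PATH = $module
init = 0
EOF
    )
}

# Pick the -inform value for a .p7m file from its first bytes:
# DER starts with 0x30 (ASN.1 SEQUENCE), PEM with "-----BEGIN",
# anything else is assumed to be a MIME-wrapped S/MIME message.
p7m_inform() {
    first=$(head -c 1 "$1" | od -An -tx1 | tr -d ' \n')
    if [ "$first" = "30" ]; then echo der
    elif head -c 11 "$1" | grep -q '^-----BEGIN'; then echo pem
    else echo smime
    fi
}

# Decrypt with the key on the card. OPENSSL_CONF is set for this one command
# only, so other openssl calls in the same shell are not routed to the engine.
p7m_decrypt() {
    conf=$1; p7m=$2; key_id=$3
    OPENSSL_CONF=$conf openssl smime -decrypt -inform "$(p7m_inform "$p7m")" \
        -in "$p7m" -engine pkcs11 -keyform engine -inkey "$key_id"
}

# Usage (placeholders as in the answer):
#   write_engine_conf /path/to/your/opensc-pkcs11-plugin-module.so \
#       /usr/lib64/engines/libpkcs11.so pkcs11_engine.conf
#   p7m_decrypt pkcs11_engine.conf email.p7m the-key-id
```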
Do you have a version with openssl 3 and providers? I can use https://github.com/latchset/pkcs11-provider for other applications (storeutl correctly shows my cert on the smart card) but can't manage to decipher mail.