Unable to find private key from uri?

[fabpiaf]

I tried to decrypt an smime.p7m file with openssl

 OPENSSL_CONF=./openssl-pkcs11.cnf openssl smime -decrypt -inkey 'pkcs11:model=PKCS%2315%20emulated;manufacturer=The%20Company;serial=1234;token=Key%20Card;id=%45;object=Key1;type=private' -in smime.p7m -inform DER -out decrypted.txt
Using slot 0 with a present token (0x0)
PKCS#11: Initializing the module: /usr/lib/opensc-pkcs11.so
Found 4 slots
- [0] Identive CLOUD 2700 R Sma  login                                 (IDKey Card)
- [1] Identive CLOUD 2700 R Sma  login                                 (IDKey Card)
- [2] Identive CLOUD 2700 R Sma  login                                 (IDKey Card)
- [3] Identive CLOUD 2700 R Sma  login                                 (IDKey Card)
Searching slots with login for an initialized token containing private key  id=45 label=IDKey1
Found slot: Identive CLOUD 2700 R Smart Card Reader [CCID Interface] (536...
Found initialized token: IDKey Card
Found slot: Identive CLOUD 2700 R Smart Card Reader [CCID Interface] (536...
Found initialized token: IDKey Card
Found slot: Identive CLOUD 2700 R Smart Card Reader [CCID Interface] (536...
Found initialized token: IDKey Card
Found slot: Identive CLOUD 2700 R Smart Card Reader [CCID Interface] (536...
Found initialized token: IDKey Card
Multiple matching slots (4); will not try to login
- [1] Identive CLOUD 2700 R Smart Card Reader [CCID Interface] (536...: IDKey Card
- [2] Identive CLOUD 2700 R Smart Card Reader [CCID Interface] (536...: IDKey Card
- [3] Identive CLOUD 2700 R Smart Card Reader [CCID Interface] (536...: IDKey Card
- [4] Identive CLOUD 2700 R Smart Card Reader [CCID Interface] (536...: IDKey Card
Searching slots without login for an uninitialized token containing private key  id=45 label=IDKey1
Found slot: Identive CLOUD 2700 R Smart Card Reader [CCID Interface] (536...
Skipped initialized token: Identive CLOUD 2700 R Smart Card Reader [CCID Interface] (536...
Found slot: Identive CLOUD 2700 R Smart Card Reader [CCID Interface] (536...
Skipped initialized token: Identive CLOUD 2700 R Smart Card Reader [CCID Interface] (536...
Found slot: Identive CLOUD 2700 R Smart Card Reader [CCID Interface] (536...
Skipped initialized token: Identive CLOUD 2700 R Smart Card Reader [CCID Interface] (536...
Found slot: Identive CLOUD 2700 R Smart Card Reader [CCID Interface] (536...
Skipped initialized token: Identive CLOUD 2700 R Smart Card Reader [CCID Interface] (536...
No matching slots found
The private key was not found at: pkcs11:model=PKCS%2315%20emulated;manufacturer=The%20Company;serial=1234;token=Key%20Card;id=%45;object=Key1;type=private
Could not find private key of signing key from pkcs11:model=PKCS%2315%20emulated;manufacturer=The%20Company;serial=1234;token=Key%20Card;id=%45;object=Key1;type=private

openssl_conf = openssl_init
config_diagnostics = 1

[openssl_init]
providers = provider_sect

[provider_sect]
default = default_sect
pkcs11 = pkcs11_sect

[default_sect]
activate = 0

[pkcs11_sect]
activate = 1
module = /usr/lib/ossl-modules/pkcs11prov.so
pkcs11_module=/usr/lib/opensc-pkcs11.so
identity = pkcs11prov
debug_level = 7
force_login = 1

openssl version 
OpenSSL 3.5.2 5 Aug 2025 (Library: OpenSSL 3.5.2 5 Aug 2025)
#(also with OpenSSL 3.6.0-dev  (Library: OpenSSL 3.6.0-dev ))
opensc-tool --version
OpenSC-0.26.0-348-gbd73fc397, rev: bd73fc397, commit-time: 2025-08-13 16:28:42 +0200
pacman -Q libp11-git
libp11-git 0.4.16.r9.g545a323-1

I guess my problem is: Multiple matching slots (4); will not try to login?

[mtrojnar]

You are seeing four slots, each reporting a token labeled “IDKey Card.” A slot is just a reader interface, while a token is what actually holds the keys and enforces the PIN policy. Depending on the hardware and driver, those four slots may all represent the same token exposed multiple times, or they may represent different tokens inserted in different readers.

In either case, the provider refuses to proceed because the PKCS#11 URI you supplied matches more than one slot:

Multiple matching slots (4); will not try to login

To resolve this, the URI must be unambiguous. RFC 7512 defines attributes such as slot-id and slot-description for exactly this purpose. Our implementation does not currently recognize these attributes. Adding support for slot-id would allow the user to specify a single slot and avoid the multiple-match condition. Until then, the practical workaround is to ensure tokens have distinct labels.

[fabpiaf]

Thanks for the explanation. I already expected exactly that. How can I ensure that the tokens have distinct labels? Is that even something I can influence?