I may have hit a bug elsewhere first, though. I'm following what I did for a pkcs11 engine test[1], but with the pkcs11-provider package. I'm able to create the RSA key in the softhsm2 token, and even generate a certificate request with it using openssl -provider pkcs11. But when I sign the request with the same key (nonsense, but technically valid), it does sign it, but core dumps at the end:
# openssl x509 -provider pkcs11 -signkey "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=f4561bbe1b739173;token=apache2-hsm-token;id=%BD%06%9A%2E%16%D0%03%85%AE%AF%12%DE%81%0C%DA%3A%56%F2%51%42;object=apache2-hsm-key;type=private" -in apache2-hsm-key.req -out foo
Enter pass phrase for PKCS#11 Token (Slot 460558707 - SoftHSM slot ID 0x1b739173):
Segmentation fault (core dumped)
The certificate looks ok, and a quick gdb on the core dump shows it was at shutdown time. But I'm also getting a core dump in apache now when configured to use this cert and hsm key. But also at shutdown. And while running, apache ssl isn't working. Still, it could be because softhsm2 usually requires root access, but I straced it and didn't see any EACCES errors, and I also added the www-data user to the softhsm group.
Still, the segfault isn't good, and seems to be in either softhsm2 or pkcs11-provider, not apache itself.
1. https://git.launchpad.net/ubuntu/+source/libp11/tree/debian/tests/engine