Ubuntu
apache2 package

  1. Bug #2050017
  2. Comment #18

Comment 18 for bug 2050017

Revision history for this message
Andreas Hasenack (ahasenack) wrote : Re: [FFe] [24.04 FEAT] [SEC2339] HSM protected signing support for Apache httpd for openSSL 3.0 with PKCS #11 provider

I may have hit a bug elsewhere first, though. I'm following what I did for a pkcs11 engine test[1], but with the pkcs11-provider package. I'm able to create the RSA key in the softhsm2 token, and even generate a certificate request with it using openssl -provider pkcs11. But when I sign the request with the same key (nonsense, but technically valid), it does sign it, but core dumps at the end:

# openssl x509 -provider pkcs11 -signkey "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=f4561bbe1b739173;token=apache2-hsm-token;id=%BD%06%9A%2E%16%D0%03%85%AE%AF%12%DE%81%0C%DA%3A%56%F2%51%42;object=apache2-hsm-key;type=private" -in apache2-hsm-key.req -out foo
Enter pass phrase for PKCS#11 Token (Slot 460558707 - SoftHSM slot ID 0x1b739173):
Segmentation fault (core dumped)

# cat foo
-----BEGIN CERTIFICATE-----
MIICrzCCAZcCFHRHl/ehMDanzecCjxubJu2fKX5KMA0GCSqGSIb3DQEBCwUAMBQx
EjAQBgNVBAMMCW4taHNtLmx4ZDAeFw0yNDAzMDYxOTAxNDVaFw0yNDA0MDUxOTAx
NDVaMBQxEjAQBgNVBAMMCW4taHNtLmx4ZDCCASIwDQYJKoZIhvcNAQEBBQADggEP
ADCCAQoCggEBAMCkFhFN9NtpzchsT1SlrTDHANe9d5L1NR7FNpXJjCZAkEEkDmP9
4CE5dWp7X2RlGeZ9Ge+EMC84ud2Kx6O5MFoEBi/h8fmy6FPtRBlLyx+wExGLAeRR
puyBE6GpYWDmUlYG1XvwiUmESVZ4U8QJiQgF/0euu8ldbIyqa8zi20dqI+T9HiuL
TDcFnD+95xUbQ6Lsz8F5zbEps5BQZmV7MjsAHNnG24CCwjRpQr244tVeYLDhtVE8
/m7y8HGK29eto9cBypedUxAzzwofLTN3UShb2PX5ffOmT/n0ifxbBC7LpmbbEWT6
47mWvtru/9eME3y3UBs5d928cSxL8d+kGisCAwEAATANBgkqhkiG9w0BAQsFAAOC
AQEACgeFvFFyugMKJtfT5Jgpfk4aBFtcYhJonQ/woqmEi50KU4bbZMQeFXWnNdVx
ktdWRzbxJgIITllUVnSaP7Iyef+6qI35FgrIefqWLr98tT6X2kMuZn1mJU5HuMco
HL4ibOcNNb2PKCJkTVXhJkIQSiEYQoGgevKrxOyjOUIg6OxibWvqATQgWG/9THHF
VnAnaSSkCRO9D5FD4RvLlwTiUS5g/TZJwcbj5bxtuNjTBXY5NdqMATlTdVSbmS1E
SRX06Fsk8mwD1I26/eIRxoD7iGdrvGjA2YXb1OehLTc/rI8eaHEqbfyNliwiJCOA
wuSORq/F24ydDjVYsvbtDV5VkQ==
-----END CERTIFICATE-----

The certificate looks ok, and a quick gdb on the core dump shows it was at shutdown time. But I'm also getting a core dump in apache now when configured to use this cert and hsm key. But also at shutdown. And while running, apache ssl isn't working. Still, it could be because softhsm2 usually requires root access, but I straced it and didn't see any EACCESS errors, and I also added the www-data user to the softhsm group.

Still, the segfault isn't good, and seems to be in either softhsm2 or pkcs11-provider, not apache itself.

1. https://git.launchpad.net/ubuntu/+source/libp11/tree/debian/tests/engine