Comment 21 for bug 2050017

Andreas Hasenack (ahasenack) wrote : Re: [FFe] [24.04 FEAT] [SEC2339] HSM protected signing support for Apache httpd for openSSL 3.0 with PKCS #11 provider

I'm having difficulties with openssl-pkcs11-sign-provider. I'm getting a sequence of errors, a segfault, and it looks like it's trying to load the rdrand.so *engine*, which we are not shipping (might not even exist anymore?)

# openssl req -provider pkcs11sign -new -key "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=148c784165ed428b;token=test-token;id=%96%7F%20%F2%98%18%D7%15%3D%AF%87%AB%EC%09%25%C5%14%51%2E%E1;object=test-key;type=private" -out test-key.req -text -x509 -subj "/CN=n-hsm.lxd"
Could not open file or uri for loading private key from pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=148c784165ed428b;token=test-token;id=%96%7F%20%F2%98%18%D7%15%3D%AF%87%AB%EC%09%25%C5%14%51%2E%E1;object=test-key;type=private
4067AC93797F0000:error:16000069:STORE routines:ossl_store_get0_loader_int:unregistered scheme:../crypto/store/store_register.c:237:scheme=file
4067AC93797F0000:error:80000002:system library:file_open:No such file or directory:../providers/implementations/storemgmt/file_store.c:267:calling stat(pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=148c784165ed428b;token=test-token;id=%96%7F%20%F2%98%18%D7%15%3D%AF%87%AB%EC%09%25%C5%14%51%2E%E1;object=test-key;type=private)
4067AC93797F0000:error:16000069:STORE routines:ossl_store_get0_loader_int:unregistered scheme:../crypto/store/store_register.c:237:scheme=pkcs11
4067AC93797F0000:error:12800067:DSO support routines:dlfcn_load:could not load the shared library:../crypto/dso/dso_dlfcn.c:118:filename(/usr/lib/x86_64-linux-gnu/engines-3/rdrand.so): /usr/lib/x86_64-linux-gnu/engines-3/rdrand.so: cannot open shared object file: No such file or directory
4067AC93797F0000:error:12800067:DSO support routines:DSO_load:could not load the shared library:../crypto/dso/dso_lib.c:152:
4067AC93797F0000:error:13000084:engine routines:dynamic_load:dso not found:../crypto/engine/eng_dyn.c:442:
4067AC93797F0000:error:13000074:engine routines:ENGINE_by_id:no such engine:../crypto/engine/eng_list.c:430:id=rdrand
Segmentation fault (core dumped)

The openssl config is (abbreviated, and note I have disabled the pkcs11 provider for this test):

[openssl_init]
providers = provider_sect
alg_section = evp_properties

[evp_properties]
default_properties = ?provider=pkcs11sign

[provider_sect]
default = default_sect
#pkcs11 = pkcs11_sect
pkcs11sign = pkcs11sign_sect

[pkcs11sign_sect]
module = /usr/lib/x86_64-linux-gnu/ossl-modules/pkcs11sign.so
identity = pkcs11sign
pkcs11sign-forward = provider=default
pkcs11sign-module-path = /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so
activate = 1

[pkcs11_sect]
module = /usr/lib/x86_64-linux-gnu/ossl-modules/pkcs11.so
pkcs11-module-path = /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so
#pkcs11-module-token-pin = file:/etc/apache2/pin.txt
activate = 0

[default_sect]
activate = 1

The pkcs11sign provider is recognized:

root@n-hsm:~# openssl list -providers
Providers:
  default
    name: OpenSSL Default Provider
    version: 3.0.10
    status: active
  pkcs11sign
    name: PKCS11 signing key provider
    version: 1.0.1
    status: active

softhsm has the private key:

root@n-hsm:~# p11tool --list-privkeys --login
Token 'test-token' with URL 'pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=148c784165ed428b;token=test-token' requires user PIN
Enter PIN:
Object 0:
        URL: pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=148c784165ed428b;token=test-token;id=%96%7F%20%F2%98%18%D7%15%3D%AF%87%AB%EC%09%25%C5%14%51%2E%E1;object=test-key;type=private
        Type: Private key (RSA-2048)
        Label: test-key
        Flags: CKA_WRAP/UNWRAP; CKA_PRIVATE; CKA_NEVER_EXTRACTABLE; CKA_SENSITIVE;
        ID: 96:7f:20:f2:98:18:d7:15:3d:af:87:ab:ec:09:25:c5:14:51:2e:e1

And I'm running as root, to avoid permission problems in /var/lib/softhsm2/tokens.

strace confirms /var/lib/softhsm/tokens/* is being accessed by the openssl command.
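Added example, not part of the comment above: a small RFC 7512 PKCS#11 URI parser that percent-decodes the key URI quoted in this report and checks that its binary id attribute is the same CKA_ID that p11tool lists, which rules out a malformed or mis-escaped URI before looking at provider loading. The URI and the p11tool ID string are copied from the report; the function names are my own.

```python
from urllib.parse import unquote_to_bytes

# PKCS#11 URI exactly as passed to `openssl req -key` in the report above
KEY_URI = ("pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;"
           "serial=148c784165ed428b;token=test-token;"
           "id=%96%7F%20%F2%98%18%D7%15%3D%AF%87%AB%EC%09%25%C5%14%51%2E%E1;"
           "object=test-key;type=private")

# CKA_ID of the same object as printed by `p11tool --list-privkeys` above
P11TOOL_ID = "96:7f:20:f2:98:18:d7:15:3d:af:87:ab:ec:09:25:c5:14:51:2e:e1"


def parse_pkcs11_uri(uri: str) -> dict:
    """Parse the path attributes of an RFC 7512 PKCS#11 URI.

    Every value is percent-decoded once.  'id' is kept as raw bytes
    because CKA_ID is binary (note %25 in the id above is the byte
    0x25, not an escaped '%'); all other attributes are UTF-8 text.
    Query attributes (pin-value, module-path, ...) are ignored here.
    """
    scheme, sep, rest = uri.partition(":")
    if not sep or scheme != "pkcs11":
        raise ValueError(f"not a pkcs11 URI: {uri!r}")
    path, _, _query = rest.partition("?")
    attrs = {}
    for component in filter(None, path.split(";")):
        name, eq, value = component.partition("=")
        if not eq:
            raise ValueError(f"malformed path component: {component!r}")
        raw = unquote_to_bytes(value)
        attrs[name] = raw if name == "id" else raw.decode("utf-8")
    return attrs


def id_matches_p11tool(uri: str, p11tool_id: str) -> bool:
    """True if the URI's id decodes to the colon-separated hex CKA_ID
    string that p11tool prints for the object."""
    attrs = parse_pkcs11_uri(uri)
    return attrs.get("id", b"").hex(":") == p11tool_id.strip().lower()


if __name__ == "__main__":
    a = parse_pkcs11_uri(KEY_URI)
    print(a["token"], a["object"], a["type"], a["id"].hex(":"))
    print("id matches p11tool listing:", id_matches_p11tool(KEY_URI, P11TOOL_ID))
```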