I'm having difficulties with openssl-pkcs11-sign-provider. I'm getting a sequence of errors, a segfault, and it looks like it's trying to load the rdrand.so *engine*, which we are not shipping (might not even exist anymore?)
# openssl req -provider pkcs11sign -new -key "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=148c784165ed428b;token=test-token;id=%96%7F%20%F2%98%18%D7%15%3D%AF%87%AB%EC%09%25%C5%14%51%2E%E1;object=test-key;type=private" -out test-key.req -text -x509 -subj "/CN=n-hsm.lxd"
Could not open file or uri for loading private key from pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=148c784165ed428b;token=test-token;id=%96%7F%20%F2%98%18%D7%15%3D%AF%87%AB%EC%09%25%C5%14%51%2E%E1;object=test-key;type=private
4067AC93797F0000:error:16000069:STORE routines:ossl_store_get0_loader_int:unregistered scheme:../crypto/store/store_register.c:237:scheme=file
4067AC93797F0000:error:80000002:system library:file_open:No such file or directory:../providers/implementations/storemgmt/file_store.c:267:calling stat(pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=148c784165ed428b;token=test-token;id=%96%7F%20%F2%98%18%D7%15%3D%AF%87%AB%EC%09%25%C5%14%51%2E%E1;object=test-key;type=private)
4067AC93797F0000:error:16000069:STORE routines:ossl_store_get0_loader_int:unregistered scheme:../crypto/store/store_register.c:237:scheme=pkcs11
4067AC93797F0000:error:12800067:DSO support routines:dlfcn_load:could not load the shared library:../crypto/dso/dso_dlfcn.c:118:filename(/usr/lib/x86_64-linux-gnu/engines-3/rdrand.so): /usr/lib/x86_64-linux-gnu/engines-3/rdrand.so: cannot open shared object file: No such file or directory
4067AC93797F0000:error:12800067:DSO support routines:DSO_load:could not load the shared library:../crypto/dso/dso_lib.c:152:
4067AC93797F0000:error:13000084:engine routines:dynamic_load:dso not found:../crypto/engine/eng_dyn.c:442:
4067AC93797F0000:error:13000074:engine routines:ENGINE_by_id:no such engine:../crypto/engine/eng_list.c:430:id=rdrand
Segmentation fault (core dumped)
The openssl config is (abbreviated, and note I have disabled the pkcs11 provider for this test):
[openssl_init]
providers = provider_sect
alg_section = evp_properties

[evp_properties]
default_properties = ?provider=pkcs11sign

[provider_sect]
default = default_sect
#pkcs11 = pkcs11_sect
pkcs11sign = pkcs11sign_sect

[pkcs11sign_sect]
module = /usr/lib/x86_64-linux-gnu/ossl-modules/pkcs11sign.so
identity = pkcs11sign
pkcs11sign-forward = provider=default
pkcs11sign-module-path = /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so
activate = 1

[pkcs11_sect]
module = /usr/lib/x86_64-linux-gnu/ossl-modules/pkcs11.so
pkcs11-module-path = /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so
#pkcs11-module-token-pin = file:/etc/apache2/pin.txt
activate = 0

[default_sect]
activate = 1
The pkcs11sign provider is recognized:
root@n-hsm:~# openssl list -providers
Providers:
default
name: OpenSSL Default Provider
version: 3.0.10
status: active
pkcs11sign
name: PKCS11 signing key provider
version: 1.0.1
status: active
softhsm has the private key:
root@n-hsm:~# p11tool --list-privkeys --login
Token 'test-token' with URL 'pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=148c784165ed428b;token=test-token' requires user PIN
Enter PIN:
Object 0:
URL: pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=148c784165ed428b;token=test-token;id=%96%7F%20%F2%98%18%D7%15%3D%AF%87%AB%EC%09%25%C5%14%51%2E%E1;object=test-key;type=private
Type: Private key (RSA-2048)
Label: test-key
Flags: CKA_WRAP/UNWRAP; CKA_PRIVATE; CKA_NEVER_EXTRACTABLE; CKA_SENSITIVE;
ID: 96:7f:20:f2:98:18:d7:15:3d:af:87:ab:ec:09:25:c5:14:51:2e:e1
And I'm running as root, to avoid permissions problems in /var/lib/softhsm2/tokens
strace confirms /var/lib/softhsm/tokens/* is being accessed by the openssl command.
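The STORE errors in the report ("unregistered scheme ... scheme=pkcs11") say that no loader for the pkcs11: scheme is registered, so OpenSSL never gets as far as resolving the URI. A useful side check while debugging that is to confirm the URI itself selects the object p11tool lists. The script below is an added example, not code from the report or from openssl-pkcs11-sign-provider: it parses a PKCS#11 URI per RFC 7512, percent-decodes the attributes (CKA_ID as raw bytes), and compares them with the fields p11tool printed. KEY_URI and P11TOOL_OBJECT are constructed from the output above; the function names are my own.

```python
# Added example (not from the bug report): parse an RFC 7512 PKCS#11 URI,
# percent-decode its attributes, and check that it selects the object that
# p11tool listed. Sample values are constructed from the report above.
from urllib.parse import unquote_to_bytes

# The URI passed to `openssl req -key` in the report.
KEY_URI = (
    "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;"
    "serial=148c784165ed428b;token=test-token;"
    "id=%96%7F%20%F2%98%18%D7%15%3D%AF%87%AB%EC%09%25%C5%14%51%2E%E1;"
    "object=test-key;type=private"
)

# What `p11tool --list-privkeys --login` printed for the object, reduced to
# the fields a URI can match on (constructed from the report's output).
P11TOOL_OBJECT = {
    "token": "test-token",
    "object": "test-key",
    "type": "private",
    "id": "96:7f:20:f2:98:18:d7:15:3d:af:87:ab:ec:09:25:c5:14:51:2e:e1",
}


def parse_pkcs11_uri(uri):
    """Split a pkcs11: URI into (path_attrs, query_attrs).

    RFC 7512 path attributes (token, id, object, ...) are ';'-separated and
    come first; query attributes (pin-value, module-path, ...) follow '?'
    and are '&'-separated. Every value is percent-decoded. 'id' is binary
    (CKA_ID) and is returned as bytes; all other values as str.
    """
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path, _, query = uri[len("pkcs11:"):].partition("?")

    def split(part, sep):
        attrs = {}
        for item in part.split(sep):
            if not item:
                continue
            name, eq, value = item.partition("=")
            if not eq:
                raise ValueError(f"attribute without '=': {item!r}")
            if name in attrs:
                raise ValueError(f"duplicate attribute: {name}")
            raw = unquote_to_bytes(value)
            attrs[name] = raw if name == "id" else raw.decode("utf-8")
        return attrs

    return split(path, ";"), split(query, "&")


def id_as_hex(cka_id):
    """Render a CKA_ID the way p11tool prints it: lowercase hex, colon-separated."""
    return ":".join(f"{b:02x}" for b in cka_id)


def uri_selects_object(uri, listed):
    """Return (ok, mismatches). ok is True when every path attribute in the
    URI that the listing also carries agrees with it. Token-level attributes
    the listing lacks (model, manufacturer, serial) are not compared here."""
    path_attrs, _ = parse_pkcs11_uri(uri)
    mismatches = []
    for name, value in path_attrs.items():
        if name not in listed:
            continue
        shown = id_as_hex(value) if name == "id" else value
        if shown != listed[name]:
            mismatches.append((name, shown, listed[name]))
    return not mismatches, mismatches


if __name__ == "__main__":
    attrs, _ = parse_pkcs11_uri(KEY_URI)
    print("token:", attrs["token"], "object:", attrs["object"])
    print("id:", id_as_hex(attrs["id"]))
    print("URI selects listed object:", uri_selects_object(KEY_URI, P11TOOL_OBJECT))
```

If the id or label in the URI disagrees with what p11tool prints, the second element of the returned tuple names the field; when they agree, as they do for the report's values, the remaining problem is on the OpenSSL side (no registered loader for the pkcs11: scheme), not in the URI.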