Comment 22 for bug 2050017

Andreas Hasenack (ahasenack) wrote : Re: [FFe] [24.04 FEAT] [SEC2339] HSM protected signing support for Apache httpd for openSSL 3.0 with PKCS #11 provider

It's really trying to open the pkcs11 URI as a file... :/

newfstatat(AT_FDCWD, "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=148c784165ed428b;token=test-token;id=%96%7F%20%F2%98%18%D7%15%3D%AF%87%AB%EC%09%25%C5%14%51%2E%E1;object=test-key;type=private;pin-value=1234", 0x7ffca135a450, 0) = -1 ENOENT (No such file or directory)

I think something in my setup broke, because it's also failing with the pkcs11 module which worked before(tm).

UPDATE: hm, having only one pkcs11 provider loaded at once seems better. It kind of worked when I commented out (removed) pkcs11sign from ssl.cnf. I still get a core dump, but the request file is generated:

# openssl req -provider pkcs11 -new -key "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=148c784165ed428b;token=test-token;id=%96%7F%20%F2%98%18%D7%15%3D%AF%87%AB%EC%09%25%C5%14%51%2E%E1;object=test-key;type=private;pin-value=1234" -out test-key.req -text -x509 -subj "/CN=n-hsm.lxd"
Segmentation fault (core dumped)

# l test-key.req
-rw-r--r-- 1 root root 4.3K Mar 6 20:18 test-key.req

Still, with just pkcs11sign, and no pkcs11, it still didn't work.

UPDATE2: the stat on the pkcs11 URI as a file also happens with the pkcs11 provider, so it's probably unrelated (like an attempt: is it a file? No? Ok, is it something else? And so on).