Hello, I'm trying to reproduce this in jammy, but so far things are working. I tried with p11tool, pkcs11-tool, and openssl configured with a pkcs11 engine. I don't doubt the issue exists; I'm definitely just missing something in this very complicated stack.

My testing has been around loading certificates and keys into a smart card by forcing specific labels and IDs. In particular, my last test was forcing an empty label and different IDs, and then specifying the object I want via a pkcs11 URL of the form "pkcs11:id=%XX". The bug report at https://github.com/OpenSC/libp11/issues/435 specifically mentioned the case of different IDs but the same (empty) label, so that's what I tried. That bug report doesn't show the exact commands that were being tried, nor how to produce that debug output.

What I have loaded:

$ p11tool --login --list-all
Token 'label1' with URL 'pkcs11:model=19C43A06010D0000;manufacturer=A.E.T.%20Europe%20B.V.;serial=0191001F00670608;token=label1' requires user PIN
Enter PIN:
Object 0:
    URL: pkcs11:model=19C43A06010D0000;manufacturer=A.E.T.%20Europe%20B.V.;serial=0191001F00670608;token=label1;id=%99;type=cert
    Type: X.509 Certificate (RSA-2048)
    Expires: Sat Sep 3 16:30:50 2022
    Label:
    Flags: CKA_PRIVATE;
    ID: 99

Object 1:
    URL: pkcs11:model=19C43A06010D0000;manufacturer=A.E.T.%20Europe%20B.V.;serial=0191001F00670608;token=label1;id=%11;type=cert
    Type: X.509 Certificate (RSA-2048)
    Expires: Sat Sep 3 16:33:27 2022
    Label:
    Flags: CKA_PRIVATE;
    ID: 11

Object 2:
    URL: pkcs11:model=19C43A06010D0000;manufacturer=A.E.T.%20Europe%20B.V.;serial=0191001F00670608;token=label1;id=%11;type=public
    Type: Public key (RSA-2048)
    Label:
    Flags: CKA_WRAP/UNWRAP;
    ID: 11

Object 3:
    URL: pkcs11:model=19C43A06010D0000;manufacturer=A.E.T.%20Europe%20B.V.;serial=0191001F00670608;token=label1;id=%99;type=public
    Type: Public key (RSA-2048)
    Label:
    Flags: CKA_WRAP/UNWRAP;
    ID: 99

Object 4:
    URL: pkcs11:model=19C43A06010D0000;manufacturer=A.E.T.%20Europe%20B.V.;serial=0191001F00670608;token=label1;id=%99;type=private
    Type: Private key (RSA-2048)
    Label:
    Flags: CKA_WRAP/UNWRAP; CKA_PRIVATE; CKA_SENSITIVE;
    ID: 99

Object 5:
    URL: pkcs11:model=19C43A06010D0000;manufacturer=A.E.T.%20Europe%20B.V.;serial=0191001F00670608;token=label1;id=%11;type=private
    Type: Private key (RSA-2048)
    Label:
    Flags: CKA_WRAP/UNWRAP; CKA_PRIVATE; CKA_SENSITIVE;
    ID: 11

Object 6:
    URL: pkcs11:model=19C43A06010D0000;manufacturer=A.E.T.%20Europe%20B.V.;serial=0191001F00670608;token=label1;object=User%20Pin
    Type: Unknown
    Label: User Pin
    Flags: CKA_SENSITIVE;
    ID:

Object 7:
    URL: pkcs11:model=19C43A06010D0000;manufacturer=A.E.T.%20Europe%20B.V.;serial=0191001F00670608;token=label1;object=SO%20Pin
    Type: Unknown
    Label: SO Pin
    Flags: CKA_SENSITIVE;
    ID:

Object 8:
    URL: pkcs11:model=19C43A06010D0000;manufacturer=A.E.T.%20Europe%20B.V.;serial=0191001F00670608;token=label1
    Type: Unknown
    Label:
    ID:

Filtering by id seems to work fine:

$ p11tool --login --list-all "pkcs11:id=%11"
Token 'label1' with URL 'pkcs11:model=19C43A06010D0000;manufacturer=A.E.T.%20Europe%20B.V.;serial=0191001F00670608;token=label1' requires user PIN
Enter PIN:
Object 0:
    URL: pkcs11:model=19C43A06010D0000;manufacturer=A.E.T.%20Europe%20B.V.;serial=0191001F00670608;token=label1;id=%11;type=cert
    Type: X.509 Certificate (RSA-2048)
    Expires: Sat Sep 3 16:33:27 2022
    Label:
    Flags: CKA_PRIVATE;
    ID: 11

Object 1:
    URL: pkcs11:model=19C43A06010D0000;manufacturer=A.E.T.%20Europe%20B.V.;serial=0191001F00670608;token=label1;id=%11;type=public
    Type: Public key (RSA-2048)
    Label:
    Flags: CKA_WRAP/UNWRAP;
    ID: 11

Object 2:
    URL: pkcs11:model=19C43A06010D0000;manufacturer=A.E.T.%20Europe%20B.V.;serial=0191001F00670608;token=label1;id=%11;type=private
    Type: Private key (RSA-2048)
    Label:
    Flags: CKA_WRAP/UNWRAP; CKA_PRIVATE; CKA_SENSITIVE;
    ID: 11

Likewise for ID 99.

I then tried encrypting something using a specific key ID, and decrypting it using the same key ID (in which case it would have to pick the right private key), and it always worked, regardless of whether I used key 11 or 99.

$ openssl rsautl -encrypt -inkey "pkcs11:id=%99" -engine pkcs11 -pubin -in secret.txt -out secret.enc -keyform engine
The command rsautl was deprecated in version 3.0. Use 'pkeyutl' instead.
Engine "pkcs11" set.

$ openssl rsautl -engine pkcs11 -keyform engine -decrypt -inkey "pkcs11:id=%99" -in secret.enc
The command rsautl was deprecated in version 3.0. Use 'pkeyutl' instead.
Engine "pkcs11" set.
Enter PKCS#11 token PIN for label1:
secret

And if I specify the ID of the non-matching private key, decryption doesn't work:

$ openssl rsautl -engine pkcs11 -keyform engine -decrypt -inkey "pkcs11:id=%11" -in secret.enc
The command rsautl was deprecated in version 3.0. Use 'pkeyutl' instead.
Engine "pkcs11" set.
Enter PKCS#11 token PIN for label1:

So, could you please give some steps on how to reproduce the problem, or at least the type of command that was picking up the wrong key or certificate?
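As an added illustration of the object-selection logic being tested in the comment above (this is a constructed model written for this page, not code from libp11, p11tool, OpenSSL or the bug report): a minimal RFC 7512 PKCS#11 URL parser and object matcher, run over an object table copied from the p11tool listing. It shows why `pkcs11:id=%11` yields exactly the three objects that share that CKA_ID, why adding `type=private` narrows it to one, and why an explicitly empty label (`object=`) is ambiguous on this token, which is the situation the linked issue describes. Function and variable names, and the return-None-on-ambiguity policy, are my own assumptions.

```python
from urllib.parse import unquote_to_bytes

# Constructed object table mirroring the `p11tool --login --list-all` output
# quoted above: two RSA key pairs with certificates, all with an EMPTY label,
# distinguished only by CKA_ID (0x11 and 0x99), plus the token's PIN objects
# and one unlabelled object with no ID.
TOKEN_OBJECTS = [
    {"id": b"\x99", "label": "", "type": "cert"},
    {"id": b"\x11", "label": "", "type": "cert"},
    {"id": b"\x11", "label": "", "type": "public"},
    {"id": b"\x99", "label": "", "type": "public"},
    {"id": b"\x99", "label": "", "type": "private"},
    {"id": b"\x11", "label": "", "type": "private"},
    {"id": None, "label": "User Pin", "type": None},
    {"id": None, "label": "SO Pin", "type": None},
    {"id": None, "label": "", "type": None},
]


def parse_pkcs11_url(url):
    """Parse the path part of an RFC 7512 `pkcs11:` URL into a dict.

    Values are percent-decoded. `id` is kept as raw bytes because CKA_ID is a
    byte string on the token: `id=%11` means the single byte 0x11, not "11".
    Token-level attributes (model, manufacturer, serial, token, ...) are
    returned too, but the matcher below ignores them since one token is present.
    """
    if not url.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URL")
    path, _, _query = url[len("pkcs11:"):].partition("?")
    attrs = {}
    for part in path.split(";"):
        if not part:
            continue
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError("malformed attribute: %r" % part)
        if name in attrs:
            raise ValueError("duplicate attribute: %s" % name)
        raw = unquote_to_bytes(value)
        attrs[name] = raw if name == "id" else raw.decode("utf-8")
    return attrs


def match_objects(objects, url):
    """Return every object satisfying all object-level attributes in `url`.

    An attribute absent from the URL matches anything, so `pkcs11:id=%11`
    selects the cert, public key and private key that share that ID. An
    explicit empty label (`object=`) is not "absent": it matches only objects
    whose CKA_LABEL is empty, which on this token is most of them.
    """
    attrs = parse_pkcs11_url(url)
    want_id = attrs.get("id")
    want_label = attrs.get("object")
    want_type = attrs.get("type")
    matched = []
    for obj in objects:
        if want_id is not None and obj["id"] != want_id:
            continue
        if want_label is not None and obj["label"] != want_label:
            continue
        if want_type is not None and obj["type"] != want_type:
            continue
        matched.append(obj)
    return matched


def select_unique(objects, url):
    """Return the single matching object, or None on zero or several matches.

    A consumer that instead takes the first hit would silently use whichever
    object the token enumerates first; that is the behaviour to look for when
    several keys share an empty label and the URL does not pin the ID.
    """
    hits = match_objects(objects, url)
    return hits[0] if len(hits) == 1 else None


if __name__ == "__main__":
    for u in ("pkcs11:id=%11", "pkcs11:id=%99;type=private",
              "pkcs11:object=", "pkcs11:object=;type=private"):
        print("%-32s -> %d match(es)" % (u, len(match_objects(TOKEN_OBJECTS, u))))
```

Run it as a script to see the match counts; the interesting rows are `pkcs11:object=` (seven objects share the empty label) and `pkcs11:object=;type=private` (still two candidates), which is why only the `id` attribute disambiguates the two private keys in the listing above.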