Comment 20 for bug 1987938

Gil Weis (gilweis) wrote (last edit):

Performing the verification for Jammy.

First, creating RSA keys for:
- softhsm2
- yubikey5
- lunahsm

Creating openssl configuration files:

openssl_softhsm.cnf:
...
[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib/x86_64-linux-gnu/engines-3/libpkcs11.so
MODULE_PATH = /usr/lib/softhsm/libsofthsm2.so
PIN = $ENV::engine_pin
init = 0

openssl_yubikey.cnf:
...
[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib/x86_64-linux-gnu/engines-3/libpkcs11.so
MODULE_PATH = /usr/lib/x86_64-linux-gnu/libykcs11.so
PIN = $ENV::engine_pin
init = 0

openssl_lunahsm.cnf:
...
[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib/x86_64-linux-gnu/engines-3/libpkcs11.so
MODULE_PATH = /usr/safenet/lunaclient/lib/libCryptoki2_64.so
PIN = $ENV::engine_pin
init = 0

Reproducing the issue:
======================

$ apt policy libengine-pkcs11-openssl
libengine-pkcs11-openssl:
  Installed: 0.4.11-1build3
  Candidate: 0.4.11-1build3
  Version table:
 *** 0.4.11-1build3 500
        500 http://archive.ubuntu.com/ubuntu jammy/universe amd64 Packages
        100 /var/lib/dpkg/status

test with softhsm:
export SOFTHSM2_CONF=~/.config/softhsm2/softhsm2.conf
engine_pin=1234 OPENSSL_CONF=~/conf/yubikey/openssl_engine_softhsm.cnf \
 openssl req -new -batch -engine pkcs11 -keyform engine -key "pkcs11:token=Key pairs;object=aaa;object-type=private" -out /tmp/mytest_softhsm.csr
==> OK

test with yubikey:
engine_pin=123456 OPENSSL_CONF=~/conf/yubikey/openssl_engine_yubikey.cnf \
 openssl req -new -batch -engine pkcs11 -keyform engine -key "pkcs11:token=YubiKey PIV #13334408;object=Private key for Digital Signature;object-type=private" -out /tmp/mytest_yubikey.csr
==> OK

test with lunahsm:
engine_pin=123456 OPENSSL_CONF=~/conf/yubikey/openssl_engine_lunahsm.cnf \
 openssl req -new -batch -engine pkcs11 -keyform engine -key "pkcs11:token=Key pairs;object=aaa;object-type=private" -out /tmp/mytest_lunahsm.csr
==> FAIL

Confirming that the new package fixes the bug:
==============================================

$ apt policy libengine-pkcs11-openssl
libengine-pkcs11-openssl:
  Installed: 0.4.11-1ubuntu0.22.04.1
  Candidate: 0.4.11-1ubuntu0.22.04.1
  Version table:
 *** 0.4.11-1ubuntu0.22.04.1 500
        500 http://archive.ubuntu.com/ubuntu jammy-proposed/universe amd64 Packages
        100 /var/lib/dpkg/status
     0.4.11-1build3 500
        500 http://archive.ubuntu.com/ubuntu jammy/universe amd64 Packages

test with softhsm:
export SOFTHSM2_CONF=~/.config/softhsm2/softhsm2.conf
engine_pin=1234 OPENSSL_CONF=~/conf/yubikey/openssl_engine_softhsm.cnf \
 openssl req -new -batch -engine pkcs11 -keyform engine -key "pkcs11:token=Key pairs;object=aaa;object-type=private" -out /tmp/mytest_softhsm.csr
==> OK

test with yubikey:
engine_pin=123456 OPENSSL_CONF=~/conf/yubikey/openssl_engine_yubikey.cnf \
 openssl req -new -batch -engine pkcs11 -keyform engine -key "pkcs11:token=YubiKey PIV #13334408;object=Private key for Digital Signature;object-type=private" -out /tmp/mytest_yubikey.csr
==> OK

test with lunahsm:
engine_pin=123456 OPENSSL_CONF=~/conf/yubikey/openssl_engine_lunahsm.cnf \
 openssl req -new -batch -engine pkcs11 -keyform engine -key "pkcs11:token=Key pairs;object=aaa;object-type=private" -out /tmp/mytest_lunahsm.csr
==> OK

This concludes the verification.
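The three configuration files above differ only in MODULE_PATH, and each test run is the same openssl req call with the PIN supplied through the environment. The script below is an added example, not part of the comment or of the libp11 package: it generates that engine configuration for any PKCS#11 module (filling in the [openssl_init] preamble the comment elides with "..."), checks that the PIN is referenced via $ENV::engine_pin rather than written into the file, and runs the same CSR test per backend. The engine path is the Jammy default shown above; the function names, the exit-code convention and the SKIP handling for hosts without the module are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the bug report. Generates the libp11 engine
# configuration used in the verification above for any PKCS#11 module and runs
# the same CSR test against it, one backend at a time. The engine path is the
# Jammy default from the comment; module path, key URI and PIN are parameters.
# The PIN reaches the engine through the environment (PIN = $ENV::engine_pin),
# so it never appears on the command line (visible in `ps`) or in the config.

# write_pkcs11_conf OUTFILE MODULE_PATH
# Emits a complete openssl.cnf (the comment elides the [openssl_init] preamble)
# that loads the pkcs11 engine and the given PKCS#11 module.
write_pkcs11_conf() {
    cat > "$1" <<EOF
openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib/x86_64-linux-gnu/engines-3/libpkcs11.so
MODULE_PATH = $2
PIN = \$ENV::engine_pin
init = 0
EOF
}

# conf_pin_is_env CONF
# Returns 0 only if the PIN line defers to the environment instead of holding
# a literal PIN value.
conf_pin_is_env() {
    grep -q '^PIN = \$ENV::engine_pin$' "$1"
}

# csr_from_token CONF KEY_URI OUT PIN
# The openssl req invocation from the comment; OPENSSL_CONF and the PIN are
# set only in the environment of this one openssl process.
csr_from_token() {
    env OPENSSL_CONF="$1" engine_pin="$4" \
        openssl req -new -batch -engine pkcs11 -keyform engine \
            -key "$2" -out "$3" >/dev/null 2>&1
}

# verify_backend NAME MODULE_PATH KEY_URI PIN
# Exit status (assumed convention): 0 = OK, 1 = FAIL, 2 = PIN written into the
# config, 3 = skipped because openssl or the module is not present on this host.
verify_backend() {
    name=$1 module=$2 uri=$3 pin=$4
    conf=$(mktemp) csr=$(mktemp)
    write_pkcs11_conf "$conf" "$module"
    rc=0
    if ! conf_pin_is_env "$conf"; then
        printf '%s ==> PIN not taken from environment in %s\n' "$name" "$conf"
        rc=2
    elif ! command -v openssl >/dev/null 2>&1 || [ ! -r "$module" ]; then
        printf '%s ==> SKIP (openssl or %s not available)\n' "$name" "$module"
        rc=3
    elif csr_from_token "$conf" "$uri" "$csr" "$pin"; then
        printf '%s ==> OK\n' "$name"
    else
        printf '%s ==> FAIL\n' "$name"
        rc=1
    fi
    rm -f "$conf" "$csr"
    return "$rc"
}

# Usage for the three backends from the comment, with PINs read from the
# caller's environment rather than typed into the command line:
#   verify_backend softhsm /usr/lib/softhsm/libsofthsm2.so \
#       'pkcs11:token=Key pairs;object=aaa;object-type=private' "$SOFTHSM_PIN"
#   verify_backend yubikey /usr/lib/x86_64-linux-gnu/libykcs11.so \
#       'pkcs11:token=YubiKey PIV #13334408;object=Private key for Digital Signature;object-type=private' "$YUBIKEY_PIN"
#   verify_backend lunahsm /usr/safenet/lunaclient/lib/libCryptoki2_64.so \
#       'pkcs11:token=Key pairs;object=aaa;object-type=private' "$LUNA_PIN"
```

For softhsm the SOFTHSM2_CONF variable still has to be exported before calling verify_backend, exactly as in the comment; the script does not set it. On a host where a module is missing the backend is reported as SKIP rather than FAIL, so the OK/FAIL lines can be read one-to-one against the verification above.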