Performing the verification for Jammy.

First, creating RSA keys for:
- softhsm2
- yubikey5
- lunahsm

Creating openssl configuration files:

openssl_softhsm.cnf:
...
[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib/x86_64-linux-gnu/engines-3/libpkcs11.so
MODULE_PATH = /usr/lib/softhsm/libsofthsm2.so
PIN = $ENV::engine_pin
init = 0

openssl_yubikey.cnf:
...
[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib/x86_64-linux-gnu/engines-3/libpkcs11.so
MODULE_PATH = /usr/lib/x86_64-linux-gnu/libykcs11.so
PIN = $ENV::engine_pin
init = 0

openssl_lunahsm.cnf:
...
[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib/x86_64-linux-gnu/engines-3/libpkcs11.so
MODULE_PATH = /usr/safenet/lunaclient/lib/libCryptoki2_64.so
PIN = $ENV::engine_pin
init = 0

reproducing the issue:
======================

$ apt policy libengine-pkcs11-openssl
libengine-pkcs11-openssl:
  Installed: 0.4.11-1build3
  Candidate: 0.4.11-1build3
  Version table:
 *** 0.4.11-1build3 500
        500 http://archive.ubuntu.com/ubuntu jammy/universe amd64 Packages
        100 /var/lib/dpkg/status

test with softhsm:
export SOFTHSM2_CONF=~/.config/softhsm2/softhsm2.conf
engine_pin=1234 OPENSSL_CONF=~/conf/yubikey/openssl_engine_softhsm.cnf \
openssl req -new -batch -engine pkcs11 -keyform engine -key "pkcs11:token=Key pairs;object=aaa;object-type=private" -out /tmp/mytest_softhsm.csr
==> OK

test with yubikey:
engine_pin=123456 OPENSSL_CONF=~/conf/yubikey/openssl_engine_yubikey.cnf \
openssl req -new -batch -engine pkcs11 -keyform engine -key "pkcs11:token=YubiKey PIV #13334408;object=Private key for Digital Signature;object-type=private" -out /tmp/mytest_yubikey.csr
==> OK

test with lunahsm:
engine_pin=123456 OPENSSL_CONF=~/conf/yubikey/openssl_engine_lunahsm.cnf \
openssl req -new -batch -engine pkcs11 -keyform engine -key "pkcs11:token=Key pairs;object=aaa;object-type=private" -out /tmp/mytest_lunahsm.csr
==> FAIL

confirming that the new package fixes the bug:
==============================================

$ apt policy libengine-pkcs11-openssl
libengine-pkcs11-openssl:
  Installed: 0.4.11-1ubuntu0.22.04.1
  Candidate: 0.4.11-1ubuntu0.22.04.1
  Version table:
 *** 0.4.11-1ubuntu0.22.04.1 500
        500 http://archive.ubuntu.com/ubuntu jammy-proposed/universe amd64 Packages
        100 /var/lib/dpkg/status
     0.4.11-1build3 500
        500 http://archive.ubuntu.com/ubuntu jammy/universe amd64 Packages

test with softhsm:
export SOFTHSM2_CONF=~/.config/softhsm2/softhsm2.conf
engine_pin=1234 OPENSSL_CONF=~/conf/yubikey/openssl_engine_softhsm.cnf \
openssl req -new -batch -engine pkcs11 -keyform engine -key "pkcs11:token=Key pairs;object=aaa;object-type=private" -out /tmp/mytest_softhsm.csr
==> OK

test with yubikey:
engine_pin=123456 OPENSSL_CONF=~/conf/yubikey/openssl_engine_yubikey.cnf \
openssl req -new -batch -engine pkcs11 -keyform engine -key "pkcs11:token=YubiKey PIV #13334408;object=Private key for Digital Signature;object-type=private" -out /tmp/mytest_yubikey.csr
==> OK

test with lunahsm:
engine_pin=123456 OPENSSL_CONF=~/conf/yubikey/openssl_engine_lunahsm.cnf \
openssl req -new -batch -engine pkcs11 -keyform engine -key "pkcs11:token=Key pairs;object=aaa;object-type=private" -out /tmp/mytest_lunahsm.csr
==> OK

This concludes the verification.
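As an added worked example (not part of the verification comment above and not the package's own test script), here is the softhsm2 leg of the same check as a stand-alone POSIX shell script that can be run on a clean Jammy box: it creates a throwaway SoftHSM2 token, generates an RSA key in it with pkcs11-tool, writes an engine config carrying the same [pkcs11_section] as above, produces a CSR through the pkcs11 engine and then verifies the CSR's self-signature, which is the part a broken engine build can silently get wrong. It assumes the packages softhsm2, opensc, libengine-pkcs11-openssl and openssl 3.x; the head of the config that the comment elides with "...", the [req] section, the token directory, the token/key labels and the PINs are assumptions. It also percent-encodes the pkcs11 URI attributes as RFC 7512 requires, whereas the commands above rely on libp11 accepting a literal space in "Key pairs". Where the tooling is not installed it reports SKIP rather than FAIL.

```shell
#!/bin/sh
# Added example (not from the verification comment above): reproduce the
# softhsm2 leg end to end on Ubuntu 22.04. Assumes softhsm2, opensc,
# libengine-pkcs11-openssl and openssl 3.x are installed. Token label, key
# label, PINs and the temporary token directory are assumptions.
ENGINE_SO=/usr/lib/x86_64-linux-gnu/engines-3/libpkcs11.so
SOFTHSM_SO=/usr/lib/softhsm/libsofthsm2.so

# Percent-encode one pkcs11 URI attribute value (RFC 7512): keep the unreserved
# set, encode everything else as %XX. The comment above passes "Key pairs" with
# a literal space, which libp11 tolerates; the encoded form is the portable one.
# ASCII input assumed.
uri_encode() {
    s=$1
    out=''
    while [ -n "$s" ]; do
        rest=${s#?}            # everything after the first character
        c=${s%"$rest"}         # the first character itself
        case $c in
            [A-Za-z0-9._~-]) out="$out$c" ;;
            *) out="$out$(printf '%%%02X' "'$c")" ;;   # "'c" -> code point
        esac
        s=$rest
    done
    printf '%s\n' "$out"
}

# Private-key URI for a token/object pair. "type=" is the RFC 7512 attribute;
# libp11 also accepts the older "object-type=" spelling used in the comment.
pkcs11_uri() {
    printf 'pkcs11:token=%s;object=%s;type=private\n' \
        "$(uri_encode "$1")" "$(uri_encode "$2")"
}

# Write an OpenSSL config that loads the pkcs11 engine for PKCS#11 module $2.
# [pkcs11_section] is the one from the comment; the head and the [req] section
# stand in for the part it elides with "...". The PIN is taken from $engine_pin
# at run time, so it never lands on disk.
write_engine_conf() {
    cat > "$1" <<EOF
openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[req]
distinguished_name = req_dn
prompt = no

[req_dn]
CN = pkcs11-engine-test

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = $ENGINE_SO
MODULE_PATH = $2
PIN = \$ENV::engine_pin
init = 0
EOF
}

# Full softhsm2 round trip. Prints OK, FAIL, or SKIP (tooling absent) on stdout.
run_softhsm_csr() {
    for t in softhsm2-util pkcs11-tool openssl; do
        command -v "$t" >/dev/null 2>&1 || { echo SKIP; return 0; }
    done
    [ -f "$ENGINE_SO" ] && [ -f "$SOFTHSM_SO" ] || { echo SKIP; return 0; }

    work=$(mktemp -d) || { echo FAIL; return 0; }
    mkdir -p "$work/tokens"
    printf 'directories.tokendir = %s\n' "$work/tokens" > "$work/softhsm2.conf"
    SOFTHSM2_CONF=$work/softhsm2.conf
    export SOFTHSM2_CONF

    # Throwaway token plus an RSA-2048 key pair labelled "aaa", as in the comment.
    softhsm2-util --init-token --free --label "Key pairs" \
        --so-pin 0000 --pin 1234 >/dev/null \
    && pkcs11-tool --module "$SOFTHSM_SO" --login --pin 1234 \
        --keypairgen --key-type rsa:2048 --label aaa --id 01 >/dev/null \
    || { echo FAIL; rm -rf "$work"; return 0; }

    write_engine_conf "$work/openssl_softhsm.cnf" "$SOFTHSM_SO"

    # The CSR must come out of the engine AND verify against its own public key;
    # a bad engine build can fail at key load or produce a signature that does not.
    if engine_pin=1234 OPENSSL_CONF=$work/openssl_softhsm.cnf \
         openssl req -new -batch -engine pkcs11 -keyform engine \
             -key "$(pkcs11_uri 'Key pairs' aaa)" -out "$work/test.csr" \
       && openssl req -in "$work/test.csr" -noout -verify >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
    rm -rf "$work"
}

# Usage: sh pkcs11_csr_check.sh run
if [ "${1:-}" = run ]; then
    dpkg-query -W -f='${Package} ${Version}\n' libengine-pkcs11-openssl
    echo "softhsm: $(run_softhsm_csr)"
fi
```

The dpkg-query line records the engine package version next to the result, which is the same evidence the apt policy output above provides; run it once against 0.4.11-1build3 and once against the jammy-proposed build and compare. The YubiKey and Luna legs differ only in MODULE_PATH, the URI labels and the PIN, so the same write_engine_conf/pkcs11_uri pair can drive them, but those tokens cannot be created from a script and are left out here.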