Hi Andreas,
cms is the subcommand of openssl; the error message just does not print
the original command as there is some foo around. So what is actually
executed is "openssl cms ...." using the binary path to openssl
configured in the crypto.yaml.
A word of warning: PKCS11 is "unsupported" with the community edition,
as we encountered a lot of such "issues" with Debian, and most vendors do
not support Debian-based setups. So it might work, but it also might
not... If you are using an HSM, we suggest going for the EE edition (RHEL
based), which we regularly test with several HSM vendors.
Oliver
On 05.08.24 16:17, Andreas Piesk via OpenXPKI-users wrote:
Hello list,
after checking openxpki with democa I tried a setup with an HSM,
actually 2 different HSMs:
1. Utimaco Cryptoserver
2. SoftHSM
The setup with openssl and the pkcs11 engine was successful after
upgrading openssl to 3.0.14; otherwise the pkcs11 modules segfault at
exit.
So, I can issue something like this:
# openssl req -x509 -engine pkcs11 -keyform engine \
    -extensions v3_datavault_extensions -batch -new \
    -key "pkcs11:token=openxpki;object=Datavault;pin-value=12345678" \
    -sha256 -subj "/CN=DataVault" -out "OpenXPKI_DataVault.crt"
and I get a valid certificate, OpenXPKI_DataVault.crt.
But with OpenXPKI it's a different story. The config for vault:
vault:
    inherit: default
    key: "slot_0-label_Datavault"
    engine: PKCS11
    engine_section: |
        engine_id= pkcs11
        dynamic_path= /usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so
        #MODULE_PATH= /opt/utimaco/lib/libcs_pkcs11_R3.so
        MODULE_PATH= /usr/lib/softhsm/libsofthsm2.so
        PIN= __PIN__
        init= 0
    engine_usage: 'ALWAYS'
    key_store: ENGINE
    secret: signer

secret:
    signer:
        label: HSM SLOT PIN
        method: literal
        value: 12345678
        cache: daemon
While getting "System Status", the pkcs11 module segfaults (both
modules, actually):
Aug 04 22:10:42 pki kernel: openssl[427717]: segfault at 18 ip
00007ffba17cac80 sp 00007ffe0b2914f8 error 4 in
libsofthsm2.so[7ffba173c000+92000] likely on CPU 0 (core 0, socket 0)
I tried to get the exact command line for the openssl exec, but I only
got this:
2024-08-04 22:10:42.185326 DEBUG:1 PID:427705
OpenXPKI::Exception::full_message (line 118): exception thrown:
I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __COMMAND__ => cms -decrypt
-inform PEM -engine pkcs11 -keyform engine -inkey
slot_0-label_Datavault -recip /var/tmp/openxpki427705SBvBApJe -in
/var/tmp/openxpki427705kToDZTYG -out /var/tmp/openxpki427705ZtS5r_zi
-passin env:pwd, __EXIT_STATUS__ => 11
The arguments look like openssl arguments, but what is 'cms'? Is there
a way to get the actually executed openssl command line?
I may have the issue for these segfaults: the key name
"slot_0-label_Datavault" is theoretically correct, but the key is not
found; after setting the key name to 'label_Datavault' the key is found.
Best,
-ap
_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users
--
Protect your environment - close windows and adopt a penguin!
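As an added example, not from the thread or from OpenXPKI itself: a small POSIX shell script that reproduces the "openssl cms -decrypt" call from the exception message outside the daemon, with the engine_section from crypto.yaml rendered into a stand-alone OpenSSL config, so the segfault can be isolated (engine load, key lookup, or OpenXPKI) and the two key names compared. The config layout, that openssl is taken from PATH, and all file paths and the PIN are assumptions.

```sh
#!/bin/sh
# Reproduce OpenXPKI's "openssl cms -decrypt" call outside the daemon, so the
# segfault can be isolated (engine load vs. key lookup vs. OpenXPKI itself).
# Assumed: openssl on PATH, engine .so path from the thread, and that the
# engine_section becomes a plain OpenSSL engine config like the one below.
set -eu

# Write the engine_section from crypto.yaml as a stand-alone OpenSSL config.
# $1 = output path, $2 = PKCS#11 module path, $3 = PIN. Prints the path.
render_engine_conf() {
    cat > "$1" <<EOF
openssl_conf = openssl_init
[openssl_init]
engines = engine_section
[engine_section]
pkcs11 = pkcs11_engine
[pkcs11_engine]
engine_id = pkcs11
dynamic_path = /usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so
MODULE_PATH = $2
PIN = $3
init = 0
EOF
    printf '%s' "$1"
}

# The command from the exception message, with the key name as a variable so
# "slot_0-label_Datavault" and "label_Datavault" can be tried side by side.
# $1 = key name, $2 = recipient cert, $3 = input, $4 = output. Prints the command.
build_cms_cmd() {
    printf 'openssl cms -decrypt -inform PEM -engine pkcs11 -keyform engine -inkey %s -recip %s -in %s -out %s -passin env:pwd' \
        "$1" "$2" "$3" "$4"
}

# Run it against a real module (needs an HSM, so not exercised offline).
# OpenXPKI passes the PIN via "-passin env:pwd", hence the pwd variable.
# $1 = key name, $2 = config, $3 = PIN, $4 = recipient cert, $5 = in, $6 = out
run_cms_decrypt() {
    if OPENSSL_CONF="$2" pwd="$3" sh -c "$(build_cms_cmd "$1" "$4" "$5" "$6")"; then
        echo "decrypt OK with key '$1'"
    else
        rc=$?
        # 139 = 128 + 11: openssl died with SIGSEGV, the same signal number
        # that shows up as __EXIT_STATUS__ => 11 in the OpenXPKI log.
        [ "$rc" -eq 139 ] && echo "SIGSEGV in openssl with key '$1'" || echo "exit $rc with key '$1'"
    fi
}
```

Typical use: conf=$(render_engine_conf /tmp/pkcs11.cnf /usr/lib/softhsm/libsofthsm2.so 12345678), then run_cms_decrypt with "slot_0-label_Datavault" and again with "label_Datavault" against the same recipient cert and input; a 139 from one and a clean decrypt from the other points at the key lookup rather than at OpenXPKI.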