On 05.08.24 at 16:51, Oliver Welter wrote:
cms is the subcommand of openssl; the error message just does not print the original
command, as there is some foo around. So what is actually executed is "openssl
cms...." using the binary path to openssl configured in the crypto.yaml.
Funny, I use openssl quite a lot but didn't know about cms, thanks for the
explanation.
A word of warning - PKCS11 is "unsupported" with the community edition, as we encountered
a lot of such "issues" with Debian and most vendors do not support Debian-based setups.
So it might work, but it also might not... if you are using an HSM we suggest going for the EE edition
(RHEL-based), which we regularly test with several HSM vendors.
Thank you for the warning. If we go to production with openxpki we will use
RHEL. The Debian setup is just to check whether openxpki could fulfill our
requirements and to see how it is designed.
Best,
-ap
Oliver
On 05.08.24 16:17, Andreas Piesk via OpenXPKI-users wrote:
Hello list,
after checking openxpki with democa I tried a setup with an HSM, actually 2
different HSMs:
1. Utimaco Cryptoserver
2. SoftHSM
The setup with openssl and the pkcs11 engine was successful after upgrading openssl
to 3.0.14; otherwise the pkcs11 modules segfault at exit.
So, I can issue something like this:
# openssl req -x509 -engine pkcs11 -keyform engine -extensions v3_datavault_extensions \
    -batch -new -key "pkcs11:token=openxpki;object=Datavault;pin-value=12345678" \
    -sha256 -subj "/CN=DataVault" -out "OpenXPKI_DataVault.crt"
and I get a valid certificate OpenXPKI_DataVault.crt.
But with OpenXPKI it's a different story. The config for vault:
vault:
    inherit: default
    key: "slot_0-label_Datavault"
    engine: PKCS11
    engine_section: |
        engine_id= pkcs11
        dynamic_path= /usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so
        #MODULE_PATH= /opt/utimaco/lib/libcs_pkcs11_R3.so
        MODULE_PATH= /usr/lib/softhsm/libsofthsm2.so
        PIN= __PIN__
        init= 0
    engine_usage: 'ALWAYS'
    key_store: ENGINE
    secret: signer

secret:
    signer:
        label: HSM SLOT PIN
        method: literal
        value: 12345678
        cache: daemon
while getting "System Status", the pkcs11 module segfaults, both modules
actually:
Aug 04 22:10:42 pki kernel: openssl[427717]: segfault at 18 ip 00007ffba17cac80
sp 00007ffe0b2914f8 error 4 in libsofthsm2.so[7ffba173c000+92000] likely on CPU
0 (core 0, socket 0)
I tried to get the exact commandline for openssl exec but I only got this:
2024-08-04 22:10:42.185326 DEBUG:1 PID:427705 OpenXPKI::Exception::full_message (line
118): exception thrown: I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __COMMAND__ =>
cms -decrypt -inform PEM -engine pkcs11 -keyform engine -inkey slot_0-label_Datavault
-recip /var/tmp/openxpki427705SBvBApJe -in /var/tmp/openxpki427705kToDZTYG -out
/var/tmp/openxpki427705ZtS5r_zi -passin env:pwd, __EXIT_STATUS__ => 11
The arguments look like openssl arguments but what is 'cms'? Is there a way to
get the actual executed openssl commandline?
I may have found the issue for these segfaults: the key name "slot_0-label_Datavault"
is theoretically correct but the key is not found; after setting the key name to
'label_Datavault' the key is found.
Best,
-ap
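An added example, not code from the thread or from OpenXPKI: a small POSIX shell script that re-runs the "openssl cms -decrypt ... -engine pkcs11 -keyform engine -inkey ... -passin env:pwd" call Oliver describes, with the crypto.yaml engine_section written to an OpenSSL config, but stand-alone, so a crashing PKCS#11 module shows up as exit status 139 (128 + SIGSEGV) and an unresolvable key id as an ordinary failure. The openssl binary, engine and module paths, PIN, KEY_ID and CERT are placeholders taken from environment variables.

```shell
#!/bin/sh
# Added example (not OpenXPKI code). Re-runs the vault token's
# "openssl cms -decrypt ... -engine pkcs11 -keyform engine" call stand-alone,
# so a crashing PKCS#11 module or an unresolvable key id can be diagnosed
# without the OpenXPKI daemon. All paths, PIN, KEY_ID and CERT are placeholders.

# Write an OpenSSL config carrying the same engine_section as crypto.yaml.
write_engine_conf() {  # args: pkcs11-engine.so pkcs11-module.so pin
    printf '%s\n' 'openssl_conf = openssl_init' \
        '[openssl_init]' 'engines = engine_section' \
        '[engine_section]' 'pkcs11 = pkcs11_section' \
        '[pkcs11_section]' 'engine_id = pkcs11' \
        "dynamic_path = $1" "MODULE_PATH = $2" "PIN = $3" 'init = 0'
}

# Map the shell's exit status of the decrypt call to what it means.
describe_status() {
    case "$1" in
        0)   echo OK ;;
        139) echo SIGSEGV ;;        # 128 + 11: the PKCS#11 module crashed
        *)   echo "FAILED($1)" ;;   # e.g. key id not found by the engine
    esac
}

# Encrypt a constructed message to CERT, then decrypt it through the engine
# with the argument set OpenXPKI uses. Prints the decrypt verdict and returns
# 0 only when the plaintext round-trips.
cms_roundtrip() {  # args: openssl-binary key-id cert-file conf-file
    dir=$(mktemp -d)
    echo "hsm round trip $(date +%s)" > "$dir/msg"
    "$1" cms -encrypt -aes256 -outform PEM -in "$dir/msg" -out "$dir/enc.pem" "$3" || return 1
    pwd="$PIN" OPENSSL_CONF="$4" "$1" cms -decrypt -inform PEM -engine pkcs11 \
        -keyform engine -inkey "$2" -recip "$3" -in "$dir/enc.pem" \
        -out "$dir/dec" -passin env:pwd
    status=$?
    echo "inkey $2: $(describe_status "$status")"
    [ "$status" -eq 0 ] && cmp -s "$dir/msg" "$dir/dec"
}

# Only runs against a real HSM when asked for, e.g.:
# RUN_HSM_CHECK=1 PIN=... KEY_ID=label_Datavault CERT=OpenXPKI_DataVault.crt sh check.sh
if [ -n "${RUN_HSM_CHECK:-}" ]; then
    conf=$(mktemp)
    write_engine_conf "${ENGINE_SO:-/usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so}" \
        "${MODULE_SO:-/usr/lib/softhsm/libsofthsm2.so}" "$PIN" > "$conf"
    cms_roundtrip "${OPENSSL_BIN:-openssl}" "$KEY_ID" "$CERT" "$conf"
    rm -f "$conf"   # the config file holds the PIN
fi
```

Running it once with KEY_ID=slot_0-label_Datavault and once with KEY_ID=label_Datavault separates a key-id lookup failure from a module crash before OpenXPKI is involved.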
_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users