I may have hit a bug elsewhere first, though. I'm following what I did for a pkcs11 engine test[1], but with the pkcs11-provider package. I'm able to create the RSA key in the softhsm2 token, and even generate a certificate request with it using openssl -provider pkcs11. But when I sign the request with the same key (nonsense, but technically valid), it does sign it, but core dumps at the end:
    # openssl x509 -provider pkcs11 -signkey "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=f4561bbe1b739173;token=apache2-hsm-token;id=%BD%06%9A%2E%16%D0%03%85%AE%AF%12%DE%81%0C%DA%3A%56%F2%51%42;object=apache2-hsm-key;type=private" -in apache2-hsm-key.req -out foo
    Enter pass phrase for PKCS#11 Token (Slot 460558707 - SoftHSM slot ID 0x1b739173):
    Segmentation fault (core dumped)

    # cat foo
    -----BEGIN CERTIFICATE-----
    MIICrzCCAZcCFHRHl/ehMDanzecCjxubJu2fKX5KMA0GCSqGSIb3DQEBCwUAMBQx
    EjAQBgNVBAMMCW4taHNtLmx4ZDAeFw0yNDAzMDYxOTAxNDVaFw0yNDA0MDUxOTAx
    NDVaMBQxEjAQBgNVBAMMCW4taHNtLmx4ZDCCASIwDQYJKoZIhvcNAQEBBQADggEP
    ADCCAQoCggEBAMCkFhFN9NtpzchsT1SlrTDHANe9d5L1NR7FNpXJjCZAkEEkDmP9
    4CE5dWp7X2RlGeZ9Ge+EMC84ud2Kx6O5MFoEBi/h8fmy6FPtRBlLyx+wExGLAeRR
    puyBE6GpYWDmUlYG1XvwiUmESVZ4U8QJiQgF/0euu8ldbIyqa8zi20dqI+T9HiuL
    TDcFnD+95xUbQ6Lsz8F5zbEps5BQZmV7MjsAHNnG24CCwjRpQr244tVeYLDhtVE8
    /m7y8HGK29eto9cBypedUxAzzwofLTN3UShb2PX5ffOmT/n0ifxbBC7LpmbbEWT6
    47mWvtru/9eME3y3UBs5d928cSxL8d+kGisCAwEAATANBgkqhkiG9w0BAQsFAAOC
    AQEACgeFvFFyugMKJtfT5Jgpfk4aBFtcYhJonQ/woqmEi50KU4bbZMQeFXWnNdVx
    ktdWRzbxJgIITllUVnSaP7Iyef+6qI35FgrIefqWLr98tT6X2kMuZn1mJU5HuMco
    HL4ibOcNNb2PKCJkTVXhJkIQSiEYQoGgevKrxOyjOUIg6OxibWvqATQgWG/9THHF
    VnAnaSSkCRO9D5FD4RvLlwTiUS5g/TZJwcbj5bxtuNjTBXY5NdqMATlTdVSbmS1E
    SRX06Fsk8mwD1I26/eIRxoD7iGdrvGjA2YXb1OehLTc/rI8eaHEqbfyNliwiJCOA
    wuSORq/F24ydDjVYsvbtDV5VkQ==
    -----END CERTIFICATE-----

The certificate looks ok, and a quick gdb on the core dump shows it was at shutdown time. But I'm also getting a core dump in apache now when configured to use this cert and hsm key. But also at shutdown. And while running, apache ssl isn't working. Still, it could be because softhsm2 usually requires root access, but I straced it and didn't see any EACCES errors, and I also added the www-data user to the softhsm group. Still, the segfault isn't good, and seems to be in either softhsm2 or pkcs11-provider, not apache itself.

1.
https://git.launchpad.net/ubuntu/+source/libp11/tree/debian/tests/engine

https://bugs.launchpad.net/bugs/2050017
Title: [FFe] [24.04 FEAT] [SEC2339] HSM protected signing support for Apache httpd for openSSL 3.0 with PKCS #11 provider
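The steps described in the comment above (init a SoftHSM2 token, generate an RSA key in it, build the CSR and self-sign it through the OpenSSL 3 pkcs11 provider) collected into one script, as an added example that is not part of the bug report or of the pkcs11-provider package. It builds the RFC 7512 pkcs11: URI from a hex CKA_ID instead of pasting it by hand, records the exit status of every openssl call separately from whether an output file appeared (a crash at shutdown still leaves a usable certificate on disk, as the report shows), and verifies the resulting certificate independently rather than eyeballing it. The token label, key label, CKA_ID, PIN, working directory and module path are constructed assumptions, and passing the token PIN with -passin is assumed to satisfy the provider's passphrase prompt.

```shell
#!/bin/sh
# Added example (not from the bug report): reproduce the SoftHSM2 +
# pkcs11-provider signing steps, check the certificate, and keep the exit
# status of each openssl run so a crash at shutdown is not masked by the
# output file having been written.
# Assumptions: softhsm2-util, pkcs11-tool (OpenSC) and an OpenSSL 3 with the
# pkcs11 provider module installed; all labels, ids and the PIN are constructed.
set -u

TOKEN_LABEL="apache2-hsm-token"   # constructed
KEY_LABEL="apache2-hsm-key"       # constructed
KEY_ID_HEX="BD069A2E"             # constructed CKA_ID as hex bytes
PIN="1234"                        # constructed test PIN
MODULE="/usr/lib/softhsm/libsofthsm2.so"   # assumed SoftHSM2 module path
WORKDIR="${WORKDIR:-./hsm-test}"

# Percent-encode a hex byte string for the RFC 7512 "id" attribute:
# "BD069A2E" -> "%BD%06%9A%2E".
hex_to_pct() {
    printf '%s' "$1" | tr 'a-f' 'A-F' | sed 's/../%&/g'
}

# Build a pkcs11: URI that selects one object by token, id, label and type.
pkcs11_uri() {
    # $1 token label, $2 hex CKA_ID, $3 object label, $4 private|public
    printf 'pkcs11:token=%s;id=%s;object=%s;type=%s' \
        "$1" "$(hex_to_pct "$2")" "$3" "$4"
}

# Run a command and report its exit status, distinguishing signal deaths
# (status >= 128, e.g. 139 for SIGSEGV) from ordinary failures.
run_step() {
    "$@"
    rc=$?
    if [ "$rc" -ge 128 ]; then
        echo "step '$1' died from signal $((rc - 128)) (exit $rc)" >&2
    elif [ "$rc" -ne 0 ]; then
        echo "step '$1' failed with exit $rc" >&2
    fi
    return "$rc"
}

reproduce() {
    mkdir -p "$WORKDIR" && cd "$WORKDIR" || return 1
    KEY_URI="$(pkcs11_uri "$TOKEN_LABEL" "$KEY_ID_HEX" "$KEY_LABEL" private)"

    run_step softhsm2-util --init-token --free --label "$TOKEN_LABEL" \
        --pin "$PIN" --so-pin "$PIN" || return 1
    run_step pkcs11-tool --module "$MODULE" --login --pin "$PIN" \
        --keypairgen --key-type rsa:2048 --id "$KEY_ID_HEX" --label "$KEY_LABEL" || return 1

    # CSR signed with the token key; the default provider is loaded as well
    # for digests and encoders.
    run_step openssl req -new -provider pkcs11 -provider default \
        -key "$KEY_URI" -passin "pass:$PIN" -subj "/CN=n-hsm.lxd" \
        -out "$KEY_LABEL.req" || return 1

    # Self-sign the CSR with the same key and keep the status even if a
    # certificate file was produced before the process crashed.
    run_step openssl x509 -req -days 30 -provider pkcs11 -provider default \
        -in "$KEY_LABEL.req" -key "$KEY_URI" -passin "pass:$PIN" -out "$KEY_LABEL.crt"
    sign_rc=$?

    # Independent check: the certificate must verify as self-signed and carry
    # the CSR's public key, whatever the signing process's exit status was.
    openssl verify -CAfile "$KEY_LABEL.crt" "$KEY_LABEL.crt" || return 1
    [ "$(openssl x509 -in "$KEY_LABEL.crt" -noout -pubkey)" = \
      "$(openssl req -in "$KEY_LABEL.req" -noout -pubkey)" ] || return 1
    echo "certificate is valid; signing step exit status was $sign_rc"
    return "$sign_rc"
}

# Only touch the token store when explicitly asked: ./hsm-sign.sh run
if [ "${1:-}" = "run" ]; then
    reproduce
fi
```

A non-zero return from the script with a valid certificate on disk is exactly the situation in the report: the signing itself worked and the failure is confined to process teardown, which is where gdb on the core, or running the same command under valgrind, should be pointed.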
