I'm having difficulties with openssl-pkcs11-sign-provider. I'm getting a
sequence of errors, a segfault, and it looks like it's trying to load
the rdrand.so *engine*, which we are not shipping (might not even exist
anymore?)
# openssl req -provider pkcs11sign -new \
    -key "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=148c784165ed428b;token=test-token;id=%96%7F%20%F2%98%18%D7%15%3D%AF%87%AB%EC%09%25%C5%14%51%2E%E1;object=test-key;type=private" \
    -out test-key.req -text -x509 -subj "/CN=n-hsm.lxd"
Could not open file or uri for loading private key from pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=148c784165ed428b;token=test-token;id=%96%7F%20%F2%98%18%D7%15%3D%AF%87%AB%EC%09%25%C5%14%51%2E%E1;object=test-key;type=private
4067AC93797F0000:error:16000069:STORE routines:ossl_store_get0_loader_int:unregistered scheme:../crypto/store/store_register.c:237:scheme=file
4067AC93797F0000:error:80000002:system library:file_open:No such file or directory:../providers/implementations/storemgmt/file_store.c:267:calling stat(pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=148c784165ed428b;token=test-token;id=%96%7F%20%F2%98%18%D7%15%3D%AF%87%AB%EC%09%25%C5%14%51%2E%E1;object=test-key;type=private)
4067AC93797F0000:error:16000069:STORE routines:ossl_store_get0_loader_int:unregistered scheme:../crypto/store/store_register.c:237:scheme=pkcs11
4067AC93797F0000:error:12800067:DSO support routines:dlfcn_load:could not load the shared library:../crypto/dso/dso_dlfcn.c:118:filename(/usr/lib/x86_64-linux-gnu/engines-3/rdrand.so): /usr/lib/x86_64-linux-gnu/engines-3/rdrand.so: cannot open shared object file: No such file or directory
4067AC93797F0000:error:12800067:DSO support routines:DSO_load:could not load the shared library:../crypto/dso/dso_lib.c:152:
4067AC93797F0000:error:13000084:engine routines:dynamic_load:dso not found:../crypto/engine/eng_dyn.c:442:
4067AC93797F0000:error:13000074:engine routines:ENGINE_by_id:no such engine:../crypto/engine/eng_list.c:430:id=rdrand
Segmentation fault (core dumped)
The openssl config is (abbreviated, and note I have disabled the pkcs11
provider for this test):
[openssl_init]
providers = provider_sect
alg_section = evp_properties
[evp_properties]
default_properties = ?provider=pkcs11sign
[provider_sect]
default = default_sect
#pkcs11 = pkcs11_sect
pkcs11sign = pkcs11sign_sect
[pkcs11sign_sect]
module = /usr/lib/x86_64-linux-gnu/ossl-modules/pkcs11sign.so
identity = pkcs11sign
pkcs11sign-forward = provider=default
pkcs11sign-module-path = /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so
activate = 1
[pkcs11_sect]
module = /usr/lib/x86_64-linux-gnu/ossl-modules/pkcs11.so
pkcs11-module-path = /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so
#pkcs11-module-token-pin = file:/etc/apache2/pin.txt
activate = 0
[default_sect]
activate = 1
The pkcs11sign provider is recognized:
root@n-hsm:~# openssl list -providers
Providers:
default
name: OpenSSL Default Provider
version: 3.0.10
status: active
pkcs11sign
name: PKCS11 signing key provider
version: 1.0.1
status: active
softhsm has the private key:
root@n-hsm:~# p11tool --list-privkeys --login
Token 'test-token' with URL 'pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=148c784165ed428b;token=test-token' requires user PIN
Enter PIN:
Object 0:
URL: pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=148c784165ed428b;token=test-token;id=%96%7F%20%F2%98%18%D7%15%3D%AF%87%AB%EC%09%25%C5%14%51%2E%E1;object=test-key;type=private
Type: Private key (RSA-2048)
Label: test-key
Flags: CKA_WRAP/UNWRAP; CKA_PRIVATE; CKA_NEVER_EXTRACTABLE; CKA_SENSITIVE;
ID: 96:7f:20:f2:98:18:d7:15:3d:af:87:ab:ec:09:25:c5:14:51:2e:e1
And I'm running as root, to avoid permissions problems in
/var/lib/softhsm2/tokens
strace confirms /var/lib/softhsm/tokens/* is being accessed by the openssl
command.
--
https://bugs.launchpad.net/bugs/2050017
Title:
[FFe] [24.04 FEAT] [SEC2339] HSM protected signing support for Apache httpd for openSSL 3.0 with PKCS #11 provider
--
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
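A first triage step when a provider reports it cannot load a key from a PKCS#11 URI is to confirm that the URI actually names the object the token holds. The following is an added example (not part of the bug report or of openssl-pkcs11-sign-provider) that parses an RFC 7512 PKCS#11 URI, percent-decodes the binary `id` attribute, and renders it in the colon-separated hex form p11tool prints, so the two can be compared directly; the URI string is copied from the report above.

```python
from urllib.parse import unquote_to_bytes

# URI taken from the bug report above (SoftHSM token 'test-token').
PKCS11_URI = ("pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;"
              "serial=148c784165ed428b;token=test-token;"
              "id=%96%7F%20%F2%98%18%D7%15%3D%AF%87%AB%EC%09%25%C5%14%51%2E%E1;"
              "object=test-key;type=private")


def _split_attrs(part, separator):
    """Split 'k=v<sep>k=v' into a dict of percent-decoded byte values.
    RFC 7512 forbids repeating an attribute, so duplicates are an error."""
    attrs = {}
    for item in filter(None, part.split(separator)):
        key, eq, value = item.partition("=")
        if not eq:
            raise ValueError(f"attribute without value: {item!r}")
        if key in attrs:
            raise ValueError(f"duplicate attribute: {key}")
        # 'id' is raw CKA_ID bytes, so decode to bytes, not str.
        attrs[key] = unquote_to_bytes(value)
    return attrs


def parse_pkcs11_uri(uri):
    """Return (path_attrs, query_attrs) for an RFC 7512 PKCS#11 URI.
    Path attributes are ';'-separated; the optional '?' query part
    (pin-source, module-path, ...) is '&'-separated."""
    scheme, sep, rest = uri.partition(":")
    if scheme != "pkcs11" or not sep:
        raise ValueError("not a pkcs11: URI")
    path, _, query = rest.partition("?")
    return _split_attrs(path, ";"), _split_attrs(query, "&")


def id_as_colon_hex(raw):
    """Render CKA_ID bytes the way p11tool prints 'ID:' (aa:bb:cc...)."""
    return ":".join(f"{b:02x}" for b in raw)


def describe(uri):
    """Human-readable view of the path attributes, with 'id' in p11tool form."""
    path, _query = parse_pkcs11_uri(uri)
    out = {k: v.decode("utf-8", "replace") for k, v in path.items() if k != "id"}
    if "id" in path:
        out["id"] = id_as_colon_hex(path["id"])
    return out


if __name__ == "__main__":
    for key, value in describe(PKCS11_URI).items():
        print(f"{key:>13}: {value}")
```

If the decoded `id` and `object` here do not match what `p11tool --list-privkeys` shows, the URI, not the provider, is the first thing to fix.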