Hello list,
after checking openxpki with democa I tried a setup with an HSM, actually 2
different HSMs:
1. Utimaco Cryptoserver
2. SoftHSM
the setup with openssl and pkcs11 engine was successful after upgrading openssl
to 3.0.14, otherwise the pkcs11 modules segfault at exit.
So, I can issue something like this:

# openssl req -x509 -engine pkcs11 -keyform engine -extensions v3_datavault_extensions -batch -new \
    -key "pkcs11:token=openxpki;object=Datavault;pin-value=12345678" -sha256 -subj "/CN=DataVault" \
    -out "OpenXPKI_DataVault.crt"

and I get a valid certificate OpenXPKI_DataVault.crt.
But with OpenXPKI it's a different story. The config for vault:

vault:
    inherit: default
    key: "slot_0-label_Datavault"
    engine: PKCS11
    engine_section: |
        engine_id= pkcs11
        dynamic_path= /usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so
        #MODULE_PATH= /opt/utimaco/lib/libcs_pkcs11_R3.so
        MODULE_PATH= /usr/lib/softhsm/libsofthsm2.so
        PIN= __PIN__
        init= 0
    engine_usage: 'ALWAYS'
    key_store: ENGINE
    secret: signer

secret:
    signer:
        label: HSM SLOT PIN
        method: literal
        value: 12345678
        cache: daemon
While getting "System Status", the pkcs11 module segfaults, both modules actually:

Aug 04 22:10:42 pki kernel: openssl[427717]: segfault at 18 ip 00007ffba17cac80 sp 00007ffe0b2914f8 error 4 in libsofthsm2.so[7ffba173c000+92000] likely on CPU 0 (core 0, socket 0)
I tried to get the exact command line for the openssl exec, but I only got this:

2024-08-04 22:10:42.185326 DEBUG:1 PID:427705 OpenXPKI::Exception::full_message (line 118): exception thrown: I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __COMMAND__ => cms -decrypt -inform PEM -engine pkcs11 -keyform engine -inkey slot_0-label_Datavault -recip /var/tmp/openxpki427705SBvBApJe -in /var/tmp/openxpki427705kToDZTYG -out /var/tmp/openxpki427705ZtS5r_zi -passin env:pwd, __EXIT_STATUS__ => 11

The arguments look like openssl arguments, but what is 'cms'? Is there a way to get the actually executed openssl command line?
I may have the issue for these segfaults: the key name "slot_0-label_Datavault" is theoretically correct, but the key is not found; after setting the key name to 'label_Datavault' the key is found.
Best,
-ap
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
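An added reproduction harness for the situation in this post (example code written for this page, not OpenXPKI code and not from anyone in the thread). The 'cms' in the logged __COMMAND__ is the name of the openssl subcommand, i.e. the daemon ran "openssl cms -decrypt ..." and the log shows the argument list without the binary. The script reruns that exact step by hand, loading the pkcs11 engine through an OPENSSL_CONF file built from the post's engine_section, and first does a software-key round trip through "openssl cms" so a crash in the engine path cannot be confused with a broken cms build. It also maps the exit status to a verdict: 11 is the SIGSEGV signal number (what __EXIT_STATUS__ shows above), while a shell reports the same event as 139. Assumptions, all constructed for the example: the engine and SoftHSM module paths from the post, the PIN 12345678 from the post (override with HSM_PIN), and that the key label you pass in is the one that resolves for your token.

```shell
#!/bin/sh
# Added reproduction harness, not OpenXPKI code. Reruns the "cms -decrypt"
# step from the OpenXPKI debug log outside the daemon, with the pkcs11 engine
# loaded via an OPENSSL_CONF built from the post's engine_section.
# Assumed paths/PIN are taken from the post; adjust for your system.

ENGINE_SO=/usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so
MODULE_SO=/usr/lib/softhsm/libsofthsm2.so

# Write an openssl config that loads the pkcs11 engine (the documented libp11
# layout), carrying the same values as the engine_section in the post.
# $1 = path of the config file to write.
write_engine_conf() {
    cat > "$1" <<EOF
openssl_conf = openssl_init
[openssl_init]
engines = engine_section
[engine_section]
pkcs11 = pkcs11_section
[pkcs11_section]
engine_id = pkcs11
dynamic_path = $ENGINE_SO
MODULE_PATH = $MODULE_SO
init = 0
EOF
}

# Turn an exit status into a short verdict. 11 is the SIGSEGV signal number
# (what the post's __EXIT_STATUS__ shows); a POSIX shell reports the same
# event as 128+11 = 139.
explain_exit() {
    case "$1" in
        0)      echo "ok" ;;
        11|139) echo "SIGSEGV (engine or PKCS#11 module crashed)" ;;
        *)      echo "failed with exit status $1" ;;
    esac
}

# Sanity check with no HSM involved: a software key round trip through
# "openssl cms", so an engine failure is not mistaken for a broken cms build.
software_round_trip() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -subj /CN=cms-test -days 1 \
        -keyout "$d/key.pem" -out "$d/cert.pem" >/dev/null 2>&1
    printf 'constructed test message\n' > "$d/msg.txt"
    openssl cms -encrypt -in "$d/msg.txt" -outform PEM -out "$d/msg.cms" "$d/cert.pem"
    openssl cms -decrypt -inform PEM -inkey "$d/key.pem" -recip "$d/cert.pem" \
        -in "$d/msg.cms" -out "$d/out.txt"
    rc=$?
    rm -rf "$d"
    explain_exit "$rc"
}

# The logged OpenXPKI step, rerun by hand with the engine.
# $1 = key label/URI for -inkey, $2 = recipient cert, $3 = PEM CMS input,
# $4 = output file. The PIN is passed exactly as the daemon did: -passin env:pwd.
reproduce_cms_decrypt() {
    conf=$(mktemp)
    write_engine_conf "$conf"
    OPENSSL_CONF="$conf" pwd="${HSM_PIN:-12345678}" \
        openssl cms -decrypt -inform PEM -engine pkcs11 -keyform engine \
        -inkey "$1" -recip "$2" -in "$3" -out "$4" -passin env:pwd
    rc=$?
    rm -f "$conf"
    explain_exit "$rc"
}

# Usage: ./repro.sh <key-label> <recipient.crt> <input.pem> <output>
# Runs the software check first, then the engine step only if the module exists.
if [ $# -eq 4 ]; then
    echo "software cms: $(software_round_trip)"
    if [ -f "$MODULE_SO" ]; then
        echo "engine cms:   $(reproduce_cms_decrypt "$@")"
    else
        echo "PKCS#11 module $MODULE_SO not found; skipping engine step"
    fi
fi
```

Run it with the -recip file and the -in file that the log names (the daemon removes its /var/tmp files, so recreate them, e.g. with the data vault certificate and a message encrypted to it) and try both "slot_0-label_Datavault" and "label_Datavault" as the first argument; if the software round trip says ok and only the engine run reports SIGSEGV, the problem is in the engine/module combination rather than in OpenXPKI's cms invocation.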