Package: p11-kit
Version: 0.25.5-3

When I attempt to use a key stored in SoftHSM via OpenSSL's pkcs11 provider,
the openssl command hangs forever. I'm trying this from a Debian sid container,
but it also happens in Debian trixie and I first noticed this in an Ubuntu 24.04
instance in GitHub Actions. I'm not entirely sure if this is a p11-kit issue,
or a softhsm2 issue - I've got softhsm2 2.6.1-3 installed - or something else.

Here's the reproducer script:

apt update && apt install -y softhsm2 openssl opensc pkcs11-provider p11-kit
softhsm2-util --init-token --slot=0 --label=test --pin=secret-password \
  --so-pin=1234
pkcs11-tool --module=/usr/lib/softhsm/libsofthsm2.so --login \
  --pin=secret-password --keypairgen --label=binding-key --key-type=rsa:4096 \
  --usage-decrypt --usage-sign --id=1

# this command hangs on futex
openssl req -x509 -provider pkcs11 -passin pass:secret-password -subj /CN=Test \
  -key "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;token=test;object=binding-key;id=%01;type=private" \
  -out cert.pem

The backtrace for the openssl command above is:

(gdb) bt
#0  futex_wait (futex_word=0x55f6ae870240, expected=2, private=0) at 
../sysdeps/nptl/futex-internal.h:146
#1  __GI___lll_lock_wait (futex=futex@entry=0x55f6ae870240, private=0) at 
./nptl/lowlevellock.c:49
#2  0x00007f9798144f72 in lll_mutex_lock_optimized (mutex=0x55f6ae870240) at 
./nptl/pthread_mutex_lock.c:48
#3  ___pthread_mutex_lock (mutex=0x55f6ae870240) at 
./nptl/pthread_mutex_lock.c:93
#4  0x00007f9797e0ecf2 in lock_mutex (mut=<optimized out>) at 
p11-kit/modules.c:276
#5  0x00007f9797d6e59a in Token::isSOLoggedIn (this=0x55f6ae8689b0) at 
./src/lib/slot_mgr/Token.cpp:95
#6  0x00007f9797d6bd55 in SessionManager::openSession (this=0x55f6ae870b40, 
slot=0x55f6ae868980, flags=flags@entry=4, 
    pApplication=pApplication@entry=0x55f6ae8748c0, 
notify=notify@entry=0x7f9797f85a40 <token_session_callback>, 
    phSession=phSession@entry=0x55f6ae8748d8) at 
./src/lib/session_mgr/SessionManager.cpp:83
#7  0x00007f9797d07984 in SoftHSM::C_OpenSession (this=0x55f6ae852490, 
slotID=slotID@entry=2010866895, flags=flags@entry=4, 
    pApplication=pApplication@entry=0x55f6ae8748c0, 
notify=notify@entry=0x7f9797f85a40 <token_session_callback>, 
    phSession=phSession@entry=0x55f6ae8748d8) at ./src/lib/SoftHSM.cpp:1348
#8  0x00007f9797ce7b07 in C_OpenSession (slotID=2010866895, flags=4, 
pApplication=0x55f6ae8748c0, 
    notify=0x7f9797f85a40 <token_session_callback>, phSession=0x55f6ae8748d8) 
at ./src/lib/main.cpp:317
#9  0x00007f9797e0e8df in managed_C_OpenSession (self=<optimized out>, 
slot_id=2010866895, flags=<optimized out>, 
    application=<optimized out>, notify=<optimized out>, 
session=0x55f6ae8748d8) at p11-kit/modules.c:1822
#10 0x00007f9797dec59f in proxy_C_OpenSession (self=0x55f6ae850b80, 
id=2010866895, flags=4, user_data=0x55f6ae8748c0, 
    callback=0x7f9797f85a40 <token_session_callback>, handle=0x55f6ae8748d8) at 
p11-kit/proxy.c:606
#11 0x00007f9797f6d574 in p11prov_OpenSession (ctx=0x55f6ae7e9330, slotID=17, 
flags=flags@entry=4, 
    pApplication=pApplication@entry=0x55f6ae8748c0, 
Notify=Notify@entry=0x7f9797f85a40 <token_session_callback>, 
    phSession=phSession@entry=0x55f6ae8748d8) at ../src/interface.gen.c:260
#12 0x00007f9797f859a7 in token_session_open 
(session=session@entry=0x55f6ae8748c0, flags=flags@entry=4) at 
../src/session.c:76
#13 0x00007f9797f876ab in p11prov_get_session (provctx=<optimized out>, 
slotid=slotid@entry=0x7ffecd4fcbc8, 
    next_slotid=next_slotid@entry=0x0, uri=uri@entry=0x0, mechtype=592, 
pw_cb=pw_cb@entry=0x0, pw_cbarg=0x0, reqlogin=false, rw=false, 
    _session=0x55f6ae8748b0) at ../src/session.c:1017
#14 0x00007f9797f64321 in p11prov_digest_init (ctx=0x55f6ae8748a0, 
params=<optimized out>) at ../src/digests.c:279
#15 0x00007f9797d46173 in OSSLEVPHashAlgorithm::hashInit (this=0x55f6ae871260) 
at ./src/lib/crypto/OSSLEVPHashAlgorithm.cpp:61
#16 0x00007f9797d512e1 in RFC4880::PBEDeriveKey (password=..., salt=..., 
ppKey=ppKey@entry=0x7ffecd4fcd28)
    at ./src/lib/data_mgr/RFC4880.cpp:74
#17 0x00007f9797d533de in SecureDataManager::login 
(this=this@entry=0x55f6ae870360, passphrase=..., encryptedKey=...)
    at ./src/lib/data_mgr/SecureDataManager.cpp:264
#18 0x00007f9797d539a1 in SecureDataManager::loginUser (this=0x55f6ae870360, 
userPIN=...) at ./src/lib/data_mgr/SecureDataManager.cpp:317
#19 0x00007f9797d6e8a6 in Token::loginUser (this=this@entry=0x55f6ae8689b0, 
pin=...) at ./src/lib/slot_mgr/Token.cpp:176
#20 0x00007f9797d08bab in SoftHSM::C_Login (this=0x55f6ae852490, 
hSession=hSession@entry=2, userType=userType@entry=1, 
    pPin=pPin@entry=0x7ffecd4fd160 "secret-password", 
ulPinLen=ulPinLen@entry=15) at ./src/lib/SoftHSM.cpp:1472
#21 0x00007f9797ce7c83 in C_Login (hSession=2, userType=1, pPin=0x7ffecd4fd160 
"secret-password", ulPinLen=15) at ./src/lib/main.cpp:407
#22 0x00007f9797decd28 in proxy_C_Login (self=<optimized out>, 
session=<optimized out>, user_type=1, pin=0x7ffecd4fd160 "secret-password", 
    pin_len=15) at ./p11-kit/proxy-generated.h:196
#23 0x00007f9797f6df3d in p11prov_Login (ctx=<optimized out>, hSession=18, 
userType=userType@entry=1, 
    pPin=pPin@entry=0x7ffecd4fd160 "secret-password", 
ulPinLen=ulPinLen@entry=15) at ../src/interface.gen.c:387
#24 0x00007f9797f85189 in token_login (session=session@entry=0x55f6ae871360, 
uri=uri@entry=0x55f6ae872b10, 
    pw_cb=pw_cb@entry=0x7f9798527280 <ossl_pw_passphrase_callback_dec>, 
pw_cbarg=pw_cbarg@entry=0x55f6ae872bf8, 
    slot=slot@entry=0x55f6ae870cd0, user_type=user_type@entry=1) at 
../src/session.c:561
#25 0x00007f9797f86dc0 in slot_login (slot=slot@entry=0x55f6ae870cd0, 
uri=uri@entry=0x55f6ae872b10, 
    pw_cb=pw_cb@entry=0x7f9798527280 <ossl_pw_passphrase_callback_dec>, 
pw_cbarg=pw_cbarg@entry=0x55f6ae872bf8, 
    reqlogin=reqlogin@entry=true, _session=_session@entry=0x0) at 
../src/session.c:828
#26 0x00007f9797f872a6 in p11prov_get_session (provctx=0x55f6ae7e9330, 
slotid=slotid@entry=0x7ffecd4fd3a0, 
    next_slotid=next_slotid@entry=0x7ffecd4fd3a8, uri=0x55f6ae872b10, 
mechtype=mechtype@entry=18446744073709551615, 
    pw_cb=pw_cb@entry=0x7f9798527280 <ossl_pw_passphrase_callback_dec>, 
pw_cbarg=0x55f6ae872bf8, reqlogin=true, rw=false, 
    _session=0x55f6ae872a48) at ../src/session.c:962
#27 0x00007f9797f8e0cc in store_fetch (ctx=0x55f6ae8729c0, pw_cb=0x7f9798527280 
<ossl_pw_passphrase_callback_dec>, pw_cbarg=0x55f6ae872bf8)
    at ../src/store.c:124
#28 p11prov_store_load (pctx=0x55f6ae8729c0, object_cb=0x7f979865f6e0 
<ossl_store_handle_load_result>, object_cbarg=0x7ffecd4fd4a0, 
    pw_cb=0x7f9798527280 <ossl_pw_passphrase_callback_dec>, 
pw_cbarg=0x55f6ae872bf8) at ../src/store.c:255
#29 0x00007f979865cd68 in OSSL_STORE_load (ctx=ctx@entry=0x55f6ae872bb0) at 
../crypto/store/store_lib.c:441
#30 0x000055f677d8af78 in load_key_certs_crls (uri=<optimized out>, 
format=format@entry=0, maybe_stdin=maybe_stdin@entry=0, 
    pass=<optimized out>, desc=0x55f677d98cbe "private key", 
quiet=quiet@entry=0, ppkey=<optimized out>, ppubkey=<optimized out>, 
    pparams=<optimized out>, pcert=<optimized out>, pcerts=0x0, pcrl=<optimized 
out>, pcrls=0x0) at ../apps/lib/apps.c:1057
#31 0x000055f677d8bee5 in load_key (uri=<optimized out>, 
    uri@entry=0x7ffecd4fee8f 
"pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;token=test;object=binding-key;id=%01;type=private",
 
    format=0, may_stdin=may_stdin@entry=0, pass=<optimized out>, e=e@entry=0x0, 
desc=desc@entry=0x55f677d98cbe "private key")
    at ../apps/lib/apps.c:620
#32 0x000055f677d5a56c in req_main (argc=<optimized out>, argv=0x7ffecd4fdf90) 
at ../apps/req.c:627
#33 0x000055f677d4e951 in do_cmd (prog=prog@entry=0x55f6ae7fd8c0, 
argc=argc@entry=12, argv=argv@entry=0x7ffecd4fdf90)
    at ../apps/openssl.c:428
#34 0x000055f677d23b46 in main (argc=<optimized out>, argv=<optimized out>) at 
../apps/openssl.c:309

It's worth noting this does not happen in Fedora 42, which includes the same 
(upstream) versions of both packages. Using the fedora:42 container, the 
following script works:

dnf install -y p11-kit opensc softhsm openssl pkcs11-provider
softhsm2-util --init-token --slot=0 --label=test --pin=secret-password \
  --so-pin=1234
pkcs11-tool --module=/usr/lib64/softhsm/libsofthsm.so --login \
  --pin=secret-password --keypairgen --label=binding-key --key-type=rsa:4096 \
  --usage-decrypt --usage-sign --id=1
openssl req -x509 -provider pkcs11 -passin pass:secret-password -subj /CN=Test \
  -key "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;token=test;object=binding-key;id=%01;type=private" \
  -out cert.pem

I don't see an obvious patch Fedora is carrying to make this work, and at first 
inspection the configurations look the same for p11-kit and softhsm2.
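
Added example, not part of the original report or of any of the projects involved: a small Python check that reads a gdb backtrace like the one above and reports when a thread is waiting on a lock while one PKCS#11 call into a module is nested inside another call into the same module, the pattern visible in frames #7 and #20 here. The names `parse_frames` and `analyze` are illustrative, and the sample trace is abridged from the report.

```python
import re

FRAME = re.compile(r"^#(\d+)\s+(?:0x[0-9a-f]+ in )?(\S+)\s+\(")
PKCS11_CALL = re.compile(r"^(\w+)::(C_\w+)$")  # e.g. SoftHSM::C_Login
LOCK_WAIT = ("futex_wait", "lll_lock_wait", "pthread_mutex_lock")

# Abridged from the backtrace in the report: arguments replaced by "...",
# most frames dropped, two frames left wrapped the way the mail wrapped them.
SAMPLE_BT = """\
#0  futex_wait (...) at ../sysdeps/nptl/futex-internal.h:146
#3  ___pthread_mutex_lock (...) at ./nptl/pthread_mutex_lock.c:93
#4  0x00007f9797e0ecf2 in lock_mutex (...) at
p11-kit/modules.c:276
#5  0x00007f9797d6e59a in Token::isSOLoggedIn (...) at ./src/lib/slot_mgr/Token.cpp:95
#7  0x00007f9797d07984 in SoftHSM::C_OpenSession (...) at ./src/lib/SoftHSM.cpp:1348
#14 0x00007f9797f64321 in p11prov_digest_init (...) at ../src/digests.c:279
#15 0x00007f9797d46173 in OSSLEVPHashAlgorithm::hashInit (...)
at ./src/lib/crypto/OSSLEVPHashAlgorithm.cpp:61
#19 0x00007f9797d6e8a6 in Token::loginUser (...) at ./src/lib/slot_mgr/Token.cpp:176
#20 0x00007f9797d08bab in SoftHSM::C_Login (...) at ./src/lib/SoftHSM.cpp:1472
"""

def parse_frames(bt_text):
    """Return [(frame_no, function, source)] from gdb 'bt' text, rejoining wrapped lines."""
    joined = re.sub(r"\n(?!#\d)", " ", bt_text)
    frames = []
    for line in joined.splitlines():
        m = FRAME.match(line)
        if m:
            src = re.search(r"\bat\s+(\S+:\d+)\s*$", line)
            frames.append((int(m.group(1)), m.group(2), src.group(1) if src else None))
    return frames

def analyze(bt_text):
    """Flag a thread that waits on a lock while PKCS#11 calls into one module are nested."""
    frames = parse_frames(bt_text)
    # The innermost few frames tell whether the thread is parked in a mutex wait.
    blocked = any(k in fn for _, fn, _ in frames[:4] for k in LOCK_WAIT)
    calls = [(n, m.group(1), m.group(2)) for n, fn, _ in frames
             if (m := PKCS11_CALL.match(fn))]
    # Pair each inner C_* frame with every outer C_* frame of the same module.
    nested = [(mod, inner, n_in, outer, n_out)
              for i, (n_in, mod, inner) in enumerate(calls)
              for n_out, omod, outer in calls[i + 1:] if omod == mod]
    return {"blocked_on_lock": blocked, "nested_calls": nested}

if __name__ == "__main__":
    print(analyze(SAMPLE_BT))
```
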
