Hi Andreas, On Tue, Sep 9, 2025, at 1:14 PM, Andreas Metzler wrote: > On 2025-09-09 Jeremy Cline <[email protected]> wrote: >> Package: p11-kit >> Version: 0.25.5-3 > >> When I attempt to use a key stored in SoftHSM via OpenSSL's pkcs11 provider, >> the openssl command hangs forever. I'm trying this from a Debian sid >> container, but it also happens in Debian trixie and I first noticed this in >> a Ubuntu 24.04 instance in GitHub actions. I'm not entirely sure if this is >> a p11-kit issue, or a softhsm2 issue - I've got softhsm2 2.6.1-3 installed - >> or something else. > >> Here's the reproducer script: > >> apt update && apt install -y softhsm2 openssl opensc pkcs11-provider p11-kit >> softhsm2-util --init-token --slot=0 --label=test --pin=secret-password >> --so-pin=1234 >> pkcs11-tool --module=/usr/lib/softhsm/libsofthsm2.so --login >> --pin=secret-password --keypairgen --label=binding-key --key-type=rsa:4096 >> --usage-decrypt --usage-sign --id=1 > >> # this command hangs on futex >> openssl req -x509 -provider pkcs11 -passin pass:secret-password -subj >> /CN=Test -key >> "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;token=test;object=binding-key;id=%01;type=private" >> -out cert.pem > [...] > > Hello, > > Might be I am missing the obvious but I just do not see where this > involves p11-kit? Neither pkcs11-provider nor pkcs11-tool (from opensc) > nor openenssl are using p11-kit afaict. >
Thanks for taking a look. I don't think you're missing the obvious, I'm afraid. I don't know which piece of this puzzle isn't working, or even how all the components work together internally. I guessed p11-kit purely based on the 4th frame in the stack, but it could also be a SoftHSM, OpenSSL, or pkcs11-provider issue. Fedora ships mostly the same versions and works which makes me think it's either a patch being carried or some system configuration I'm missing. What I do know is if you don't install p11-kit on Debian, the openssl command fails as follows: root@cc0bb8b7f986:/# openssl req -x509 -provider pkcs11 -passin pass:secret-password -subj /CN=Test -key "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;token=test;object=binding-key;id=%01;type=private" -out cert.pem Could not open file or uri for loading private key from pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;token=test;object=binding-key;id=%01;type=private 4057C6AD917F0000:error:1608010C:STORE routines:inner_loader_fetch:unsupported:../crypto/store/store_meth.c:363:No store loader found. For standard store loaders you need at least one of the default or base providers available. Did you forget to load them? Info: Global default library context, Scheme (file : 0), Properties (<null>) 4057C6AD917F0000:error:40000005:pkcs11:p11prov_ctx_status:General Error:../src/provider.c:488:Module initialization failed! Cheers, Jeremy
