Bug#1114767: Using a pkcs11 key via openssl's pkcs11 provider hangs

Andreas Metzler ametzler at bebt.de
Tue Sep 9 18:14:42 BST 2025


On 2025-09-09 Jeremy Cline <debian at jcline.org> wrote:
> Package: p11-kit
> Version: 0.25.5-3

> When I attempt to use a key stored in SoftHSM via OpenSSL's pkcs11 provider, the openssl command hangs forever. I'm trying this from a Debian sid container, but it also happens in Debian trixie and I first noticed this in an Ubuntu 24.04 instance in GitHub Actions. I'm not entirely sure if this is a p11-kit issue, or a softhsm2 issue - I've got softhsm2 2.6.1-3 installed - or something else.

> Here's the reproducer script:

> apt update && apt install -y softhsm2 openssl opensc pkcs11-provider p11-kit
> softhsm2-util --init-token --slot=0 --label=test --pin=secret-password --so-pin=1234
> pkcs11-tool --module=/usr/lib/softhsm/libsofthsm2.so --login --pin=secret-password --keypairgen --label=binding-key --key-type=rsa:4096 --usage-decrypt --usage-sign --id=1

> # this command hangs on futex
> openssl req -x509 -provider pkcs11 -passin pass:secret-password -subj /CN=Test -key "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;token=test;object=binding-key;id=%01;type=private" -out cert.pem
[...]

Hello,

Might be I am missing the obvious but I just do not see where this
involves p11-kit? Neither pkcs11-provider nor pkcs11-tool (from opensc)
nor openssl are using p11-kit afaict.

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'



More information about the Pkg-gnutls-maint mailing list