Bug#1114767: Using a pkcs11 key via openssl's pkcs11 provider hangs

Jeremy Cline debian at jcline.org
Tue Sep 9 19:01:44 BST 2025


Hi Andreas,

On Tue, Sep 9, 2025, at 1:14 PM, Andreas Metzler wrote:
> On 2025-09-09 Jeremy Cline <debian at jcline.org> wrote:
>> Package: p11-kit
>> Version: 0.25.5-3
>
>> When I attempt to use a key stored in SoftHSM via OpenSSL's pkcs11 provider, the openssl command hangs forever. I'm trying this from a Debian sid container, but it also happens in Debian trixie and I first noticed this in an Ubuntu 24.04 instance in GitHub actions. I'm not entirely sure if this is a p11-kit issue, or a softhsm2 issue - I've got softhsm2 2.6.1-3 installed - or something else.
>
>> Here's the reproducer script:
>
>> apt update && apt install -y softhsm2 openssl opensc pkcs11-provider p11-kit
>> softhsm2-util --init-token --slot=0 --label=test --pin=secret-password --so-pin=1234
>> pkcs11-tool --module=/usr/lib/softhsm/libsofthsm2.so --login --pin=secret-password --keypairgen --label=binding-key --key-type=rsa:4096 --usage-decrypt --usage-sign --id=1
>
>> # this command hangs on futex
>> openssl req -x509 -provider pkcs11 -passin pass:secret-password -subj /CN=Test -key "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;token=test;object=binding-key;id=%01;type=private" -out cert.pem
> [...]
>
> Hello,
>
> Might be I am missing the obvious but I just do not see where this
> involves p11-kit? Neither pkcs11-provider nor pkcs11-tool (from opensc)
> nor openssl are using p11-kit afaict.
>

Thanks for taking a look. I don't think you're missing the obvious, I'm afraid. I don't know which piece of this puzzle isn't working, or even how all the components work together internally. I guessed p11-kit purely based on the 4th frame in the stack, but it could also be a SoftHSM, OpenSSL, or pkcs11-provider issue. Fedora ships mostly the same versions and works, which makes me think it's either a patch being carried or some system configuration I'm missing.

What I do know is if you don't install p11-kit on Debian, the openssl command fails as follows:

root at cc0bb8b7f986:/# openssl req -x509 -provider pkcs11 -passin pass:secret-password -subj /CN=Test -key "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;token=test;object=binding-key;id=%01;type=private" -out cert.pem
Could not open file or uri for loading private key from pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;token=test;object=binding-key;id=%01;type=private
4057C6AD917F0000:error:1608010C:STORE routines:inner_loader_fetch:unsupported:../crypto/store/store_meth.c:363:No store loader found. For standard store loaders you need at least one of the default or base providers available. Did you forget to load them? Info: Global default library context, Scheme (file : 0), Properties (<null>)
4057C6AD917F0000:error:40000005:pkcs11:p11prov_ctx_status:General Error:../src/provider.c:488:Module initialization failed!

Cheers,
Jeremy
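The `pkcs11:` URI passed to `-key` in the reproducer follows RFC 7512 (path attributes separated by `;`, percent-encoded values, optional `?` query part). As an added example, not code from this report or from any of the packages it mentions, a small parser that decodes the URI's attributes so one can confirm exactly which token and object the command is asking the provider to open; `describe_object` is a helper introduced here for that purpose.

```python
from urllib.parse import unquote_to_bytes

# The key URI from the reproducer in the report above.
REPORT_URI = ("pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;"
              "token=test;object=binding-key;id=%01;type=private")

# RFC 7512 attributes whose values are raw bytes rather than text;
# CKA_ID is the only one this example treats as binary.
BINARY_ATTRS = {"id"}


def _split_attrs(segment: str, sep: str) -> dict:
    """Split 'name=value' pairs on sep and percent-decode each value."""
    attrs = {}
    if not segment:
        return attrs
    for part in segment.split(sep):
        name, eq, value = part.partition("=")
        if not eq or not name:
            raise ValueError(f"malformed attribute: {part!r}")
        raw = unquote_to_bytes(value)
        attrs[name] = raw if name in BINARY_ATTRS else raw.decode("utf-8")
    return attrs


def parse_pkcs11_uri(uri: str) -> dict:
    """Return {'path': {...}, 'query': {...}} for an RFC 7512 pkcs11: URI."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path, _, query = uri[len("pkcs11:"):].partition("?")
    return {"path": _split_attrs(path, ";"), "query": _split_attrs(query, "&")}


def describe_object(uri: str) -> str:
    """One-line summary of the token and object the URI selects."""
    p = parse_pkcs11_uri(uri)["path"]
    key_id = "0x" + p["id"].hex() if "id" in p else "<none>"
    return (f"token={p.get('token', '<any>')} object={p.get('object', '<any>')} "
            f"id={key_id} type={p.get('type', '<any>')}")


if __name__ == "__main__":
    # For the report's URI this prints the single-byte CKA_ID 0x01,
    # matching the --id=1 given to pkcs11-tool when the key was generated.
    print(describe_object(REPORT_URI))
```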