Description of problem:
I have generated a SoftHSM2-backed key called ecc on token DNS. However, I cannot access the token unless I provide pin-value. I want to use pin-source. One problem is that it does not properly parse the PKCS#11 URI. Moreover, it crashes when it fails.

Version-Release number of selected component (if applicable):
rpm -q openssl-pkcs11 softhsm openssl
openssl-pkcs11-0.4.8-2.fc29.x86_64
openssl-pkcs11-0.4.8-2.fc29.i686
softhsm-2.5.0-2.fc29.x86_64
openssl-1.1.1a-1.fc29.x86_64

How reproducible:
always

Steps to Reproduce:
1. p11tool --list-all 'pkcs11:token=DNS;object=ecc?pin-source=/etc/named/pkcs11-pin'
2. openssl dgst -hex -engine pkcs11 -keyform engine -sign 'pkcs11:token=DNS;object=ecc?pin-source=/etc/named/pkcs11-pin' /etc/redhat-release
3.

Actual results:
# p11tool
Object 0:
        URL: pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=0e7082540070b451;token=DNS;object=ecc;type=public
        Type: Public key (EC/ECDSA-SECP384R1)
        Label: ecc
        Flags: CKA_WRAP/UNWRAP;
        ID:

# openssl dgst -hex -engine pkcs11 -keyform engine -sign 'pkcs11:token=DNS;object=ecc?pin-source=/etc/named/pkcs11-pin' /etc/redhat-release
engine "pkcs11" set.
The key ID is not a valid PKCS#11 URI
The PKCS#11 URI format is defined by RFC7512
The key ID is not a valid PKCS#11 URI
The PKCS#11 URI format is defined by RFC7512
PKCS11_get_private_key returned NULL
cannot load key file from engine
140412282758976:error:80065064:pkcs11 engine:ctx_load_key:invalid id:eng_back.c:636:
140412282758976:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:crypto/engine/eng_pkey.c:78:
unable to load key file
Neoprávněný přístup do paměti (SIGSEGV) (core dumped [obraz paměti uložen])

Expected results:
# Same output as command
# openssl dgst -hex -engine pkcs11 -keyform engine -sign "pkcs11:token=DNS;object=ecc?pin-value=$(cat /etc/named/pkcs11-pin)" /etc/redhat-release
engine "pkcs11" set.
EC-SHA256(/etc/redhat-release)= 3065023079d08cc0918a977d7e9172fc7840616295a47ee5a5639f2acd784c6db725b5d81a40fae548e1875a9c503a683532d284023100bbddaec466be3eff9bde7504195429e1f0275b8b96d47001e04b3f7fbd3b33b0b3266cd3004f5041ebdc83354a3167ef

Additional info:
It seems this is related to the long closed issue [1]. It was not fixed as well as it should have been. Another issue is that SoftHSM does not accept pin-value, so they are now mutually incompatible. I would like to eventually remove support for native PKCS#11 from the named-pkcs11 special build and handle all tokens from OpenSSL. But this issue prevents reuse of keys created by dnssec-keyfromlabel. This tool stores the used pkcs11 URI in the private key. In order to use such keys, OpenSSL has to accept the same parameters. A PIN from a file might be a security issue, but in the other case it would be stored in each private key. Moreover, it crashes.

1. https://github.com/OpenSC/engine_pkcs11/issues/28
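For reference, an added example (not libp11 or openssl-pkcs11 code) of how an RFC 7512 parser can accept both query forms from the report: path attributes (`token`, `object`) are split on `;`, query attributes on `&`, every value is percent-decoded, `pin-value` or `pin-source` is resolved from the query, and malformed input raises instead of dereferencing a NULL result. The temporary file name and the PIN `1234` are constructed for the demo.

```python
# Added example (not libp11 code): an RFC 7512 PKCS#11 URI parser that
# understands both pin-value and pin-source, rejecting malformed input
# with an exception instead of crashing.  File name and PIN below are
# constructed assumptions.
import os
import stat
from urllib.parse import unquote

def _split_attrs(part, sep):
    """Split 'k=v<sep>k=v' into a dict, percent-decoding each value."""
    attrs = {}
    for item in (part.split(sep) if part else []):
        key, eq, value = item.partition("=")
        if not eq or not key:
            raise ValueError("malformed attribute: %r" % item)
        attrs[key] = unquote(value)
    return attrs

def parse_pkcs11_uri(uri):
    """Return (path_attrs, query_attrs) for a pkcs11: URI."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a PKCS#11 URI: %r" % uri)
    path, _, query = uri[len("pkcs11:"):].partition("?")
    return _split_attrs(path, ";"), _split_attrs(query, "&")

def read_pin_file(path):
    """Read the first line of a PIN file; refuse group/world-accessible files."""
    if path.startswith("file:"):
        path = path[len("file:"):]
    if os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError("%s is group/world accessible" % path)
    with open(path, encoding="utf-8") as fh:
        return fh.readline().rstrip("\r\n")

def resolve_pin(query, reader=read_pin_file):
    """pin-value takes precedence; else read pin-source; else no PIN."""
    if "pin-value" in query:
        return query["pin-value"]
    if "pin-source" in query:
        return reader(query["pin-source"])
    return None

if __name__ == "__main__":
    import tempfile
    with tempfile.NamedTemporaryFile("w", delete=False) as fh:
        fh.write("1234\n")  # constructed demo PIN; file is created 0600
    uri = "pkcs11:token=DNS;object=ecc?pin-source=" + fh.name
    path_attrs, query_attrs = parse_pkcs11_uri(uri)
    print(path_attrs, resolve_pin(query_attrs))
    os.unlink(fh.name)
```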
I can reproduce both issues (missing 'pin-source' parser and crash at the end). I opened an issue upstream to track this [0]. [0] https://github.com/OpenSC/libp11/issues/273
David, do you remember why pin-source was not handled originally in the code?
Upstream fix: https://github.com/OpenSC/libp11/pull/309
FEDORA-2019-8beaeedf08 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-8beaeedf08
FEDORA-2019-6b0df61357 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-6b0df61357
FEDORA-2019-747809e4c5 has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2019-747809e4c5
openssl-pkcs11-0.4.10-3.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-747809e4c5
openssl-pkcs11-0.4.10-3.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-6b0df61357
openssl-pkcs11-0.4.10-3.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-8beaeedf08
openssl-pkcs11-0.4.10-3.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.
openssl-pkcs11-0.4.10-3.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.
openssl-pkcs11-0.4.10-3.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.