When using openssl with pkcs11-provider to sign something using softhsm with the db-backend, OpenSSL fails with:
```
+ openssl cms -sign -inkey 'pkcs11:token=store;object=test;pin-value=1111' -signer /openssl_error/files/cert.pem -in /openssl_error/files/test.input -out /openssl_error/files/test.output
Error writing CMS output
4097AC5EB97F0000:error:0200008C:rsa routines:RSA_setup_blinding:no public exponent:../crypto/rsa/rsa_crpt.c:139:
```
This does not happen if the files backend in softhsm is used to sign the file.
To Reproduce
I created the following shell script to reproduce the bug: testcase.sh
It was tested with softhsm 2.7.0, with db-backend enabled.
Applications used
- Device: softhsm 2.7.0 (also 2.6.1)
- PKCS11 Driver version: pkcs11-provider 1.2 (also 1.1 and 1.0)
- Application: openssl 3.5.5 (also 3.5.4)
Specification
The relevant part of the spec seems to be https://docs.oasis-open.org/pkcs11/pkcs11-spec/v3.2/pkcs11-spec-v3.2.html#_Toc195693098
As a general guideline, private keys of any type SHOULD store sufficient information to retrieve the public key information. In particular, the RSA private key description has been modified in PKCS#11 V2.40 to add the CKA_PUBLIC_EXPONENT to the list of attributes required for an RSA private key. All other private key types described in this specification contain sufficient information to recover the associated public key.
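
Why a missing public exponent stops an RSA signature at the blinding step, as an added example (not code from this issue, OpenSSL, softhsm or pkcs11-provider): blinding multiplies the input by r^e before the private operation, so e must be stored with the key or be derivable from d, p and q. The key below is a constructed toy key, and `blinded_sign`, `recover_e` and `NoPublicExponent` are hypothetical names.

```python
import math
import secrets

# Constructed toy RSA key (far too small for real use): n = p * q
P, Q = 61, 53
N = P * Q          # 3233
E = 17             # public exponent
D = 2753           # private exponent, E * D == 1 mod (P-1)(Q-1)


class NoPublicExponent(Exception):
    """Hypothetical error for a key with no usable public exponent."""


def recover_e(d, p, q):
    # e is the inverse of d modulo (p-1)(q-1). This only works when the
    # private values are readable by the caller (assumption: not the case
    # for a sensitive key held inside a token).
    return pow(d, -1, (p - 1) * (q - 1))


def blinded_sign(m, n, d, e=None, p=None, q=None):
    """Raw RSA private operation on m with multiplicative blinding."""
    if e is None:
        if p is None or q is None:
            # Nothing to build the blinding factor r^e from.
            raise NoPublicExponent("no public exponent")
        e = recover_e(d, p, q)

    # Pick a random blinding value r that is invertible modulo n.
    while True:
        r = secrets.randbelow(n - 2) + 2
        if math.gcd(r, n) == 1:
            break

    blinded = (m * pow(r, e, n)) % n      # m * r^e
    s_blinded = pow(blinded, d, n)        # (m * r^e)^d = m^d * r  (mod n)
    return (s_blinded * pow(r, -1, n)) % n  # strip r, leaving m^d


if __name__ == "__main__":
    msg = 65  # constructed sample input, already reduced modulo n
    sig = blinded_sign(msg, N, D, e=E)
    print("signature verifies:", pow(sig, E, N) == msg)
    try:
        blinded_sign(msg, N, D)  # private key object without e, p, q
    except NoPublicExponent as exc:
        print("blinding failed:", exc)
```
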