openssl engine pkcs11 signing does not invoke C_CloseAllSessions/C_CloseSession call #583

Open
jamyam opened this issue Mar 3, 2025 · 0 comments

jamyam commented Mar 3, 2025

We are using the Utimaco Security server simulator for our secure image signing. During our regression test, we observe that openssl engine -> pkcs11.so does not invoke the pkcs11 C_CloseAllSessions/C_CloseSession call, causing the server to exceed the connection limit. Looking at the libp11 signing code, I do not see a C_CloseAllSessions/C_CloseSession call. Please check and confirm this issue.

// An openssl command example:
openssl rand 1024 > ~/fip.bin
openssl dgst -engine pkcs11 -sign "pkcs11:token=CryptoServer PKCS11 Token;object=MCU_SecureImage_SigningKey00;type=private" -keyform engine -sha256 -out ~/fip.bin.sig ~/fip.bin; xxd ~/fip.bin.sig

// pkcs11 log from the server side
03.03.2025 08:53:30.729 | [00353860:00353860] C_FindObjectsInit | T: enter C_FindObjectsInit(hSession: 0x00000001, pTemplate: CK_ATTRIBUTE[2])
03.03.2025 08:53:30.729 | [00353860:00353860] C_FindObjectsInit | T: Attributes in: 2
CKA_CLASS:
CKA_ID:
03.03.2025 08:53:30.729 | [00353860:00353860] C_FindObjectsInit | T: leave C_FindObjectsInit()
03.03.2025 08:53:30.729 | [00353860:00353860] C_FindObjects | T: enter C_FindObjects(hSession: 0x00000001, ulMaxObjectCount: 0x00000001)
03.03.2025 08:53:30.729 | [00353860:00353860] C_FindObjects | T: leave C_FindObjects()
03.03.2025 08:53:30.729 | [00353860:00353860] C_FindObjectsFinal | T: enter C_FindObjectsFinal(hSession: 0x00000001)
03.03.2025 08:53:30.729 | [00353860:00353860] C_FindObjectsFinal | T: leave C_FindObjectsFinal()
03.03.2025 08:53:30.729 | [00353860:00353860] C_GetSessionInfo | T: enter C_GetSessionInfo(hSession: 0x00000001)
03.03.2025 08:53:30.729 | [00353860:00353860] C_GetSessionInfo | T: leave C_GetSessionInfo()
03.03.2025 08:53:30.729 | [00353860:00353860] C_SignInit | T: enter C_SignInit(hSession: 0x00000001, pMechanism: CKM_ECDSA (0x1041), hKey: 0x00000001)
03.03.2025 08:53:30.729 | [00353860:00353860] C_SignInit | T: leave C_SignInit()
03.03.2025 08:53:30.729 | [00353860:00353860] C_Sign | T: enter C_Sign(hSession: 0x00000001)
03.03.2025 08:53:30.730 | [00353860:00353860] C_Sign | T: leave C_Sign()

jamyam changed the title from "openssl engine pkcs11 signing does not invoke C_CloseAllSessions/C_CloseAllSessions call" to "openssl engine pkcs11 signing does not invoke C_CloseAllSessions/C_CloseSession call" on Mar 3, 2025
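A way to check a server-side trace like the one above for sessions that are used but never closed, as an added example that is not part of the original issue or of libp11. It assumes that C_CloseSession and C_CloseAllSessions are logged in the same "enter" format as the calls shown, and that the first bracketed number identifies the client; the `00353999` lines in the sample are constructed.

```python
import re
from collections import defaultdict

# "enter" lines in the format shown in the issue, e.g.
# 03.03.2025 08:53:30.729 | [00353860:00353860] C_Sign | T: enter C_Sign(hSession: 0x00000001)
ENTER = re.compile(
    r"\|\s*\[(?P<client>\d+):\d+\]\s+(?P<fn>C_\w+)\s*\|"
    r"\s*T: enter (?P=fn)\((?P<args>.*)\)\s*$"
)
HSESSION = re.compile(r"hSession:\s*(0x[0-9A-Fa-f]+)")


def unclosed_sessions(lines):
    """Return {client id: sorted session handles} used but never closed."""
    live = defaultdict(set)
    for line in lines:
        m = ENTER.search(line)
        if not m:
            continue  # "leave" lines, attribute dumps, blank lines
        client, fn = m["client"], m["fn"]
        if fn == "C_CloseAllSessions":
            # Simplification: treated as closing every session of this
            # client, without tracking which slot the call names.
            live[client].clear()
            continue
        h = HSESSION.search(m["args"])
        if not h:
            continue
        if fn == "C_CloseSession":
            live[client].discard(h.group(1))
        else:
            live[client].add(h.group(1))
    return {c: sorted(s) for c, s in live.items() if s}


# First four lines are from the issue; the 00353999 lines are constructed.
SAMPLE_LOG = """\
03.03.2025 08:53:30.729 | [00353860:00353860] C_SignInit | T: enter C_SignInit(hSession: 0x00000001, pMechanism: CKM_ECDSA (0x1041), hKey: 0x00000001)
03.03.2025 08:53:30.729 | [00353860:00353860] C_SignInit | T: leave C_SignInit()
03.03.2025 08:53:30.729 | [00353860:00353860] C_Sign | T: enter C_Sign(hSession: 0x00000001)
03.03.2025 08:53:30.730 | [00353860:00353860] C_Sign | T: leave C_Sign()
03.03.2025 08:53:31.100 | [00353999:00353999] C_Sign | T: enter C_Sign(hSession: 0x00000002)
03.03.2025 08:53:31.101 | [00353999:00353999] C_Sign | T: leave C_Sign()
03.03.2025 08:53:31.102 | [00353999:00353999] C_CloseSession | T: enter C_CloseSession(hSession: 0x00000002)
03.03.2025 08:53:31.102 | [00353999:00353999] C_CloseSession | T: leave C_CloseSession()
""".splitlines()

if __name__ == "__main__":
    for client, handles in unclosed_sessions(SAMPLE_LOG).items():
        print(f"client {client}: no close seen for {', '.join(handles)}")
```

Run over a full regression-test trace, the per-client count of leftover handles shows whether the connection limit is being consumed by sessions that were never closed.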