I am trying to use sbsign with netHSM (docker image at this point, while we are waiting for the delivery), however I get a crash, which looks to be a carsh in pkcs11 module provided by Nitrokey. From the netHSM logs, everything looks fine, every request is responded with 200. However, on the RUST side:

[2025-02-28T09:33:28Z DEBUG nethsm_pkcs11::backend::db::object] fill_attr_template: 0 | code : 0
[2025-02-28T09:33:28Z DEBUG nethsm_pkcs11::backend::db::object] fill_attr_template: 256 | code : 0
[2025-02-28T09:33:28Z DEBUG nethsm_pkcs11::backend::db::object] fill_attr_template: 258 | code : 0
[2025-02-28T09:33:28Z DEBUG nethsm_pkcs11::backend::db::object] fill_attr_template: 3 | code : 0
[2025-02-28T09:33:28Z DEBUG nethsm_pkcs11::backend::db::object] fill_attr_template: 3 | code : 0
[2025-02-28T09:33:28Z DEBUG nethsm_pkcs11::backend::db::object] fill_attr_template: 514 | code : 0
[2025-02-28T09:33:28Z DEBUG nethsm_pkcs11::backend::db::object] fill_attr_template: 0 | code : 0
[2025-02-28T09:33:28Z DEBUG nethsm_pkcs11::backend::db::object] fill_attr_template: 256 | code : 0
[2025-02-28T09:33:28Z DEBUG nethsm_pkcs11::backend::db::object] fill_attr_template: 258 | code : 0
[2025-02-28T09:33:28Z DEBUG nethsm_pkcs11::backend::db::object] fill_attr_template: 3 | code : 0
[2025-02-28T09:33:28Z DEBUG nethsm_pkcs11::backend::db::object] fill_attr_template: 3 | code : 0
[2025-02-28T09:33:28Z DEBUG nethsm_pkcs11::backend::db::object] fill_attr_template: 514 | code : 0
[2025-02-28T09:33:28Z DEBUG nethsm_pkcs11::backend::db::object] fill_attr_template: 0 | code : 0
[2025-02-28T09:33:28Z DEBUG nethsm_pkcs11::backend::db::object] fill_attr_template: 256 | code : 0
[2025-02-28T09:33:28Z DEBUG nethsm_pkcs11::backend::db::object] fill_attr_template: 258 | code : 0
[2025-02-28T09:33:28Z DEBUG nethsm_pkcs11::backend::db::object] fill_attr_template: 3 | code : 0
[2025-02-28T09:33:28Z DEBUG nethsm_pkcs11::backend::db::object] fill_attr_template: 3 | code : 0
[2025-02-28T09:33:28Z DEBUG nethsm_pkcs11::backend::db::object] fill_attr_template: 514 | code : 0
[2025-02-28T09:33:28Z DEBUG nethsm_pkcs11::backend::db::object] fill_attr_template: 0 | code : 0
[2025-02-28T09:33:28Z DEBUG nethsm_pkcs11::backend::db::object] fill_attr_template: 256 | code : 0
[2025-02-28T09:33:28Z DEBUG nethsm_pkcs11::backend::db::object] fill_attr_template: 258 | code : 0
[2025-02-28T09:33:28Z DEBUG nethsm_pkcs11::backend::db::object] fill_attr_template: 3 | code : 0
[2025-02-28T09:33:28Z DEBUG nethsm_pkcs11::backend::db::object] fill_attr_template: 3 | code : 0
[2025-02-28T09:33:28Z DEBUG nethsm_pkcs11::backend::db::object] fill_attr_template: 514 | code : 0
[2025-02-28T09:33:28Z DEBUG nethsm_pkcs11::backend::db::object] fill_attr_template: 288 | code : 0
[2025-02-28T09:33:28Z DEBUG nethsm_pkcs11::backend::db::object] fill_attr_template: 288 | code : 0
[2025-02-28T09:33:28Z DEBUG nethsm_pkcs11::backend::db::object] fill_attr_template: 290 | code : 0
[2025-02-28T09:33:28Z DEBUG nethsm_pkcs11::backend::db::object] fill_attr_template: 290 | code : 0
Segmentation fault (core dumped)

The key has now been created offline and tested to work with sbsign in offline (non HSM mode). However, when I import it to the netHSM and try to operate via PKCS11 engine, it crashes with SIGSEGV.

Here is the sbsign command line for reference:

sbsign --engine pkcs11 --key 6334383634623630306237313736316663323134 --cert sign.crt --detached vmlinuz-6.8.0-52-generic

openssl.cnf

openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib/x86_64-linux-gnu/engines-3/libpkcs11.so
MODULE_PATH = /usr/lib/x86_64-linux-gnu/pkcs11/libnethsm_pkcs11.so

p11nethsm.conf

log_file: /tmp/p11nethsm.log

log_level: Trace

enable_set_attribute_value: false

slots:

• label: LocalHSM
  description: Local HSM (docker)
  operator:
  username: “b8572ac6d875df03add8”
  password: “mytestpassword”
  administrator:
  username: “admin”
  password: “Administrator”
  instances:
  • url: “https://mycorrecthost:8443/api/v1”
    max_idle_connections: 16
    danger_insecure_cert: true

    sha256_fingerprints:

    - “31:92:8E:A4:5E:16:5C:A7:33:44:E8:E9:8E:64:C4:AE:7B:2A:57:E5:77:43:49:F3:69:C9:8F:C4:2F:3A:3B:6E”

  retries:
  count: 10
  delay_seconds: 1
  timeout_seconds: 10

Could someone please advice? I will be more than happy to provide more logs and run more experiments if required.

For the benefit of others who may encounter the same issue, I would like to clarify that the problem is not inherently caused by the Nitrokey software. Instead, the issue arises from the fact that SBSIGN relies on low-level APIs from OpenSSL, many of which have been deprecated.

One potential workaround is to revert to OpenSSL 1.1.1 along with compatible tooling. However, this approach is questionable, as reverting to an older software version introduces inherent security and compatibility concerns. An alternative solution would be to rewrite SBSIGN to ensure compatibility with the latest OpenSSL versions.