test-certificate failed using SoftHSM

[Sangeetha-E]

Hi,

While running the tests, I encountered the following issue.

Initializing pkcs11-helper
Registering pkcs11-helper hooks
Adding provider '/usr/lib/softhsm/libsofthsm2.so'
Please remove all tokens, press <Enter>: Enumerating token certificate (list should be empty, no prompt)
Please insert token, press <Enter>: No certificates found - 0 - CKR_OK
Getting certificate cache, should be available certificates
FAIL test-certificate (exit status: 1)

Here are the steps I followed to run the tests:

./configure  --enable-tests --with-test-provider=/usr/lib/softhsm/libsofthsm2.so --enable-debug
make
make check

Kindly give me suggestions to solve this issue.

[alonbl]

Is the certificate object public?

[Sangeetha-E]

Sorry. I am not familiar with the concept. I am unsure about the process of creating a public certificate. Could you kindly provide me with the necessary steps and guidance on how to create a public certificate?

[alonbl]

Please dump the content of the token using opensc pkcs11-tool list objects, make sure tha the CKO_CERTIFICATE object available and has the same CKA_ID of the CKO_PRIVATE_KEY object's CKA_ID. Please also make sure that the CKO_CERTIFICATE object is set as CKA_PRIVATE=FALSE, this way access will be permitted without authentication. Please contact someone who can help you set everything up and reopen issue if you are sure these settings are correct and attach the output of the dump.

[Sangeetha-E]

I have implemented the settings as per your instructions. But, I continue to encounter the same issue. For your reference, I have attached a document detailing the steps taken and the log files. Please consider reviewing and rectifying any errors I may have made.

pkcs11-helper-with-softhsm2.txt

[alonbl]

Hi, The certificate looks OK, however, you dumped the token content without login so I cannot see the private objects. Oh, you are using /usr/lib/softhsm/libsofthsm2.so to test, it does not support slot events[1], you cannot use the unit test to test it. What application you want to use? Maybe better to skip this unit test and go ahead and try to use it. Alon

[1] https://github.com/opendnssec/SoftHSMv2/issues/370

[Sangeetha-E]

Hi Thank you for your prompt response. Is there any way to test this package without real hardware?

[alonbl]

Testing is not trivial. You should first make sure your token content is correct by dumping with login. You should not use sudo at all, please see [1], use SOFTHSM2_CONF and define your own user configuration. You can specify --with-test-log-level=255 to see some more logs in test-certificate which should pass if you set up everything correctly.

[1] https://man.archlinux.org/man/softhsm2.conf.5.en#SOFTHSM2_CONF

[Sangeetha-E]

Thank you for your recommendation. I will certainly give it a try.

[Sangeetha-E]

I followed your suggestions, but I am still encountering the same issue. I have attached the log for your reference, and I kindly request your assistance in reviewing it to confirm if this is the expected result.

test-certificate.log

Here are the steps I've taken as per your suggestions:

1. I set the SOFTHSM2_CONF environment variable as you suggested. This allowed me to run test programs without needing to use sudo.
2. I also reconfigured SoftHSM2 with the --with-test-log-level=255 option.

One thing to note about SoftHSM2 is that it behaves like this:

• Initially, SoftHSM2 has Slot 0.
• When I initialize a token for a slot, it changes the slot number.
• If the token has been initialized and is reassigned to a slot with a different number (e.g., 138779972), Slot 1 is created. This process continues incrementally.

Here's a sample log:

$ softhsm2-util --show-slots
Available slots:
Slot 138779972
    Slot info:
        Description:      SoftHSM slot ID 0x8459d44                                       
        Manufacturer ID:  SoftHSM project                 
        Hardware version: 2.5
        Firmware version: 2.5
        Token present:    yes
    Token info:
        Manufacturer ID:  SoftHSM project                 
        Model:            SoftHSM v2      
        Hardware version: 2.5
        Firmware version: 2.5
        Serial number:    42042b5808459d44
        Initialized:      yes
        User PIN init.:   yes
        Label:            MyToken                         
Slot 611509298
    Slot info:
        Description:      SoftHSM slot ID 0x2472e432                                      
        Manufacturer ID:  SoftHSM project                 
        Hardware version: 2.5
        Firmware version: 2.5
        Token present:    yes
    Token info:
        Manufacturer ID:  SoftHSM project                 
        Model:            SoftHSM v2      
        Hardware version: 2.5
        Firmware version: 2.5
        Serial number:    8966120c2472e432
        Initialized:      yes
        User PIN init.:   yes
        Label:            MyToken                         
Slot 2
    Slot info:
        Description:      SoftHSM slot ID 0x2                                             
        Manufacturer ID:  SoftHSM project                 
        Hardware version: 2.5
        Firmware version: 2.5
        Token present:    yes
    Token info:
        Manufacturer ID:  SoftHSM project                 
        Model:            SoftHSM v2      
        Hardware version: 2.5
        Firmware version: 2.5
        Serial number:                    
        Initialized:      no
        User PIN init.:   no
        Label:                                            

Ref: https://github.com/opendnssec/SoftHSMv2/issues/334

[selvanair]

The test-certificate test would never succeed with softhsm2 as it first asks you to remove all tokens and expects to find zero certificates at that point. This is not possible with softhsm.

However, one can still use it as a manual test by running at a high log level as you have done --- it would then print the DN of all certificates found before erroring out with "No certificates should be found". This works for me. The uninitialized slot automatically created by softhsm2 is not a problem.

In your case, even this initial scanning finds no objects. For the two initialized slots in the token, logs show zero objects found: PKCS#11: _pkcs11h_session_findObjects return rv=0-'CKR_OK', *p_objects_found=0. Please confirm that pkcs11-tool --module /usr/lib/softhsm/libsofthsm2.so --list-objects (run without sudo) does list your certificates with the new SOFTHSM2_CONF setting active.