nodejs / node

Node.js JavaScript runtime ✨🐢🚀✨
https://nodejs.org

tls.connect error with PKCS#11 #41644

Open micaelmbagira opened 2 years ago

micaelmbagira commented 2 years ago

Version

16.13.1

Platform

arm9

Subsystem

imx6 with Trusted Platform Module

What steps will reproduce the bug?

The issue happens when

How often does it reproduce? Is there a required condition?

The initial connection works fine but after ~1 hour, mqtt reconnects to the server using tls.connect again with the same options as for the initial connection.

What is the expected behavior?

The secure connection should be established with the given certificates.

What do you see instead?

Unable to check if already logged in
Login failed
Login to token failed, returning NULL...
PKCS11_get_private_key returned NULL
node:internal/tls/secure-context:196
        context.setEngineKey(privateKeyIdentifier, privateKeyEngine);
                ^

Error: error:820780B1:PKCS#11 module:pkcs11_open_session:Session count
    at configSecureContext (node:internal/tls/secure-context:196:17)
    at Object.createSecureContext (node:_tls_common:116:3)
    at Object.connect (node:_tls_wrap:1621:48)
    at Object.buildBuilder (/home/node/node_modules/mqtt/lib/connect/tls.js:17:20)
    at MqttClient.wrapper [as streamBuilder] (/home/node/node_modules/mqtt/lib/connect/index.js:154:36)
    at MqttClient._setupStream (/home/node/node_modules/mqtt/lib/client.js:298:22)
    at MqttClient._reconnect (/home/node/node_modules/mqtt/lib/client.js:938:10)
    at Timeout.<anonymous> (/home/node/node_modules/mqtt/lib/client.js:958:12)
    at listOnTimeout (node:internal/timers:557:17)
    at processTimers (node:internal/timers:500:7) {
  opensslErrorStack: [
    'error:26096080:engine routines:ENGINE_load_private_key:failed loading private key',
    'error:820780B1:PKCS#11 module:pkcs11_open_session:Session count'
  ],
  library: 'PKCS#11 module',
  function: 'pkcs11_open_session',
  reason: 'Session count',
  code: 'ERR_OSSL_SESSION_COUNT'
}

Additional information

No response

bnoordhuis commented 2 years ago

Since no one replied so far... can you try whittling this down to a minimal test case, like calling tls.connect() in a loop?

My hunch is that this is a problem with the PKCS#11 plugin you're using to make your keys and certificates available, not node, but there's currently not enough information to say for sure.