"The specified key handle is not valid" error unless pkcs11-module-load-behavior = early #419
Comments
Looks like a duplicate of #352 honestly, do you have any other data that would identify this as a different issue?
Could be related to issues we are investigating in #395 as well ..
I see no mention of the issue in #395 disappearing with early loading. You also seem to be not able to reproduce that other issue.
Sorry, vacation time robbed me of the bandwidth to follow-up on this.
qpid-proton seem to have huge dependencies, but even after installing everything in a rawhide container I get this when running make:
A smaller reproducer would be easier to deal with ...
@a3f I believe this should be fixed now in main with the last three PRs that land, so closing. Feel free to reopen if you still see any issue.
Sorry, I have been planning to reproduce this in a Fedora container, but haven't had the time yet.
I can confirm that starting with commit 52929d5 ("signature: Do not check mechanisms on nonexisting slots") merged in #453, this issue isn't reproducible anymore.
Describe the bug
qpid-proton uses client certificates/keys located in PEM files by default. When attempting to use a PKCS#11 URI for the private key instead, whether by encoding it into a PEM file or by patching Proton to use the PROVIDER API, the `connect_config_test` [1] test in Proton fails, unless early loading is enabled. Other tests don't suffer from this issue.

The issue is similar to #352 in that it disappears when `pkcs11-module-load-behavior = early` is set in the OpenSSL config.

To Reproduce
Expected behavior
The test should succeed like it does with early loading enabled:
Operating environment:
Token and application used:
Additional Context:
A reproducer that builds both pkcs11-provider and qpid-proton and runs the test to trigger the issue is available at: https://github.com/a3f/pkcs11-provider-qpid-proton-bug-reproduction
Footnotes
[1] The test was modified to accept the certificate path or PKCS#11 URI via environment variable
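
Where the workaround named in this issue goes, as an added example that is not part of the original report or of the project's own files: a minimal OpenSSL configuration that activates pkcs11-provider with early module loading. The two file paths are assumptions; substitute the locations of the provider and the PKCS#11 module on your system.

```ini
# openssl.cnf fragment (added example; paths below are assumed, not from the issue)
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

[provider_sect]
default = default_sect
pkcs11 = pkcs11_sect

[default_sect]
activate = 1

[pkcs11_sect]
# Path to the pkcs11-provider shared object (assumed location)
module = /usr/lib64/ossl-modules/pkcs11.so
# PKCS#11 module backing the token (assumed location)
pkcs11-module-path = /usr/lib64/pkcs11/libsofthsm2.so
# Workaround from this issue: initialize the PKCS#11 module when the
# provider is loaded instead of on first use
pkcs11-module-load-behavior = early
activate = 1
```

Per the thread, builds that include commit 52929d5 no longer need this setting to avoid the error.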