engine causes segmantation fault #2

Closed
jetbee opened this issue Dec 1, 2021 · 5 comments

Comments

jetbee commented Dec 1, 2021

Hello,
Thanks for the great work.

I've tried to use this engine.
At first, I examined your nginx example.
I followed the sequence in the document.
Then it caused a Segmentation Fault.
Is my procedure wrong?
Thanks.

  • If I run the command with $1 (as documented), it causes the error below:

```
root@tubuntu:~# openssl req -new -x509 -engine e_akv -keyform engine -key vault:$1:test-rsa-key -out cert.pem
engine "e_akv" set.
cannot load Private Key from engine
139940651017536:error:8010E102:lib(128):akv_load_key_cert:parse key id error:/usr/local/src/AzureKeyVaultManagedHSMEngine-main/src/dllmain.c:177:
139940651017536:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:../crypto/engine/eng_pkey.c:77:
unable to load Private Key
```

  • Does $1 point to the HSM name?
  • Then, replacing $1 with the HSM name causes a Segmentation Fault:

```
root@tubuntu:~# openssl req -new -x509 -engine e_akv -keyform engine -key vault:managed-hsm-for-tsa:test-rsa-key -out cert.pem
engine "e_akv" set.
Segmentation fault (core dumped)
```
liupums commented Dec 2, 2021

In the engine, vault is for Azure Key Vault. If you created a key in HSM, please use managedHsm as the prefix. I am adding the Managed HSM example soon.

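The key id format discussed above (a prefix, a vault or HSM name, and a key name separated by ':') is easy to get wrong, as the empty `$1` in the first report shows. The following added example is not the e_akv engine's own code: it is a defensive parser for that string which reports a clear error on every malformed input instead of continuing with a half-parsed id. The size bound, the struct layout, the exact-case prefix match and the rejection of extra ':' segments are assumptions made for this illustration.

```c
/* Added example, not the e_akv engine's own code: a defensive parser for
 * the key id given after "-key", in the two forms named in this thread:
 *   vault:<vault-name>:<key-name>  and  managedHsm:<hsm-name>:<key-name>
 * The size bound, struct layout, exact-case prefix match and rejection of
 * extra ':' segments are assumptions made for this illustration. */
#include <stddef.h>
#include <string.h>

#define AKV_NAME_MAX 64          /* assumed upper bound on a name segment */
enum akv_type { AKV_TYPE_VAULT = 1, AKV_TYPE_MANAGED_HSM = 2 };
struct akv_key_id {
    enum akv_type type;
    char vault[AKV_NAME_MAX];    /* vault or HSM name */
    char key[AKV_NAME_MAX];      /* key name */
};

/* Copy exactly len bytes of s into dst; empty or over-long segments fail. */
static int copy_segment(char *dst, const char *s, size_t len)
{
    if (len == 0 || len >= AKV_NAME_MAX)
        return 0;
    memcpy(dst, s, len);
    dst[len] = '\0';
    return 1;
}

/* Returns 1 and fills *out on success, 0 on any malformed id: unknown
 * prefix, missing separator, empty segment (e.g. "vault::test-rsa-key",
 * which is what "vault:$1:test-rsa-key" becomes when $1 is unset) or a
 * segment that would not fit the fixed buffers. No crash, no guessing. */
int akv_parse_key_id(const char *id, struct akv_key_id *out)
{
    const char *p, *sep;
    if (id == NULL || out == NULL)
        return 0;
    if (strncmp(id, "vault:", 6) == 0) {
        out->type = AKV_TYPE_VAULT;
        p = id + 6;
    } else if (strncmp(id, "managedHsm:", 11) == 0) {
        out->type = AKV_TYPE_MANAGED_HSM;
        p = id + 11;
    } else {
        return 0;
    }
    sep = strchr(p, ':');
    if (sep == NULL || strchr(sep + 1, ':') != NULL)
        return 0;                /* need exactly name ':' key after prefix */
    if (!copy_segment(out->vault, p, (size_t)(sep - p)))
        return 0;
    return copy_segment(out->key, sep + 1, strlen(sep + 1));
}
```
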
liupums commented Dec 2, 2021

  1. The HSM example is available at https://github.com/microsoft/AzureKeyVaultManagedHSMEngine/blob/main/samples/nginx-managedHsm/readme.md
  2. I was trying to reproduce the core dump, but no luck. If the prefix "vault" is used for an existing HSM, what I got is:

```
azureuser@hsmlinux:~/AzureKeyVaultManagedHSMEngine/samples/nginx-managedHsm$ openssl req -new -x509 -engine e_akv -keyform engine -key vault:poptryhsmengine:tescckey -out certecc.pem
engine "e_akv" set.
[e] AkvGetKey curl.c(400) curl_easy_perform() failed: Couldn't resolve host name

cannot load Private Key from engine
140637073995072:error:8010E103:lib(128):akv_load_key_cert:load public key error:/home/azureuser/AzureKeyVaultManagedHSMEngine/src/dllmain.c:203:
140637073995072:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:../crypto/engine/eng_pkey.c:77:
unable to load Private Key
```

I noticed that in your error message, there is no

```
[e] AkvGetKey curl.c(400) curl_easy_perform() failed: Couldn't resolve host name
```

Maybe you are using the old code; could you pull the latest code and rebuild/retry?

@liupums liupums closed this as completed Dec 4, 2021
liupums commented Dec 4, 2021

Not reproducible.

jetbee commented Dec 6, 2021

Thanks for the new example.
I've run the commands step by step.
Then it worked!
Thank you very much!

In my environment, some commands caused errors.
Here are my corrections:

(1)

```
openssl req -newkey rsa:2048 -nodes -keyout cert_1.key -x509 -days 365 -out cert_1.cer -config openssl.cnf
```

In my Windows 10 environment, I can use the default openssl.cnf when none is specified:

```
openssl req -newkey rsa:2048 -nodes -keyout cert_1.key -x509 -days 365 -out cert_1.cer
```

(2)
Before running this command:

```
az keyvault key create --curve p-256 --kty EC-HSM --name testecckey --hsm-name [HSM NAME] --ops sign
```

In my case it was necessary to assign the HSM local role to my account via this command:

```
az keyvault role assignment create --hsm-name [HSM NAME] --assignee xxx --scope / --role "Managed HSM Crypto User"
```

(3)

Maybe p-256 is a mistyping of P-256:

```
az keyvault key create --curve P-256 --kty EC-HSM --name testecckey --hsm-name [HSM NAME] --ops sign
```

liupums commented Dec 6, 2021

(1) The sample openssl.cnf is provided in the repo.
(2) This is a good point.
(3) p-256 should work (it is case-insensitive).
