using osslsigncode with cloudhsm

[jyanga]

hi. I saw the closed issue regarding this but I still cannot get it working. I am hoping that you guys may help me with getting it working. I have tried may things and the closest I got is using the distros' osslsigncode with the CloudHSM module. Below is the error I encounterred.

$ TEMPDIR='/app/cloudhsm'
$ export HSM_USER=testuser
$ export HSM_PASSWORD=testpassword
$ export n3fips_password="$HSM_USER:$HSM_PASSWORD"
$ sudo osslsigncode sign \
>     -pkcs11module /opt/cloudhsm/lib/libcloudhsm_pkcs11.so \
>     -key pkcs11:token="hsm1;object=cloud_hsm_label" \
>     -certs /opt/cloudhsm/etc/cert_for_login.crt \
>     -pass $HSM_PASSWORD \
>     -ts 'http://timestamp.digicert.com' \
>     -i 'https://www.example.com' \
>     -n cloud_hsm_label \
>     -h sha256 \
>     -in $TEMPDIR/sample_unsigned.dll \
>     -out $TEMPDIR/sample_signed.dll
Engine "pkcs11" set.

Unable to enumerate private keys
Login failed
Login to token failed, returning NULL...
PKCS11_get_private_key returned NULL
Failed to load private key pkcs11:token=hsm1;object=cloud_hsm_label
140364728805440:error:820740A0:PKCS#11 module:pkcs11_login:PIN incorrect:p11_slot.c:240:
140364728805440:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:crypto/engine/eng_pkey.c:78:
Failed

Help.

[olszomal]

Try to use the -login option to force login to the token.

[jyanga]

I tried that but I get the error below.

$ sudo osslsigncode sign \
>     -pkcs11module /opt/cloudhsm/lib/libcloudhsm_pkcs11.so \
>     -key pkcs11:token="hsm1;object=cloud_hsm_label" \
>     -certs /opt/cloudhsm/etc/cert_for_login.crt \
>     -pass $HSM_PASSWORD \
>     -ts 'http://timestamp.digicert.com' \
>     -i 'https://www.example.com' \
>     -n cloud_hsm_label \
>     -h sha256 \
>     -in $TEMPDIR/sample_unsigned.dll \
>     -out $TEMPDIR/sample_signed.dll
>     -login 
Unknown option: -login
...
$ osslsigncode --version
osslsigncode 2.9, using:
        OpenSSL 3.0.16 11 Feb 2025 (Library: OpenSSL 3.0.16 11 Feb 2025)
Default -CAfile location: /etc/pki/tls/certs/ca-bundle.crt

Please send bug-reports to Michal.Trojnara@stunnel.org

[mtrojnar]

Try:

     -out $TEMPDIR/sample_signed.dll \

instead of:

     -out $TEMPDIR/sample_signed.dll

[jyanga]

ooops. nice catch. I added the \ and still got the same error.

[olszomal]

The -login option is supported in version 2.9.
To help debug this, could you please provide the following information:

• Your operating system and distribution.
• How you installed osslsigncode (e.g., via package manager, compiled from source, etc.)
• The version of the osslsigncode package as reported by your system's package manager (if applicable)
• The full output of the command osslsigncode sign --help
• The complete command and exact error message that follows Unknown option: -login

This will help us determine whether the issue is with the build, packaging, or usage. Thanks!

[jyanga]

Here are the answers.

• Your operating system and distribution.
  RHEL 8.10
• How you installed osslsigncode (e.g., via package manager, compiled from source, etc.)
  I compiled the binary v2.9 from this repo.
• The version of the osslsigncode package as reported by your system's package manager (if applicable)
  provided above. I have uninstalled the package installed using the system's package manager.
• The full output of the command osslsigncode sign --help

$ /apps/osslsigncode-2.9/bin/osslsigncode sign --help

Use the "sign" command to sign files using embedded signatures.
Signing  protects a file from tampering, and allows users to verify the signer
based on a signing certificate. The options below allow you to specify signing
parameters and to select the signing certificate you wish to use.

Options:
-ac                     = additional certificates to be added to the signature block
-add-msi-dse            = sign a MSI file with the add-msi-dse option
-addUnauthenticatedBlob = add an unauthenticated blob to the PE/MSI file
-askpass                = ask for the private key password
-certs, -spc            = the signing certificate to use
-comm                   = set commercial purpose (default: individual purpose)
-h                      = {md5|sha1|sha2(56)|sha384|sha512}
                          set of cryptographic hash functions
-i                      = specifies a URL for expanded description of the signed content
-in                     = input file
-jp                     = low | medium | high
                          levels of permissions in Microsoft Internet Explorer 4.x for CAB files
                          only "low" level is now supported
-nolegacy               = disable legacy mode and don't automatically load the legacy provider
-key                    = the private key to use or PKCS#11 URI identifies a key in the token
-n                      = specifies a description of the signed content
-nest                   = add the new nested signature instead of replacing the first one
-noverifypeer           = do not verify the Time-Stamp Authority's SSL certificate
-out                    = output file
-p                      = proxy to connect to the desired Time-Stamp Authority server or CRL distribution point
-pass                   = the private key password
-pem                    = PKCS#7 output data format PEM to use (default: DER)
-ph                     = generate page hashes for executable files
-pkcs11cert             = PKCS#11 URI identifies a certificate in the token
-pkcs11engine           = PKCS#11 engine
-pkcs11module           = PKCS#11 module
-login                  = force login to the token
-pkcs12                 = PKCS#12 container with the certificate and the private key
-readpass               = the private key password source
-t                      = specifies that the digital signature will be timestamped
                          by the Time-Stamp Authority (TSA) indicated by the URL
                          this option cannot be used with the -ts option
-ts                     = specifies the URL of the RFC 3161 Time-Stamp Authority server
                          this option cannot be used with the -t option
-time                   = the unix-time to set the signing and/or verifying time
-HTTPS-CAfile           = the file containing one or more HTTPS certificates in PEM format
-HTTPS-CRLfile          = the file containing one or more HTTPS CRLs in PEM format
-TSA-certs              = built-in Time-Stamp Authority signing certificate
-TSA-key                = built-in Time-Stamp Authority private key or PKCS#11 URI identifies a key in the token
-TSA-time               = the unix-time to set the built-in Time-Stamp Authority signing
-verbose                = include additional output in the log

Usage: /apps/osslsigncode-2.9/bin/osslsigncode [ sign ] ( -pkcs12 <pkcs12file>
              | ( -certs <certfile> | -spc <certfile> ) -key <keyfile>
              | [ -pkcs11engine <engine> ] [ -login ] -pkcs11module <module>
                ( -pkcs11cert <pkcs11 cert id> | -certs <certfile> ) -key <pkcs11 key id> )
            [ -nolegacy ]
            [ -pass <password>  [ -askpass ] [ -readpass <file> ]
            (use "-" with readpass to read from stdin)
            [ -ac <crosscertfile> ]
            [ -h {md5,sha1,sha2(56),sha384,sha512} ]
            [ -n <desc> ] [ -i <url> ] [ -jp <level> ] [ -comm ]
            [ -ph ]
            [ -t <timestampurl> [ -t ... ] [ -p <proxy> ] [ -noverifypeer  ]
            [ -ts <timestampurl> [ -ts ... ] [ -p <proxy> ] [ -noverifypeer ] ]
            [ -TSA-certs <TSA-certfile> ] [ -TSA-key <TSA-keyfile> ]
            [ -TSA-time <unix-time> ]
            [ -HTTPS-CAfile <infile> ]
            [ -HTTPS-CRLfile <infile> ]
            [ -time <unix-time> ]
            [ -addUnauthenticatedBlob ]
            [ -nest ]
            [ -verbose ]
            [ -add-msi-dse ]
            [ -pem ]
            [ -in ] <infile> [-out ] <outfile>

Failed

• The complete command and exact error message that follows Unknown option: -login
  I only get the -login error if I use the package installed in the OS. Otherwise, i get the error below.

$ sudo /apps/osslsigncode-2.9/bin/osslsigncode sign \
>     -pkcs11module /opt/cloudhsm/lib/libcloudhsm_pkcs11.so \
>     -key pkcs11:token="hsm1;object=cloud_hsm_label" \
>     -certs /opt/cloudhsm/etc/cert_for_login.crt \
>     -pass $HSM_PASSWORD \
>     -ts 'http://timestamp.digicert.com' \
>     -i 'https://www.example.com' \
>     -n cloud_hsm_label \
>     -h sha256 \
>     -in $TEMPDIR/sample_unsigned.dll \
>     -out $TEMPDIR/sample_signed.dll \
>     -login
Engine "pkcs11" set.
Login failed
Login to token failed, returning NULL...
The private key was not found at: pkcs11:token=hsm1;object=cloud_hsm_label
PKCS11_get_private_key returned NULL
Failed to load private key pkcs11:token=hsm1;object=cloud_hsm_label
Failed to read key or certificates
4097B4B6387F0000:error:430000A0:PKCS#11 module:ERR_CKR_error:PIN incorrect:p11_slot.c:243:
4097B4B6387F0000:error:13000080:engine routines:ENGINE_load_private_key:failed loading private key:crypto/engine/eng_pkey.c:79:
Failed

[olszomal]

It looks like the password you're currently passing $HSM_PASSWORD only contains the raw password, but AWS CloudHSM requires the PIN in the format:

<username>:<password>

In your case, you're already exporting the correct value into the n3fips_password variable:

export n3fips_password="$HSM_USER:$HSM_PASSWORD"

So when using osslsigncode, make sure to use that combined value -pass "$n3fips_password"

Passing only the password without the username will cause login to fail with CKR_PIN_INCORRECT, as seen in your logs.
Let me know if that helps.

[jyanga]

We got past the CKR_PIN_INCORRECT. Woot! The next error is below.

Engine "pkcs11" set.
The private key was not found at: pkcs11:token=hsm1;object=cloud_hsm_label
PKCS11_get_private_key returned NULL
Failed to load private key pkcs11:token=hsm1;object=cloud_hsm_label
Failed to read key or certificates
4087A805C87F0000:error:42000065:pkcs11 engine:ERR_ENG_error:object not found:eng_back.c:1028:
4087A805C87F0000:error:13000080:engine routines:ENGINE_load_private_key:failed loading private key:crypto/engine/eng_pkey.c:79:
Failed

[olszomal]

Please try accessing the key directly using OpenSSL with the PKCS#11 engine:

# Generate a test file
openssl rand 1024 > ~/fip.bin

# Try signing using the key on the HSM
PKCS11_MODULE_PATH=/opt/cloudhsm/lib/libcloudhsm_pkcs11.so \
openssl dgst -engine pkcs11 -passin pass:$n3fips_password \
-keyform engine -sign pkcs11:token="hsm1;object=cloud_hsm_label" \
-sha256 -out ~/fip.bin.sig ~/fip.bin

This test will help determine whether the issue lies with osslsigncode itself or if the private key URI is invalid.

To view the available objects on your CloudHSM token, use the following command:

pkcs11-tool --module /opt/cloudhsm/lib/libcloudhsm_pkcs11.so \
  --login --pin $n3fips_password \
  --list-objects

[olszomal]

@jyanga Quick check-in 🔍 — did you get a chance to run the openssl dgst test? Let me know how it goes.

[jyanga]

@olszomal

I did. I encountered the error below. I am guessing that I need to work with the CloudHSM to get this working before I can work with osslsigncode. Is this correct?

Engine "pkcs11" set.
Unable to enumerate private keys

[mtrojnar]

Thank you for the detailed follow-up, @jyanga.

Based on the current state of your testing and the output of the openssl dgst command, it is clear that the PKCS#11 module is unable to enumerate or access the private keys directly. This indicates that the issue is not with osslsigncode itself but rather with the CloudHSM configuration or the availability of the private key in the token.

As a reminder, osslsigncode relies on the underlying PKCS#11 implementation and the OpenSSL engine to handle cryptographic operations. If these components cannot successfully locate or access the key, osslsigncode will also be unable to proceed.

I recommend resolving the HSM configuration and verifying access to the private key using pkcs11-tool and openssl dgst before revisiting signing with osslsigncode. Once the key is accessible via standard PKCS#11 calls, osslsigncode should work as expected.

For now, I am closing this issue as it is not directly caused by a defect in osslsigncode. Feel free to reopen it or open a new issue once the HSM side is fully functional and if you still encounter problems.

Thank you for your understanding.

[jyanga]

Thank you. :)