Failed to cache key due to invalid object handle #559

@bukka

Describe the bug

It might happen that an object with no handle gets to cache_key, which then results in an unnecessary failure when caching the key.

In my case the following backtrace leads to it:

Thread 2.1 "nginx" hit Breakpoint 1, cache_key (obj=0x5555559a7b80) at ../src/objects.c:407
407	        P11PROV_raise(obj->ctx, ret, "Failed to cache key");
(gdb) bt
#0  cache_key (obj=0x5555559a7b80) at ../src/objects.c:407
#1  0x00007ffff7d8c823 in p11prov_obj_ref (obj=0x5555559a7b80) at ../src/objects.c:451
#2  0x00007ffff7da9f27 in p11prov_sig_op_init (ctx=0x555555838f20, provkey=0x5555559a7b80, operation=2048, digest=0x7ffff7c1580f "SHA256") at ../src/signature.c:768
#3  0x00007ffff7dadc2a in p11prov_ecdsa_digest_sign_init (ctx=0x555555838f20, digest=0x7ffff7c1580f "SHA256", provkey=0x5555559a7b80, params=0x0) at ../src/signature.c:2016
#4  0x00007ffff7a44b3f in do_sigver_init (ctx=0x5555557140f0, pctx=0x0, type=0x0, mdname=0x7ffff7c1580f "SHA256", libctx=0x0, props=0x0, e=0x0, pkey=0x5555559a9fc0, ver=0, params=0x0)
    at crypto/evp/m_sigver.c:273
#5  0x00007ffff7a45090 in EVP_DigestSignInit_ex (ctx=0x5555557140f0, pctx=0x0, mdname=0x7ffff7c1580f "SHA256", libctx=0x0, props=0x0, pkey=0x5555559a9fc0, params=0x0)
    at crypto/evp/m_sigver.c:379
#6  0x00007ffff7a4cab6 in EVP_PKEY_digestsign_supports_digest (pkey=0x5555559a9fc0, libctx=0x0, name=0x7ffff7c1580f "SHA256", propq=0x0) at crypto/evp/p_lib.c:1371
#7  0x00007ffff7e4fc8d in check_cert_usable (s=0x555555711440, sig=0x5555559a37f0, x=0x5555559a7010, pkey=0x5555559a9fc0) at ssl/t1_lib.c:3103
#8  0x00007ffff7e4fe20 in has_usable_cert (s=0x555555711440, sig=0x5555559a37f0, idx=3) at ssl/t1_lib.c:3155
#9  0x00007ffff7e5035f in tls_choose_sigalg (s=0x555555711440, fatalerrs=1) at ssl/t1_lib.c:3292
#10 0x00007ffff7e95d30 in tls_post_process_client_hello (s=0x555555711440, wst=WORK_MORE_B) at ssl/statem/statem_srvr.c:2227
#11 0x00007ffff7e92f26 in ossl_statem_server_post_process_message (s=0x555555711440, wst=WORK_MORE_A) at ssl/statem/statem_srvr.c:1236
#12 0x00007ffff7e7bbab in read_state_machine (s=0x555555711440) at ssl/statem/statem.c:675
#13 0x00007ffff7e7b441 in state_machine (s=0x555555711440, server=1) at ssl/statem/statem.c:442
#14 0x00007ffff7e7aec7 in ossl_statem_accept (s=0x555555711440) at ssl/statem/statem.c:270
#15 0x00007ffff7e39b06 in SSL_do_handshake (s=0x555555711440) at ssl/ssl_lib.c:3974
#16 0x00005555555a981f in ngx_ssl_handshake (c=c@entry=0x7ffff77c8758) at src/event/ngx_event_openssl.c:1724
#17 0x00005555555c499d in ngx_http_ssl_handshake (rev=0x5555559f2310) at src/http/ngx_http_request.c:779
#18 0x00005555555a59f1 in ngx_epoll_process_events (cycle=0x555555692250, timer=<optimised out>, flags=<optimised out>) at src/event/modules/ngx_epoll_module.c:901
#19 0x0000555555599f67 in ngx_process_events_and_timers (cycle=cycle@entry=0x555555692250) at src/event/ngx_event.c:248
#20 0x00005555555a3557 in ngx_worker_process_cycle (cycle=0x555555692250, data=<optimised out>) at src/os/unix/ngx_process_cycle.c:721
#21 0x00005555555a19b1 in ngx_spawn_process (cycle=cycle@entry=0x555555692250, proc=proc@entry=0x5555555a343b <ngx_worker_process_cycle>, data=data@entry=0x0, 
    name=name@entry=0x555555618eec "worker process", respawn=respawn@entry=-3) at src/os/unix/ngx_process.c:199
#22 0x00005555555a2c88 in ngx_start_worker_processes (cycle=cycle@entry=0x555555692250, n=1, type=type@entry=-3) at src/os/unix/ngx_process_cycle.c:344
#23 0x00005555555a3e78 in ngx_master_process_cycle (cycle=cycle@entry=0x555555692250) at src/os/unix/ngx_process_cycle.c:130
#24 0x000055555557787e in main (argc=<optimised out>, argv=<optimised out>) at src/core/nginx.c:384

This particular case is not a big issue as it doesn't fail the handshake, but I saw copying fail in another situation where it resulted in a failed handshake (however, I have just logs for this case, so I might need to dig into it more and see if my fix fixes it too). In any case, trying to do a copy when the handle is 0 is unnecessary, so it's better to skip it.

To Reproduce

Use pkcs11-provider with nginx with keys stored on device

Expected behavior

No error

Operating environment (please complete the following information):

  • OS: Ubuntu
  • Version: 24.04

Token and application used (please complete the following information):

  • Device: SoftHSMv2
  • PKCS11 Driver version: latest develop
  • Application: nginx
  • Version: 1.29.0
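
A minimal model of the guard proposed in the report above, added here as an example (it is not code from pkcs11-provider or from the issue author). The struct, the mock copy call and all function names are hypothetical; only `CK_INVALID_HANDLE` and `CKR_OBJECT_HANDLE_INVALID` come from the PKCS#11 specification.

```c
#include <stdio.h>

/* Constants as defined by the PKCS#11 specification. */
#define CK_INVALID_HANDLE 0UL
#define CKR_OK 0x00UL
#define CKR_OBJECT_HANDLE_INVALID 0x82UL
/* Hypothetical stand-in for a provider key object, not the project's struct. */
struct demo_obj {
    unsigned long handle;  /* token object handle; 0 means none attached */
    unsigned long cached;  /* handle of the cached copy; 0 means not cached */
    int errors_raised;     /* errors pushed onto the caller's error stack */
};

/* Constructed mock of a token copy call: it rejects the invalid handle. */
static unsigned long mock_copy_object(unsigned long src, unsigned long *dst)
{
    if (src == CK_INVALID_HANDLE) return CKR_OBJECT_HANDLE_INVALID;
    *dst = src + 1000; /* arbitrary handle for the new copy */
    return CKR_OK;
}

/* Before: always attempts the copy, so a handle-less object raises an error. */
static unsigned long cache_unguarded(struct demo_obj *o)
{
    unsigned long rv = mock_copy_object(o->handle, &o->cached);
    if (rv != CKR_OK) o->errors_raised++;
    return rv;
}

/* After: with no handle there is nothing to copy, so skip without an error. */
static unsigned long cache_guarded(struct demo_obj *o)
{
    if (o->handle == CK_INVALID_HANDLE) return CKR_OK;
    return cache_unguarded(o);
}

/* Runs one caching attempt and reports how many errors it raised. */
static int errors_after_cache(unsigned long handle, int guarded)
{
    struct demo_obj o = { handle, 0, 0 };
    if (guarded) cache_guarded(&o); else cache_unguarded(&o);
    return o.errors_raised;
}

int main(void)
{
    printf("no handle, unguarded: %d error(s)\n", errors_after_cache(CK_INVALID_HANDLE, 0));
    printf("no handle, guarded:   %d error(s)\n", errors_after_cache(CK_INVALID_HANDLE, 1));
}
```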
