Skip to content
By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

cloudhsm_pkcs11: "Notify callback function is not supported"

0

i'm using cloudhsm_pkcs11 with openssl3.5 and i'm getting error after calling (in C++)

auto uri = "pkcs11:token=hsm1;object=ca-signing-key;type=private;pin-value=user:pass";
::OSSL_STORE_open(uri, 0, 0, 0);

ERROR: Notify callback function is not supported, please pass in NULL_PTR for both pApplication and Notify

I'm using cloudhsm 5.17.1 with openssl 3.5.1 on rocky 9.7 (gcc 13.3.1).

i'm not using the pkcs functions directly, so I have no idea how to affect this. it looks to me like a bug in the cloudhsm_pkcs11 implementation, or some incompatibility with it and openssl.

DEBUG [88800] ThreadId(8) [cloudhsm_provider::factory][][] Found 1 element(s) in clusters array
DEBUG [88800] ThreadId(8) [cloudhsm_provider::factory][][] Instantiating cluster providers
DEBUG [88800] ThreadId(8) [cloudhsm_provider::factory][][] Instantiating cluster provider of type Hsm1
DEBUG [88800] ThreadId(8) [cloudhsm_provider::hsm1::connection::config_utils][][] server_info_map: {"hostname":"192.168.10.97","port":2223,"enable":true}
DEBUG [88800] ThreadId(8) [cloudhsm_provider::hsm1::connection][][] Hsm1Connection initializing ConnectionPool...
DEBUG [88800] ThreadId(8) [cloudhsm_provider::hsm1::connection::connection_pool][][] Initializing ConnectionPool with HSMs: [HSM { IP: "192.168.10.97", Port: 2223 }]
INFO  [88800] ThreadId(8) [cloudhsm_provider::hsm1::connection::connection_pool][][] Adding HSM connection to connection pool: HSM { IP: "192.168.10.97", Port: 2223 }
INFO  [88800] ThreadId(8) [cloudhsm_provider::hsm1::hsm_connection::hsm_connection_impl][][] HSM 192.168.10.97:2223 is connecting
INFO  [88800] ThreadId(8) [cloudhsm_provider_common::server_connection::common][][] Initializing new connection: HSM { IP: "192.168.10.97", Port: 2223 }
INFO  [88800] ThreadId(8) [cloudhsm_provider::hsm1::hsm_connection::server_properties][][] Version handshake with server succeeded. Received version: ComponentVersion { major: 2, minor: 9 }
INFO  [88800] ThreadId(8) [hsm1_marshaling::server_handshake][][] Reporting sdk version Pkcs11:5.17.1-el9:Linux 9.7 Rocky Linux:CodeBuildBatchProject-uFu5sNXfquqK:fb929116-c531-48e3-ae93-24e1ae5b564d
DEBUG [88800] ThreadId(1) [cloudhsm_provider_common::dispatcher::dispatcher_strategy][][] UX000: Discarding HSM response because it does not match a pending request. Response header: HsmResponse { header: cav_msg_fixed { req_id: 0, inconnid: 0, session_handle: "0x0", in_len: 24, out_len: 0, operation: 0, opcode: "0x0", msg_type: 85, weights: AvailableWeight { mgmt_weight: Some(BoundedWeight(0)), symm_weight: None, asymm_weight: None }, status: "HSM Return: SUCCESS", e2e_msg: 0, srv_flag: 0, app_sess_handle: 0, op_ctx: 0, req_type: 0 }, payload: [150, 197, 102, 17, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0] }
DEBUG [88800] ThreadId(8) [cloudhsm_provider_common::e2e_encryption::e2e_encryption][][] Read 517 bytes of TLS handshake packets
DEBUG [88800] ThreadId(8) [cloudhsm_provider_common::e2e_encryption::openssl_connector::negotiate_future][][] Certificate verification callback with verify result from OpenSSL: true, at depth: 1
DEBUG [88800] ThreadId(8) [cloudhsm_provider_common::e2e_encryption::openssl_connector::negotiate_future][][] Certificate verification callback with verify result from OpenSSL: true, at depth: 0
DEBUG [88800] ThreadId(8) [cloudhsm_provider_common::e2e_encryption::e2e_encryption][][] Read 138 bytes of TLS handshake packets
DEBUG [88800] ThreadId(6) [cloudhsm_provider::hsm1::hsm_connection::server_connection::out_of_band][][] Received out of band message
DEBUG [88800] ThreadId(6) [cloudhsm_provider::hsm1::hsm_connection::server_connection::out_of_band][][] Received cluster-info OOB message. Sending to connection pool.
INFO  [88800] ThreadId(6) [cloudhsm_provider::hsm1::connection::connection_pool::cluster_info_message][][] Current cluster version is 0; incoming cluster version is 291947926
INFO  [88800] ThreadId(8) [cloudhsm_provider_common::server_connection::common][][] Initializing new connection: HSM { IP: "192.168.10.97", Port: 2223 }
DEBUG [88800] ThreadId(8) [cloudhsm_provider_common::e2e_encryption::e2e_encryption][][] Read 517 bytes of TLS handshake packets
DEBUG [88800] ThreadId(8) [cloudhsm_provider_common::e2e_encryption::openssl_connector::negotiate_future][][] Certificate verification callback with verify result from OpenSSL: true, at depth: 1
DEBUG [88800] ThreadId(8) [cloudhsm_provider_common::e2e_encryption::openssl_connector::negotiate_future][][] Certificate verification callback with verify result from OpenSSL: true, at depth: 0
DEBUG [88800] ThreadId(8) [cloudhsm_provider_common::e2e_encryption::e2e_encryption][][] Read 138 bytes of TLS handshake packets
INFO  [88800] ThreadId(8) [cloudhsm_provider::hsm1::hsm_connection::hsm_connection_impl][][] HSM 192.168.10.97:2223 has fips state 2
INFO  [88800] ThreadId(8) [cloudhsm_provider::hsm1::hsm_connection::hsm_connection_impl][][] Updating the state of HSM 192.168.10.97:2223
DEBUG [88800] ThreadId(8) [cloudhsm_utils::future_extensions][][] Aborting future on drop
INFO  [88800] ThreadId(8) [cloudhsm_provider::hsm1::hsm_connection::hsm_connection_impl][][] HSM 192.168.10.97:2223 is connected and ready
DEBUG [88800] ThreadId(1) [cloudhsm_provider::hsm1::connection::connection_pool::cluster_info_message][][] Incoming HSMs list: [HSM { IP: "192.168.10.97", Port: 2223 }]
DEBUG [88800] ThreadId(8) [cloudhsm_provider::hsm1::connection][][] Hsm1Connection finished initializing ConnectionPool
INFO  [88800] ThreadId(1) [cloudhsm_provider::hsm1::connection::connection_pool::cluster_info_message][][] HSMs to be added: {HSM { IP: "192.168.10.97", Port: 2223 }}
INFO  [88800] ThreadId(1) [cloudhsm_provider::hsm1::connection::connection_pool::cluster_info_message][][] HSMs to be removed: {}
INFO  [88800] ThreadId(8) [cloudhsm_provider::hsm1::connection::client_data][][] Received allowed features: {EcdhWithKdf, EcdhWithDigestKdf, CertificateOperations, CryptoAuditLoggingConfiguration, MtlsConfiguration, InsertMaskedUserObject}
DEBUG [88800] ThreadId(8) [cloudhsm_provider::hsm1::connection][][] Hsm1Connection finished initializing ClientData
DEBUG [88800] ThreadId(8) [cloudhsm_provider::hsm1::connection][][] Hsm1Connection initializing LoadBalancer...
DEBUG [88800] ThreadId(8) [cloudhsm_provider::hsm1::connection][][] Hsm1Connection finished initializing LoadBalancer
DEBUG [88800] ThreadId(8) [cloudhsm_provider::factory][][] Finished instantiating cluster providers
DEBUG [88800] ThreadId(8) [cloudhsm_pkcs11::facade::pkcs11_facade][][] Created and set connection in the slot. Connection: Hsm1Connection { load_balancer: DefaultLoadBalancer { data_freshness_window: 120s, weight_provider: DefaultWeightProvider { max_weight_factor: 100, min_weight_factor: 0 } }, session_id_generator: ProviderSessionIdGenerator { counter: 1 }, disable_key_availability_check: true, validate_key_at_init: true }
DEBUG [88800] ThreadId(8) [cloudhsm_pkcs11::slots::slot_manager][][] Added slot with handle 0xHHHH
DEBUG [88800] ThreadId(8) [cloudhsm_pkcs11::general::C_Initialize][][] C_Initialize completed, returning CKR_OK
DEBUG [88800] ThreadId(8) [cloudhsm_pkcs11::general::C_GetInfo][][] C_GetInfo invoked
DEBUG [88800] ThreadId(8) [cloudhsm_pkcs11::general::C_GetInfo][][] C_GetInfo completed, returning CKR_OK
DEBUG [88800] ThreadId(8) [cloudhsm_pkcs11::utils::buffer_utils][][] Setting output buffer len to 1
DEBUG [88800] ThreadId(8) [cloudhsm_pkcs11::utils::buffer_utils][][] Setting output buffer len to 1
DEBUG [88800] ThreadId(8) [cloudhsm_pkcs11::utils::buffer_utils][][] Writing data(length: 1) to output buffer
DEBUG [88800] ThreadId(8) [cloudhsm_pkcs11::slots::C_GetSlotInfo][][] C_GetSlotInfo invoked
DEBUG [88800] ThreadId(8) [cloudhsm_pkcs11::slots::slot_manager][][] Retrieved slot with id 0xHHHH
INFO  [88800] ThreadId(8) [cloudhsm_provider::hsm1::connection::device][][] Retrieving HSM information.
DEBUG [88800] ThreadId(8) [cloudhsm_provider::hsm1::connection::load_balancer][][] Best connection: 192.168.10.97:2223
DEBUG [88800] ThreadId(8) [hsm1_marshaling::util][][] Operation: hsm info was successful.
DEBUG [88800] ThreadId(8) [cloudhsm_pkcs11::slots::C_GetSlotInfo][][] C_GetSlotInfo completed, returning CKR_OK
DEBUG [88800] ThreadId(8) [cloudhsm_pkcs11::slots::C_GetTokenInfo][][] C_GetTokenInfo invoked
DEBUG [88800] ThreadId(8) [cloudhsm_pkcs11::slots::slot_manager][][] Retrieved slot with id 0xHHHH
INFO  [88800] ThreadId(8) [cloudhsm_provider::hsm1::connection::device][][] Retrieving HSM information.
DEBUG [88800] ThreadId(8) [cloudhsm_provider::hsm1::connection::load_balancer][][] Best connection: 192.168.10.97:2223
DEBUG [88800] ThreadId(8) [hsm1_marshaling::util][][] Operation: hsm info was successful.
DEBUG [88800] ThreadId(8) [cloudhsm_pkcs11::slots::C_GetTokenInfo][][] C_GetTokenInfo completed, returning CKR_OK
DEBUG [88800] ThreadId(8) [cloudhsm_pkcs11::slots::slot_manager][][] Retrieved slot with id 0xHHHH
DEBUG [88800] ThreadId(8) [cloudhsm_pkcs11::utils::buffer_utils][][] Setting output buffer len to 55
DEBUG [88800] ThreadId(8) [cloudhsm_pkcs11::slots::slot_manager][][] Retrieved slot with id 0xHHHH
DEBUG [88800] ThreadId(8) [cloudhsm_pkcs11::utils::buffer_utils][][] Setting output buffer len to 55
DEBUG [88800] ThreadId(8) [cloudhsm_pkcs11::utils::buffer_utils][][] Writing data(length: 55) to output buffer
DEBUG [88800] ThreadId(8) [cloudhsm_pkcs11::session::C_OpenSession][][] C_OpenSession invoked
ERROR [88800] ThreadId(8) [cloudhsm_pkcs11::session::C_OpenSession][][] BP000: Notify callback function is not supported, please pass in NULL_PTR for both pApplication and Notify
ERROR [88800] ThreadId(8) [cloudhsm_pkcs11::session::C_OpenSession][][] C_OpenSession failed, returning 0x00000007
Topics
Security, Identity, & Compliance
Tags
AWS CloudHSM
Language
English
asked 2 months ago47 views
1 Answer
7
Accepted Answer

I never faced this error, however as far as I know, error BP000: Notify callback function is NOT supported occurs because the AWS CloudHSM PKCS#11 library strictly enforces the PKCS#11 specification regarding the C_OpenSession arguments.

So, in the PKCS#11 standard, the C_OpenSession function includes two parameters: pApplication and Notify.

  • CloudHSM Implementation: AWS CloudHSM does not support notification callbacks. According to the AWS documentation, both of these arguments must be set to NULL_PTR.
  • OpenSSL 3.5 / Provider behavior: When calling OSSL_STORE_open, the underlying PKCS#11 provider (or the libp11 bridge) is passing a non-null value for these parameters. CloudHSM rejects this with CKR_ARGUMENTS_BAD (0x00000007).

I would try the following:

  • Update libp11 / Engine: If you are using pkcs11-helper or libp11, ensure you are on the latest version. Older versions often pass pointers for application context that CloudHSM does not accept.
  • Explicit Provider Configuration: Ensure that the OpenSSL PKCS#11 provider is configured to use "empty" or "null" callbacks. In some provider versions, this can be controlled via the configuration file (openssl.cnf) to prevent the library from attempting to register callback functions.
  • Validate via pkcs11-tool: To isolate the issue from OpenSSL, run:
pkcs11-tool --module /opt/cloudhsm/lib/libcloudhsm_pkcs11.so --list-objects --login --pin-value <USER:PASS>

If this works, the issue is confirmed to be how OpenSSL 3.5's OSSL_STORE interface interacts with the PKCS#11 slot session initialization.

From what I know: CloudHSM PKCS#11 5.x is sensitive to the C_OpenSession signature. Any implementation that automatically populates the Notify parameter for asynchronous events will fail. You must ensure the middleware calling the .so file passes NULL for the 3rd and 4th arguments of C_OpenSession.

EXPERT
answered 2 months ago
EXPERT
reviewed 2 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Relevant content