Cannot get private key using CloudHSM #242

Closed
urcheon opened this issue Aug 22, 2018 · 0 comments
urcheon commented Aug 22, 2018

I don't know if I'm doing something wrong, if there's a bug in the CloudHSM PKCS11 client, or a bug in the pkcs11 engine.

I'm trying to sign an S/MIME message using openssl 1.0.1e-fips and the latest versions of the pkcs11 engine and the CloudHSM PKCS11 client.

I get the error "Found slot without user PIN". Using pkcs11-spy I see that the flags returned by C_GetTokenInfo are 404 (CKF_LOGIN_REQUIRED | CKF_TOKEN_INITIALIZED).

In eng_back.c (ctx_load_key), isPrivate is true, userPinSet is false, readOnly is false:

	/* The following check is non-critical to ensure interoperability
	 * with some other (which ones?) PKCS#11 libraries */
	if (!tok->initialized)
		ctx_log(ctx, 0, "Found uninitialized token\n");
	if (isPrivate && !tok->userPinSet && !tok->readOnly) {
		ctx_log(ctx, 0, "Found slot without user PIN\n");
		return NULL;
	}

I do not see any C_Login in the pkcs11-spy log.

Steps to reproduce:

$ openssl genrsa -out private.key 2048
Generating RSA private key, 2048 bit long modulus
.......+++
..........+++
e is 65537 (0x10001)

$ openssl req -new -x509 -days 3650 -subj "/C=ZA/ST=State/L=Locality/O=Organization/OU=OrganizationalUnit/CN=localhost/emailAddress=test@test.lan" -sha256 -key private.key -out certificate.pem

$ /opt/cloudhsm/bin/key_mgmt_util
Command:  loginHSM -u CU -s crypto_user -p <password>

        Cfm3LoginHSM returned: 0x00 : HSM Return: SUCCESS

        Cluster Error Status
        Node id 0 and err state 0x00000000 : HSM Return: SUCCESS

Command:  genSymKey -t 31 -s 16 -sess -l wrapping_key_for_import

        Cfm3GenerateSymmetricKey returned: 0x00 : HSM Return: SUCCESS

        Symmetric Key Created.  Key Handle: 6

        Cluster Error Status
        Node id 0 and err state 0x00000000 : HSM Return: SUCCESS

Command:  importPrivateKey -f private.key -l rsa2048 -w 6
BER encoded key length is 1217

        Cfm3WrapHostKey returned: 0x00 : HSM Return: SUCCESS

        Cfm3CreateUnwrapTemplate returned: 0x00 : HSM Return: SUCCESS

        Cfm3UnWrapKey returned: 0x00 : HSM Return: SUCCESS

        Private Key Imported.  Key Handle: 8

        Cluster Error Status
        Node id 0 and err state 0x00000000 : HSM Return: SUCCESS

Command:  ^C

$ echo "ABC" > file.txt

$ openssl smime -sign -engine pkcs11 -keyform engine -inkey 'pkcs11:object=rsa2048;type=private' -signer certificate.pem -in file.txt -out file.sgn 
        SDK Version: 2.03
engine "pkcs11" set.
Found slot without user PIN
Found slot without user PIN
PKCS11_get_private_key returned NULL
cannot load signing key file from engine
140149400663880:error:80067065:pkcs11 engine:ctx_load_privkey:object not found:eng_back.c:862:
140149400663880:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key
:eng_pkey.c:126:
unable to load signing key file

pkcs11spy_log_pre_fix.txt

In that example I'm importing the private key, but it also fails if I get CloudHSM to generate the private key.
If I modify the line in eng_back.c (ctx_load_key) to

if (isPrivate && !tok->userPinSet && !tok->readOnly && !tok->loginRequired) {

I can run it and sign the file (although it does display a warning that may be another bug); also, I don't know if this is the right modification.

$ openssl smime -sign -engine pkcs11 -keyform engine -inkey 'pkcs11:object=rsa2048;type=private' -signer certificate.pem -in file.txt -out file.sgn
        SDK Version: 2.03
engine "pkcs11" set.

C_GetAttributeValue failed with error CKR_ATTRIBUTE_TYPE_INVALID : 0x00000012
Missing CKA_ALWAYS_AUTHENTICATE attribute

pkcs11spy_log_post_fix.txt

openssl.cnf contains:

openssl_conf = openssl_init

[openssl_init]
engines=engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib/ssl/engines/pkcs11.so
MODULE_PATH = /opt/cloudhsm/lib/libcloudhsm_pkcs11.so
PIN = crypto_user:<password>
init = 0

Is there something I'm doing wrong or missing?
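To make the gating logic at the centre of this report concrete, the following added example (not code from the reporter, libp11 or CloudHSM) decodes a C_GetTokenInfo flags word into the four token fields the quoted eng_back.c check consults and applies both the original check and the reporter's proposed relaxation to it. The flag bit values are the standard PKCS#11 v2.x constants; the mapping from flag bits to the `initialized`/`loginRequired`/`userPinSet`/`readOnly` fields is an assumption about how the engine fills them, and the `token_state` struct is a stand-in for the engine's real token structure. The input 0x404 is the value reported above; the other inputs are constructed for comparison.

```c
#include <stdbool.h>
#include <stdio.h>

/* CK_TOKEN_INFO flag bits, values as defined by the PKCS#11 v2.x specification. */
#define CKF_WRITE_PROTECTED      0x00000002UL
#define CKF_LOGIN_REQUIRED       0x00000004UL
#define CKF_USER_PIN_INITIALIZED 0x00000008UL
#define CKF_TOKEN_INITIALIZED    0x00000400UL

typedef unsigned long CK_FLAGS;

/* Assumed stand-in for the engine's token fields referenced in eng_back.c. */
struct token_state {
    bool initialized;
    bool loginRequired;
    bool userPinSet;
    bool readOnly;
};

/* Assumed mapping: each field is set from the corresponding CKF_* bit. */
struct token_state token_from_flags(CK_FLAGS flags)
{
    struct token_state t;
    t.initialized   = (flags & CKF_TOKEN_INITIALIZED) != 0;
    t.loginRequired = (flags & CKF_LOGIN_REQUIRED) != 0;
    t.userPinSet    = (flags & CKF_USER_PIN_INITIALIZED) != 0;
    t.readOnly      = (flags & CKF_WRITE_PROTECTED) != 0;
    return t;
}

/* The check quoted from ctx_load_key: false means the engine logs
 * "Found slot without user PIN" and returns NULL for a private key. */
bool original_allows(CK_FLAGS flags, bool isPrivate)
{
    struct token_state tok = token_from_flags(flags);
    if (isPrivate && !tok.userPinSet && !tok.readOnly)
        return false;
    return true;
}

/* The reporter's proposed variant: a slot is also accepted when the token
 * says a login is required, leaving it to a later C_Login with the configured
 * PIN to authorise the private-key operation. */
bool proposed_allows(CK_FLAGS flags, bool isPrivate)
{
    struct token_state tok = token_from_flags(flags);
    if (isPrivate && !tok.userPinSet && !tok.readOnly && !tok.loginRequired)
        return false;
    return true;
}

static void report(const char *label, CK_FLAGS flags)
{
    struct token_state t = token_from_flags(flags);
    printf("%-28s flags=0x%03lx init=%d login=%d pin=%d ro=%d | original=%s proposed=%s\n",
           label, flags, t.initialized, t.loginRequired, t.userPinSet, t.readOnly,
           original_allows(flags, true) ? "allow" : "reject",
           proposed_allows(flags, true) ? "allow" : "reject");
}

int main(void)
{
    /* Constructed inputs: the first is the value seen in the issue. */
    report("cloudhsm-like (from issue)", 0x404);
    report("token with user PIN set",
           CKF_TOKEN_INITIALIZED | CKF_LOGIN_REQUIRED | CKF_USER_PIN_INITIALIZED);
    report("initialized, no login",   CKF_TOKEN_INITIALIZED);
    report("read-only token",          CKF_TOKEN_INITIALIZED | CKF_WRITE_PROTECTED);
    return 0;
}
```

The point the table makes is that the original check keys on CKF_USER_PIN_INITIALIZED alone, so a module that reports CKF_LOGIN_REQUIRED without it is rejected before any C_Login is attempted, which matches the absence of C_Login in the pkcs11-spy log. The proposed variant still rejects a token that reports neither bit, so it does not hand private-key access to a token with no authentication at all; whether the engine then performs the C_Login is a separate step and is not covered by this check.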
