libp11 fails with public key absent

[dwmw2]

Once upon a time, the self tests in http:https://git.infradead.org/users/dwmw2/openconnect.git/blob/HEAD:/tests/Makefile.am#l193 used to work when built with OpenSSL + libp11.

Now they fail on the token where only private keys were imported without corresponding public keys.

Connecting to obtain cookie (token openconnect-test1 key object=RSA)... SSL connection failure
139951977556608:error:8107A005:PKCS#11 module:pkcs11_private_encrypt:General Error:p11_rsa.c:116:

To reproduce, build openconnect with libp11. Run 'make check'

[dwmw2]

Seen with 0.4.10 on Fedora 30: https://gitlab.com/openconnect/openconnect/-/jobs/314002609

[ansasaki]

Is the test trying to negotiate TLS 1.3?
I'm asking because this might be related with OpenSSL's difficulty to generate RSA-PSS signatures using the engine. This problem is caused by the fact that PKCS#11 does not differentiate RSA-PSS keys from RSA keys, but OpenSSL does. If X509_check_private_key() is called, then the matching of the key from the device and the public key from the certificate will fail.