Bug 1177086
| Summary: | A marked as trusted certificate cannot be written in a softhsmv2 db | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Nikos Mavrogiannopoulos <nmavrogi> |
| Component: | softhsm | Assignee: | Paul Wouters <pwouters> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Priority: | unspecified |
| Version: | 22 | CC: | pspacek, pwouters |
| Target Milestone: | --- | Target Release: | --- |
| Hardware: | Unspecified | OS: | Unspecified |
| Fixed In Version: | softhsm-2.1.0-1.fc24 softhsm-2.1.0-1.fc23 | Doc Type: | Bug Fix |
| Last Closed: | 2016-07-05 05:00:17 UTC | Type: | Bug |
| Story Points: | --- | Regression: | --- |
| Mount Type: | --- | Documentation: | --- |
| Category: | --- | oVirt Team: | --- |
| Cloudforms Team: | --- | | |
Reported upstream as: https://issues.opendnssec.org/browse/SUPPORT-151

Fix available at: https://github.com/opendnssec/SoftHSMv2/pull/102

Still present in F22.

It is fixed upstream in SoftHSM 2.0.0b3. Upstream is about to release 2.0.0 final. If that does not happen within the next week, I'll update the current 2.0.0b3

BTW latest release is 2.0.0rc1. There was no final release done so far. Please update to 2.0.0rc1 which fixes all known bugs.

Is there any reason this fix is not backported?

This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune with any questions

softhsm-2.1.0-1.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-c43dd0091f

softhsm-2.1.0-1.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-376bda6d1d

softhsm-2.1.0-1.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-c43dd0091f

softhsm-2.1.0-1.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-376bda6d1d

softhsm-2.1.0-1.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

softhsm-2.1.0-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Created attachment 972674
PKCS #11 spy log file

Trying to write a certificate in a softhsm db with CKA_TRUSTED fails with:

```
P11Attributes.cpp(407): A trusted certificate cannot be modified
```

How reproducible:

1. Create the configuration file:

   ```
   cat >config
   directories.tokendir = db
   objectstore.backend = file
   ```
2. `export SOFTHSM2_CONF=config`
3. `mkdir db`
4. `softhsm2-util --init-token --slot 0 --label test --so-pin 1234 --pin 1234`
5. `p11tool --provider /usr/lib64/pkcs11/libsofthsm2.so --write --mark-trusted --load-certificate any-cert.pem --label test --so-login`

Output:

```
Error writing certificate: PKCS #11 error in attribute
```

Expected Output: Success.

Writing the same certificate without the mark-trusted flag works fine. This seems to be a regression from version 1, as this use case works properly with softhsmv1 in F20.