Bug 1177086

Summary: A marked as trusted certificate cannot be written in a softhsmv2 db
Product: [Fedora] Fedora
Reporter: Nikos Mavrogiannopoulos <nmavrogi>
Component: softhsm
Assignee: Paul Wouters <pwouters>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 22
CC: pspacek, pwouters
Hardware: Unspecified
OS: Unspecified
Fixed In Version: softhsm-2.1.0-1.fc24 softhsm-2.1.0-1.fc23
Doc Type: Bug Fix
Last Closed: 2016-07-05 05:00:17 UTC
Type: Bug
Attachments: PKCS #11 spy log file (flags: none)

Description Nikos Mavrogiannopoulos 2014-12-24 06:31:03 UTC
Created attachment 972674
PKCS #11 spy log file

Trying to write a certificate in a softhsm db with CKA_TRUSTED fails with:
P11Attributes.cpp(407): A trusted certificate cannot be modified

How reproducible:
1. cat >config <<EOF
directories.tokendir = db
objectstore.backend = file
EOF

2. export SOFTHSM2_CONF=config
3. mkdir db
4. softhsm2-util --init-token --slot 0 --label test --so-pin 1234 --pin 1234
5. p11tool --provider /usr/lib64/pkcs11/libsofthsm2.so --write --mark-trusted --load-certificate any-cert.pem  --label test --so-login

Output:
Error writing certificate: PKCS #11 error in attribute

Expected Output:
Success.

Writing the same certificate without the mark-trusted flag works fine.

This seems to be a regression from version 1, as this use case works properly with softhsmv1 in F20.

Comment 1 Nikos Mavrogiannopoulos 2014-12-24 06:40:44 UTC
Reported upstream as: https://issues.opendnssec.org/browse/SUPPORT-151

Comment 2 Nikos Mavrogiannopoulos 2015-01-12 11:00:05 UTC
Fix available at:
https://github.com/opendnssec/SoftHSMv2/pull/102

Comment 3 Nikos Mavrogiannopoulos 2015-06-11 14:48:11 UTC
Still present in F22. It is fixed upstream in SoftHSM 2.0.0b3.

Comment 4 Paul Wouters 2015-06-11 15:49:46 UTC
Upstream is about to release 2.0.0 final. If that does not happen within the next week, I'll update the current 2.0.0b3.

Comment 5 Petr Spacek 2015-06-12 07:45:44 UTC
BTW latest release is 2.0.0rc1.

Comment 6 Nikos Mavrogiannopoulos 2015-07-03 09:04:36 UTC
There was no final release done so far. Please update to 2.0.0rc1 which fixes all known bugs.

Comment 7 Nikos Mavrogiannopoulos 2015-08-03 12:19:24 UTC
Is there any reason this fix is not backported?

Comment 8 Mike McCune 2016-03-28 23:23:30 UTC
This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune with any questions

Comment 9 Fedora Update System 2016-06-22 12:32:52 UTC
softhsm-2.1.0-1.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-c43dd0091f

Comment 10 Fedora Update System 2016-06-22 12:33:13 UTC
softhsm-2.1.0-1.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-376bda6d1d

Comment 11 Fedora Update System 2016-06-22 22:59:30 UTC
softhsm-2.1.0-1.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-c43dd0091f

Comment 12 Fedora Update System 2016-06-22 23:02:36 UTC
softhsm-2.1.0-1.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-376bda6d1d

Comment 13 Fedora Update System 2016-07-05 05:00:05 UTC
softhsm-2.1.0-1.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 14 Fedora Update System 2016-07-05 08:25:32 UTC
softhsm-2.1.0-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.