Bug 1272453

Summary: A marked as CA certificate cannot be written in a softhsmv2 db
Product: [Fedora] Fedora
Reporter: Nikos Mavrogiannopoulos <nmavrogi>
Component: softhsm
Assignee: Paul Wouters <pwouters>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 23
CC: pspacek, pwouters
Fixed In Version: softhsm-2.1.0-1.fc24 softhsm-2.1.0-1.fc23
Doc Type: Bug Fix
Last Closed: 2016-07-05 05:00:19 UTC
Type: Bug
Attachments:
pkcs11 spy output (flags: none)

Description Nikos Mavrogiannopoulos 2015-10-16 12:38:12 UTC
Trying to write a certificate in a softhsm db with CKA_CERTIFICATE_CATEGORY fails with: CKR_ATTRIBUTE_READ_ONLY

How reproducible:
1. cat >config
directories.tokendir = db
objectstore.backend = file

2. export SOFTHSM2_CONF=config
3. mkdir db
4. softhsm2-util --init-token --slot 0 --label test --so-pin 1234 --pin 1234
5. p11tool --provider /usr/lib64/pkcs11/libsofthsm2.so --write --mark-ca --load-certificate any-cert.pem  --label test --so-login

Output:
Error writing certificate: PKCS #11 error in attribute

Expected Output:
Success.

Writing the same certificate without the mark-ca flag works fine.

This is a regression from version 1, as this use case works properly with softhsmv1 in F20.

Comment 1 Nikos Mavrogiannopoulos 2015-10-16 12:38:38 UTC
Created attachment 1083641
pkcs11 spy output

Comment 2 Nikos Mavrogiannopoulos 2016-01-27 08:50:48 UTC
https://github.com/opendnssec/SoftHSMv2/issues/162

Comment 3 Nikos Mavrogiannopoulos 2016-02-25 16:20:13 UTC
Could that patch be included in F23? The gnutls PKCS#11 test suite depends on softhsm having this functionality, and since the softhsm v1->v2 transition I cannot run this part of the test suite in Fedora.

https://github.com/opendnssec/SoftHSMv2/pull/164

Comment 4 Paul Wouters 2016-02-25 16:33:27 UTC
We were going to wait for the next upstream release in 1-2 weeks, but I can do another build with just the patches for #162

Comment 5 Fedora Update System 2016-06-22 12:32:56 UTC
softhsm-2.1.0-1.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-c43dd0091f

Comment 6 Fedora Update System 2016-06-22 12:33:15 UTC
softhsm-2.1.0-1.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-376bda6d1d

Comment 7 Fedora Update System 2016-06-22 22:59:32 UTC
softhsm-2.1.0-1.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-c43dd0091f

Comment 8 Fedora Update System 2016-06-22 23:02:38 UTC
softhsm-2.1.0-1.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-376bda6d1d

Comment 9 Fedora Update System 2016-07-05 05:00:07 UTC
softhsm-2.1.0-1.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2016-07-05 08:25:34 UTC
softhsm-2.1.0-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.