Bug 1375307

Summary: Deleting softhsm PKCS#11 objects does not work with p11tool --(so-)login
Product: Red Hat Enterprise Linux 7 Reporter: Stanislav Zidek <szidek>
Component: gnutlsAssignee: Nikos Mavrogiannopoulos <nmavrogi>
Status: CLOSED ERRATA QA Contact: Stanislav Zidek <szidek>
Severity: low Docs Contact:
Priority: medium    
Version: 7.3CC: ansasaki, szidek
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: gnutls-3.3.29-4.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-10-30 07:56:55 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 1561481    

Description Stanislav Zidek 2016-09-12 16:53:06 UTC 
Description of problem:
It only works without login.

Version-Release number of selected component (if applicable):
gnutls-3.3.24-1.el7

How reproducible:
always

Steps to Reproduce:
0. export GNUTLS_PIN=1234; export GNUTLS_SO_PIN=1234
1. softhsm2-util --init-token --free --label softhsm --pin $GNUTLS_PIN --so-pin $GNUTLS_SO_PIN
2. p11tool --so-login --batch --label '$CA_LABEL' --mark-trusted --mark-ca --load-certificate <<CAcert>> --write '<<token>>'
3. p11tool --login --batch --delete '<<CERT URL>>'

Actual results:
Error in pkcs11_delete:82: Error in provided PIN.

Expected results:
If it's possible to delete certificate without --login, it should be probably also possible with it. Or the error message should give some good reason why it does not work.
Comment 1 Nikos Mavrogiannopoulos 2017-06-02 08:37:30 UTC 
There is something strange there. What is the use case handled? You write as a security officer, and you try to delete as a user. Is that the intention?
Comment 2 Stanislav Zidek 2017-06-02 12:02:15 UTC 
Removing worked with neither --login nor --so-login. It only works without any of these arguments.
Comment 3 Nikos Mavrogiannopoulos 2017-06-02 12:59:14 UTC 
That may be a quirk of softhsm2 and p11tool may not be the right place to address that. Do you see the same behavior if you use pkcs11-tool from opensc?
Comment 4 Stanislav Zidek 2017-06-08 15:13:23 UTC 
I can delete fine with
pkcs11-tool --module /usr/lib64/pkcs11/libsofthsm2.so --delete-object --type cert --label 'Example CA' --pin 1234 -v --login

I think that might have been the reason why I filed this bug for 'gnutls' component.
Comment 5 Nikos Mavrogiannopoulos 2018-01-17 18:27:23 UTC 
https://gitlab.com/gnutls/gnutls/merge_requests/583
Comment 13 errata-xmlrpc 2018-10-30 07:56:55 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:3050