Bug 1443488

Summary: pkcs11-tool aborts when initializing new pin
Product: Red Hat Enterprise Linux 7 Reporter: Patrik Kis <pkis>
Component: openscAssignee: Jakub Jelen <jjelen>
Status: CLOSED NOTABUG QA Contact: Release Test Team <release-test-team>
Severity: medium Docs Contact:
Priority: medium    
Version: 7.4Keywords: Regression
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-04-19 11:13:20 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
The init_token.sh script used in the reproducer. none

Description Patrik Kis 2017-04-19 10:57:00 UTC 
Created attachment 1272575 [details]
The init_token.sh script used in the reproducer.

Description of problem:
There is the following test case, which stared failing after opensc rebase to opensc-0.16.
It worked with no issue with opensc-0.14.

Version-Release number of selected component (if applicable):
opensc-0.16.0-4.20170227git777e2a3.el7

How reproducible:
always

Steps to Reproduce:

# find /var/lib/opencryptoki/ -type f -exec rm {} \;
# service pkcsslotd start
Redirecting to /bin/systemctl start  pkcsslotd.service
# service pkcsslotd status
Redirecting to /bin/systemctl status  pkcsslotd.service
● pkcsslotd.service - Daemon which manages cryptographic hardware tokens for the openCryptoki package
   Loaded: loaded (/usr/lib/systemd/system/pkcsslotd.service; disabled; vendor preset: disabled)
   Active: active (running) since Wed 2017-04-19 10:46:52 CEST; 3s ago
... SNIP ...

# ./init_token.sh 3 87654321 1234
spawn /usr/sbin/pkcsconf -c 3 -I
Enter the SO PIN: 
Enter a unique token label: swvtoken
spawn /usr/sbin/pkcsconf -c 3 -P
Enter the SO PIN: 
Enter the new SO PIN: 
Re-enter the new SO PIN: 
Error setting PIN: 0xA1 (CKR_PIN_INVALID)
spawn /usr/sbin/pkcsconf -c 3 -u
Enter the SO PIN: 
Enter the new user PIN: 
Re-enter the new user PIN: 
spawn /usr/sbin/pkcsconf -c 3 -p
Enter user PIN: 
Enter the new user PIN: 
Re-enter the new user PIN: 
#
#
# pkcsconf -t
Token #3 Info:
	Label: swvtoken                        
	Manufacturer: IBM Corp.                       
	Model: IBM SoftTok     
	Serial Number: 123             
	Flags: 0x80044D (RNG|LOGIN_REQUIRED|USER_PIN_INITIALIZED|CLOCK_ON_TOKEN|TOKEN_INITIALIZED|SO_PIN_TO_BE_CHANGED)
	Sessions: 0/18446744073709551614
	R/W Sessions: 18446744073709551615/18446744073709551614
	PIN Length: 4-8
	Public Memory: 0xFFFFFFFFFFFFFFFF/0xFFFFFFFFFFFFFFFF
	Private Memory: 0xFFFFFFFFFFFFFFFF/0xFFFFFFFFFFFFFFFF
	Hardware Version: 1.0
	Firmware Version: 1.0
	Time: 10:47:28
# pkcs11-tool -v --module /usr/lib64/pkcs11/libopencryptoki.so --init-token --label swvtoken --so-pin 87654321
Using slot 0 with a present token (0x3)
Token successfully initialized
#
# pkcs11-tool -v --module /usr/lib64/pkcs11/libopencryptoki.so --init-pin --so-pin 87654321 --pin 1234 --login alice
error: invalid option(s) given
Aborting.
# rpm -q opensc
opensc-0.16.0-4.20170227git777e2a3.el7.x86_64
#
# rpm -Uvh --oldpackage opensc-0.14.0-2.el7.x86_64.rpm 
Preparing...                          ################################# [100%]
Updating / installing...
   1:opensc-0.14.0-2.el7              ################################# [ 50%]
Cleaning up / removing...
   2:opensc-0.16.0-4.20170227git777e2a################################# [100%]
## pkcs11-tool -v --module /usr/lib64/pkcs11/libopencryptoki.so --init-pin --so-pin 87654321 --pin 1234 --login alice
Using slot 0 with a present token (0x3)
User PIN successfully initialized
Comment 2 Jakub Jelen 2017-04-19 11:13:20 UTC 
Hello Patrik,
the --login switch does not have any argument.

If I remember well, I saw this problem in some tests before and was fixing it somewhere (but it probably survived in some places). Just remove "alice" at the end of your command and you are fine.

# pkcs11-tool -v --module /usr/lib64/pkcs11/libopencryptoki.so --init-pin --so-pin 87654321 --pin 1234 --login

Before it was ignoring bogus arguments, but it is certainly not a bug to be strict about what is being passed to this tool.
Comment 3 Patrik Kis 2017-04-19 12:38:49 UTC 
Ahh, my bad, I did not notice it does not take argument. The test was fixed. Thanks.