Bug 1557740

Summary: Fails to write EC public key with SafeNet HSM
Product: Red Hat Enterprise Linux 7
Component: opensc
Version: 7.4
Status: CLOSED DUPLICATE
Severity: unspecified
Priority: unspecified
Reporter: Richard Chan <rc556677>
Assignee: Jakub Jelen <jjelen>
QA Contact: Asha Akkiangady <aakkiang>
CC: nmavrogi, rc556677
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Type: Bug
Last Closed: 2018-04-25 16:40:45 UTC
Bug Blocks: 1563596

Description Richard Chan 2018-03-18 09:44:38 UTC
Description of problem:

pkcs11-tool fails to write an EC public key with libCryptoki2_64.so from SafeNet/Cloud HSM

Version-Release number of selected component (if applicable):
opensc-0.16.0-5.20170227git777e2a3.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. create an EC public key in DER
2. write with pkcs11-tool --module /usr/lib/libCryptoki2_64.so --write ec_public_key.der

Actual results:
SafeNet error 0x8000002f meaning EC_POINT is invalid


Expected results:
public key is created on token


Additional info:
1. pkcs11-tool sends the OCTET STRING *content bytes* as EC POINT
2. SafeNet expects the OCTET STRING DER including TAG and LENGTH
3. this is related to compilation flags: 2. requires EC_POINT_NO_ASN1_OCTET_STRING to be defined

The affected lines (in pkcs11-tool's EC public key write path) are

    /* copy the OCTET STRING content and, unless the workaround macro is set,
     * strip the DER tag and length so only the bare point bytes are sent */
    memcpy(point, buf, point_len);
    gost->public.len = header_len + point_len;
    #ifndef EC_POINT_NO_ASN1_OCTET_STRING /* workaround for non-compliant cards not expecting DER encoding */
    gost->public.len   -= header_len;
    gost->public.value += header_len;
    #endif
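
The encoding difference at the heart of this report, as an added worked example (not code from OpenSC, pkcs11-tool or the reporter): PKCS#11 defines CKA_EC_POINT as the DER encoding of an OCTET STRING, i.e. tag 0x04, a length, and then the uncompressed point 0x04 || X || Y, whereas the build described above sends only the content bytes. The function and variable names below are hypothetical, the point coordinates are constructed placeholders, and the P-521 case is included because its 133-byte point forces the long-form length that a naive two-byte header would get wrong.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Encode a raw uncompressed EC point (0x04 || X || Y) as a DER OCTET STRING:
 * tag 0x04, then the length (short form below 128, otherwise 0x81/0x82 long
 * form), then the point bytes. This TLV is what PKCS#11 specifies for
 * CKA_EC_POINT. Returns the encoded size, or 0 if the output buffer is too
 * small or the point is larger than this encoder supports. */
size_t ec_point_to_der_octet_string(const uint8_t *point, size_t point_len,
                                    uint8_t *out, size_t out_cap)
{
    size_t header_len;

    if (point_len < 0x80)
        header_len = 2;          /* 04 LL */
    else if (point_len < 0x100)
        header_len = 3;          /* 04 81 LL */
    else if (point_len < 0x10000)
        header_len = 4;          /* 04 82 LL LL */
    else
        return 0;
    if (out_cap < header_len + point_len)
        return 0;

    out[0] = 0x04;               /* OCTET STRING tag */
    if (header_len == 2) {
        out[1] = (uint8_t)point_len;
    } else if (header_len == 3) {
        out[1] = 0x81;
        out[2] = (uint8_t)point_len;
    } else {
        out[1] = 0x82;
        out[2] = (uint8_t)(point_len >> 8);
        out[3] = (uint8_t)point_len;
    }
    memcpy(out + header_len, point, point_len);
    return header_len + point_len;
}

/* Decide whether a CKA_EC_POINT value is the DER-wrapped OCTET STRING
 * (returns the header length, 2..4) or a bare point as the unpatched build
 * wrote (returns 0). Both forms begin with 0x04, so the test is whether a
 * valid OCTET STRING header exactly covers the rest of the buffer and the
 * wrapped content itself starts with the uncompressed-point marker 0x04.
 * This is a heuristic: a bare point whose first coordinate happens to start
 * with (len - 2), 0x04 would be misread, which is exactly why the standard
 * mandates one form instead of letting tokens guess. */
size_t ec_point_der_header_len(const uint8_t *v, size_t len)
{
    if (len < 3 || v[0] != 0x04)
        return 0;
    if (v[1] < 0x80)
        return ((size_t)v[1] == len - 2 && v[2] == 0x04) ? 2 : 0;
    if (v[1] == 0x81)
        return (len >= 4 && (size_t)v[2] == len - 3 && v[3] == 0x04) ? 3 : 0;
    if (v[1] == 0x82)
        return (len >= 5 && (((size_t)v[2] << 8) | v[3]) == len - 4 && v[4] == 0x04) ? 4 : 0;
    return 0;
}

/* Constructed samples: a P-256-sized point (1 + 32 + 32 = 65 bytes) and a
 * P-521-sized point (1 + 66 + 66 = 133 bytes, which needs the long-form
 * length). Returns 1 when both encode as expected and the bare forms are
 * correctly told apart from the wrapped ones, 0 otherwise. */
int run_examples(void)
{
    uint8_t p256[65], p521[133], der[140];
    size_t n;

    memset(p256, 0x11, sizeof p256); p256[0] = 0x04;   /* placeholder coordinates */
    memset(p521, 0x22, sizeof p521); p521[0] = 0x04;

    n = ec_point_to_der_octet_string(p256, sizeof p256, der, sizeof der);
    if (n != 67 || der[1] != 0x41 || ec_point_der_header_len(der, n) != 2)
        return 0;
    if (ec_point_der_header_len(p256, sizeof p256) != 0)   /* bare form is not DER */
        return 0;

    n = ec_point_to_der_octet_string(p521, sizeof p521, der, sizeof der);
    if (n != 136 || der[1] != 0x81 || der[2] != 0x85 || ec_point_der_header_len(der, n) != 3)
        return 0;
    if (ec_point_der_header_len(p521, sizeof p521) != 0)
        return 0;

    printf("P-256 CKA_EC_POINT: 67 bytes (04 41 04 ...); P-521: 136 bytes (04 81 85 04 ...)\n");
    return 1;
}

int main(void)
{
    return run_examples() ? 0 : 1;
}
```

Running the block encodes the two constructed points and prints their wrapped sizes; the 0x81 0x85 header on the P-521 case is the detail the short-form-only assumption misses. A token that, like the HSM in this report, validates CKA_EC_POINT strictly rejects the bare form, while tolerant tokens accept either, which is why the mismatch was invisible against most test targets.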

Comment 2 Richard Chan 2018-03-19 06:21:48 UTC
Our packaging seems wrong. Since we don't define EC_POINT_NO_ASN1_OCTET_STRING we are writing the plain binary bytes but we should get the full DER TLV.

https://github.com/OpenSC/libp11/issues/79

Comment 3 Richard Chan 2018-03-19 06:31:02 UTC
s/we don't define EC_POINT_NO_ASN1_OCTET_STRING/we don't define EC_POINT_NO_ASN1_OCTET_STRING  in the spec file/

s/but we should get the full DER TLV/but the standard, and correct implementations like SafeNet HSM, expect the full DER TLV/

Comment 4 Jakub Jelen 2018-03-19 09:58:46 UTC
It looks like most of the tools that I test against already accept both conventions, since it was a common bug some years ago, and therefore I did not detect the issue in pkcs11-tool itself (well ... it was quite a new feature in pkcs11-tool). This is an issue also in upstream, so can you open an issue/PR on the OpenSC project [1]? I don't think this is a reasonable default to use non-standard formatting and we should certainly fix that.

[1] https://github.com/OpenSC/OpenSC/

Comment 5 Jakub Jelen 2018-03-19 15:56:42 UTC
I finally got through all the other things to find your PR upstream:

https://github.com/OpenSC/OpenSC/pull/1287/

Yes, this change clearly makes sense and I will consider it for the next release. Thank you for the bug report.

Comment 7 Jakub Jelen 2018-04-25 16:40:45 UTC

*** This bug has been marked as a duplicate of bug 1562572 ***