Bug 1565839

Summary: The epel-stable version libp11-0.4.7-1.el7 forces pkcs11 engine sign to always prompt for Yubikey 4 PIN
Product: Red Hat Enterprise Linux 7
Reporter: Dave Dykstra <dwd>
Component: libp11
Assignee: Stef Walter <stefw>
Status: CLOSED WONTFIX
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: high
Priority: unspecified
Version: 7.4
Target Milestone: rc
Type: Bug
Last Closed: 2021-02-15 07:38:20 UTC

Description Dave Dykstra 2018-04-10 21:54:45 UTC
Description of problem:

Even though I pass a PIN to the pkcs11 engine with -passin, version 0.4.7-1 always prompts for a PIN.  This did not happen with version 0.4.6-1.  This is using a Yubikey 4 on an el7.4 system.

Version-Release number of selected component (if applicable):
0.4.7-1

How reproducible:
Very

Steps to Reproduce:
1. install libp11-0.4.7-1.el7 and engine_pkcs11-0.4.7-1.el7
2. plug a Yubikey 4 into a USB port, with a certificate in slot 9c, for example with these instructions and yubico-piv-tool:
   2a. openssl genrsa 2048 > private.pem
   2b. openssl req -x509 -days 1000 -new -key private.pem -out public.pem
   2c. openssl pkcs12 -export -in public.pem -inkey private.pem -out mycert.pfx
   2d. yubico-piv-tool -s9c -i mycert.pfx -K PKCS12 -a import-key -a import-cert
3. sha1sum /etc/motd >motd.sha1
4. openssl rsautl -engine pkcs11 -inkey pkcs11: -keyform engine -passin pass:123456 -sign -in motd.sha1 -out motd.sig


Actual results:

engine "pkcs11" set.
Enter PKCS#11 key PIN for SIGN key:

Expected results:

engine "pkcs11" set.

and a motd.sig without prompting for a PIN

Additional info:

I can't seem to find any way to stop it from prompting, but it works with 0.4.6-1.el7.
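
The reproduction steps above, wrapped as an added shell script so the result is a pass/fail instead of a terminal that sits at a PIN prompt. This is example code written for this page, not part of the bug report, libp11 or engine_pkcs11. It assumes (labelled assumptions) that openssl with the pkcs11 engine and a YubiKey 4 are present, that slot 9c was already provisioned with steps 2a-2d so that public.pem from step 2b is in the current directory, and that the PIN is in $PIN (the report uses 123456). The signing command is run with stdin closed and under `timeout`, so an unexpected PIN prompt, which would otherwise hang an unattended signing job, is reported as the bug; a successful signature is verified against the certificate's public key rather than just assumed good.

```shell
#!/bin/bash
# Added reproduction/check script for this report (not from the bug or from libp11).
# Assumptions: openssl + engine_pkcs11 installed, YubiKey 4 plugged in, slot 9c
# provisioned per steps 2a-2d, public.pem (step 2b) in the current directory.
PIN="${PIN:-123456}"                 # PIN used in the report; override via the environment
PIN_PROMPT='Enter PKCS#11 key PIN'   # prompt text quoted in "Actual results"

# Classify one openssl run from its exit status ($1) and captured output ($2):
#   prompted - the PIN prompt text appeared, or the run was killed by timeout
#              (exit 124), i.e. openssl blocked waiting for a PIN from the tty
#   signed   - exit status 0
#   failed   - any other openssl error
classify_run() {
  case "$2" in
    *"$PIN_PROMPT"*) echo prompted; return ;;
  esac
  if [ "$1" -eq 124 ]; then
    echo prompted
  elif [ "$1" -eq 0 ]; then
    echo signed
  else
    echo failed
  fi
}

# Run the exact signing command from step 4 non-interactively: stdin is /dev/null
# and timeout converts a blocked PIN prompt into exit status 124 instead of a hang.
# $1 = digest file, $2 = signature output file; prints the classification.
sign_with_token() {
  out=$(timeout 20 openssl rsautl -engine pkcs11 -keyform engine -inkey 'pkcs11:' \
        -passin "pass:$PIN" -sign -in "$1" -out "$2" </dev/null 2>&1)
  status=$?
  classify_run "$status" "$out"
}

# Verify the signature with the public key from the certificate: rsautl -verify
# recovers the signed blob, which must be byte-identical to the digest file.
# $1 = digest file, $2 = signature file, $3 = certificate (PEM)
verify_sig() {
  openssl x509 -in "$3" -pubkey -noout > pub.pem &&
  openssl rsautl -verify -pubin -inkey pub.pem -in "$2" -out recovered.bin &&
  cmp -s "$1" recovered.bin
}

main() {
  sha1sum /etc/motd > motd.sha1          # step 3 from the report
  result=$(sign_with_token motd.sha1 motd.sig)
  case "$result" in
    signed)
      if verify_sig motd.sha1 motd.sig public.pem; then
        echo "OK: signed with -passin, no PIN prompt, signature verifies"
      else
        echo "FAIL: signature produced but does not verify against public.pem"; exit 1
      fi ;;
    prompted)
      echo "BUG: engine prompted (or blocked) for a PIN despite -passin"; exit 2 ;;
    *)
      echo "FAIL: openssl returned an error; rerun interactively to see it"; exit 3 ;;
  esac
}

# Only touch the token when explicitly asked, so the file can also be sourced.
if [ "${1-}" = "--run" ]; then main; fi
```

Run it as `bash pin-check.sh --run` in the directory holding public.pem; exit status 2 is the behaviour this report describes, 0 is the expected behaviour from 0.4.6-1. Because the check is driven by exit status, it can be kept as a regression test for the engine after each libp11/engine_pkcs11 package update.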

Comment 2 Dave Dykstra 2018-08-21 18:01:27 UTC
I see that 0.4.8 was released upstream 16 days ago (https://github.com/OpenSC/libp11/releases/tag/libp11-0.4.8).  Will this be built soon?  Maybe the problem has been fixed, although I don't see it specifically mentioned in the list of changes.

Comment 3 Dave Dykstra 2019-07-08 18:53:27 UTC
The 0.4.8 version has been built, and in addition to the new problem with it reported in bug #1565836, the problem in this bug report still exists.

There have since been two more versions upstream, 0.4.9 and 0.4.10.

Comment 4 Dave Dykstra 2019-07-08 19:57:58 UTC
This has been replaced by bug #1728016.

Please close this bug; I am not given the option.

Comment 7 RHEL Program Management 2021-02-15 07:38:20 UTC
After evaluating this issue, there are no plans to address it further or fix it in an upcoming release.  Therefore, it is being closed.  If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened.