Bug 1664802

Summary: httpd fails to use RSA-PSS keys and certificates on PKCS#11 device
Product: Red Hat Enterprise Linux 8
Reporter: Stanislav Zidek <szidek>
Component: openssl-pkcs11
Assignee: Jakub Jelen <jjelen>
Status: CLOSED WONTFIX
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: high
Docs Contact: Marc Muehlfeld <mmuehlfe>
Priority: medium
Version: 8.0
CC: ansasaki, bnater, igkioka, jjelen, jorton, lmanasko, luhliari, mjahoda, pasik, szidek, tmraz
Target Milestone: rc
Keywords: Triaged
Target Release: 8.0
Hardware: All
OS: Linux
Doc Type: Known Issue
Doc Text:
Apache `httpd` fails to start if it uses an RSA private key stored in a PKCS#11 device and an RSA-PSS certificate

The PKCS#11 standard does not differentiate between RSA and RSA-PSS key objects and uses the `CKK_RSA` type for both. However, OpenSSL uses different types for RSA and RSA-PSS keys. As a consequence, the `openssl-pkcs11` engine cannot determine which type should be provided to OpenSSL for PKCS#11 RSA key objects. Currently, the engine sets the key type to RSA for all PKCS#11 `CKK_RSA` objects.

When OpenSSL compares the type of an RSA-PSS public key obtained from the certificate with the type contained in an RSA private key object provided by the engine, it concludes that the types are different. Therefore, the certificate and the private key do not match. The check performed in the `X509_check_private_key()` OpenSSL function returns an error in this scenario. The `httpd` web server calls this function in its startup process to check if the provided certificate and key match. Since this check always fails for a certificate containing an RSA-PSS public key and an RSA private key stored in the PKCS#11 module, `httpd` fails to start using this configuration. There is no workaround available for this issue.
Clones: 1664807
Last Closed: 2021-02-01 07:31:52 UTC
Type: Bug
Bug Depends On: 1682502
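The mismatch described in the Doc Text above can be detected before `httpd` is pointed at a PKCS#11 key: OpenSSL assigns the EVP_PKEY type of a certificate's public key from the SubjectPublicKeyInfo algorithm OID, and `openssl-pkcs11` presents every `CKK_RSA` object as a plain RSA key, so a certificate whose SPKI uses id-RSASSA-PSS can never pass `X509_check_private_key()` against a token-resident key. The following Python is an added example, not code from this bug report or from `openssl-pkcs11`; it parses the SPKI (as printed by `openssl x509 -pubkey -noout`) and reports whether the type comparison can succeed. The two sample SPKIs are constructed with dummy key bytes.

```python
import base64
# OpenSSL derives the EVP_PKEY type of a certificate's public key from the SPKI
# algorithm OID (rsaEncryption -> EVP_PKEY_RSA, id-RSASSA-PSS -> EVP_PKEY_RSA_PSS);
# openssl-pkcs11 presents every CKK_RSA token object as EVP_PKEY_RSA.
RSA_ENCRYPTION = "1.2.840.113549.1.1.1"

def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _decode_oid(raw):
    """Decode OBJECT IDENTIFIER content octets (base-128 arcs) to dotted form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # a clear high bit ends the current arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def spki_algorithm_oid(spki_der):
    """Return AlgorithmIdentifier.algorithm of a DER SubjectPublicKeyInfo."""
    tag, pos, _ = _read_tlv(spki_der, 0)        # SubjectPublicKeyInfo SEQUENCE
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    tag, pos, _ = _read_tlv(spki_der, pos)      # AlgorithmIdentifier SEQUENCE
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier must be a SEQUENCE")
    tag, start, end = _read_tlv(spki_der, pos)  # algorithm OBJECT IDENTIFIER
    if tag != 0x06:
        raise ValueError("algorithm must be an OBJECT IDENTIFIER")
    return _decode_oid(spki_der[start:end])

def spki_from_pem(pem_text):
    """Decode a PUBLIC KEY PEM block, e.g. the output of `openssl x509 -pubkey -noout`."""
    body = "".join(ln for ln in pem_text.splitlines() if ln and not ln.startswith("-----"))
    return base64.b64decode(body)

def passes_openssl_type_check(spki_der):
    """True if the EVP_PKEY type comparison inside X509_check_private_key() can
    succeed against a PKCS#11 CKK_RSA key (the modulus must still match too)."""
    return spki_algorithm_oid(spki_der) == RSA_ENCRYPTION

# Constructed sample SPKIs with 2-byte dummy key bit strings (not real keys).
RSA_SPKI = bytes.fromhex("3014300d" "06092a864886f70d010101" "0500" "030300abcd")
PSS_SPKI = bytes.fromhex("3014300d" "06092a864886f70d01010a" "3000" "030300abcd")
```

`passes_openssl_type_check(spki_from_pem(open("cert.pub").read()))` returning False for a certificate means the configuration in this bug report will hit AH02565 regardless of which token key is selected.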

Description Stanislav Zidek 2019-01-09 17:02:36 UTC
Description of problem:


Version-Release number of selected component (if applicable):
httpd-2.4.37-7.module+el8+2443+605475b7.x86_64
openssl-pkcs11-0.4.8-2.el8.x86_64
openssl-1.1.1-8.el8.x86_64
softhsm-2.4.0-1.el8.x86_64

How reproducible:
always

Steps to Reproduce:
1. cd into directory with /CoreOS/p11-kit/Integration/httpd-pkcs11-uri
2. change KEYTYPES array to test rsa-pss - "KEYTYPES=(rsa-pss)"
3. 1minutetip --buildroot rhel8

Actual results:

/var/log/httpd/error_log:
Found 1 private key:
   1 P  id=6b5ff7c0537fde29df51c95d3d022be4fdfd0ffd label=httpd
AH00016: Configuration Failed

/var/log/httpd/ssl_error_log:
[ssl:debug] [...] ssl_engine_pphrase.c(872): Init: Initialized engine pkcs11 for private key pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=ec28ddec41a113d2;token=softhsm;id=%6b%5f%f7%c0%53%7f%de%29%df%51%c9%5d%3d%02%2b%e4%fd%fd%0f%fd;object=httpd;type=private?pin-value=123456
[ssl:emerg] [...] AH02565: Certificate and private key host-8-250-204.host.centralci.eng.rdu2.redhat.com:443:0 from pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=ec28ddec41a113d2;token=softhsm;id=%52%36%d8%ea%58%ea%70%02%b2%27%f4%0f%2b%07%de%1b%72%d2%aa%b3;object=httpd;type=cert and pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=ec28ddec41a113d2;token=softhsm;id=%6b%5f%f7%c0%53%7f%de%29%df%51%c9%5d%3d%02%2b%e4%fd%fd%0f%fd;object=httpd;type=private?pin-value=123456 do not match


Expected results:
no problems

Comment 8 Anderson Sasaki 2019-03-13 17:28:07 UTC
This issue was set to high priority because it has no workaround and it has high impact on a small amount of users.

Comment 17 RHEL Program Management 2021-02-01 07:31:52 UTC
After evaluating this issue, there are no plans to address it further or fix it in an upcoming release.  Therefore, it is being closed.  If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened.