Bug 1705505

Summary: openssl fails with PKCS#11 URIs without module specification
Product: Red Hat Enterprise Linux 8 Reporter: Stanislav Zidek <szidek>
Component: openssl-pkcs11Assignee: Anderson Sasaki <ansasaki>
Status: CLOSED ERRATA QA Contact: Alexander Sosedkin <asosedki>
Severity: medium Docs Contact: Jan Fiala <jafiala>
Priority: medium    
Version: 8.0CC: ansasaki, asosedki, mjahoda, szidek
Target Milestone: rcKeywords: Triaged
Target Release: 8.2   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: openssl-pkcs11-0.4.10-1.el8 Doc Type: Bug Fix
Doc Text:
.`openssl-pkcs11` no longer locks devices by attempting to log in to multiple devices Previously, the `openssl-pkcs11` engine attempted to log in to the first result of a search using the provided PKCS #11 URI and used the provided PIN even if the first result was not the intended device and the PIN matched another device. These failed authentication attempts locked the device. `openssl-pkcs11` now attempts to log in to a device only if the provided PKCS #11 URI matches only a single device. The engine now intentionally fails in case the PKCS #11 search finds more than one device. For this reason, you must provide a PKCS #11 URI that matches only a single device when using `openssl-pkcs11` to log in to the device.
 Story Points: ---
Clone Of:
: 1760751 (view as bug list) Environment:
Last Closed: 2020-04-28 16:58:10 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1760751    

Description Stanislav Zidek 2019-05-02 12:24:39 UTC 
Description of problem:
If we provide openssl PKCS#11 URI such as "pkcs11:id=%01", it is not able use the referenced object.

Version-Release number of selected component (if applicable):
openssl-1.1.1-8.el8.x86_64
p11-kit-0.23.14-4.el8.x86_64

How reproducible:
always

Steps to Reproduce:
1. set up softhsm token with private key; echo "secret" >in.txt
2. openssl pkeyutl -engine pkcs11 -keyform engine -inkey 'pkcs11:token=softhsm;id=%9b%c9%62%90%a2%46%c1%37%1b%83%4c%10%65%fa%7e%6e%ac%a9%59%ad;type=private?pin-value=123456' -encrypt -out output.bin -in in.txt
3. openssl pkeyutl -engine pkcs11 -keyform engine -inkey 'pkcs11:id=%9b%c9%62%90%a2%46%c1%37%1b%83%4c%10%65%fa%7e%6e%ac%a9%59%ad;type=private?pin-value=123456' -encrypt -out output.bin -in in.txt

Actual results:
3: fails
engine "pkcs11" set.
Found uninitialized token
Unable to check if already logged in
Login failed
Login to token failed, returning NULL...
PKCS11_get_private_key returned NULL
cannot load Private Key from engine
140399542032192:error:820780E1:PKCS#11 module:pkcs11_open_session:PKCS#11 token not recognized:p11_slot.c:156:
140399542032192:error:820780E1:PKCS#11 module:pkcs11_open_session:PKCS#11 token not recognized:p11_slot.c:156:
140399542032192:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:crypto/engine/eng_pkey.c:78:
unable to load Private Key
pkeyutl: Error initializing context
Segmentation fault (core dumped)


Expected results:
both 2. and 3. pass
Comment 3 Anderson Sasaki 2019-10-02 08:39:06 UTC 
Upstream fix:
https://github.com/OpenSC/libp11/pull/303
Comment 16 errata-xmlrpc 2020-04-28 16:58:10 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1871