Note: This bug is displayed in read-only format because
the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
DescriptionAnderson Sasaki
2019-11-25 10:43:07 UTC
Created attachment 1639439[details]
Reproducer
Description of problem:
When a certificate with the public key matching a private key present in the PKCS#11 device is imported, p11tool sets a different ID. This breaks the expectation of many applications which rely on matching ID's for matching objects (private key, public key, and certificate).
Version-Release number of selected component (if applicable):
gnutls-3.6.8-9.el8.x86_64
How reproducible:
always
Steps to Reproduce:
To run the attached reproducer it is required to have SoftHSM, openssl, openssl-pkcs11, and gnutls-utils installed
1. Copy the reproducer and extract the files
2. Run the reproducer script "test-softhsm-ecdsa.sh"
Actual results:
Notice that the certificate and the private object ID's don't match although the signature generated with the private key can be successfully verified using the key extracted from the certificate.
Expected results:
The object ID's for all three objects imported (private key, public key, and certificate) should be the same.
Additional info:
The ID used for the certificate object matches the value set in the X509v3 extension "X509v3 Subject Key Identifier" from the certificate. Probably a different algorithm is used to derive the ID for the private key object.
The workaround for the issue is to set the ID explicitly.
I think the behavior depends on the order of import. If the public key is imported beforehand, the same ID will be assigned to the certificate:
https://gitlab.com/gnutls/gnutls/-/blob/master/src/pkcs11.c#L1224
It might worth mentioning the behavior in the documentation.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory (Moderate: gnutls and nettle security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHSA-2021:4451
Created attachment 1639439 [details] Reproducer Description of problem: When a certificate with the public key matching a private key present in the PKCS#11 device is imported, p11tool sets a different ID. This breaks the expectation of many applications which rely on matching ID's for matching objects (private key, public key, and certificate). Version-Release number of selected component (if applicable): gnutls-3.6.8-9.el8.x86_64 How reproducible: always Steps to Reproduce: To run the attached reproducer it is required to have SoftHSM, openssl, openssl-pkcs11, and gnutls-utils installed 1. Copy the reproducer and extract the files 2. Run the reproducer script "test-softhsm-ecdsa.sh" Actual results: Notice that the certificate and the private object ID's don't match although the signature generated with the private key can be successfully verified using the key extracted from the certificate. Expected results: The object ID's for all three objects imported (private key, public key, and certificate) should be the same. Additional info: The ID used for the certificate object matches the value set in the X509v3 extension "X509v3 Subject Key Identifier" from the certificate. Probably a different algorithm is used to derive the ID for the private key object. The workaround for the issue is to set the ID explicitly.