Bug 1857272
Summary: | negative option for token.mechanism not working correctly | | |
---|---|---|---|
Product: | Red Hat Enterprise Linux 8 | Reporter: | Kaleem <ksiddiqu> |
Component: | softhsm | Assignee: | Alexander Bokovoy <abokovoy> |
Status: | CLOSED ERRATA | QA Contact: | Kaleem <ksiddiqu> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | | |
Version: | 8.3 | CC: | abokovoy, jjelen, mpolovka, pcech, twoerner |
Target Milestone: | rc | Keywords: | Triaged |
Target Release: | 8.0 | | |
Hardware: | Unspecified | | |
OS: | Unspecified | | |
Whiteboard: | | | |
Fixed In Version: | softhsm-2.6.0-4 | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2021-05-18 15:48:21 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |

Description
Kaleem
2020-07-15 15:24:54 UTC
The fix for this issue is submitted in the following PR on upstream project: https://github.com/opendnssec/SoftHSMv2/pull/561

Moving back in ASSIGNED state as the PR has not been merged upstream, yet.

Manually pre-verified using softhsm-2.6.0-5.module+el8.4.0+9973+3d202164.x86_64 from test compose http://artifacts.osci.redhat.com/comp/rhel-8.4.0-mbs/9973-1386-idm using RHEL8.4

Fixed version:

1. # install softhsm-2.6.0-5.module+el8.4.0+9973+3d202164.x86_64.rpm
2. # install opensc
3. softhsm2-util --init-token --slot 0 --label "My token"
4. grep -r slots.mechanisms /etc/softhsm2.conf
   # Enable and disable PKCS#11 mechanisms using slots.mechanisms.
   slots.mechanisms = ALL
5. pkcs11-tool -M --module /usr/lib64/libsofthsm2.so > all.txt
6. sed -i 's/ALL/- CKM_RSA_PKCS,CKM_RSA_X_509/' /etc/softhsm2.conf
7. grep -r slots.mechanisms /etc/softhsm2.conf
   # Enable and disable PKCS#11 mechanisms using slots.mechanisms.
   slots.mechanisms = - CKM_RSA_PKCS,CKM_RSA_X_509
8. pkcs11-tool -M --module /usr/lib64/libsofthsm2.so > custom.txt
9. diff all.txt custom.txt
   47d46
   < RSA-PKCS, keySize={512,16384}, encrypt, decrypt, sign, verify, wrap, unwrap
   51d49
   < RSA-X-509, keySize={512,16384}, encrypt, decrypt, sign, verify

Non-fixed version softhsm-2.6.0-3.module+el8.3.0+6909+fb33717d.x86_64

9. diff all.txt custom.txt
   51d50
   < RSA-X-509, keySize={512,16384}, encrypt, decrypt, sign, verify

Therefore marking as pre-verified: tested.

Verified manually using nightly compose of RHEL8.4 with softhsm-2.6.0-5.module+el8.4.0+9973+3d202164.x86_64

1. install softhsm and opensc
2. softhsm2-util --init-token --slot 0 --label "My token"
3. grep -r slots.mechanisms /etc/softhsm2.conf
   # Enable and disable PKCS#11 mechanisms using slots.mechanisms.
   slots.mechanisms = ALL
4. pkcs11-tool -M --module /usr/lib64/libsofthsm2.so > all.txt
5. sed -i 's/ALL/-CKM_RSA_PKCS,CKM_RSA_X_509/' /etc/softhsm2.conf
6. grep -r slots.mechanisms /etc/softhsm2.conf
   # Enable and disable PKCS#11 mechanisms using slots.mechanisms.
   slots.mechanisms = -CKM_RSA_PKCS,CKM_RSA_X_509
7. pkcs11-tool -M --module /usr/lib64/libsofthsm2.so > custom.txt
8. diff all.txt custom.txt
   47d46
   < RSA-PKCS, keySize={512,16384}, encrypt, decrypt, sign, verify, wrap, unwrap
   51d49
   < RSA-X-509, keySize={512,16384}, encrypt, decrypt, sign, verify

Therefore marking as verified.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: idm:DL1 and idm:client security, bug fix, and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:1846
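
The manual diff in the verification steps above can be turned into a repeatable check. The script below is an added example, not part of the bug report or of SoftHSM: it reads the negative `slots.mechanisms` list and reports any denied mechanism that a saved `pkcs11-tool -M` listing still shows. The function names, temporary paths and sample listings are constructed, and the RSA-PKCS-OAEP line is an assumed extra entry used to show exact-name matching.

```shell
#!/bin/sh
# Added example: check that a negative slots.mechanisms list is enforced.

# Print the CKM_* names of a negative list ("= -A,B" or "= - A,B"), one per
# line. Prints nothing for ALL or for a positive list.
denied_mechanisms() {   # $1: path to softhsm2.conf
    sed -n 's/^[[:space:]]*slots\.mechanisms[[:space:]]*=[[:space:]]*-//p' "$1" |
        tr ',' '\n' | sed -e 's/[[:space:]]//g' -e '/^$/d'
}

# Print each denied mechanism still present in a saved `pkcs11-tool -M`
# listing. Empty output means the deny list took effect.
# Assumption: pkcs11-tool prints CKM_RSA_X_509 as RSA-X-509 (prefix dropped,
# "_" shown as "-"), as it does for the two mechanisms in the bug report.
still_offered() {       # $1: softhsm2.conf  $2: saved listing
    denied_mechanisms "$1" | while read -r ckm; do
        name=$(printf '%s' "${ckm#CKM_}" | tr '_' '-')
        # Anchor on the full name so RSA-PKCS does not match RSA-PKCS-OAEP.
        if grep -Eq "^[[:space:]]*${name}(,|[[:space:]]|\$)" "$2"; then
            printf '%s\n' "$ckm"
        fi
    done
}

# Constructed sample data (not captured from a real token).
demo_dir=$(mktemp -d)
printf '%s\n' '# Enable and disable PKCS#11 mechanisms using slots.mechanisms.' \
    'slots.mechanisms = - CKM_RSA_PKCS,CKM_RSA_X_509' > "$demo_dir/softhsm2.conf"
# Listing as the non-fixed build behaved: only RSA-X-509 was removed.
cat > "$demo_dir/unfixed.txt" <<'EOF'
Supported mechanisms:
  RSA-PKCS, keySize={512,16384}, encrypt, decrypt, sign, verify, wrap, unwrap
  RSA-PKCS-OAEP, keySize={512,16384}, encrypt, decrypt, wrap, unwrap
EOF
# Listing as the fixed build behaved: both denied mechanisms are gone.
cat > "$demo_dir/fixed.txt" <<'EOF'
Supported mechanisms:
  RSA-PKCS-OAEP, keySize={512,16384}, encrypt, decrypt, wrap, unwrap
EOF

echo "unfixed: $(still_offered "$demo_dir/softhsm2.conf" "$demo_dir/unfixed.txt")"
echo "fixed:   $(still_offered "$demo_dir/softhsm2.conf" "$demo_dir/fixed.txt")"
```

On a real host, pass `/etc/softhsm2.conf` and the file written by `pkcs11-tool -M --module /usr/lib64/libsofthsm2.so > custom.txt`; any output from `still_offered` means a mechanism the configuration disables is still advertised.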