Bug 2027452

Summary: Softhsm permissions error: unusable from httpd
Product: [Fedora] Fedora EPEL
Reporter: Graham Leggett <minfrin>
Component: softhsm
Assignee: Paul Wouters <paul.wouters>
Status: NEW
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: epel8
CC: abokovoy, crypto-team, paul.wouters
Hardware: Unspecified
OS: Unspecified
Type: Bug

Description Graham Leggett 2021-11-29 17:33:01 UTC
Description of problem:

When attempting to use Apache httpd's PKCS11 support against a softhsm token, all SSL connections fail with the following logged:

Nov 29 19:20:45 gatekeeper httpd[224798]: File.cpp(94): Could not open the file (Permission denied): /var/lib/softhsm/tokens//2f6dd39f-ddc9-d647-4dbd-a11886be9cd2/3ba76108-42de-094f-6c02-e626ec4e5f20.object

The error is accurate - there are no meaningful permissions set on the softhsm directory:

[root@gatekeeper ~]# ls -al /var/lib/softhsm/
total 4
drwxr-x---.  3 ods  ods    20 May  6  2021 .
drwxr-xr-x. 42 root root 4096 Nov 20 08:24 ..
drwxrwx--T.  3 ods  ods    50 May  6  2021 tokens

[root@gatekeeper ~]# ls -al /var/lib/softhsm/tokens/
total 4
drwxrwx--T. 3 ods  ods    50 May  6  2021 .
drwxr-x---. 3 ods  ods    20 May  6  2021 ..
drwx------. 2 root root 4096 Nov 29 18:21 2f6dd39f-ddc9-d647-4dbd-a11886be9cd2

Softhsm should have a group of its own, and by default daemons that support PKCS11 should automatically be a member of the group.

The directory should have the setgid bit set, so that tokens created by one user aren't invisible to others.

Version-Release number of selected component (if applicable):

2.6.1

How reproducible:

Always

Steps to Reproduce:
1. Install a key into softhsm as root.
2. Attempt to access this key using httpd and SSLCertificateKey pkcs11:[url-of-key]

Actual results:

Client failure as follows:

curl: (35) error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error

Server log entry as follows:

Could not open the file (Permission denied): 

Expected results:

Successful connection.

Comment 1 Alexander Bokovoy 2021-11-29 17:44:33 UTC
SoftHSM in EPEL8 cannot deviate in its packaging from RHEL. The only reason why it exists in EPEL8 is to allow building against it without enabling the RHEL IdM module idm:DL1 stream (which is not enabled by default, thus cannot be used for building EPEL packages directly).

In RHEL, SoftHSM is provided exclusively to be used with RHEL IdM to provide DNSSEC setup, and RHEL IdM does configure SoftHSM to use its own environment.

If you want to use SoftHSM for something else, you can configure it for your own environment using environment variables and configuration files. It is practically impossible to make defaults that fit all use cases.

Please see README.md in the package documentation for the details and how to set up your own environment.
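
The per-service environment that Comment 1 points to can be set up as below. This is an added example, not part of the bug report or the softhsm package: it creates a token store owned by a single account plus the softhsm2.conf that SOFTHSM2_CONF selects, and checks the store as the calling user. The function names, the /srv/httpd-hsm path and the apache account are assumptions.

```sh
#!/bin/sh
# Added example (not from the bug report or the softhsm package).
# Assumed names: setup_token_store, check_token_store, /srv/httpd-hsm, apache.

# setup_token_store BASE [OWNER]
# Creates BASE/tokens and BASE/softhsm2.conf, accessible to their owner only.
# OWNER (user:group) is optional and needs root; without it the caller owns the store.
setup_token_store() {
    base=$1
    owner=${2:-}
    ( umask 077
      mkdir -p "$base/tokens" || exit 1
      {
          printf 'directories.tokendir = %s\n' "$base/tokens"
          printf 'objectstore.backend = file\n'
      } > "$base/softhsm2.conf" ) || return 1
    chmod 0700 "$base" "$base/tokens" || return 1
    chmod 0600 "$base/softhsm2.conf" || return 1
    if [ -n "$owner" ]; then
        chown -R "$owner" "$base" || return 1
    fi
    printf '%s\n' "$base/softhsm2.conf"
}

# check_token_store CONF
# Run as the account that will open the token: -r and -x are evaluated for the
# calling user, which is the check that fails in the log line of this report.
check_token_store() {
    conf=$1
    tokendir=$(sed -n 's/^directories\.tokendir[[:space:]]*=[[:space:]]*//p' "$conf")
    if [ -z "$tokendir" ] || [ ! -d "$tokendir" ]; then
        echo "tokendir missing"; return 1
    fi
    if [ ! -r "$tokendir" ] || [ ! -x "$tokendir" ]; then
        echo "tokendir not accessible to $(id -un)"; return 1
    fi
    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld "$tokendir" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "tokendir open to group/other: $perms"; return 1
    fi
    echo "ok: $tokendir"
}

# Usage as root (path and account are assumptions):
#   setup_token_store /srv/httpd-hsm apache:apache
#   runuser -u apache -- env SOFTHSM2_CONF=/srv/httpd-hsm/softhsm2.conf \
#       softhsm2-util --init-token --free --label httpd
```

The service itself needs the same SOFTHSM2_CONF value in its environment, for example through a systemd drop-in with an Environment= line.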