Bug 2073274

Summary: Kerberos pkinit should follow consistent pkcs11 support [fedora-rawhide]
Product: Fedora
Component: krb5
Status: CLOSED ERRATA
Severity: medium
Priority: unspecified
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Reporter: Julien Rische <jrische>
Assignee: Julien Rische <jrische>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: abokovoy, antorres, dpal, fdvorak, ftrivino, jjelen, jrische, j, npmccallum, sbose, ssorce, tapazogl
Keywords: Triaged
Fixed In Version: krb5-1.19.2-11.fc37 krb5-1.19.2-11.fc36
Doc Type: If docs needed, set a value
Clone Of: 2030981
Type: Bug
Last Closed: 2022-06-16 06:19:31 UTC
Bug Depends On: 2030981

Description Julien Rische 2022-04-08 06:08:58 UTC
+++ This bug was initially created as a clone of Bug #2030981 +++

Description of problem:
The pkinit hardcodes the path to the opensc-pkcs11.so module, which is not aligned with the rest of RHEL's consistent pkcs11 support, which we introduced in RHEL 8.

krb5-1.19.1/src/plugins/preauth/pkinit/pkinit.h:#define PKCS11_MODNAME "opensc-pkcs11.so"

The pkinit should use p11-kit-proxy.so, which is installed by default on RHEL and which automatically loads any installed pkcs11 module on the system to simplify configuration and usage.

Version-Release number of selected component (if applicable):
current rhel8 and rhel9

How reproducible:
always

Steps to Reproduce:
0. Install and configure softhsm or any other pkcs11 module other than opensc to provide certificate for pkinit
1. kinit -X X509_user_identity=PKCS11: ipauser1

Actual results:
The pkinit is unable to find the certificate

Expected results:
The pkinit finds the certificate (without specifying the pkcs11 module with PKCS11:module_name=/usr/lib64/libsofthsm2.so or PKCS11:module_name=/usr/lib64/p11-kit-proxy.so)

Additional info:
Similar behavior is described by the PKCS#11 URIs:

https://datatracker.ietf.org/doc/html/rfc7512

and is implemented by most of the software using smart cards in the operating system, including openssh, wget, curl, libreswan, nginx, httpd, ...

https://www.redhat.com/en/blog/consistent-pkcs-11-support-red-hat-enterprise-linux-8

--- Additional comment from Alexander Bokovoy on 2022-04-04 05:56:47 UTC ---

Julien,

this looks like a sensible downstream change for a define.

I think we should do it both in Fedora and RHEL.

Comment 1 Julien Rische 2022-04-08 06:45:11 UTC
I've prepared a test setup with opencryptoki on Fedora Rawhide, but I am unable to complete pre-authentication. With the current krb5 release, the following error is raised after I enter the PIN code:

kinit: Pre-authentication failed: Preauthentication failed while getting initial credentials

But it works on Fedora 36.

I used the following configuration for testing the PKCS#11 opencryptoki module:
https://gitlab.com/-/snippets/2286806

Comment 3 Julien Rische 2022-04-08 07:27:35 UTC
I confirm that defining PKCS11_MODNAME as "p11-kit-proxy.so" and using the above configuration, it is possible to complete PKINIT pre-authentication on Fedora 36 without configuring the module library explicitly:

pkinit_identities = PKCS11::certlabel=alice.cert

While on the current version, it needs to be set explicitly:

pkinit_identities = PKCS11:/usr/lib64/pkcs11/libopencryptoki.so:certlabel=alice.cert
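The two identity strings above differ only in whether the module component is empty. As an added illustration (not krb5's own parser), the following C function parses that pkinit_identities syntax and shows how an empty module falls back to a build-time default; it handles only the module and certlabel options used on this page and rejects everything else, and the PKCS11_MODNAME define stands in for the build parameter the upstream change introduces.

```c
#include <string.h>

/* Build-time default PKCS#11 module. krb5 hardcoded "opensc-pkcs11.so"; the
 * fix tracked here makes it a build parameter set to p11-kit-proxy.so. */
#ifndef PKCS11_MODNAME
#define PKCS11_MODNAME "p11-kit-proxy.so"
#endif

struct pkcs11_identity {
    char module[256];    /* resolved module name or path */
    char certlabel[128]; /* CKA_LABEL of the certificate object */
};

/* Bounded copy of n bytes into dst; -1 if it would overflow. */
static int copy_field(char *dst, size_t cap, const char *src, size_t n)
{
    if (n >= cap) return -1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* Parse "PKCS11:[module_name=]module[:certlabel=label]". An empty module
 * component ("PKCS11::certlabel=x") resolves to PKCS11_MODNAME, which is
 * the behaviour this bug changes. Returns 0 on success, -1 on bad input. */
int parse_pkcs11_identity(const char *spec, struct pkcs11_identity *id)
{
    const char *p = spec, *end;
    size_t len;
    int first = 1;

    memset(id, 0, sizeof(*id));
    if (strncmp(p, "PKCS11:", 7) != 0) return -1;
    p += 7;
    for (;;) {
        end = strchr(p, ':');
        len = end ? (size_t)(end - p) : strlen(p);
        if (first) {
            if (len >= 12 && strncmp(p, "module_name=", 12) == 0) { p += 12; len -= 12; }
            if (len == 0) { p = PKCS11_MODNAME; len = strlen(p); } /* default module */
            if (copy_field(id->module, sizeof id->module, p, len)) return -1;
            first = 0;
        } else if (len > 10 && strncmp(p, "certlabel=", 10) == 0) {
            if (copy_field(id->certlabel, sizeof id->certlabel, p + 10, len - 10)) return -1;
        } else {
            return -1; /* unknown or empty option: reject rather than guess */
        }
        if (!end) break;
        p = end + 1;
    }
    return 0;
}
```

Compiling with -DPKCS11_MODNAME='"opensc-pkcs11.so"' reproduces the old default, which is why a SoftHSM or opencryptoki certificate was not found unless the module was spelled out.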

Comment 4 Julien Rische 2022-04-08 14:41:21 UTC
@jjelen are you aware of any known issue with opencryptoki on Fedora Rawhide? Could it be related to the upgrade from OpenSSL 1.1 to 3.0?

Comment 5 Jakub Jelen 2022-04-08 15:09:17 UTC
Sounds like opencryptoki is broken now, most probably because of OpenSSL changes. I would suggest you try SoftHSM, which seems to work just fine for me in both Fedora 26 and rawhide.

Comment 6 Julien Rische 2022-04-12 13:12:09 UTC
We did some tests and it works with SoftHSM indeed, but it requires the CA certificate to be configured as a file in krb5.conf with "pkinit_anchors". The issue is that when both the CA and the user (and private key) certificates are imported into the module, pre-authentication fails:

kinit -X X509_user_identity='PKCS11::certlabel=alice.cert' -X X509_anchors='PKCS11::certlabel=ca.cert' alice
...
[7818] 1649688775.627891: Preauth module pkinit (147) (info) returned: 0/Success
[7818] 1649688775.627892: PKINIT client received freshness token from KDC
[7818] 1649688775.627893: Preauth module pkinit (150) (info) returned: 0/Success
swvtoken                         PIN:
[7818] 1649688778.984875: PKINIT client has no configured identity; giving up
[7818] 1649688778.984876: Preauth module pkinit (16) (real) returned: 95/Operation not supported
...

Comment 7 Jakub Jelen 2022-04-12 13:53:22 UTC
The CA certificate is usually not located in the token (pkcs11 module) so I think this would be a low-priority issue if you would like to solve it. The CA certificate/bundle is usually a file as reading it from the external hardware does not add any security but just makes things even slower than needed.

Comment 8 Julien Rische 2022-04-12 14:10:06 UTC
Okay, if this is not a requirement I suppose we can proceed. I opened a PR for Rawhide:
https://src.fedoraproject.org/rpms/krb5/pull-request/12

Comment 9 Julien Rische 2022-04-19 16:03:52 UTC
I will open a PR upstream to configure the default PKCS#11 module as a build parameter instead.

Comment 12 Julien Rische 2022-04-22 16:48:45 UTC
Upstream pull request:
https://github.com/krb5/krb5/pull/1246

Comment 13 Julien Rische 2022-05-02 08:40:57 UTC
Upstream PR merged:
https://github.com/krb5/krb5/commit/855c715e90f4f115e77136f42b4570c03d325cae

Comment 14 Julien Rische 2022-05-02 16:28:20 UTC
The patch[1] is ready to be submitted, but I will wait for the currently open rawhide PR[2] to be merged to do so.

[1] https://src.fedoraproject.org/fork/jrische/rpms/krb5/c/893f1af99311296bb07c182f9ea6195140b3c2d9?branch=rawhide
[2] https://src.fedoraproject.org/rpms/krb5/pull-request/13

Comment 15 Fedora Update System 2022-06-16 06:17:31 UTC
FEDORA-2022-4ab4a17207 has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2022-4ab4a17207

Comment 16 Fedora Update System 2022-06-16 06:19:31 UTC
FEDORA-2022-4ab4a17207 has been pushed to the Fedora 37 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 17 Fedora Update System 2022-06-16 06:30:52 UTC
FEDORA-2022-f277d02a73 has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2022-f277d02a73

Comment 18 Fedora Update System 2022-06-17 02:01:48 UTC
FEDORA-2022-f277d02a73 has been pushed to the Fedora 36 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2022-f277d02a73`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-f277d02a73

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 19 Fedora Update System 2022-06-20 00:39:52 UTC
FEDORA-2022-f277d02a73 has been pushed to the Fedora 36 stable repository.
If the problem still persists, please make note of it in this bug report.