Bug 2298882

Description of problem:

On Fedora/RHEL platforms pkcs11-helper has been patched such that it mangles URIs in a manner that breaks other software, including GNU Privacy Guard when using PKCS#11 through gnupg-pkcs11-scd.  This problem does not occur on Debian, on Ubuntu or even on RHEL 9 when compiling pkcs11-helper from upstream sources.  The specific problem demonstrated here is importing a PKCS#11 key into gpg but any use of patched pkcs11-helper is potentially going to cause surprising problems that will be difficult to debug.

Version-Release number of selected component (if applicable):

Observed with pkcs11-helper 1.27-6.el9.x86_64 but probably affects any version on any RHEL compatible platform.

How reproducible:

Always

Steps to Reproduce:

1. Install pkcs11-helper
   $ sudo dnf install epel-release && \
     sudo dnf install -y \
        git gnupg pinentry-tty patch libtool pkg-config \
        libgpg-error-devel libassuan-devel libgcrypt-devel \
        pkcs11-helper-devel

2. Compile gnupg-pkcs11-helper (no EPEL or RHEL package seems to exist)
    $ git clone https://github.com/alonbl/gnupg-pkcs11-scd.git
    $ cd gnupg-pkcs11-scd
    $ patch -p1 <<EOF
    diff --git a/configure.ac b/configure.ac
    index 2d31368..6598757 100644
    --- a/configure.ac
    +++ b/configure.ac
    @@ -36,6 +36,7 @@ define([PACKAGE_VERSION_FIX], [1])
     define([PACKAGE_SUFFIX], [_master])
    
     AC_INIT([gnupg-pkcs11-scd], [PACKAGE_VERSION_MAJOR.PACKAGE_VERSION_MINOR.PACKAGE_VERSION_FIX[]PACKAGE_SUFFIX])
    +AC_CONFIG_MACRO_DIR([m4])
     AC_CONFIG_AUX_DIR([.])
     AC_CONFIG_HEADERS([config.h])
     AC_CONFIG_SRCDIR([gnupg-pkcs11-scd/common.h])
    EOF
    $ libtoolize --automake && \
      aclocal && \
      autoheader && \
      automake --add-missing --foreign && \
      autoconf && \
      ./configure && make && sudo make install

3. Configure a PKCS#11 provider with GnuPG
    $ mkdir -p ~/.gnupg/ && chmod 0700 ~/.gnupg/
    $ cat <<EOF > ~/.gnupg/gpg-agent.conf
    scdaemon-program `find /usr/bin /usr/local/bin -name gnupg-pkcs11-scd`
    pinentry-program /usr/bin/pinentry-tty
    EOF
    $ cat <<EOF > ~/.gnupg/gnupg-pkcs11-scd.conf
    verbose
    providers p1
    provider-p1-library /opt/nfast/toolkits/pkcs11/libcknfast.so
    EOF
4. Attempt to import a PKCS#11 protected key pair
    $ echo -e 'RELOADAGENT\nSCD LEARN' | gpg-agent --server gpg-connect-agent
    $ gpg --expert --full-generate-key

Actual results:

Your selection? 14
Serial number of the card: D2760001240111503131AD4306431111
Available keys:
   (1) 258DAF945486847792A1AC4F9E69487B7F6EF2A2
pkcs11:model=;token=loadshared%20accelerator;manufacturer=nCipher%20Corp.%20Ltd;serial=;id=%25%8d%af%94T%86%84w%92%a1%acO%9eiH%7b%7fn%f2%a2
(null)

[... prompts for validity, username and email address ...]

gpg: [internal]:0: invalid algorithm

Expected results:

Your selection? 14
Serial number of the card: D2760001240111503131AD4306431111
Available keys:
   (1) 258DAF945486847792A1AC4F9E69487B7F6EF2A2 nCipher\x20Corp\x2E\x20Ltd///loadshared\x20accelerator/258DAF945486847792A1AC4F9E69487B7F6EF2A2 rsa2048

[... same prompts this time without errors ...]

Additional info:

Actual and expected results above are copied from the output the same system.  The second was collected after "rpm -e pkcs11-helper" and compiling both pkcs11-helper and gnupg-pkcs11-scd from upstream sources.  With the expected results, I was able to sign and verify using gpg with the imported PGP key.

In other words, Fedora and RHEL have patched pkcs11-helper such that it mangles URI values in a manner that confuses GNU Privacy Guard when attempting to use PKCS#11 keys.  Other distributions such as Debian are not affected.  Building pkcs11-helper from upstream sources after uninstalling the RPM also eliminates this problem.