Bug 1128615 - one misbehaving module in p11-kit prevents others from showing up in nssdb (list-modules is ok)
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: p11-kit
Version: 7.0
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: rc
Assignee: Stef Walter
QA Contact: Aleš Mareček
Blocks: 1153110
Reported: 2014-08-11 08:13 UTC by David Jaša
Modified: 2015-03-05 07:55 UTC

Fixed In Version: p11-kit-0.20.6-1.el7
Doc Type: Bug Fix
Last Closed: 2015-03-05 07:55:04 UTC

Links
System | ID | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHBA-2015:0339 | normal | SHIPPED_LIVE | p11-kit bug fix and enhancement update | 2015-03-05 12:22:29 UTC
FreeDesktop.org | 83651 | None | None | None | Never

Description David Jaša 2014-08-11 08:13:09 UTC
Description of problem:
one misbehaving module in p11-kit prevents others from showing up in nssdb (list-modules is ok)

Version-Release number of selected component (if applicable):
p11-kit-0.20.4-1.el7.x86_64
coolkey-1.1.0-27.el7.x86_64
pcsc-lite-1.8.8-4.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. install coolkey and pcsc-lite packages
2. add coolkey to p11-kit:
cat > /etc/pkcs11/modules/coolkey.module << EOF
module: /usr/lib64/pkcs11/libcoolkeypk11.so
critical: no
EOF
3. add p11-kit to nss configuration:
modutil -dbdir /etc/pki/nssdb -add p11-kit -libfile /usr/lib64/p11-kit-proxy.so
4. stop pcscd: service pcscd stop
5. list pkcs11 modules in nss: modutil -dbdir /etc/pki/nssdb -list
p11-kit list-modules

Actual results:
p11-kit is listed as not loaded:
$ modutil -dbdir /etc/pki/nssdb -list
p11-kit: coolkey: module failed to initialize: Internal error
p11-kit: coolkey: module failed to initialize: Internal error

Listing of PKCS #11 Modules
-----------------------------------------------------------
...

  2. p11-kit
	library name: /usr/lib64/p11-kit-proxy.so
	 slots: There are no slots attached to this module
	status: Not loaded
-----------------------------------------------------------


Expected results:
the same as with pcscd running (well without Gemalto SC reader slot):
  2. p11-kit
	library name: /usr/lib64/p11-kit-proxy.so
	 slots: 7 slots attached
	status: loaded

	 slot: /etc/pki/ca-trust/source
	token: System Trust

	 slot: /usr/share/pki/ca-trust-source
	token: Default Trust

	 slot: Gemalto PC Twin Reader 00 00
	token: 

	 slot: SSH Keys
	token: SSH Keys

	 slot: Secret Store
	token: Secret Store

	 slot: Gnome2 Key Storage
	token: Gnome2 Key Storage

	 slot: User Key Storage
	token: User Key Storage
-----------------------------------------------------------


Additional info:
output of "p11-kit list-modules" with pcscd turned off:
$ p11-kit list-modules
p11-kit: coolkey: module failed to initialize, skipping: Internal error
p11-kit-trust: p11-kit-trust.so
    library-description: PKCS#11 Kit Trust Module
    library-manufacturer: PKCS#11 Kit
    library-version: 0.20
    token: System Trust
        manufacturer: PKCS#11 Kit
        model: p11-kit-trust
        serial-number: 1
        hardware-version: 0.20
        flags:
               write-protected
               token-initialized
    token: Default Trust
        manufacturer: PKCS#11 Kit
        model: p11-kit-trust
        serial-number: 1
        hardware-version: 0.20
        flags:
               write-protected
               token-initialized
gnome-keyring: gnome-keyring-pkcs11.so
    library-description: GNOME Keyring Daemon Core
    library-manufacturer: GNOME Keyring
    library-version: 1.1
    token: SSH Keys
        manufacturer: Gnome Keyring
        model: 1.0
        serial-number: 1:SSH:HOME
        flags:
               write-protected
               user-pin-initialized
               protected-authentication-path
               token-initialized
    token: Secret Store
        manufacturer: Gnome Keyring
        model: 1.0
        serial-number: 1:SECRET:MAIN
        flags:
               login-required
               user-pin-initialized
               protected-authentication-path
               token-initialized
    token: Gnome2 Key Storage
        manufacturer: Gnome Keyring
        model: 1.0
        serial-number: 1:USER:DEFAULT
        flags:
               login-required
               user-pin-initialized
               protected-authentication-path
               token-initialized
    token: User Key Storage
        manufacturer: Gnome Keyring
        model: 1.0
        serial-number: 1:XDG:DEFAULT
        flags:
               protected-authentication-path
               token-initialized

Comment 1 David Jaša 2014-08-12 12:03:02 UTC
Created attachment 926057
P11_KIT_DEBUG=all modutil -list

Comment 2 David Jaša 2014-08-12 12:05:04 UTC
Created attachment 926059
P11_KIT_DEBUG=all p11-kit list-modules

Comment 3 Stef Walter 2014-09-09 07:10:18 UTC
Can duplicate.

Comment 4 Stef Walter 2014-09-09 07:41:57 UTC
David, could you try this patched version of p11-kit, which contains a patch to fix the issue:

https://brewweb.devel.redhat.com/taskinfo?taskID=7932463

Comment 6 David Jaša 2014-09-09 08:29:15 UTC
(In reply to Stef Walter from comment #4)
> David, could you try this patched version of p11-kit, which contains a patch
> to fix the issue:
> 
> https://brewweb.devel.redhat.com/taskinfo?taskID=7932463

Works fine, only the unavailable module is omitted in modutil output.
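
A regression check for the behaviour in this report, added here as an example (not part of the bug thread or of p11-kit): it parses `modutil -list` output to tell whether the p11-kit proxy, and with it the System Trust and Default Trust tokens, is loaded in NSS, and names the modules p11-kit reported as failing. The function names and the sample outputs are assumptions constructed from the outputs quoted above.

```shell
#!/bin/sh
# Constructed samples modelled on the outputs quoted in this report.
BROKEN='p11-kit: coolkey: module failed to initialize: Internal error
Listing of PKCS #11 Modules
  1. NSS Internal PKCS #11 Module
     slots: 2 slots attached
    status: loaded
  2. p11-kit
    library name: /usr/lib64/p11-kit-proxy.so
     slots: There are no slots attached to this module
    status: Not loaded'
FIXED='Listing of PKCS #11 Modules
  1. NSS Internal PKCS #11 Module
     slots: 2 slots attached
    status: loaded
  2. p11-kit
    library name: /usr/lib64/p11-kit-proxy.so
     slots: 6 slots attached
    status: loaded'
LISTMOD='p11-kit: coolkey: module failed to initialize, skipping: Internal error'

# Read `modutil -list` output on stdin; print the status of the module whose
# library is p11-kit-proxy.so, or "absent" if no such module is registered.
proxy_status() {
    awk '
        /^[ \t]*[0-9]+\. /                 { is_proxy = 0 }   # next module entry
        /library name:.*p11-kit-proxy\.so/ { is_proxy = 1 }
        is_proxy && /status:/ { sub(/^.*status:[ \t]*/, ""); print; found = 1; exit }
        END { if (!found) print "absent" }
    '
}

# Read p11-kit diagnostics on stdin; print each module that failed to
# initialize, once (covers both message forms quoted in the report).
failed_modules() {
    sed -n 's/^p11-kit: \([^:]*\): module failed to initialize.*/\1/p' | sort -u
}

# Succeeds only when the proxy is loaded. Real use:
#   modutil -dbdir /etc/pki/nssdb -list 2>&1 | check_nss_proxy
check_nss_proxy() {
    [ "$(proxy_status)" = "loaded" ]
}

for sample in "$BROKEN" "$FIXED"; do
    printf 'proxy: %s; failed modules: %s\n' \
        "$(printf '%s\n' "$sample" | proxy_status)" \
        "$(printf '%s\n' "$sample" | failed_modules | tr '\n' ' ')"
done
```
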

Comment 10 errata-xmlrpc 2015-03-05 07:55:04 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0339.html