Red Hat Bugzilla – Bug 1272127
Explicitly set CKA_PRIVATE to false when writing certificates (backport upstream patch 4df35b92)
Last modified: 2016-07-28 19:53:53 EDT
Description of problem:
pkcs11-tool should explicitly set CKA_PRIVATE to "false" for certificates and public keys, since the PKCS#11 spec doesn't specify a default and some drivers use "private" as the default, making it impossible to add a public key/cert using pkcs11-tool.
The patch is available upstream at
Version-Release number of selected component (if applicable):
Write a certificate to the softhsm2 PKCS#11 module and try to read it without logging in
Steps to Reproduce:
1. pkcs11-tool --module /usr/lib64/pkcs11/libsofthsm2.so --slot 0 -w ./cert.der -y cert -l
2. pkcs11-tool --module /usr/lib64/pkcs11/libsofthsm2.so --slot 0 -O
Certificate Object, type = X.509 cert
- plus additional data -
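An added example, not the upstream patch or OpenSC code: a C model of why a certificate template should carry CKA_PRIVATE explicitly. The type and constant definitions are local stand-ins for pkcs11.h, and effective_private() and cert_template() are hypothetical helpers that model a module falling back to its own default when the attribute is absent.

```c
#include <stddef.h>
#include <stdio.h>

/* Local stand-ins for the few pkcs11.h definitions used here, so the
 * example builds without the PKCS#11 headers (assumption: v2.x values). */
typedef unsigned long CK_ULONG;
typedef unsigned char CK_BBOOL;
typedef struct { CK_ULONG type; void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;
#define CK_TRUE  1
#define CK_FALSE 0
#define CKA_CLASS            0x00UL
#define CKA_TOKEN            0x01UL
#define CKA_PRIVATE          0x02UL
#define CKA_VALUE            0x11UL
#define CKA_CERTIFICATE_TYPE 0x80UL
#define CKO_CERTIFICATE      0x01UL
#define CKC_X_509            0x00UL

/* Hypothetical model of object creation inside a module: the effective
 * CKA_PRIVATE is the caller's value, or the module's default if omitted. */
static CK_BBOOL effective_private(const CK_ATTRIBUTE *t, size_t n, CK_BBOOL module_default)
{
    for (size_t i = 0; i < n; i++)
        if (t[i].type == CKA_PRIVATE && t[i].pValue && t[i].ulValueLen == sizeof(CK_BBOOL))
            return *(const CK_BBOOL *)t[i].pValue;
    return module_default; /* spec gives no default, so this varies by driver */
}

/* Fills `out` (room for 5 entries) with an X.509 certificate template. */
static size_t cert_template(CK_ATTRIBUTE *out, int explicit_private, unsigned char *der, CK_ULONG der_len)
{
    static CK_ULONG cls = CKO_CERTIFICATE, ctype = CKC_X_509;
    static CK_BBOOL on_token = CK_TRUE, not_private = CK_FALSE;
    size_t n = 0;
    out[n++] = (CK_ATTRIBUTE){ CKA_CLASS, &cls, sizeof cls };
    out[n++] = (CK_ATTRIBUTE){ CKA_CERTIFICATE_TYPE, &ctype, sizeof ctype };
    out[n++] = (CK_ATTRIBUTE){ CKA_TOKEN, &on_token, sizeof on_token };
    out[n++] = (CK_ATTRIBUTE){ CKA_VALUE, der, der_len };
    if (explicit_private) /* the behaviour this bug asks for */
        out[n++] = (CK_ATTRIBUTE){ CKA_PRIVATE, &not_private, sizeof not_private };
    return n;
}

int main(void)
{
    unsigned char der[] = { 0x30, 0x00 }; /* constructed placeholder, not a real certificate */
    CK_ATTRIBUTE t[5];
    for (int fixed = 0; fixed <= 1; fixed++)
        printf("explicit=%d private=%d\n", fixed, effective_private(t, cert_template(t, fixed, der, sizeof der), CK_TRUE));
    return 0;
}
```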
Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.
If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
Thank you for reporting this bug and we are sorry it could not be fixed.
I am actually building this update.
opensc-0.15.0-6.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-efb513eaf3
opensc-0.15.0-6.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-efb513eaf3
opensc-0.15.0-6.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.