
Bug 1272128

Summary: Explicitly set CKA_PRIVATE to false when writing certificates (backport upstream patch 4df35b92)
Product: Red Hat Enterprise Linux 7
Reporter: Sumit Bose <sbose>
Component: opensc
Assignee: Jakub Jelen <jjelen>
Status: CLOSED ERRATA
QA Contact: Asha Akkiangady <aakkiang>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 7.2
CC: aakkiang, extras-qa, gmazyland, jjelen, jstodola, klember, nmavrogi, pvrabec, rpattath, stefw, tmraz
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: opensc-0.16.0-1.20170227git777e2a3.el7
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1272127
Environment:
Last Closed: 2017-08-01 20:49:06 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1272127
Bug Blocks:
Attachments: list certs on softhsm (flags: none)

Description Sumit Bose 2015-10-15 14:29:58 UTC
+++ This bug was initially created as a clone of Bug #1272127 +++

Description of problem:
pkcs11-tool should explicitly set CKA_PRIVATE to "false" for certificates and public keys, since the PKCS#11 spec doesn't specify a default and some drivers use "private" as the default, making it impossible to add a public key/cert using pkcs11-tool.

The patch is available upstream at
https://github.com/OpenSC/OpenSC/commit/4df35b922c8eb7e0776a23260b65e570b33e4d42

Version-Release number of selected component (if applicable):


How reproducible:
Write a certificate to the softhsm2 PKCS#11 module and try to read it without logging in.

Steps to Reproduce:
1. pkcs11-tool --module  /usr/lib64/pkcs11/libsofthsm2.so --slot 0   -w ./cert.der  -y cert -l
2. pkcs11-tool --module  /usr/lib64/pkcs11/libsofthsm2.so --slot 0   -O


Actual results:
- nothing -

Expected results:
Certificate Object, type = X.509 cert
- plus additional data -
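
To make the failure mode concrete, here is an added Python model (not OpenSC or SoftHSM code) of a token that applies its own default when a template omits CKA_PRIVATE; it shows the old pkcs11-tool template's certificate disappearing from an unauthenticated object listing and the fixed template (explicit CKA_PRIVATE=false, as in upstream commit 4df35b92) staying visible. The Token class, the templates and the DER bytes are constructed for this example; only the attribute constants are real PKCS#11 values.

```python
# Added model (not OpenSC/SoftHSM code) of PKCS#11 object visibility.
# Constants are the real PKCS#11 values; the Token is a constructed stand-in.
CKA_CLASS, CKA_TOKEN, CKA_PRIVATE, CKA_LABEL = 0x000, 0x001, 0x002, 0x003
CKA_VALUE, CKA_CERTIFICATE_TYPE = 0x011, 0x080
CKO_CERTIFICATE, CKC_X_509 = 0x1, 0x0


class Token:
    """Object store whose default for an unspecified CKA_PRIVATE is a
    driver choice: exactly the gap the PKCS#11 spec leaves open."""

    def __init__(self, private_by_default):
        self.private_by_default = private_by_default
        self.objects = []
        self.logged_in = False

    def login(self):
        self.logged_in = True

    def create_object(self, template):
        obj = dict(template)
        # No default in the spec, so this token picks its own.
        obj.setdefault(CKA_PRIVATE, self.private_by_default)
        self.objects.append(obj)

    def find_objects(self, cka_class):
        # Private objects are returned only to a logged-in session;
        # public objects are returned to any session.
        return [o for o in self.objects
                if o[CKA_CLASS] == cka_class
                and (self.logged_in or not o[CKA_PRIVATE])]


def cert_template(der, label, set_private_false):
    """Certificate template as pkcs11-tool would send it; the fixed
    variant adds CKA_PRIVATE=False instead of leaving it unset."""
    tmpl = {CKA_CLASS: CKO_CERTIFICATE, CKA_CERTIFICATE_TYPE: CKC_X_509,
            CKA_TOKEN: True, CKA_LABEL: label, CKA_VALUE: der}
    if set_private_false:
        tmpl[CKA_PRIVATE] = False
    return tmpl


def cert_visible_without_login(private_by_default, set_private_false):
    """Write a constructed certificate, then list it from a public session."""
    tok = Token(private_by_default)
    tok.create_object(cert_template(b"\x30\x82\x01\x00", "label",
                                    set_private_false))
    return len(tok.find_objects(CKO_CERTIFICATE)) == 1
```

With a driver that defaults to private, only the explicit template keeps the certificate listable by `pkcs11-tool -O` without a login; with a driver that defaults to public, both templates work, which is why the bug was only seen on some modules.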

Comment 3 Roshni 2017-05-09 20:58:42 UTC
Jakub,

I am trying to install softhsm on a RHEL 7.4 Server (referring to https://wiki.opendnssec.org/display/SoftHSMDOCS/SoftHSM+Documentation+v2) and I see the following,

[root@ibm-x3650m4-01-vm-10 SoftHSMv2]# ./configure 
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /usr/bin/mkdir -p
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
checking whether make supports nested variables... yes
configure: sysconfdir set to /etc
configure: localstate set to /var
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables... 
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking for style of include used by make... GNU
checking dependency style of gcc... gcc3
checking for g++... g++
checking whether we are using the GNU C++ compiler... yes
checking whether g++ accepts -g... yes
checking dependency style of g++... gcc3
checking whether g++ supports C++11 features by default... no
checking whether g++ supports C++11 features with -std=c++11... yes
checking for dlopen... no
checking for dlopen in -ldl... yes
checking how to run the C preprocessor... gcc -E
checking for grep that handles long lines and -e... /usr/bin/grep
checking for egrep... /usr/bin/grep -E
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking pthread.h usability... yes
checking pthread.h presence... yes
checking for pthread.h... yes
checking for ECC support... yes
checking for GOST support... yes
checking for FIPS 140-2 mode... no
checking for crypto backend... OpenSSL
checking what are the OpenSSL includes... -I/usr/local/include
checking what are the OpenSSL libs... -L/usr/local/lib -lcrypto
checking openssl/ssl.h usability... no
checking openssl/ssl.h presence... no
checking for openssl/ssl.h... no
configure: error: Can't find OpenSSL headers

Could you tell me what I am missing?

Comment 4 Jakub Jelen 2017-05-10 06:49:25 UTC
You can install the already built package softhsm:

https://brewweb.engineering.redhat.com/brew/buildinfo?buildID=500554

I am not sure in which channel it is, but there should be no need to install it from source.

Anyway, the problem you are facing looks like you did not install openssl-devel package. You will also need some other -devel dependencies as you can see from the spec file (BuildRequires):

http://pkgs.devel.redhat.com/cgit/rpms/softhsm/tree/softhsm.spec?h=rhel-7.4

Comment 5 Jakub Jelen 2017-05-10 14:32:55 UTC
How to set up softhsm:

SOPIN="12345678"
PIN="123456"
P11LIB="/usr/lib64/pkcs11/libsofthsm2.so"
echo "directories.tokendir = .tokens/" > .softhsm2.conf
mkdir ".tokens"
export SOFTHSM2_CONF=".softhsm2.conf"

# Init token
softhsm2-util --init-token --slot 0 --label "SC test" --so-pin="$SOPIN" --pin="$PIN"

# generate key & certificate
TYPE="rsa:1024"
ID="02"
LABEL="label"
pkcs11-tool --keypairgen --key-type="$TYPE" --login --pin=$PIN \
  --module="$P11LIB" --label="$LABEL" --id=$ID

# Generate certificate
certtool --generate-self-signed --outfile="$TYPE.cert" --template=cert.cfg \
  --provider="$P11LIB" --load-privkey "pkcs11:object=$LABEL;$TYPE_KEY=private" \
  --load-pubkey "pkcs11:object=$LABEL;$TYPE_KEY=public"
# convert to DER:
openssl x509 -inform PEM -outform DER -in "$TYPE.cert" -out "$TYPE.cert.der"

# write to the softhsm
pkcs11-tool --write-object "$TYPE.cert.der" --type=cert --id=$ID \
--label="$LABEL" --module="$P11LIB" --pin=$PIN

# list the objects
pkcs11-tool --module="$P11LIB" -O

# make sure the certificate is visible in the list (should not be with old version)

Comment 6 Jakub Jelen 2017-05-10 14:34:21 UTC
And I obviously missed the

  TYPE_KEY="type"

so either define this variable or use

  certtool --generate-self-signed --outfile="$TYPE.cert" --template=cert.cfg \
    --provider="$P11LIB" --load-privkey "pkcs11:object=$LABEL;$TYPE_KEY=private" \
    --load-pubkey "pkcs11:object=$LABEL;type=public"

Comment 7 Roshni 2017-05-10 15:30:38 UTC
[root@dhcp129-112 ~]# rpm -qi opensc
Name        : opensc
Version     : 0.16.0
Release     : 4.20170227git777e2a3.el7
Architecture: x86_64
Install Date: Wed 10 May 2017 11:03:34 AM EDT
Group       : System Environment/Libraries
Size        : 3256689
License     : LGPLv2+
Signature   : RSA/SHA256, Thu 13 Apr 2017 04:32:48 AM EDT, Key ID 199e2f91fd431d51
Source RPM  : opensc-0.16.0-4.20170227git777e2a3.el7.src.rpm
Build Date  : Thu 13 Apr 2017 04:04:15 AM EDT
Build Host  : x86-017.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : https://github.com/OpenSC/OpenSC/wiki
Summary     : Smart card library and applications

Softhsm was installed from brew and the attached script was executed successfully.

Comment 8 Roshni 2017-05-10 15:34:21 UTC
Created attachment 1277646 [details]
list certs on softhsm

Comment 9 errata-xmlrpc 2017-08-01 20:49:06 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1989