Bug 1272128 - Explicitly set CKA_PRIVATE to false when writing certificates (backport upstream patch 4df35b92)
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: opensc
Version: 7.2
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Jakub Jelen
QA Contact: Asha Akkiangady
URL:
Whiteboard:
Depends On: 1272127
Blocks:
Reported: 2015-10-15 14:29 UTC by Sumit Bose
Modified: 2017-08-01 20:49 UTC (History)

Fixed In Version: opensc-0.16.0-1.20170227git777e2a3.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1272127
Environment:
Last Closed: 2017-08-01 20:49:06 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)
list certs on softhsm (1.01 KB, application/x-shellscript)
2017-05-10 15:34 UTC, Roshni


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:1989 0 normal SHIPPED_LIVE opensc bug fix and enhancement update 2017-08-01 18:32:58 UTC

Description Sumit Bose 2015-10-15 14:29:58 UTC
+++ This bug was initially created as a clone of Bug #1272127 +++

Description of problem:
pkcs11-tool should explicitly set CKA_PRIVATE to "false" for certificates and public keys, since the PKCS#11 spec doesn't specify a default and some drivers use "private" as the default, making it impossible to add a public key/cert using pkcs11-tool.

The patch is available upstream at
https://github.com/OpenSC/OpenSC/commit/4df35b922c8eb7e0776a23260b65e570b33e4d42

Version-Release number of selected component (if applicable):


How reproducible:
Write a certificate to the softhsm2 PKCS#11 module and try to read it without logging in

Steps to Reproduce:
1. pkcs11-tool --module  /usr/lib64/pkcs11/libsofthsm2.so --slot 0   -w ./cert.der  -y cert -l
2. pkcs11-tool --module  /usr/lib64/pkcs11/libsofthsm2.so --slot 0   -O


Actual results:
- nothing -

Expected results:
Certificate Object, type = X.509 cert
- plus additional data -
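
The failure mode described above, as an added illustration that is not OpenSC code: a toy token model whose driver treats a missing CKA_PRIVATE as TRUE (which PKCS#11 permits, since it specifies no default), and the certificate template built with and without the explicit CKA_PRIVATE=FALSE that upstream commit 4df35b92 adds. The class name, the stand-in DER bytes and the `explicit_private` switch are constructed for this example.

```python
# Constructed model of Bug 1272128, not OpenSC code: a token whose driver
# defaults CKA_PRIVATE to TRUE when the template omits it (PKCS#11 leaves the
# default unspecified), and the cert template with/without the explicit FALSE.

# Attribute / class constants, values as defined by PKCS#11
CKA_CLASS, CKA_TOKEN, CKA_PRIVATE, CKA_LABEL = 0x0000, 0x0001, 0x0002, 0x0003
CKA_VALUE, CKA_CERTIFICATE_TYPE, CKA_ID = 0x0011, 0x0080, 0x0102
CKO_CERTIFICATE, CKC_X_509 = 0x0001, 0x0000


class DefaultPrivateToken:
    """Toy token: objects lacking CKA_PRIVATE are stored as private objects."""

    def __init__(self):
        self.objects, self.logged_in = [], False

    def create_object(self, template):
        obj = dict(template)
        obj.setdefault(CKA_PRIVATE, True)   # this driver's default; spec allows it
        self.objects.append(obj)
        return len(self.objects) - 1        # object handle

    def find_objects(self, match):
        """C_FindObjects: a public (not logged-in) session never sees private objects."""
        return [h for h, o in enumerate(self.objects)
                if (self.logged_in or not o[CKA_PRIVATE])
                and all(o.get(k) == v for k, v in match.items())]


def cert_template(der, label, obj_id, explicit_private):
    """Template pkcs11-tool -w cert.der -y cert passes to C_CreateObject;
    explicit_private=False is the pre-4df35b92 behaviour, True is the fix."""
    t = {CKA_CLASS: CKO_CERTIFICATE, CKA_TOKEN: True, CKA_CERTIFICATE_TYPE: CKC_X_509,
         CKA_VALUE: der, CKA_LABEL: label, CKA_ID: obj_id}
    if explicit_private:
        t[CKA_PRIVATE] = False  # certificates and public keys are public objects
    return t


def cert_visible_without_login(explicit_private):
    """Reproduce the report: write with -l (logged in), then list with -O (no login)."""
    token = DefaultPrivateToken()
    token.logged_in = True                         # step 1 ran with -l / --pin
    der = b"\x30\x82\x01\x00"                      # constructed stand-in for cert.der
    token.create_object(cert_template(der, "label", b"\x02", explicit_private))
    token.logged_in = False                        # step 2: fresh public session
    return bool(token.find_objects({CKA_CLASS: CKO_CERTIFICATE}))
```

With `explicit_private=False` the listing comes back empty, matching the "Actual results" above; with the explicit attribute the certificate object is returned.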

Comment 3 Roshni 2017-05-09 20:58:42 UTC
Jakub,

I am trying to install softhsm on a RHEL 7.4 Server (referring to https://wiki.opendnssec.org/display/SoftHSMDOCS/SoftHSM+Documentation+v2) and I see the following,

[root@ibm-x3650m4-01-vm-10 SoftHSMv2]# ./configure 
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /usr/bin/mkdir -p
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
checking whether make supports nested variables... yes
configure: sysconfdir set to /etc
configure: localstate set to /var
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables... 
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking for style of include used by make... GNU
checking dependency style of gcc... gcc3
checking for g++... g++
checking whether we are using the GNU C++ compiler... yes
checking whether g++ accepts -g... yes
checking dependency style of g++... gcc3
checking whether g++ supports C++11 features by default... no
checking whether g++ supports C++11 features with -std=c++11... yes
checking for dlopen... no
checking for dlopen in -ldl... yes
checking how to run the C preprocessor... gcc -E
checking for grep that handles long lines and -e... /usr/bin/grep
checking for egrep... /usr/bin/grep -E
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking pthread.h usability... yes
checking pthread.h presence... yes
checking for pthread.h... yes
checking for ECC support... yes
checking for GOST support... yes
checking for FIPS 140-2 mode... no
checking for crypto backend... OpenSSL
checking what are the OpenSSL includes... -I/usr/local/include
checking what are the OpenSSL libs... -L/usr/local/lib -lcrypto
checking openssl/ssl.h usability... no
checking openssl/ssl.h presence... no
checking for openssl/ssl.h... no
configure: error: Can't find OpenSSL headers

Could you tell me what I am missing?

Comment 4 Jakub Jelen 2017-05-10 06:49:25 UTC
You can install the already built package softhsm:

https://brewweb.engineering.redhat.com/brew/buildinfo?buildID=500554

I am not sure in which channel it is, but there should be no need to install it from source.

Anyway, the problem you are facing looks like you did not install openssl-devel package. You will also need some other -devel dependencies as you can see from the spec file (BuildRequires):

http://pkgs.devel.redhat.com/cgit/rpms/softhsm/tree/softhsm.spec?h=rhel-7.4

Comment 5 Jakub Jelen 2017-05-10 14:32:55 UTC
How to set up softhsm:

SOPIN="12345678"
PIN="123456"
P11LIB="/usr/lib64/pkcs11/libsofthsm2.so"
echo "directories.tokendir = .tokens/" > .softhsm2.conf
mkdir ".tokens"
export SOFTHSM2_CONF=".softhsm2.conf"

# Init token
softhsm2-util --init-token --slot 0 --label "SC test" --so-pin="$SOPIN" --pin="$PIN"

# generate key & certificate
TYPE="rsa:1024"
ID="02"
LABEL="label"
pkcs11-tool --keypairgen --key-type="$TYPE" --login --pin=$PIN \
  --module="$P11LIB" --label="$LABEL" --id=$ID

# Generate certificate
certtool --generate-self-signed --outfile="$TYPE.cert" --template=cert.cfg \
  --provider="$P11LIB" --load-privkey "pkcs11:object=$LABEL;$TYPE_KEY=private" \
  --load-pubkey "pkcs11:object=$LABEL;$TYPE_KEY=public"
# convert to DER:
openssl x509 -inform PEM -outform DER -in "$TYPE.cert" -out "$TYPE.cert.der"

# write to the softhsm
pkcs11-tool --write-object "$TYPE.cert.der" --type=cert --id=$ID \
--label="$LABEL" --module="$P11LIB" --pin=$PIN

# list the objects
pkcs11-tool --module="$P11LIB" -O

# make sure the certificate is visible in the list (should not be with old version)

Comment 6 Jakub Jelen 2017-05-10 14:34:21 UTC
And I obviously missed the

  TYPE_KEY="type"

so either define this variable or use

  certtool --generate-self-signed --outfile="$TYPE.cert" --template=cert.cfg \
    --provider="$P11LIB" --load-privkey "pkcs11:object=$LABEL;$TYPE_KEY=private" \
    --load-pubkey "pkcs11:object=$LABEL;type=public"

Comment 7 Roshni 2017-05-10 15:30:38 UTC
[root@dhcp129-112 ~]# rpm -qi opensc
Name        : opensc
Version     : 0.16.0
Release     : 4.20170227git777e2a3.el7
Architecture: x86_64
Install Date: Wed 10 May 2017 11:03:34 AM EDT
Group       : System Environment/Libraries
Size        : 3256689
License     : LGPLv2+
Signature   : RSA/SHA256, Thu 13 Apr 2017 04:32:48 AM EDT, Key ID 199e2f91fd431d51
Source RPM  : opensc-0.16.0-4.20170227git777e2a3.el7.src.rpm
Build Date  : Thu 13 Apr 2017 04:04:15 AM EDT
Build Host  : x86-017.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : https://github.com/OpenSC/OpenSC/wiki
Summary     : Smart card library and applications

Softhsm was installed from brew and the attached script was executed successfully.

Comment 8 Roshni 2017-05-10 15:34:21 UTC
Created attachment 1277646 [details]
list certs on softhsm

Comment 9 errata-xmlrpc 2017-08-01 20:49:06 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1989

