Bug 1375307 - Deleting softhsm PKCS#11 objects does not work with p11tool --(so-)login
Summary: Deleting softhsm PKCS#11 objects does not work with p11tool --(so-)login
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: gnutls
Version: 7.3
Hardware: All
OS: Linux
medium
low
Target Milestone: rc
: ---
Assignee: Nikos Mavrogiannopoulos
QA Contact: Stanislav Zidek
URL:
Whiteboard:
Depends On:
Blocks: 1561481
TreeView+ depends on / blocked
 
Reported: 2016-09-12 16:53 UTC by Stanislav Zidek
Modified: 2018-10-30 07:57 UTC (History)
2 users (show)

Fixed In Version: gnutls-3.3.29-4.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-10-30 07:56:55 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:3050 0 None None None 2018-10-30 07:57:40 UTC

Description Stanislav Zidek 2016-09-12 16:53:06 UTC
Description of problem:
It only works without login.

Version-Release number of selected component (if applicable):
gnutls-3.3.24-1.el7

How reproducible:
always

Steps to Reproduce:
0. export GNUTLS_PIN=1234; export GNUTLS_SO_PIN=1234
1. softhsm2-util --init-token --free --label softhsm --pin $GNUTLS_PIN --so-pin $GNUTLS_SO_PIN
2. p11tool --so-login --batch --label '$CA_LABEL' --mark-trusted --mark-ca --load-certificate <<CAcert>> --write '<<token>>'
3. p11tool --login --batch --delete '<<CERT URL>>'

Actual results:
Error in pkcs11_delete:82: Error in provided PIN.

Expected results:
If it's possible to delete certificate without --login, it should be probably also possible with it. Or the error message should give some good reason why it does not work.

Comment 1 Nikos Mavrogiannopoulos 2017-06-02 08:37:30 UTC
There is something strange there. What is the use case handled? You write as a security officer, and you try to delete as a user. Is that the intention?

Comment 2 Stanislav Zidek 2017-06-02 12:02:15 UTC
Removing worked with neither --login nor --so-login. It only works without any of these arguments.

Comment 3 Nikos Mavrogiannopoulos 2017-06-02 12:59:14 UTC
That may be a quirk of softhsm2 and p11tool may not be the right place to address that. Do you see the same behavior if you use pkcs11-tool from opensc?

Comment 4 Stanislav Zidek 2017-06-08 15:13:23 UTC
I can delete fine with
pkcs11-tool --module /usr/lib64/pkcs11/libsofthsm2.so --delete-object --type cert --label 'Example CA' --pin 1234 -v --login

I think that might have been the reason why I filed this bug for 'gnutls' component.

Comment 5 Nikos Mavrogiannopoulos 2018-01-17 18:27:23 UTC
https://gitlab.com/gnutls/gnutls/merge_requests/583

Comment 13 errata-xmlrpc 2018-10-30 07:56:55 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:3050


Note You need to log in before you can comment on or make changes to this bug.