Bug 1393751 - pkcs15-tool generate broken key pair
Summary: pkcs15-tool generate broken key pair
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: opensc
Version: 24
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: ---
Assignee: Jakub Jelen
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
Reported: 2016-11-10 09:19 UTC by Denis Kostousov
Modified: 2016-11-29 10:47 UTC (History)

Clone Of:
Last Closed: 2016-11-29 10:47:35 UTC



Description Denis Kostousov 2016-11-10 09:19:25 UTC
Description of problem:
openssl returns an error during CSR generation on an RSA key stored in a Rutoken ECP.

Usually I run these commands to initialize a new Rutoken:
[kostousov-ds@kostousov-ds 10:12:30]pkcs11(0)% pkcs15-init --erase-card
Using reader with a card: Aktiv Rutoken ECP 00 00
[kostousov-ds@kostousov-ds 10:13:55]pkcs11(0)% pkcs15-init --create-pkcs15 --so-pin 1234567890 --so-puk ""
Using reader with a card: Aktiv Rutoken ECP 00 00
[kostousov-ds@kostousov-ds 10:14:11]pkcs11(0)% pkcs15-init --store-pin --label "User PIN" --auth-id 02 --pin 123456 --so-pin 1234567890 --puk ""
Using reader with a card: Aktiv Rutoken ECP 00 00
[kostousov-ds@kostousov-ds 10:14:34]pkcs11(0)% pkcs11-tool --keypairgen --key-type rsa:2048 --login --label "user" --id 6e65776b6579736574
Using slot 1 with a present token (0x1)
Logging in to "Rutoken ECP (User PIN)".
Please enter User PIN: 
Key pair generated:
Private Key Object; RSA 
  label:      user
  ID:         6e65776b6579736574
  Usage:      decrypt, sign, unwrap
Public Key Object; RSA 2048 bits
  label:      user
  ID:         6e65776b6579736574
  Usage:      encrypt, verify, wrap
[kostousov-ds@kostousov-ds 13:52:04]pkcs11(130)% openssl
OpenSSL> req -engine pkcs11 -new -key 'pkcs11:id=newkeyset' -keyform engine -out req.pem -text -x509 -subj "/CN=Andreas Jellinghaus"
engine "pkcs11" set.
PKCS#11 token PIN: 
OpenSSL>

But today the last step returns an error:
[kostousov-ds@kostousov-ds 11:50:13]pkcs11(0)% openssl
OpenSSL> req -engine pkcs11 -new -key 'pkcs11:id=newkeyset' -keyform engine -out req.pem -text -x509 -subj "/CN=Andreas Jellinghaus"
engine "pkcs11" set.
PKCS#11 token PIN: 
139834512435064:error:80009005:Vendor defined:PKCS11_rsa_encrypt:General Error:p11_rsa.c:117:
139834512435064:error:0D0DC006:asn1 encoding routines:ASN1_item_sign_ctx:EVP lib:a_sign.c:306:
error in req
OpenSSL>

Some investigation shows that the error occurs only with newly created keys. With a one-month-old token, request generation works fine.

Version-Release number of selected component (if applicable):
[kostousov-ds@kostousov-ds 14:10:22]pkcs11(0)% rpm -qa opensc engine\* openssl libp11 p11\*
p11-kit-0.23.2-2.fc24.x86_64
p11-kit-0.23.2-2.fc24.i686
engine_pkcs11-0.4.0-2.fc24.x86_64
openssl-1.0.2j-1.fc24.x86_64
opensc-0.15.0-6.fc24.x86_64
p11-kit-trust-0.23.2-2.fc24.x86_64
libp11-0.4.0-2.fc24.x86_64


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 1 Jakub Jelen 2016-11-10 09:40:49 UTC
Can you verify in which last OpenSC version it worked for you?

Does it work for you with the latest OpenSC from Fedora 25 (version 0.16.0)?

  # dnf update opensc --releasever=25

Comment 2 Denis Kostousov 2016-11-10 10:26:57 UTC
Nothing changed after upgrading to opensc-0.16.0-1.fc25.x86_64:

[kostousov-ds@kostousov-ds 15:24:45]pkcs11(0)% openssl
OpenSSL> req -engine pkcs11 -new -key 'pkcs11:id=newkeyset' -keyform engine -out req.pem -text -x509 -subj "/CN=Andreas Jellinghaus"
engine "pkcs11" set.
PKCS#11 token PIN: 
140398552491896:error:80009005:Vendor defined:PKCS11_rsa_encrypt:General Error:p11_rsa.c:117:
140398552491896:error:0D0DC006:asn1 encoding routines:ASN1_item_sign_ctx:EVP lib:a_sign.c:306:
error in req
OpenSSL> %
[kostousov-ds@kostousov-ds 15:25:10]pkcs11(0)% rpm -qa opensc  
opensc-0.16.0-1.fc25.x86_64

Comment 3 Denis Kostousov 2016-11-10 10:38:45 UTC
Then I updated libp11 and engine_pkcs11:
[kostousov-ds@kostousov-ds 15:27:23]pkcs11(0)% rpm -qa \*p11\*
p11-kit-0.23.2-2.fc24.x86_64
p11-kit-0.23.2-2.fc24.i686
libp11-0.4.0-2.fc25.x86_64
p11-kit-trust-0.23.2-2.fc24.x86_64


But nothing changed.

Comment 4 Denis Kostousov 2016-11-10 10:50:20 UTC
openssl was updated...
Nothing changed.

Comment 5 Jakub Jelen 2016-11-10 11:37:30 UTC
> Can you verify which was the last OpenSC version it worked for you by downgrading to previous versions from Koji [1] to bisect when the problem was introduced?

[1] http://koji.fedoraproject.org/koji/packageinfo?packageID=2698

Comment 6 Nikos Mavrogiannopoulos 2016-11-10 11:43:52 UTC
libp11 (i.e., engine_pkcs11) could also be the culprit. Could you try using dnf downgrade on the involved packages to detect which one caused the problem?

Comment 7 Denis Kostousov 2016-11-10 13:05:56 UTC
I downgraded many packages to the base version, but nothing changed. I can't understand what breaks the generation.

[kostousov-ds@kostousov-ds 18:05:09]~(0)% sudo dnf list libp11 opensc openssl{,-libs,-devel} p11-kit engine_pkcs11
Last metadata expiration check: 4:12:40 ago on Thu Nov 10 13:52:30 2016.
Installed Packages
engine_pkcs11.x86_64                          0.2.0-2.fc24                             @fedora
libp11.x86_64                                 0.3.0-2.fc24                             @fedora
opensc.x86_64                                 0.15.0-5.fc24                            @fedora
openssl.x86_64                                1:1.0.2h-1.fc24                          @fedora
openssl-devel.x86_64                          1:1.0.2h-1.fc24                          @fedora
openssl-libs.i686                             1:1.0.2h-1.fc24                          @fedora
openssl-libs.x86_64                           1:1.0.2h-1.fc24                          @fedora
p11-kit.i686                                  0.23.2-2.fc24                            @System
p11-kit.x86_64                                0.23.2-2.fc24                            @System

Error:
[kostousov-ds@kostousov-ds 17:58:14]pkcs11(130)% openssl
OpenSSL> engine dynamic -pre SO_PATH:/usr/lib64/openssl/engines/libpkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib64/opensc-pkcs11.so
(dynamic) Dynamic engine loading support
[Success]: SO_PATH:/usr/lib64/openssl/engines/libpkcs11.so
[Success]: ID:pkcs11
[Success]: LIST_ADD:1
[Success]: LOAD
[Success]: MODULE_PATH:/usr/lib64/opensc-pkcs11.so
Loaded: (pkcs11) pkcs11 engine
OpenSSL> req -engine pkcs11 -new -key slot_1-id_6e65776b6579736574 -keyform engine -out /var/tmp/req.csr -subj "/C=RU/O=Billing SystemsLtd/OU=Project Department/CN=ledentsov-ov-ra/emailAddress=user@bisys.ru"
engine "pkcs11" set.
PKCS#11 token PIN: 
140625847474040:error:8000A005:PKCS11 library:PKCS11_rsa_sign:General Error:p11_ops.c:193:
140625847474040:error:0D0DC006:asn1 encoding routines:ASN1_item_sign_ctx:EVP lib:a_sign.c:306:
error in req
OpenSSL>

Comment 8 Nikos Mavrogiannopoulos 2016-11-10 14:55:26 UTC
No idea here. What if you use the gnutls tool?

$ p11tool --provider /usr/lib64/opensc-pkcs11.so --list-all --login

[copy the URL of the object you'd like to use and then]

$ certtool --provider /usr/lib64/opensc-pkcs11.so --generate-request --load-privkey "pkcs11:xxx" --outfile cert.csr

by replacing pkcs11:xxx with the actual URL.

Comment 9 Denis Kostousov 2016-11-10 15:31:57 UTC
[kostousov-ds@irtysh 20:30:02]~(0)% p11tool --provider /usr/lib64/opensc-pkcs11.so --list-all --login
Token 'Rutoken ECP (User PIN)' with URL 'pkcs11:model=PKCS%2315;manufacturer=Aktiv%20Co.;serial=0000000031296725;token=Rutoken%20ECP%20%28User%20PIN%29' requires user PIN
Enter PIN: 
Object 0:
        URL: pkcs11:model=PKCS%2315;manufacturer=Aktiv%20Co.;serial=0000000031296725;token=Rutoken%20ECP%20%28User%20PIN%29;id=%6e%65%77%6b%65%79%73%65%74;object=user;type=private
        Type: Private key
        Label: user
        Flags: CKA_WRAP/UNWRAP; CKA_PRIVATE; 
        ID: 6e:65:77:6b:65:79:73:65:74

Object 1:
        URL: pkcs11:model=PKCS%2315;manufacturer=Aktiv%20Co.;serial=0000000031296725;token=Rutoken%20ECP%20%28User%20PIN%29;id=%6e%65%77%6b%65%79%73%65%74;object=user;type=public
        Type: Public key
        Label: user
        Flags: CKA_WRAP/UNWRAP; CKA_SENSITIVE; 
        ID: 6e:65:77:6b:65:79:73:65:74

[kostousov-ds@irtysh 20:30:11]~(0)% certtool --provider /usr/lib64/opensc-pkcs11.so --generate-request --load-privkey "pkcs11:model=PKCS%2315;manufacturer=Aktiv%20Co.;serial=0000000031296725;token=Rutoken%20ECP%20%28User%20PIN%29;id=%6e%65%77%6b%65%79%73%65%74;object=user;type=private" --outfile cert.csr
Generating a PKCS #10 certificate request...
Token 'Rutoken ECP (User PIN)' with URL 'pkcs11:model=PKCS%2315;manufacturer=Aktiv%20Co.;serial=0000000031296725;token=Rutoken%20ECP%20%28User%20PIN%29' requires user PIN
Enter PIN: 
Common name: Some User
Organizational unit name: 
Organization name: 
Locality name: 
State or province name: 
Country name (2 chars): 
Enter the subject's domain component (DC): 
UID: 
Enter a dnsName of the subject of the certificate: 
Enter a URI of the subject of the certificate: 
Enter the IP address of the subject of the certificate: 
Enter the e-mail of the subject of the certificate: 
Enter a challenge password: 
Does the certificate belong to an authority? (y/N): 
Will the certificate be used for signing (DHE ciphersuites)? (Y/n): 
Will the certificate be used for encryption (RSA ciphersuites)? (Y/n): 
Is this a TLS web client certificate? (y/N): 
Is this a TLS web server certificate? (y/N): 
sign: PKCS #11 error.

Comment 10 Nikos Mavrogiannopoulos 2016-11-11 07:25:32 UTC
Now I realized that this is a Rutoken. Does it do normal ECDSA, or does it only provide GOST? If it is the latter, most likely you are missing the openssl gost engine. I don't think there is a package for it in Fedora (and gnutls doesn't yet support GOST).

Comment 11 Denis Kostousov 2016-11-29 10:47:35 UTC
I forgot the option "--finalize".

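As an added example (this is not code from the bug report or from the OpenSC project), the script below puts the initialization sequence from the description together with the "--finalize" option the reporter found missing in comment 11, and adds helpers showing that the three spellings of the key ID on this page are the same nine bytes: "6e65776b6579736574" as passed to pkcs11-tool --id, "newkeyset" as written in the engine's "pkcs11:id=" URI, and "%6e%65%77%6b%65%79%73%65%74" as p11tool prints it in RFC 7512 form. Assumptions made here: "--finalize" is passed on the --store-pin step (as in the OpenSC Rutoken ECP instructions); the PIN values are placeholders, not the reporter's; the script only prints the commands unless RUTOKEN_EXECUTE=1 is set, so it can be reviewed before it touches a token.

```sh
#!/bin/sh
# Added example, not from the bug report: Rutoken ECP initialization with the
# "--finalize" step, plus key-ID conversion helpers. Placeholder PINs below.
set -eu

SO_PIN="${SO_PIN:-87654321}"       # placeholder security-officer PIN
USER_PIN="${USER_PIN:-12345678}"   # placeholder user PIN
KEY_LABEL="${KEY_LABEL:-user}"
KEY_NAME="${KEY_NAME:-newkeyset}"  # the key ID as ASCII text

# pkcs11-tool --id expects the ID as hex bytes: "newkeyset" -> 6e65776b6579736574
key_id_hex() {
    printf '%s' "$1" | od -An -v -tx1 | tr -d ' \n'
}

# RFC 7512 URI form of the same bytes: 6e6577... -> %6e%65%77...
key_id_uri() {
    printf '%s' "$1" | sed 's/../%&/g'
}

# Back from hex to the ASCII form engine_pkcs11 accepts in "pkcs11:id=newkeyset"
key_id_ascii() {
    hex="$1"
    out=""
    while [ -n "$hex" ]; do
        byte=$(printf '%s' "$hex" | cut -c1-2)
        hex=$(printf '%s' "$hex" | cut -c3-)
        # hex pair -> decimal -> octal escape -> character
        out="$out$(printf "\\$(printf '%03o' "$((0x$byte))")")"
    done
    printf '%s' "$out"
}

# Quote each argument so an empty PUK ("") stays visible in the dry run.
show() {
    for a in "$@"; do
        case $a in
            ''|*[!A-Za-z0-9_.:/=-]*) printf "'%s' " "$a" ;;
            *) printf '%s ' "$a" ;;
        esac
    done
    printf '\n'
}

# Dry run (default) prints the command; RUTOKEN_EXECUTE=1 runs it.
run() {
    if [ "${RUTOKEN_EXECUTE:-0}" = 1 ]; then
        "$@"
    else
        show "$@"
    fi
}

# The sequence from the description, with --finalize on the store-pin step
# (assumption: that is where the OpenSC Rutoken ECP instructions put it).
rutoken_init() {
    id_hex=$(key_id_hex "$KEY_NAME")
    run pkcs15-init --erase-card
    run pkcs15-init --create-pkcs15 --so-pin "$SO_PIN" --so-puk ""
    run pkcs15-init --store-pin --label "User PIN" --auth-id 02 \
        --pin "$USER_PIN" --puk "" --so-pin "$SO_PIN" --finalize
    run pkcs11-tool --keypairgen --key-type rsa:2048 --login \
        --label "$KEY_LABEL" --id "$id_hex"
    # Verify the private key is visible in the finalized PKCS#15 structure
    run pkcs15-tool --list-keys
    # Same key, as the OpenSSL engine URI would name it
    run printf 'pkcs11:id=%s\n' "$(key_id_ascii "$id_hex")"
}

rutoken_init
```

Run it as "sh rutoken-init.sh" to review the plan, then "RUTOKEN_EXECUTE=1 SO_PIN=... USER_PIN=... sh rutoken-init.sh" against a blank token; pkcs11-tool --login still prompts for the user PIN as it does in the description.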
