Bug 1448555

Summary: label names for certificate are missing in pkcs11-tool output
Product: Red Hat Enterprise Linux 7
Component: opensc
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Status: CLOSED ERRATA
Severity: unspecified
Priority: unspecified
Target Milestone: rc
Target Release: ---
Reporter: Roshni <rpattath>
Assignee: Jakub Jelen <jjelen>
QA Contact: Asha Akkiangady <aakkiang>
CC: jjelen, jstodola, nmavrogi
Fixed In Version: opensc-0.16.0-8.20170227git777e2a3.el7
Last Closed: 2018-04-10 18:28:08 UTC
Type: Bug

Description Roshni 2017-05-05 18:04:52 UTC
Description of problem:
label names for certificate are missing in pkcs11-tool output

Version-Release number of selected component (if applicable):
opensc-0.16.0-4.20170227git777e2a3.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. Install opensc
2. [root@dhcp129-77 ~]# pkcs11-tool -O --module=/usr/lib64/opensc-pkcs11.so
Using slot 0 with a present token (0x0)
Certificate Object; type = X.509 cert
  label:      Digital Signature
  ID:         11
Public Key Object; RSA 2048 bits
  label:      Digital Signature
  ID:         11
  Usage:      encrypt, verify
Certificate Object; type = X.509 cert
  label:      
  ID:         2d363034343935343531333335303638333134
Public Key Object; RSA 4096 bits
  label:      
  ID:         2d363034343935343531333335303638333134
  Usage:      encrypt, verify
Certificate Object; type = X.509 cert
  label:      
  ID:         2d34393634343439353433363734363530353634
Public Key Object; RSA 4096 bits
  label:      
  ID:         2d34393634343439353433363734363530353634
  Usage:      encrypt, verify
Certificate Object; type = X.509 cert
  label:      Encryption
  ID:         58
Public Key Object; RSA 2048 bits
  label:      Encryption
  ID:         58
  Usage:      encrypt, verify
Certificate Object; type = X.509 cert
  label:      
  ID:         2d38393730353830333738343337323736343737
Public Key Object; RSA 4096 bits
  label:      
  ID:         2d38393730353830333738343337323736343737
  Usage:      encrypt, verify
Certificate Object; type = X.509 cert
  label:      Non Repudiation
  ID:         33
Public Key Object; RSA 2048 bits
  label:      Non Repudiation
  ID:         33
  Usage:      encrypt, verify
Certificate Object; type = X.509 cert
  label:      
  ID:         2d31353437323132373237323537313430323734
Public Key Object; RSA 4096 bits
  label:      
  ID:         2d31353437323132373237323537313430323734
  Usage:      encrypt, verify
Data object 15748320
  label:          'ProfileId'
  application:    ''
  app_id:         <empty>
  flags:          <empty>
3.

Actual results:
Some certificates are missing labels

Expected results:
All certificates need labels

Additional info:
using coolkey

[root@dhcp129-77 ~]# pkcs11-tool -O --module=/usr/lib64/pkcs11/libcoolkeypk11.so
Using slot 0 with a present token (0x1)
Private Key Object; RSA 
  label:      Digital Signature
  ID:         11
  Usage:      sign, unwrap
warning: PKCS11 function C_GetAttributeValue(ALWAYS_AUTHENTICATE) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)

Private Key Object; RSA 
  label:      Non Repudiation
  ID:         33
  Usage:      sign
  Access:     always authenticate
Private Key Object; RSA 
  label:      Encryption
  ID:         58
  Usage:      decrypt, unwrap
warning: PKCS11 function C_GetAttributeValue(ALWAYS_AUTHENTICATE) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)

Certificate Object; type = X.509 cert
  label:      Digital Signature
  ID:         11
Certificate Object; type = X.509 cert
  label:      Non Repudiation
  ID:         33
Certificate Object; type = X.509 cert
  label:      Encryption
  ID:         58
Certificate Object; type = X.509 cert
  label:      VW-QS-CA-OTHR-0
  ID:         2d363034343935343531333335303638333134
Certificate Object; type = X.509 cert
  label:      VW-QS-CA-ENCS-0
  ID:         2d38393730353830333738343337323736343737
Certificate Object; type = X.509 cert
  label:      VW-QS-CA-SIGN-0
  ID:         2d31353437323132373237323537313430323734
Data object 40970
  label:          'Card PIN'
  application:    <empty>
  app_id:         <empty>
  flags:           private

Comment 2 Jakub Jelen 2017-05-09 06:34:05 UTC
Adding the details from the original bug, where we started discussing this issue:

Coolkey is picking up the label not from PKCS#15 structures, but from the CN of the certificate itself.

Browsing through the code, it is implemented in src/coolkey/object.cpp:2525

    /* if we didn't get a label, set one based on the CN */

This can be a useful feature worth implementing in OpenSC, but it does not look like something that would be a blocker for RHEL7.4. If you consider this a test blocker/regression, please add an appropriate keyword and I will have a look at this, otherwise I would be for postponing it for 7.5.
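
A check for the symptom reported in this bug, as an added example that is not part of the original report or of OpenSC: it parses `pkcs11-tool -O` listings and reports the certificate IDs that one module leaves unlabeled, together with the label a second module shows for the same ID. The function names are hypothetical, and the sample text is constructed by abridging the two listings in the description.

```python
import re

# Constructed samples, abridged from the OpenSC and CoolKey listings in the description.
OPENSC = """\
Certificate Object; type = X.509 cert
  label:      Digital Signature
  ID:         11
Certificate Object; type = X.509 cert
  label:
  ID:         2d363034343935343531333335303638333134
Public Key Object; RSA 4096 bits
  label:
  ID:         2d363034343935343531333335303638333134
  Usage:      encrypt, verify
"""
COOLKEY = """\
Certificate Object; type = X.509 cert
  label:      VW-QS-CA-OTHR-0
  ID:         2d363034343935343531333335303638333134
"""

HEADER = re.compile(r"^(Certificate|Public Key|Private Key) Object;")
FIELD = re.compile(r"^\s+(label|ID):\s*(.*?)\s*$")

def parse_objects(text):
    """Return one {'kind', 'label', 'id'} dict per key/cert object in the listing."""
    objs, cur = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            cur = {"kind": m.group(1), "label": "", "id": ""}
            objs.append(cur)
        elif cur is not None:
            f = FIELD.match(line)
            if f:
                cur[f.group(1).lower()] = f.group(2)
            elif not line.startswith(" "):
                cur = None  # warnings, blank lines and "Data object" end the object
    return objs

def missing_labels(module_out, reference_out, kind="Certificate"):
    """Map each ID with an empty label in module_out to the reference module's label."""
    ref = {o["id"]: o["label"] for o in parse_objects(reference_out) if o["kind"] == kind}
    return {o["id"]: ref.get(o["id"], "")
            for o in parse_objects(module_out) if o["kind"] == kind and not o["label"]}

if __name__ == "__main__":
    for obj_id, label in missing_labels(OPENSC, COOLKEY).items():
        print(f"{obj_id}: unlabeled in OpenSC, CoolKey reports {label!r}")
```
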

Comment 3 Jakub Jelen 2017-05-09 16:19:15 UTC
Cross-reference the GitHub pull request which should resolve the issue:
https://github.com/OpenSC/OpenSC/pull/1045

Comment 5 Jakub Jelen 2017-05-31 08:07:22 UTC
This has been fixed upstream so there is nothing blocking us from accepting this change in RHEL.

Comment 7 Roshni 2017-12-13 21:27:07 UTC
This is the difference I see between coolkey and opensc:

[root@dhcp129-107 ~]# p11tool --provider /usr/lib64/opensc-pkcs11.so --list-all
Object 0:
	URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=4790%20Unknown;serial=9050377271970069;token=pkiuser1%20%28pkiuser1%29;id=%00;type=public
	Type: Public key
	Label: 
	Flags: CKA_WRAP/UNWRAP; 
	ID: 00

Object 1:
	URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=4790%20Unknown;serial=9050377271970069;token=pkiuser1%20%28pkiuser1%29;id=%00;object=encryption%20key%20for%20pkiuser1;type=cert
	Type: X.509 Certificate
	Label: encryption key for pkiuser1
	ID: 00

[root@dhcp129-107 ~]# pkcs11-switch coolkey

WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type 
'q <enter>' to abort, or <enter> to continue: 

Module "CoolKey PKCS #11 Module" added to database.
Module "OpenSC PKCS #11 Module" deleted from database.
[root@dhcp129-107 ~]# p11tool --provider /usr/lib64/pkcs11/libcoolkeypk11.so --list-all
Object 0:
	URL: pkcs11:model=50377271970069a5;manufacturer=4790;serial=970069a5;token=pkiuser1;id=%00;object=encryption%20key%20for%20pkiuser1;type=cert
	Type: X.509 Certificate
	Label: encryption key for pkiuser1
	ID: 00

Object 1:
	URL: pkcs11:model=50377271970069a5;manufacturer=4790;serial=970069a5;token=pkiuser1;id=%00;object=encryption%20key%20for%20pkiuser1;type=public
	Type: Public key
	Label: encryption key for pkiuser1
	Flags: CKA_WRAP/UNWRAP; 
	ID: 00

Object 2:
	URL: pkcs11:model=50377271970069a5;manufacturer=4790;serial=970069a5;token=pkiuser1;id=%00;object=encryption%20key%20for%20pkiuser1;type=private
	Type: Private key
	Label: encryption key for pkiuser1
	Flags: CKA_WRAP/UNWRAP; CKA_PRIVATE; CKA_SENSITIVE; 
	ID: 00

Comment 8 Jakub Jelen 2017-12-14 08:51:01 UTC
Sigh ... it looks like I mixed up the patches. This bug should get the patch from PR 1088 [1], which is clearly not in the tree. I will respin the package also with this change.

[1] https://github.com/OpenSC/OpenSC/pull/1088

Comment 9 Jakub Jelen 2018-01-03 12:59:52 UTC
This is finally also in the last build.

Comment 10 Roshni 2018-01-08 17:50:05 UTC
[root@dhcp129-107 ~]# rpm -qi opensc
Name        : opensc
Version     : 0.16.0
Release     : 8.20170227git777e2a3.el7
Architecture: x86_64
Install Date: Mon 08 Jan 2018 12:11:28 PM EST
Group       : System Environment/Libraries
Size        : 3260567
License     : LGPLv2+
Signature   : RSA/SHA256, Wed 03 Jan 2018 08:15:09 AM EST, Key ID 199e2f91fd431d51
Source RPM  : opensc-0.16.0-8.20170227git777e2a3.el7.src.rpm
Build Date  : Wed 03 Jan 2018 07:51:51 AM EST
Build Host  : x86-034.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : https://github.com/OpenSC/OpenSC/wiki
Summary     : Smart card library and applications

All the labels are listed as expected:

[root@dhcp129-107 ~]# p11tool --provider /usr/lib64/opensc-pkcs11.so --list-all
Object 0:
	URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=4090%20GemAlto%20%28Infineon%29;serial=90614575c1240e03;token=kdcuser2%20%28kdcuser2%29;id=%01;object=signing%20key%20for%20kdcuser2;type=public
	Type: Public key
	Label: signing key for kdcuser2
	ID: 01

Object 1:
	URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=4090%20GemAlto%20%28Infineon%29;serial=90614575c1240e03;token=kdcuser2%20%28kdcuser2%29;id=%01;object=signing%20key%20for%20kdcuser2;type=cert
	Type: X.509 Certificate
	Label: signing key for kdcuser2
	ID: 01

Object 2:
	URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=4090%20GemAlto%20%28Infineon%29;serial=90614575c1240e03;token=kdcuser2%20%28kdcuser2%29;id=%02;object=encryption%20key%20for%20kdcuser2;type=public
	Type: Public key
	Label: encryption key for kdcuser2
	Flags: CKA_WRAP/UNWRAP; 
	ID: 02

Object 3:
	URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=4090%20GemAlto%20%28Infineon%29;serial=90614575c1240e03;token=kdcuser2%20%28kdcuser2%29;id=%02;object=encryption%20key%20for%20kdcuser2;type=cert
	Type: X.509 Certificate
	Label: encryption key for kdcuser2
	ID: 02

Comment 13 errata-xmlrpc 2018-04-10 18:28:08 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0987