RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Description of problem:

pkcs11-tool fails to write an EC public key with libCryptoki2_64.so from SafeNet/Cloud HSM

Version-Release number of selected component (if applicable):
opensc-0.16.0-5.20170227git777e2a3.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. create a EC public key in DER
2. write with pkcs11-tool --module /usr/lib/libCryptoki2_64.so --write ec_public_key.der
3.

Actual results:
SafeNet error 0x8000002f meaning EC_POINT is invalid


Expected results:
public key is created on token


Additional info:
1. pkcs11-tool sends the OCTET STRING *content bytes* as EC POINT
2. SafeNet expects the OCTET STRING DER including TAG and LENGTH
3. this is related to compilation flags: 2. requires EC_POINT_NO_ASN1_OCTET_STRING to be defined

The affected lines are
memcpy(point, buf, point_len);
		gost->public.len = header_len+point_len;
#ifndef EC_POINT_NO_ASN1_OCTET_STRING // workaround for non-compliant cards not expecting DER encoding
		gost->public.len   -= header_len;
		gost->public.value += header_len;
#endif

Our packaging seems wrong. Since we don't define EC_POINT_NO_ASN1_OCTET_STRING we are writing the plain binary bytes but we should get the full DER TLV.

https://github.com/OpenSC/libp11/issues/79

s/we don't define EC_POINT_NO_ASN1_OCTET_STRING/we don't define EC_POINT_NO_ASN1_OCTET_STRING  in the spec file/

s/but we should get the full DER TLV/but the standard, and correct implementations like SafeNet HSM, expect the full DER TLV/

It looks like most of the tools that I test against accept already both conventions since it was common bug some years ago and therefore I did not detect the issue in pkcs11-tool itself (well ... it was quite a new feature in pkcs11-tool). This is issue also in upstream, so can you open an issue/PR on OpenSC project [1]? I don't think this is a reasonable default to use non-standard formatting and we should certainly fix that.

[1] https://github.com/OpenSC/OpenSC/

I finally, got through all the other things to find your PR upstream:

https://github.com/OpenSC/OpenSC/pull/1287/

Yes, this change clearly makes sense and I will consider it for the next release. Thank you for the bug report.

*** This bug has been marked as a duplicate of bug 1562572 ***