Bug 1565839 - The epel-stable version libp11-0.4.7-1.el7 forces pkcs11 engine sign to always prompt for Yubikey 4 PIN
Summary: The epel-stable version libp11-0.4.7-1.el7 forces pkcs11 engine sign to alway...
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: libp11
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: ---
Assignee: Stef Walter
QA Contact: BaseOS QE Security Team
Depends On:
TreeView+ depends on / blocked
Reported: 2018-04-10 21:54 UTC by Dave Dykstra
Modified: 2021-02-15 07:38 UTC (History)
0 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2021-02-15 07:38:20 UTC
Target Upstream Version:

Attachments (Terms of Use)

Description Dave Dykstra 2018-04-10 21:54:45 UTC
Description of problem:

Even though I pass a PIN to the pkcs11 engine with -passin, version 0.4.7-1 always prompts for a PIN.  This did not happen with version 0.4.6-1.  This is using a Yubikey 4 on an el7.4 system.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. install libp11-0.4.7-1.el7 and engine_pkcs11-0.4.7-1.el7
2. plug in a Yubikey 4 into USB drive with a certificate in slot 9c, for example with these instruction and yubico-piv-tool:
   2a. openssl genrsa 2048 > private.pem
   2b. openssl req -x509 -days 1000 -new -key private.pem -out public.pem
   2c. openssl pkcs12 -export -in public.pem -inkey private.pem -out mycert.pfx
   2d. yubico-piv-tool -s9c -i mycert.pfx -K PKCS12 -a import-key -a import-cert
3. sha1sum /etc/motd >motd.sha1
4. openssl rsautl -engine pkcs11 -inkey pkcs11: -keyform engine -passin pass:123456 -sign -in motd.sha1 -out motd.sig

Actual results:

engine "pkcs11" set.
Enter PKCS#11 key PIN for SIGN key:

Expected results:

engine "pkcs11" set.

and a motd.sig without prompting for a PIN

Additional info:

I can't seem to find any way to stop it from prompting, but it works with 0.4.6-1.el7.

Comment 2 Dave Dykstra 2018-08-21 18:01:27 UTC
I see that 0.4.8 was released upstream 16 days ago https://github.com/OpenSC/libp11/releases/tag/libp11-0.4.8.  Will this be built soon?  Maybe the problem has been fixed, although I don't see it specifically mentioned in the list of changes.

Comment 3 Dave Dykstra 2019-07-08 18:53:27 UTC
The 0.4.8 version has been built, and in addition to the new problem with it reported in bug #1565836, the problem in this bug report still exists.

There have since been two more versions upstream, 0.4.9 and 0.4.10.

Comment 4 Dave Dykstra 2019-07-08 19:57:58 UTC
This has been replaced by bug #1728016.

Please close this bug, I am not given the option.

Comment 7 RHEL Program Management 2021-02-15 07:38:20 UTC
After evaluating this issue, there are no plans to address it further or fix it in an upcoming release.  Therefore, it is being closed.  If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened.

Note You need to log in before you can comment on or make changes to this bug.