Bug 1664802 - httpd fails to use RSA-PSS keys and certificates on PKCS#11 device
Summary: httpd fails to use RSA-PSS keys and certificates on PKCS#11 device
Keywords:
Status: NEW
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: openssl-pkcs11
Version: 8.0
Hardware: All
OS: Linux
medium
high
Target Milestone: rc
Target Release: 8.0
Assignee: Anderson Sasaki
QA Contact: BaseOS QE Security Team
Docs Contact: Marc Muehlfeld
URL:
Whiteboard:
Depends On: 1682502
Blocks:
 
Reported: 2019-01-09 17:02 UTC by Stanislav Zidek
Modified: 2019-06-27 10:02 UTC (History)
CC List: 11 users

Fixed In Version:
Doc Type: Known Issue
Doc Text:
.Apache `httpd` fails to start if it uses an RSA private key stored in a PKCS#11 device and an RSA-PSS certificate

The PKCS#11 standard does not differentiate between RSA and RSA-PSS key objects and uses the `CKK_RSA` type for both. However, OpenSSL uses different types for RSA and RSA-PSS keys. As a consequence, the `openssl-pkcs11` engine cannot determine which type should be provided to OpenSSL for PKCS#11 RSA key objects. Currently, the engine sets the key type to RSA for all PKCS#11 `CKK_RSA` objects.

When OpenSSL compares the type of an RSA-PSS public key obtained from the certificate with the type contained in an RSA private key object provided by the engine, it concludes that the types are different and therefore that the certificate and the private key do not match. The check performed in the `X509_check_private_key()` OpenSSL function returns an error in this scenario. The `httpd` web server calls this function during startup to check that the provided certificate and key match. Since this check always fails for a certificate containing an RSA-PSS public key and an RSA private key stored in the PKCS#11 module, `httpd` fails to start with this configuration.

There is no workaround available for this issue.
Clone Of:
Clones: 1664807
Environment:
Last Closed:
Type: Bug



Description Stanislav Zidek 2019-01-09 17:02:36 UTC
Description of problem:


Version-Release number of selected component (if applicable):
httpd-2.4.37-7.module+el8+2443+605475b7.x86_64
openssl-pkcs11-0.4.8-2.el8.x86_64
openssl-1.1.1-8.el8.x86_64
softhsm-2.4.0-1.el8.x86_64

How reproducible:
always

Steps to Reproduce:
1. cd into directory with /CoreOS/p11-kit/Integration/httpd-pkcs11-uri
2. change KEYTYPES array to test rsa-pss - "KEYTYPES=(rsa-pss)"
3. 1minutetip --buildroot rhel8

Actual results:

/var/log/httpd/error_log:
Found 1 private key:
   1 P  id=6b5ff7c0537fde29df51c95d3d022be4fdfd0ffd label=httpd
AH00016: Configuration Failed

/var/log/httpd/ssl_error_log:
[ssl:debug] [...] ssl_engine_pphrase.c(872): Init: Initialized engine pkcs11 for private key pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=ec28ddec41a113d2;token=softhsm;id=%6b%5f%f7%c0%53%7f%de%29%df%51%c9%5d%3d%02%2b%e4%fd%fd%0f%fd;object=httpd;type=private?pin-value=123456
[ssl:emerg] [...] AH02565: Certificate and private key host-8-250-204.host.centralci.eng.rdu2.redhat.com:443:0 from pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=ec28ddec41a113d2;token=softhsm;id=%52%36%d8%ea%58%ea%70%02%b2%27%f4%0f%2b%07%de%1b%72%d2%aa%b3;object=httpd;type=cert and pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=ec28ddec41a113d2;token=softhsm;id=%6b%5f%f7%c0%53%7f%de%29%df%51%c9%5d%3d%02%2b%e4%fd%fd%0f%fd;object=httpd;type=private?pin-value=123456 do not match


Expected results:
no problems

Comment 8 Anderson Sasaki 2019-03-13 17:28:07 UTC
This issue was set to high priority because it has no workaround and it has a high impact on a small number of users.
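The doc text above describes the mismatch in terms of OpenSSL key types (RSA versus RSA-PSS); on the certificate side the distinguishing information is the SubjectPublicKeyInfo algorithm OID, rsaEncryption (1.2.840.113549.1.1.1) versus id-RSASSA-PSS (1.2.840.113549.1.1.10), while PKCS#11 collapses both to `CKK_RSA`. The following is an added example, not code from this bug report, openssl-pkcs11 or httpd: a dependency-free Python script that builds two constructed, unsigned certificates with placeholder key bits (one per SPKI algorithm), parses the DER back to extract that OID, and flags the combination the report says fails to start. The `affected_by_bug()` function is an assumed model of the report's statement that the engine presents every `CKK_RSA` object as an RSA key; it is illustration, not the engine's logic. The DER walker (`spki_algorithm()`) is general enough to run on the DER of a real certificate as well.

```python
"""Added example (not from the bug report, openssl-pkcs11 or httpd).

Tells an rsaEncryption certificate apart from an id-RSASSA-PSS one by reading
the SubjectPublicKeyInfo algorithm OID straight out of the DER, with no
third-party modules.  The certificates it parses are constructed inline and
unsigned; they exist only to exercise the parser.
"""

RSA_ENCRYPTION = "1.2.840.113549.1.1.1"    # rsaEncryption: OpenSSL type EVP_PKEY_RSA
RSASSA_PSS = "1.2.840.113549.1.1.10"       # id-RSASSA-PSS: OpenSSL type EVP_PKEY_RSA_PSS
SHA256_WITH_RSA = "1.2.840.113549.1.1.11"  # used only as the (unverified) signature algorithm

SEQ, SET, INT, BITSTR, NULL, OID, UTF8, UTCTIME, CTX0 = (
    0x30, 0x31, 0x02, 0x03, 0x05, 0x06, 0x0C, 0x17, 0xA0)


# ---- minimal DER encoder, used only to build the constructed test certificates
def der(tag, body):
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:                                   # long-form length (certificates are >127 bytes)
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:                    # base-128, high bit set on all but the last byte
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def name(cn):
    # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue, here just CN=<cn>
    return der(SEQ, der(SET, der(SEQ, der(OID, encode_oid("2.5.4.3")) + der(UTF8, cn.encode()))))


def build_cert(spki_alg_oid, spki_params):
    """Constructed, unsigned Certificate whose SPKI carries the given algorithm."""
    tbs = der(SEQ,
        der(CTX0, der(INT, b"\x02"))                                        # version v3
        + der(INT, b"\x01")                                                 # serialNumber
        + der(SEQ, der(OID, encode_oid(SHA256_WITH_RSA)) + der(NULL, b""))  # signature
        + name("test-ca")                                                   # issuer
        + der(SEQ, der(UTCTIME, b"190101000000Z") + der(UTCTIME, b"200101000000Z"))
        + name("httpd")                                                     # subject
        + der(SEQ, der(SEQ, der(OID, encode_oid(spki_alg_oid)) + spki_params)
                   + der(BITSTR, b"\x00\x30\x00")))                         # placeholder key bits
    sig_alg = der(SEQ, der(OID, encode_oid(SHA256_WITH_RSA)) + der(NULL, b""))
    return der(SEQ, tbs + sig_alg + der(BITSTR, b"\x00"))                   # empty signature


# ---- minimal DER reader, enough to walk a certificate down to its SPKI
def read_tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out


def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def spki_algorithm(cert_der):
    """Return the dotted OID of subjectPublicKeyInfo.algorithm.algorithm."""
    _, cert, _ = read_tlv(cert_der)
    _, tbs, _ = read_tlv(cert)                      # tbsCertificate is the first element
    fields = children(tbs)
    if fields[0][0] == CTX0:                        # skip the optional EXPLICIT [0] version
        fields = fields[1:]
    spki = fields[5]                                # serial, signature, issuer, validity, subject, SPKI
    alg_id = children(spki[1])[0]                   # AlgorithmIdentifier
    alg_oid = children(alg_id[1])[0]
    return decode_oid(alg_oid[1])


def affected_by_bug(cert_der):
    """Assumed model of the report (not the engine's code): the engine hands OpenSSL an
    EVP_PKEY_RSA for every CKK_RSA object, so X509_check_private_key() passes only when
    the certificate's SPKI is plain rsaEncryption; a PSS SPKI with a PKCS#11 key is rejected."""
    return spki_algorithm(cert_der) == RSASSA_PSS


def example_rsa_cert():
    return build_cert(RSA_ENCRYPTION, der(NULL, b""))       # rsaEncryption params: NULL


def example_rsa_pss_cert():
    return build_cert(RSASSA_PSS, der(SEQ, b""))            # RSASSA-PSS-params, all defaults


if __name__ == "__main__":
    for label, cert in (("rsaEncryption", example_rsa_cert()), ("rsassaPss", example_rsa_pss_cert())):
        print(f"{label:14s} SPKI OID {spki_algorithm(cert)}  "
              f"{'FAILS' if affected_by_bug(cert) else 'works'} with a PKCS#11 RSA key under this bug")
```

For a deployed certificate the same distinction is visible without any script: `openssl x509 -in cert.pem -noout -text` prints `Public Key Algorithm: rsassaPss` for a PSS SPKI and `Public Key Algorithm: rsaEncryption` for a plain RSA one; only the latter will pass the startup check against a PKCS#11-backed RSA key while this issue stands.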

