Bug 1664802 - httpd fails to use RSA-PSS keys and certificates on PKCS#11 device
Summary: httpd fails to use RSA-PSS keys and certificates on PKCS#11 device
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: openssl-pkcs11
Version: 8.0
Hardware: All
OS: Linux
Target Milestone: rc
: 8.0
Assignee: Jakub Jelen
QA Contact: BaseOS QE Security Team
Marc Muehlfeld
Depends On: 1682502
Reported: 2019-01-09 17:02 UTC by Stanislav Zidek
Modified: 2021-02-01 07:31 UTC

Fixed In Version:
Doc Type: Known Issue
Doc Text:
.Apache `httpd` fails to start if it uses an RSA private key stored in a PKCS#11 device and an RSA-PSS certificate
The PKCS#11 standard does not differentiate between RSA and RSA-PSS key objects and uses the `CKK_RSA` type for both. However, OpenSSL uses different types for RSA and RSA-PSS keys. As a consequence, the `openssl-pkcs11` engine cannot determine which type should be provided to OpenSSL for PKCS#11 RSA key objects. Currently, the engine sets the key type to RSA for all PKCS#11 `CKK_RSA` objects. When OpenSSL compares the type of an RSA-PSS public key obtained from the certificate with the type contained in an RSA private key object provided by the engine, it concludes that the types are different. Therefore, the certificate and the private key do not match. The check performed in the `X509_check_private_key()` OpenSSL function returns an error in this scenario. The `httpd` web server calls this function in its startup process to check that the provided certificate and key match. Since this check always fails for a certificate containing an RSA-PSS public key and an RSA private key stored in the PKCS#11 module, `httpd` fails to start with this configuration. There is no workaround available for this issue.
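As an added example (not part of this bug report, of `httpd`, or of `openssl-pkcs11`), the shell script below checks a certificate and key reference for the combination described above before `httpd` is started: it reads the certificate's SubjectPublicKeyInfo algorithm with the `openssl` command-line tool and flags an RSA-PSS certificate whose private key is addressed through a `pkcs11:` URI. It assumes `openssl` 1.1.1 or newer (which can generate RSA-PSS keys) is on PATH; the function names, the sample `pkcs11:` URI and the self-signed test certificates are constructed for the example.

```shell
#!/usr/bin/env bash
# Added example, not taken from the bug report: a pre-flight check for the
# configuration the report describes (RSA-PSS public key in the certificate,
# private key reached through a pkcs11: URI). Assumes the openssl command-line
# tool (1.1.1 or newer) is on PATH.
set -eu

# Print the SubjectPublicKeyInfo algorithm of a PEM certificate:
# "rsassaPss" for an RSA-PSS public key, "rsaEncryption" for a plain RSA one.
spki_algorithm() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/^[[:space:]]*Public Key Algorithm:[[:space:]]*//p' \
        | head -n 1
}

# Succeed (exit 0) when the pair would trip X509_check_private_key() in httpd:
# the certificate carries an RSA-PSS public key and the private key sits on a
# PKCS#11 token, where the engine presents it to OpenSSL as a plain RSA key.
pkcs11_pss_mismatch() {
    local cert="$1" keyref="$2"
    case "$keyref" in
        pkcs11:*) ;;        # key object lives on a token (CKK_RSA, typed as RSA)
        *) return 1 ;;      # file-based key keeps its RSA-PSS type: no mismatch
    esac
    [ "$(spki_algorithm "$cert")" = "rsassaPss" ]
}

# Build constructed test material in $1: a self-signed RSA-PSS certificate
# (pss.crt) and a self-signed plain RSA certificate (rsa.crt), with their keys.
make_fixtures() {
    local dir="$1"
    openssl genpkey -algorithm RSA-PSS -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/pss.key" 2>/dev/null
    openssl req -x509 -new -key "$dir/pss.key" -subj "/CN=pss-test" \
        -days 1 -out "$dir/pss.crt" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/rsa.key" 2>/dev/null
    openssl req -x509 -new -key "$dir/rsa.key" -subj "/CN=rsa-test" \
        -days 1 -out "$dir/rsa.crt" 2>/dev/null
}

# Stand-alone demonstration; the key URI below is a constructed placeholder,
# not a real token.
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_fixtures "$work"
uri='pkcs11:token=softhsm;object=httpd;type=private'
for c in pss rsa; do
    printf '%s.crt: %s' "$c" "$(spki_algorithm "$work/$c.crt")"
    if pkcs11_pss_mismatch "$work/$c.crt" "$uri"; then
        printf ' -> httpd would fail with AH02565 (bug 1664802)\n'
    else
        printf ' -> no key type mismatch\n'
    fi
done
```

Run `pkcs11_pss_mismatch` against the real certificate file and the `SSLCertificateKeyFile` value from the `httpd` configuration. A hit reproduces the type mismatch the Doc Text describes; since the report records no workaround, the check is mainly useful for telling this failure apart from an ordinary certificate/key mismatch behind the same AH02565 message.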
Clone Of:
: 1664807
Last Closed: 2021-02-01 07:31:52 UTC
Type: Bug
Target Upstream Version:


Description Stanislav Zidek 2019-01-09 17:02:36 UTC
Description of problem:

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. cd into directory with /CoreOS/p11-kit/Integration/httpd-pkcs11-uri
2. change KEYTYPES array to test rsa-pss - "KEYTYPES=(rsa-pss)"
3. 1minutetip --buildroot rhel8

Actual results:

Found 1 private key:
   1 P  id=6b5ff7c0537fde29df51c95d3d022be4fdfd0ffd label=httpd
AH00016: Configuration Failed

[ssl:debug] [...] ssl_engine_pphrase.c(872): Init: Initialized engine pkcs11 for private key pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=ec28ddec41a113d2;token=softhsm;id=%6b%5f%f7%c0%53%7f%de%29%df%51%c9%5d%3d%02%2b%e4%fd%fd%0f%fd;object=httpd;type=private?pin-value=123456
[ssl:emerg] [...] AH02565: Certificate and private key host-8-250-204.host.centralci.eng.rdu2.redhat.com:443:0 from pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=ec28ddec41a113d2;token=softhsm;id=%52%36%d8%ea%58%ea%70%02%b2%27%f4%0f%2b%07%de%1b%72%d2%aa%b3;object=httpd;type=cert and pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=ec28ddec41a113d2;token=softhsm;id=%6b%5f%f7%c0%53%7f%de%29%df%51%c9%5d%3d%02%2b%e4%fd%fd%0f%fd;object=httpd;type=private?pin-value=123456 do not match

Expected results:
no problems

Comment 8 Anderson Sasaki 2019-03-13 17:28:07 UTC
This issue was set to high priority because it has no workaround and it has a high impact on a small number of users.

Comment 17 RHEL Program Management 2021-02-01 07:31:52 UTC
After evaluating this issue, there are no plans to address it further or fix it in an upcoming release.  Therefore, it is being closed.  If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened.
