Bug 1664802 - httpd fails to use RSA-PSS keys and certificates on PKCS#11 device
Summary: httpd fails to use RSA-PSS keys and certificates on PKCS#11 device
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: openssl-pkcs11
Version: 8.0
Hardware: All
OS: Linux
medium
high
Target Milestone: rc
Target Release: 8.0
Assignee: Jakub Jelen
QA Contact: BaseOS QE Security Team
Docs Contact: Marc Muehlfeld
URL:
Whiteboard:
Depends On: 1682502
Blocks:
Reported: 2019-01-09 17:02 UTC by Stanislav Zidek
Modified: 2021-02-01 07:31 UTC (History)

Fixed In Version:
Doc Type: Known Issue
Doc Text:
Apache `httpd` fails to start if it uses an RSA private key stored in a PKCS#11 device and an RSA-PSS certificate

The PKCS#11 standard does not differentiate between RSA and RSA-PSS key objects and uses the `CKK_RSA` type for both. OpenSSL, however, uses different key types for RSA and RSA-PSS. As a consequence, the `openssl-pkcs11` engine cannot determine which type it should report to OpenSSL for a PKCS#11 RSA key object, and it currently reports all PKCS#11 `CKK_RSA` objects as RSA keys. When OpenSSL compares the type of the RSA-PSS public key obtained from the certificate with the type of the RSA private key object provided by the engine, it finds that the types differ and concludes that the certificate and the private key do not match. The `X509_check_private_key()` OpenSSL function therefore returns an error in this scenario. The `httpd` web server calls this function during startup to verify that the configured certificate and key match. Because this check always fails for a certificate containing an RSA-PSS public key combined with an RSA private key stored in the PKCS#11 module, `httpd` fails to start with this configuration. There is no workaround available for this issue.
Clone Of:
Clones: 1664807 (view as bug list)
Environment:
Last Closed: 2021-02-01 07:31:52 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Description Stanislav Zidek 2019-01-09 17:02:36 UTC
Description of problem:


Version-Release number of selected component (if applicable):
httpd-2.4.37-7.module+el8+2443+605475b7.x86_64
openssl-pkcs11-0.4.8-2.el8.x86_64
openssl-1.1.1-8.el8.x86_64
softhsm-2.4.0-1.el8.x86_64

How reproducible:
always

Steps to Reproduce:
1. cd into directory with /CoreOS/p11-kit/Integration/httpd-pkcs11-uri
2. change KEYTYPES array to test rsa-pss - "KEYTYPES=(rsa-pss)"
3. 1minutetip --buildroot rhel8

Actual results:

/var/log/httpd/error_log:
Found 1 private key:
   1 P  id=6b5ff7c0537fde29df51c95d3d022be4fdfd0ffd label=httpd
AH00016: Configuration Failed

/var/log/httpd/ssl_error_log:
[ssl:debug] [...] ssl_engine_pphrase.c(872): Init: Initialized engine pkcs11 for private key pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=ec28ddec41a113d2;token=softhsm;id=%6b%5f%f7%c0%53%7f%de%29%df%51%c9%5d%3d%02%2b%e4%fd%fd%0f%fd;object=httpd;type=private?pin-value=123456
[ssl:emerg] [...] AH02565: Certificate and private key host-8-250-204.host.centralci.eng.rdu2.redhat.com:443:0 from pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=ec28ddec41a113d2;token=softhsm;id=%52%36%d8%ea%58%ea%70%02%b2%27%f4%0f%2b%07%de%1b%72%d2%aa%b3;object=httpd;type=cert and pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=ec28ddec41a113d2;token=softhsm;id=%6b%5f%f7%c0%53%7f%de%29%df%51%c9%5d%3d%02%2b%e4%fd%fd%0f%fd;object=httpd;type=private?pin-value=123456 do not match


Expected results:
no problems
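When triaging this failure, an operator usually first rules out the ordinary cause of AH02565, a certificate URI and a key URI that point at different objects, before attributing it to the RSA versus RSA-PSS type mismatch described in the Doc Text. The helper below is an added example (my own code, not from the bug report, httpd or openssl-pkcs11): it parses the AH02565 line exactly as httpd logs it, percent-decodes the two RFC 7512 `pkcs11:` URIs, compares token, object label and CKA_ID, and redacts the `pin-value` that the debug-level log line exposes; the sample line is the one from this report, embedded as constructed input.

```python
"""Triage helper for httpd's AH02565 error (added example, not code from the bug report,
httpd or openssl-pkcs11): decode the two RFC 7512 pkcs11: URIs httpd logs and compare them."""
import re
from urllib.parse import unquote_to_bytes

SAMPLE_LOG = (  # constructed sample: the AH02565 line from the report's ssl_error_log
    "[ssl:emerg] [...] AH02565: Certificate and private key "
    "host-8-250-204.host.centralci.eng.rdu2.redhat.com:443:0 from pkcs11:model=SoftHSM%20v2;"
    "manufacturer=SoftHSM%20project;serial=ec28ddec41a113d2;token=softhsm;"
    "id=%52%36%d8%ea%58%ea%70%02%b2%27%f4%0f%2b%07%de%1b%72%d2%aa%b3;object=httpd;type=cert"
    " and pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=ec28ddec41a113d2;"
    "token=softhsm;id=%6b%5f%f7%c0%53%7f%de%29%df%51%c9%5d%3d%02%2b%e4%fd%fd%0f%fd;"
    "object=httpd;type=private?pin-value=123456 do not match"
)
AH02565_RE = re.compile(
    r"AH02565: Certificate and private key (?P<vhost>\S+) from "
    r"(?P<cert>pkcs11:\S+) and (?P<key>pkcs11:\S+) do not match"
)
PIN_RE = re.compile(r"(pin-value=)[^;&\s]*")

def _attrs(section, sep):
    """Decode one URI section; 'id' is the binary CKA_ID, so it stays bytes."""
    out = {}
    for item in filter(None, section.split(sep)):
        name, _, value = item.partition("=")
        raw = unquote_to_bytes(value)
        out[name] = raw if name == "id" else raw.decode("utf-8")
    return out

def parse_pkcs11_uri(uri):
    """Return (path_attrs, query_attrs); the path uses ';', the query uses '&'."""
    path, _, query = uri.partition(":")[2].partition("?")
    return _attrs(path, ";"), _attrs(query, "&")

def triage_ah02565(line):
    """Summarise the two objects httpd compared; None if the line is not AH02565."""
    m = AH02565_RE.search(line)
    if not m:
        return None
    cert, _ = parse_pkcs11_uri(m["cert"])
    key, key_query = parse_pkcs11_uri(m["key"])
    return {
        "cert_id": cert.get("id", b"").hex(),
        "key_id": key.get("id", b"").hex(),
        "same_token": (cert.get("token"), cert.get("serial")) == (key.get("token"), key.get("serial")),
        "same_label": cert.get("object") == key.get("object"),
        "pin_logged": "pin-value" in key_query,  # httpd writes the token PIN to the log
    }

def redact_pin(line):
    """Mask pin-value before the line is attached to a ticket or shared."""
    return PIN_RE.sub(r"\1<redacted>", line)
```

For the line in this report the helper shows both URIs on the same token with the same `httpd` label, and the decoded key id equals the one printed in error_log, so the objects are the expected ones and the mismatch comes from the key type, not from a misconfigured URI.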

Comment 8 Anderson Sasaki 2019-03-13 17:28:07 UTC
This issue was set to high priority because it has no workaround and it has high impact on a small number of users.

Comment 17 RHEL Program Management 2021-02-01 07:31:52 UTC
After evaluating this issue, there are no plans to address it further or fix it in an upcoming release.  Therefore, it is being closed.  If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened.

