Bug 1670026 - pin-source is not handled in pkcs11 URI
Summary: pin-source is not handled in pkcs11 URI
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: openssl-pkcs11
Version: 29
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Anderson Sasaki
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-01-28 13:00 UTC by Petr Menšík
Modified: 2019-10-26 17:25 UTC (History)

Fixed In Version: openssl-pkcs11-0.4.10-3.fc30 openssl-pkcs11-0.4.10-3.fc29 openssl-pkcs11-0.4.10-3.fc31
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-10-19 17:41:34 UTC




Links: GitHub OpenSC libp11 issue 273 (Priority: None, Status: None, Summary: None; Last Updated: 2019-02-07 14:04:58 UTC)

Description Petr Menšík 2019-01-28 13:00:31 UTC
Description of problem:
I have generated a SoftHSM2 backed key called ecc on token DNS.
However, I cannot access the token unless I provide pin-value. I want to use pin-source.

One problem is that it does not properly parse the PKCS#11 URI. Moreover, it crashes when it fails.

Version-Release number of selected component (if applicable):
rpm -q openssl-pkcs11 softhsm openssl
openssl-pkcs11-0.4.8-2.fc29.x86_64
openssl-pkcs11-0.4.8-2.fc29.i686
softhsm-2.5.0-2.fc29.x86_64
openssl-1.1.1a-1.fc29.x86_64


How reproducible:
always

Steps to Reproduce:
1. p11tool --list-all 'pkcs11:token=DNS;object=ecc?pin-source=/etc/named/pkcs11-pin'

2. openssl dgst -hex -engine pkcs11 -keyform engine -sign 'pkcs11:token=DNS;object=ecc?pin-source=/etc/named/pkcs11-pin' /etc/redhat-release

Actual results:
# p11tool
Object 0:
	URL: pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=0e7082540070b451;token=DNS;object=ecc;type=public
	Type: Public key (EC/ECDSA-SECP384R1)
	Label: ecc
	Flags: CKA_WRAP/UNWRAP; 
	ID: 

# openssl dgst -hex -engine pkcs11 -keyform engine -sign 'pkcs11:token=DNS;object=ecc?pin-source=/etc/named/pkcs11-pin' /etc/redhat-release
engine "pkcs11" set.
The key ID is not a valid PKCS#11 URI
The PKCS#11 URI format is defined by RFC7512
The key ID is not a valid PKCS#11 URI
The PKCS#11 URI format is defined by RFC7512
PKCS11_get_private_key returned NULL
cannot load key file from engine
140412282758976:error:80065064:pkcs11 engine:ctx_load_key:invalid id:eng_back.c:636:
140412282758976:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:crypto/engine/eng_pkey.c:78:
unable to load key file
Neoprávněný přístup do paměti (SIGSEGV) (core dumped [obraz paměti uložen])


Expected results:
# Same output as command
# openssl dgst -hex -engine pkcs11 -keyform engine -sign "pkcs11:token=DNS;object=ecc?pin-value=$(cat /etc/named/pkcs11-pin)" /etc/redhat-release
engine "pkcs11" set.
EC-SHA256(/etc/redhat-release)= 3065023079d08cc0918a977d7e9172fc7840616295a47ee5a5639f2acd784c6db725b5d81a40fae548e1875a9c503a683532d284023100bbddaec466be3eff9bde7504195429e1f0275b8b96d47001e04b3f7fbd3b33b0b3266cd3004f5041ebdc83354a3167ef

Additional info:
It seems this is related to the long-closed issue [1]. It was not fixed as well as it should have been. Another issue is that SoftHSM does not accept pin-value, so they are now mutually incompatible.

I would like to eventually remove support for native PKCS#11 from the named-pkcs11 special build and handle all tokens from OpenSSL. But this issue prevents reusing keys created by dnssec-keyfromlabel. This tool stores the pkcs11 URI used into the private key. In order to use such keys, OpenSSL has to accept the same parameters. A PIN from a file might be a security issue, but otherwise it would be stored in each private key.

Moreover, it crashes.

1. https://github.com/OpenSC/engine_pkcs11/issues/28
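As an added illustration (not code from the bug report, libp11 or openssl-pkcs11): a small RFC 7512 URI parser that recognises pin-source as a query attribute, resolves it from a bare path or a file: URI, and returns None on a malformed URI instead of crashing, which is the behaviour the report expects from the engine. The function names, the injectable read_file hook and the sample PIN content are assumptions of this example.

```python
from urllib.parse import unquote, unquote_to_bytes

# Attributes allowed in the path component (RFC 7512 section 2.3).
PATH_ATTRS = {"token", "manufacturer", "serial", "model", "library-manufacturer",
              "library-description", "library-version", "object", "type", "id",
              "slot-manufacturer", "slot-description", "slot-id"}
# Attributes allowed only in the query component; pin-source is the one the
# report says the engine did not recognise.
QUERY_ATTRS = {"pin-source", "pin-value", "module-name", "module-path"}


def parse_pkcs11_uri(uri):
    """Split a pkcs11: URI into (path_attrs, query_attrs); None on any
    syntax error, so a bad key id is rejected rather than dereferenced."""
    if not uri.startswith("pkcs11:"):
        return None
    path_part, _, query_part = uri[len("pkcs11:"):].partition("?")
    path_attrs, query_attrs = {}, {}
    for part, allowed, dest, sep in ((path_part, PATH_ATTRS, path_attrs, ";"),
                                     (query_part, QUERY_ATTRS, query_attrs, "&")):
        for item in filter(None, part.split(sep)):
            name, eq, value = item.partition("=")
            if not eq or name not in allowed or name in dest:
                return None  # unknown, malformed or repeated attribute
            # "id" is percent-encoded binary; every other attribute is text
            dest[name] = unquote_to_bytes(value) if name == "id" else unquote(value)
    if "pin-source" in query_attrs and "pin-value" in query_attrs:
        return None  # RFC 7512: at most one of the two may be present
    return path_attrs, query_attrs


def _read_pin_file(path):
    with open(path, encoding="utf-8") as fh:
        return fh.read()


def resolve_pin(query_attrs, read_file=_read_pin_file):
    """Return the PIN from pin-value or pin-source, or None if neither is
    usable. pin-source is itself a URI: a bare path or file: URI is accepted.
    read_file is injectable (assumed hook) so this runs without a real file."""
    if "pin-value" in query_attrs:
        return query_attrs["pin-value"]
    src = query_attrs.get("pin-source")
    if src is None:
        return None
    if src.startswith("file:"):
        src = src[len("file:"):]
        if src.startswith("//"):
            src = src[2:]  # file:///etc/pin -> /etc/pin
    try:
        return read_file(src).rstrip("\r\n")  # PIN files usually end in a newline
    except OSError:
        return None  # unreadable PIN file: no PIN, but no crash
```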

Comment 1 Anderson Sasaki 2019-02-07 14:04:59 UTC
I can reproduce both issues (missing 'pin-source' parser and crash at the end).
I opened an issue upstream to track this [0].

[0] https://github.com/OpenSC/libp11/issues/273

Comment 2 Nikos Mavrogiannopoulos 2019-08-05 10:14:21 UTC
David, do you remember why pin-source was not handled originally in the code?

Comment 5 Anderson Sasaki 2019-10-04 17:05:22 UTC
Upstream fix:
https://github.com/OpenSC/libp11/pull/309

Comment 6 Fedora Update System 2019-10-11 14:10:17 UTC
FEDORA-2019-8beaeedf08 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-8beaeedf08

Comment 7 Fedora Update System 2019-10-11 14:10:59 UTC
FEDORA-2019-6b0df61357 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-6b0df61357

Comment 8 Fedora Update System 2019-10-11 14:11:53 UTC
FEDORA-2019-747809e4c5 has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2019-747809e4c5

Comment 9 Fedora Update System 2019-10-11 16:54:05 UTC
openssl-pkcs11-0.4.10-3.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-747809e4c5

Comment 10 Fedora Update System 2019-10-12 01:14:53 UTC
openssl-pkcs11-0.4.10-3.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-6b0df61357

Comment 11 Fedora Update System 2019-10-12 02:02:38 UTC
openssl-pkcs11-0.4.10-3.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-8beaeedf08

Comment 12 Fedora Update System 2019-10-19 17:41:34 UTC
openssl-pkcs11-0.4.10-3.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.

Comment 13 Fedora Update System 2019-10-19 17:45:04 UTC
openssl-pkcs11-0.4.10-3.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.

Comment 14 Fedora Update System 2019-10-26 17:25:06 UTC
openssl-pkcs11-0.4.10-3.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.
