Bug 1705505 - openssl fails with PKCS#11 URIs without module specification
Summary: openssl fails with PKCS#11 URIs without module specification
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: openssl-pkcs11
Version: 8.0
Hardware: All
OS: Linux
Target Milestone: rc
: 8.2
Assignee: Anderson Sasaki
QA Contact: Alexander Sosedkin
Jan Fiala
Depends On:
Blocks: 1760751
TreeView+ depends on / blocked
Reported: 2019-05-02 12:24 UTC by Stanislav Zidek
Modified: 2020-04-28 16:58 UTC (History)
4 users (show)

Fixed In Version: openssl-pkcs11-0.4.10-1.el8
Doc Type: Bug Fix
Doc Text:
.`openssl-pkcs11` no longer locks devices by attempting to log in to multiple devices Previously, the `openssl-pkcs11` engine attempted to log in to the first result of a search using the provided PKCS #11 URI and used the provided PIN even if the first result was not the intended device and the PIN matched another device. These failed authentication attempts locked the device. `openssl-pkcs11` now attempts to log in to a device only if the provided PKCS #11 URI matches only a single device. The engine now intentionally fails in case the PKCS #11 search finds more than one device. For this reason, you must provide a PKCS #11 URI that matches only a single device when using `openssl-pkcs11` to log in to the device.
Clone Of:
: 1760751 (view as bug list)
Last Closed: 2020-04-28 16:58:10 UTC
Type: Bug
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Github OpenSC libp11 issues 302 0 'None' closed Search for objects stops in the first matching slot 2021-01-14 17:22:56 UTC
Red Hat Product Errata RHBA-2020:1871 0 None None None 2020-04-28 16:58:16 UTC

Description Stanislav Zidek 2019-05-02 12:24:39 UTC
Description of problem:
If we provide openssl PKCS#11 URI such as "pkcs11:id=%01", it is not able use the referenced object.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. set up softhsm token with private key; echo "secret" >in.txt
2. openssl pkeyutl -engine pkcs11 -keyform engine -inkey 'pkcs11:token=softhsm;id=%9b%c9%62%90%a2%46%c1%37%1b%83%4c%10%65%fa%7e%6e%ac%a9%59%ad;type=private?pin-value=123456' -encrypt -out output.bin -in in.txt
3. openssl pkeyutl -engine pkcs11 -keyform engine -inkey 'pkcs11:id=%9b%c9%62%90%a2%46%c1%37%1b%83%4c%10%65%fa%7e%6e%ac%a9%59%ad;type=private?pin-value=123456' -encrypt -out output.bin -in in.txt

Actual results:
3: fails
engine "pkcs11" set.
Found uninitialized token
Unable to check if already logged in
Login failed
Login to token failed, returning NULL...
PKCS11_get_private_key returned NULL
cannot load Private Key from engine
140399542032192:error:820780E1:PKCS#11 module:pkcs11_open_session:PKCS#11 token not recognized:p11_slot.c:156:
140399542032192:error:820780E1:PKCS#11 module:pkcs11_open_session:PKCS#11 token not recognized:p11_slot.c:156:
140399542032192:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:crypto/engine/eng_pkey.c:78:
unable to load Private Key
pkeyutl: Error initializing context
Segmentation fault (core dumped)

Expected results:
both 2. and 3. pass

Comment 3 Anderson Sasaki 2019-10-02 08:39:06 UTC
Upstream fix:

Comment 16 errata-xmlrpc 2020-04-28 16:58:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.