Description of problem:

This[1] patch adds code that gets the attribute CKA_LABEL from the PKCS#11 module, which is fine. But it shouldn't *require* it. A missing label is not an error.

I'm not a PKCS#11 expert, but the presence of the code:

    if (label_attrib->ulValueLen > 0 ) {

tells me that other parts of the patch treat this attribute as optional.

The offending parts of the patch are:

```
@@ -729,18 +863,19 @@ pkcs11_fetch_ecdsa_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
 	 * XXX assumes CKA_ID is always first.
 	 */
 	if (key_attr[1].ulValueLen == 0 ||
-	    key_attr[2].ulValueLen == 0) {
+	    key_attr[2].ulValueLen == 0 ||
+	    key_attr[3].ulValueLen == 0) {
 		error("invalid attribute length");
 		return (NULL);
 	}
```

```
@@ -850,18 +987,19 @@ pkcs11_fetch_rsa_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
 	 * XXX assumes CKA_ID is always first.
 	 */
 	if (key_attr[1].ulValueLen == 0 ||
-	    key_attr[2].ulValueLen == 0) {
+	    key_attr[2].ulValueLen == 0 ||
+	    key_attr[3].ulValueLen == 0) {
 		error("invalid attribute length");
 		return (NULL);
 	}
```

key_attr[1].ulValueLen (CKA_LABEL) should *NOT* be checked for zero-length.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Install https://github.com/ThomasHabets/simple-tpm-pk11
2. Set up a key per its README
3. ssh -v -v -v -oPKCS11Provider=/usr/local/lib/libsimple-tpm-pk11.so shell.example.com

Actual results:
Get errors: "invalid attribute length" and "failed to fetch key" because Fedora OpenSSH requires CKA_LABEL.

Expected results:
It to "just work" for login, like with vanilla OpenSSH.

Additional info:
This broke simple-tpm-pk11: https://github.com/ThomasHabets/simple-tpm-pk11/issues/48

[1] https://src.fedoraproject.org/rpms/openssh/blob/master/f/openssh-8.0p1-pkcs11-uri.patch
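Review bot: in the pkcs11_fetch_ecdsa_pubkey hunk, the retained `if (key_attr[1].ulValueLen == 0 ||` clause is the defect: with CKA_LABEL now sitting at key_attr[1] (as the report states), an empty label trips "invalid attribute length" even though the same patch's `if (label_attrib->ulValueLen > 0 ) {` treats the label as optional. The added `key_attr[3].ulValueLen == 0` test is right for the mandatory attributes that shifted up one slot; drop the key_attr[1] clause so the guard reads `if (key_attr[2].ulValueLen == 0 || key_attr[3].ulValueLen == 0) {`, and extend the "XXX assumes CKA_ID is always first" comment to say that index 1 (the label) may legitimately be empty.

Review bot: the pkcs11_fetch_rsa_pubkey hunk has the identical problem: `key_attr[1].ulValueLen == 0 ||` survives while the label occupies index 1, so the same one-clause removal applies there. Since both functions now carry the same positional guard and were broken in the same way by one table insertion, a shared helper that checks lengths by attribute type (CKA_LABEL optional, everything else required) rather than by array index would stop the two copies from drifting apart again.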
Thank you very much for the bug report. You are right, this was a mistake. I will fix it with the next update of openssh.
Thanks. Right, I should add that in order to reproduce this with simple-tpm-pk11 you need to undo the workaround: https://github.com/ThomasHabets/simple-tpm-pk11/commit/949700211ab6f1c28a863c7a94dbd73eb99b0f41
openssh-8.0p1-3.fc30 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-ba5e7fffc5
openssh-8.0p1-3.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-ba5e7fffc5
openssh-8.0p1-3.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.
Hello. I got the same error on CentOS 8-stream and Fedora 37, if the token has only a private key and a certificate, without a public key:

debug1: identity file 'pkcs11:?module-path=/usr/lib64/libeToken.so' from pkcs#11
debug1: pkcs11_add_provider_by_uri: called, provider_uri = pkcs11:?module-path=/usr/lib64/libeToken.so
debug1: provider /usr/lib64/libeToken.so: manufacturerID <SafeNet, Inc.> cryptokiVersion 2.20 libraryDescription <SafeNet eToken PKCS#11> libraryVersion 10.8
debug1: provider pkcs11:?module-path=/usr/lib64/libeToken.so slot 0: label <Abcd Efgh> manufacturerID <SafeNet, Inc.> model <eToken> serial <0111a11b> flags 0x60d
invalid attribute length
failed to fetch key

I made a small patch (for CentOS 8-stream openssh-8.0):

@@ -1082,8 +1082,7 @@
 	 * ensure that none of the others are zero length.
 	 * XXX assumes CKA_ID is always first.
 	 */
-	if (cert_attr[1].ulValueLen == 0 ||
-	    cert_attr[2].ulValueLen == 0 ||
+	if (cert_attr[2].ulValueLen == 0 ||
 	    cert_attr[3].ulValueLen == 0) {
 		error("invalid attribute length");
 		return (NULL);

Now, it works as expected.
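Review bot: the hunk removes the `cert_attr[1].ulValueLen == 0 ||` clause but leaves the comment "ensure that none of the others are zero length" directly above it, which no longer describes what is checked; amend it to say that index 1 may be empty, matching the key_attr fix from comment #0. The header `@@ -1082,8 +1082,7 @@` carries no function context, so name the certificate-fetching function in the CentOS 8-stream openssh-8.0 source it targets before the patch is carried over to a RHEL bug. The line counts (8 before, 7 after) agree with the single-line removal.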
(In reply to Max P from comment #6)
> Hello. I got the same error on CentOS 8-stream and Fedora 37, if the token has
> only a private key and a certificate, without a public key:
>
> debug1: identity file 'pkcs11:?module-path=/usr/lib64/libeToken.so' from
> pkcs#11
> debug1: pkcs11_add_provider_by_uri: called, provider_uri =
> pkcs11:?module-path=/usr/lib64/libeToken.so
> debug1: provider /usr/lib64/libeToken.so: manufacturerID <SafeNet, Inc.>
> cryptokiVersion 2.20 libraryDescription <SafeNet eToken PKCS#11>
> libraryVersion 10.8
> debug1: provider pkcs11:?module-path=/usr/lib64/libeToken.so slot 0: label
> <Abcd Efgh> manufacturerID <SafeNet, Inc.> model <eToken> serial <0111a11b>
> flags 0x60d
> invalid attribute length
> failed to fetch key
>
> I made a small patch (for CentOS 8-stream openssh-8.0):
>
> @@ -1082,8 +1082,7 @@
>  	 * ensure that none of the others are zero length.
>  	 * XXX assumes CKA_ID is always first.
>  	 */
> -	if (cert_attr[1].ulValueLen == 0 ||
> -	    cert_attr[2].ulValueLen == 0 ||
> +	if (cert_attr[2].ulValueLen == 0 ||
>  	    cert_attr[3].ulValueLen == 0) {
>  		error("invalid attribute length");
>  		return (NULL);
>
> Now, it works as expected.

Please open a bug for RHEL8 so this can be handled in RHEL8 too. Using the clone button above should do that.
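Both reports in this bug (the key_attr guard in comment #0 and the cert_attr guard in comment #6) come from the same pattern: a length check written by array index that silently started rejecting CKA_LABEL once the label was inserted into the attribute table. The block below is an added example, not code from OpenSSH, Fedora or simple-tpm-pk11, that writes the check by attribute type instead, with CKA_LABEL the one entry allowed to be empty. It also treats CK_UNAVAILABLE_INFORMATION, the value PKCS#11 stores in ulValueLen when a module does not have the attribute at all, the same way as a zero length. The CK_ATTRIBUTE layout and CKA_* constants follow PKCS#11 v2.20 so it builds without pkcs11.h; the composition of the key and certificate tables and every length in them are assumed for illustration and do not come from a real token.

```c
/*
 * Added example, not code from OpenSSH, Fedora or simple-tpm-pk11.
 * Attribute-length validation by attribute type, with CKA_LABEL optional.
 * Types and constants mirror PKCS#11 v2.20 so this builds without pkcs11.h.
 */
#include <stddef.h>
#include <stdio.h>

typedef unsigned long CK_ULONG;
typedef CK_ULONG CK_ATTRIBUTE_TYPE;
typedef struct {
	CK_ATTRIBUTE_TYPE type;
	void *pValue;
	CK_ULONG ulValueLen;
} CK_ATTRIBUTE;

/* C_GetAttributeValue stores this in ulValueLen when the attribute is absent. */
#define CK_UNAVAILABLE_INFORMATION ((CK_ULONG)~0UL)

#define CKA_LABEL     0x003UL
#define CKA_VALUE     0x011UL
#define CKA_SUBJECT   0x101UL
#define CKA_ID        0x102UL
#define CKA_EC_PARAMS 0x180UL
#define CKA_EC_POINT  0x181UL

/* The spec defines CKA_LABEL's default as the empty string, so "no label" is legal. */
static int attr_is_optional(CK_ATTRIBUTE_TYPE type)
{
	return type == CKA_LABEL;
}

/*
 * Replacement for the index-based "invalid attribute length" guard.
 * Returns 0 when every mandatory attribute has a usable length, -1 otherwise.
 * Absent (CK_UNAVAILABLE_INFORMATION) and empty (0) both count as missing.
 */
int check_attr_lengths(const CK_ATTRIBUTE *attr, size_t nattr)
{
	size_t i;

	for (i = 0; i < nattr; i++) {
		CK_ULONG len = attr[i].ulValueLen;

		if (len != 0 && len != CK_UNAVAILABLE_INFORMATION)
			continue;
		if (attr_is_optional(attr[i].type))
			continue;
		fprintf(stderr, "invalid attribute length: type 0x%lx\n", attr[i].type);
		return -1;
	}
	return 0;
}

/* The guard as it appeared in the bug: index 1 is CKA_LABEL, so an empty
 * label is wrongly fatal.  Kept only to contrast with check_attr_lengths(). */
int check_attr_lengths_by_index(const CK_ATTRIBUTE *attr, size_t nattr)
{
	if (nattr < 4)
		return -1;
	if (attr[1].ulValueLen == 0 || attr[2].ulValueLen == 0 ||
	    attr[3].ulValueLen == 0)
		return -1;
	return 0;
}

static unsigned char blob[256];	/* stand-in for fetched attribute bytes */

/* Constructed case from comment #0: EC key, module exposes no CKA_LABEL
 * (table and lengths assumed).  Returns 1 if the given checker accepts it. */
int ec_key_without_label_accepted(int (*check)(const CK_ATTRIBUTE *, size_t))
{
	CK_ATTRIBUTE key_attr[] = {
		{ CKA_ID,        blob, 20 },
		{ CKA_LABEL,     NULL, 0 },
		{ CKA_EC_PARAMS, blob, 10 },
		{ CKA_EC_POINT,  blob, 65 },
	};
	return check(key_attr, 4) == 0;
}

/* Constructed case from comment #6: certificate object whose label is empty
 * (attribute set and lengths assumed).  Returns 1 if accepted. */
int cert_without_label_accepted(int (*check)(const CK_ATTRIBUTE *, size_t))
{
	CK_ATTRIBUTE cert_attr[] = {
		{ CKA_ID,      blob, 20 },
		{ CKA_LABEL,   NULL, 0 },
		{ CKA_SUBJECT, blob, 40 },
		{ CKA_VALUE,   blob, 200 },
	};
	return check(cert_attr, 4) == 0;
}

/* Negative case: a key whose CKA_EC_POINT the module reports as unavailable
 * must still be refused by the type-based check.  Returns 1 if accepted. */
int ec_key_without_point_accepted(void)
{
	CK_ATTRIBUTE key_attr[] = {
		{ CKA_ID,        blob, 20 },
		{ CKA_LABEL,     blob, 5 },
		{ CKA_EC_PARAMS, blob, 10 },
		{ CKA_EC_POINT,  NULL, CK_UNAVAILABLE_INFORMATION },
	};
	return check_attr_lengths(key_attr, 4) == 0;
}

int main(void)
{
	printf("EC key, no label: by-index %s, by-type %s\n",
	    ec_key_without_label_accepted(check_attr_lengths_by_index) ? "ok" : "rejected",
	    ec_key_without_label_accepted(check_attr_lengths) ? "ok" : "rejected");
	printf("cert, no label:   by-index %s, by-type %s\n",
	    cert_without_label_accepted(check_attr_lengths_by_index) ? "ok" : "rejected",
	    cert_without_label_accepted(check_attr_lengths) ? "ok" : "rejected");
	printf("EC key, no point: by-type %s\n",
	    ec_key_without_point_accepted() ? "ok" : "rejected");
	return 0;
}
```

The point of checking by type is that the table can be reordered or extended (as the Fedora patch did when it added CKA_LABEL) without the guard changing meaning; the negative case shows the guard still refuses a key whose public-key material is genuinely missing, which is the situation the original zero-length test was meant to catch.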