RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1857272 - negative option for token.mechanism not working correctly
Summary: negative option for token.mechanism not working correctly
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: softhsm
Version: 8.3
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: 8.0
Assignee: Alexander Bokovoy
QA Contact: Kaleem
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2020-07-15 15:24 UTC by Kaleem
Modified: 2021-05-18 15:48 UTC (History)
5 users (show)

Fixed In Version: softhsm-2.6.0-4
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-05-18 15:48:21 UTC
Type: Bug
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)

Description Kaleem 2020-07-15 15:24:54 UTC 
Description of problem:

when one value is specified with - option its not picked and ALL mechanism are shown

[root@master tokens]# grep -r slots.mechanisms /etc/softhsm2.conf
# Enable and disable PKCS#11 mechanisms using slots.mechanisms.
slots.mechanisms = - CKM_RSA_PKCS
[root@master tokens]# pkcs11-tool -M --module /usr/lib64/libsofthsm2.so > custom.txt
Using slot 0 with a present token (0x73e7cba2)
[root@master tokens]# diff all.txt custom.txt 
[root@master tokens]#

when two values specified with - option only later one is picked

[root@master tokens]# grep -r slots.mechanisms /etc/softhsm2.conf
# Enable and disable PKCS#11 mechanisms using slots.mechanisms.
slots.mechanisms = - CKM_RSA_PKCS,CKM_RSA_X_509
[root@master tokens]# pkcs11-tool -M --module /usr/lib64/libsofthsm2.so > custom.txt
Using slot 0 with a present token (0x73e7cba2)
[root@master tokens]# diff all.txt custom.txt 
51d50
<   RSA-X-509, keySize={512,16384}, encrypt, decrypt, sign, verify
[root@master tokens]#

Version-Release number of selected component (if applicable):
[root@master tokens]# rpm -q softhsm
softhsm-2.6.0-3.module+el8.3.0+6909+fb33717d.x86_64
[root@master tokens]# 

How reproducible:
Always

Steps to Reproduce:
1. Specify token mechanism with negative option in /etc/softhsm2.conf
   e.g slots.mechanisms = -CKM_RSA_X_509,CKM_RSA_PKCS

2. Check for mechanism list supported. 


Actual results:
Only the later one in the list mechanism is not shown but first one is shown in the list displayed

Expected results:
None of the mechanism listed with '-' should displayed.
Comment 1 Jakub Jelen 2020-07-15 16:16:36 UTC 
The fix for this issue is submitted in the following PR on upstream project:

https://github.com/opendnssec/SoftHSMv2/pull/561
Comment 5 Thomas Woerner 2020-08-03 09:28:24 UTC 
Moving back in ASSIGNED state as the PR has not been merged upstream, yet.
Comment 8 Michal Polovka 2021-02-17 12:42:02 UTC 
Manually pre-verified using softhsm-2.6.0-5.module+el8.4.0+9973+3d202164.x86_64 from test compose http://artifacts.osci.redhat.com/comp/rhel-8.4.0-mbs/9973-1386-idm using RHEL8.4

Fixed version:
1. # install softhsm-2.6.0-5.module+el8.4.0+9973+3d202164.x86_64.rpm
2. # install opensc
3. softhsm2-util --init-token --slot 0 --label "My token"
4. grep -r slots.mechanisms /etc/softhsm2.conf
# Enable and disable PKCS#11 mechanisms using slots.mechanisms.
slots.mechanisms = ALL
5. pkcs11-tool -M --module /usr/lib64/libsofthsm2.so > all.txt
6. sed -i 's/ALL/- CKM_RSA_PKCS,CKM_RSA_X_509/' /etc/softhsm2.conf
7. grep -r slots.mechanisms /etc/softhsm2.conf
# Enable and disable PKCS#11 mechanisms using slots.mechanisms.
slots.mechanisms = - CKM_RSA_PKCS,CKM_RSA_X_509
8. pkcs11-tool -M --module /usr/lib64/libsofthsm2.so > custom.txt
9. diff all.txt custom.txt
47d46
 <   RSA-PKCS, keySize={512,16384}, encrypt, decrypt, sign, verify, wrap, unwrap
51d49
 <   RSA-X-509, keySize={512,16384}, encrypt, decrypt, sign, verify


Non-fixed version softhsm-2.6.0-3.module+el8.3.0+6909+fb33717d.x86_64
9. diff all.txt custom.txt51d50
<   RSA-X-509, keySize={512,16384}, encrypt, decrypt, sign, verify

Therefore marking as pre-verified: tested.
Comment 11 Michal Polovka 2021-02-19 10:32:12 UTC 
Verified manually using nightly compose of RHEL8.4 with softhsm-2.6.0-5.module+el8.4.0+9973+3d202164.x86_64

1. install softhsm and opensc
2. softhsm2-util --init-token --slot 0 --label "My token"
3. grep -r slots.mechanisms /etc/softhsm2.conf
# Enable and disable PKCS#11 mechanisms using slots.mechanisms.
slots.mechanisms = ALL
4. pkcs11-tool -M --module /usr/lib64/libsofthsm2.so > all.txt
5. sed -i 's/ALL/-CKM_RSA_PKCS,CKM_RSA_X_509/' /etc/softhsm2.conf
6. grep -r slots.mechanisms /etc/softhsm2.conf# Enable and disable PKCS#11 mechanisms using slots.mechanisms.
slots.mechanisms = -CKM_RSA_PKCS,CKM_RSA_X_509
7. pkcs11-tool -M --module /usr/lib64/libsofthsm2.so > custom.txt
8. diff all.txt custom.txt 
47d46
<   RSA-PKCS, keySize={512,16384}, encrypt, decrypt, sign, verify, wrap, unwrap
51d49
<   RSA-X-509, keySize={512,16384}, encrypt, decrypt, sign, verify

Therefore marking as verified.
Comment 13 errata-xmlrpc 2021-05-18 15:48:21 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: idm:DL1 and idm:client security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:1846
Note You need to log in before you can comment on or make changes to this bug.