Bug 1877973 - smart card pkcs11 token field with additional padding
Summary: smart card pkcs11 token field with additional padding
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: opensc
Version: 8.3
Hardware: Unspecified
OS: Unspecified
medium
low
Target Milestone: rc
: 8.0
Assignee: Jakub Jelen
QA Contact: PKI QE
Khushbu Borole
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2020-09-10 22:54 UTC by Scott Poore
Modified: 2021-05-18 14:47 UTC (History)

Fixed In Version: opensc-0.20.0-3.el8
Doc Type: Bug Fix
Doc Text:
.Improved padding for `pkcs11` Previously, the `pkcs11` token label had extra padding for some smart cards. As a consequence, the wrong padding could cause issues matching cards based on the label attribute. With this update, the padding is fixed for all the cards, and defined PKCS #11 URIs and matching against them in applications should work as expected.
Clone Of:
Environment:
Last Closed: 2021-05-18 14:46:59 UTC
Type: Bug
Target Upstream Version:




Links
System: Github
ID: OpenSC OpenSC issues 1922
Private: 0
Priority: None
Status: closed
Summary: Problem with label formatting in C_GetTokenInfo / opensc 0.20.0
Last Updated: 2021-02-08 14:05:43 UTC

Description Scott Poore 2020-09-10 22:54:18 UTC
Description of problem:

In opensc-0.20.0, I am seeing additional padding in the PKCS #11 token label for some smart cards.

Using the following command I got information on a few different cards I have:

[root@rhel8-8 ~]# PKCS11SPY=/usr/lib64/pkcs11/opensc-pkcs11.so  p11tool --provider /usr/lib64/pkcs11-spy.so --list-all-certs 2>&1 | grep -A5 C_GetTokenInfo

####################################
Aventra MyEID:
####################################
4: C_GetTokenInfo
...
      label:                  '                  MyEID (sctest)'
      manufacturerID:         'Aventra Ltd.                    '

####################################
SCP03 card enrolled from RHCS earlier:
####################################

4: C_GetTokenInfo
...
      label:                  '             kdcuser2 (kdcuser2)'
      manufacturerID:         '534e SafeNet                    '

####################################
CAC/PIV card from US DoD:
####################################
4: C_GetTokenInfo
...
      label:                  'FLUORINE.JANE.F.2001441054      '
      manufacturerID:         'piv_II                          '

####################################
Another CAC from US DoD:
####################################
4: C_GetTokenInfo
..
      label:                  'CONTRACTOR.DUALCAC.1402516816   '
      manufacturerID:         'piv_II                          '

Version-Release number of selected component (if applicable):
opensc-0.20.0-2.el8.x86_64

How reproducible:
Always

Steps to Reproduce:
1.  dnf install opensc
2.  systemctl start pcscd
3.  p11tool --provider /usr/lib64/opensc-pkcs11.so --list-all-certs
4.  PKCS11SPY=/usr/lib64/pkcs11/opensc-pkcs11.so  p11tool --provider /usr/lib64/pkcs11-spy.so --list-all-certs 2>&1 | grep -A5 C_GetTokenInfo


Actual results:

4.  extra %00 padding seen in p11tool output
5.  spaces to left not right of the label.

Expected results:

4.  no extra padding
5.  spaces to the right not left of the label

Additional info:
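
Added example (not part of the original report and not OpenSC code): PKCS #11 defines CK_TOKEN_INFO.label as a fixed 32-byte field that is blank-padded and not NUL-terminated, so a consumer can classify a raw field and match it against a PKCS #11 URI token value as sketched here. The function names are hypothetical, and the sample field is constructed from the MyEID label text shown in the output above.

```c
#include <stdio.h>
#include <string.h>

#define LABEL_LEN 32 /* CK_TOKEN_INFO.label is a fixed 32-byte field */

enum label_status { LABEL_OK, LABEL_HAS_NUL, LABEL_LEFT_PADDED, LABEL_BLANK };

/* Classify a raw label field: blank padding belongs on the right, no NUL bytes.
 * Heuristic (assumption): any leading blank is reported as left padding. */
enum label_status check_label(const unsigned char f[LABEL_LEN])
{
    size_t i = 0;
    if (memchr(f, '\0', LABEL_LEN) != NULL)
        return LABEL_HAS_NUL;
    while (i < LABEL_LEN && f[i] == ' ')
        i++;
    if (i == LABEL_LEN)
        return LABEL_BLANK;
    return i > 0 ? LABEL_LEFT_PADDED : LABEL_OK;
}

/* Compare the field, minus trailing blanks, with a decoded URI token= value. */
int label_matches(const unsigned char f[LABEL_LEN], const char *want)
{
    size_t n = LABEL_LEN;
    while (n > 0 && f[n - 1] == ' ')
        n--;
    return strlen(want) == n && memcmp(f, want, n) == 0;
}

/* Build a constructed sample field; left != 0 reproduces the left-padded form. */
int make_field(unsigned char out[LABEL_LEN], const char *text, int left)
{
    size_t n = strlen(text);
    if (n > LABEL_LEN)
        return -1;
    memset(out, ' ', LABEL_LEN);
    memcpy(left ? out + (LABEL_LEN - n) : out, text, n);
    return 0;
}

int main(void)
{
    unsigned char f[LABEL_LEN];
    const char *want = "MyEID (sctest)"; /* label text from the report above */
    for (int left = 0; left <= 1; left++) {
        make_field(f, want, left);
        printf("left=%d status=%d match=%d\n", left, check_label(f), label_matches(f, want));
    }
    return 0;
}
```

The left-padded field fails the match because trimming only trailing blanks leaves all 32 bytes in place, which is the label-matching problem the Doc Text describes.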

Comment 2 Jakub Jelen 2020-09-11 07:55:40 UTC
This is fixed by the following upstream pull request:

https://github.com/OpenSC/OpenSC/issues/1922

This does not affect all cards, but just the ones that have specific PIN name and token label.

I added known-issue doc text to get it to release notes, as it is probably late to fix it in rhel8.3.

Comment 16 errata-xmlrpc 2021-05-18 14:46:59 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: opensc security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:1600

