Bug 2027452 - Softhsm permissions error: unusable from httpd
Summary: Softhsm permissions error: unusable from httpd
Keywords:
Status: NEW
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: softhsm
Version: epel8
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Paul Wouters
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2021-11-29 17:33 UTC by Graham Leggett
Modified: 2021-11-29 17:44 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Type: Bug
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1625548 1 unspecified CLOSED Make softhsm default directory usable for other applications 2023-03-27 04:57:05 UTC

Description Graham Leggett 2021-11-29 17:33:01 UTC
Description of problem:

When attempting to use Apache httpd's PKCS11 support against a softhsm token, all SSL connections fail with the following logged:

Nov 29 19:20:45 gatekeeper httpd[224798]: File.cpp(94): Could not open the file (Permission denied): /var/lib/softhsm/tokens//2f6dd39f-ddc9-d647-4dbd-a11886be9cd2/3ba76108-42de-094f-6c02-e626ec4e5f20.object

The error is accurate - there are no meaningful permissions set on the softhsm directory:

[root@gatekeeper ~]# ls -al /var/lib/softhsm/
total 4
drwxr-x---.  3 ods  ods    20 May  6  2021 .
drwxr-xr-x. 42 root root 4096 Nov 20 08:24 ..
drwxrwx--T.  3 ods  ods    50 May  6  2021 tokens

[root@gatekeeper ~]# ls -al /var/lib/softhsm/tokens/
total 4
drwxrwx--T. 3 ods  ods    50 May  6  2021 .
drwxr-x---. 3 ods  ods    20 May  6  2021 ..
drwx------. 2 root root 4096 Nov 29 18:21 2f6dd39f-ddc9-d647-4dbd-a11886be9cd2

Softhsm should have a group of its own, and by default daemons that support PKCS11 should automatically be a member of the group.

The directory should have the setgid bit set, so that tokens created by one user aren't invisible to others.

Version-Release number of selected component (if applicable):

2.6.1

How reproducible:

Always

Steps to Reproduce:
1. Install a key into softhsm as root.
2. Attempt to access this key using httpd and SSLCertificateKey pkcs11:[url-of-key]

Actual results:

Client failure as follows:

curl: (35) error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error

Server log entry as follows:

Could not open the file (Permission denied): 

Expected results:

Successful connection.

Additional info:

Comment 1 Alexander Bokovoy 2021-11-29 17:44:33 UTC
SoftHSM in EPEL8 cannot deviate in its packaging from RHEL. The only reason why it exists in EPEL8 is to allow building against it without enabling the RHEL IdM module idm:DL1 stream (which is not enabled by default, thus cannot be used for building EPEL packages directly).

In RHEL, SoftHSM is provided exclusively to be used with RHEL IdM to provide DNSSEC setup, and RHEL IdM does configure SoftHSM to use its own environment.

If you want to use SoftHSM for something else, you can configure it for your own environment using environment variables and configuration files. It is practically impossible to make defaults fit all use cases.

Please see README.md in the package documentation for the details and how to set your own environment.
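
One way to set up the separate environment Comment 1 describes, as an added example that is not part of the bug report or the softhsm package: a token store owned by the service account, plus a check for the root-owned token directory shown in the description. The function names, the base path and the account names in the comments are assumptions; `directories.tokendir`, `objectstore.backend`, `log.level` and `SOFTHSM2_CONF` are SoftHSM v2's own configuration keys and environment variable.

```shell
#!/bin/sh
# Added example: private SoftHSM v2 environment for one service, so the
# daemon does not depend on the permissions of /var/lib/softhsm/tokens.

# setup_softhsm_env BASE USER GROUP
# Creates BASE/tokens and BASE/softhsm2.conf, owned by USER:GROUP and
# closed to everyone else. Prints the path of the config file.
setup_softhsm_env() {
    base=$1 user=$2 group=$3
    conf="$base/softhsm2.conf"
    tokens="$base/tokens"

    mkdir -p "$tokens" || return 1
    chown "$user:$group" "$base" "$tokens" || return 1
    chmod 0700 "$base" "$tokens" || return 1

    # Point SoftHSM at the private token directory.
    cat > "$conf" <<EOF || return 1
directories.tokendir = $tokens
objectstore.backend = file
log.level = INFO
EOF
    chown "$user:$group" "$conf" || return 1
    chmod 0600 "$conf" || return 1
    printf '%s\n' "$conf"
}

# tokens_not_owned_by BASE USER
# Lists token files and directories under BASE/tokens that USER does not
# own, e.g. a token initialised as root (the drwx------ root root entry
# in the report). Empty output means the service can read its store.
tokens_not_owned_by() {
    find "$1/tokens" ! -user "$2" -print
}

# Typical use (assumed path and account, run as root):
#   conf=$(setup_softhsm_env /var/lib/httpd-softhsm apache apache)
# Then initialise the token as the service account with
#   SOFTHSM2_CONF=$conf softhsm2-util --init-token ...
# and export the same SOFTHSM2_CONF in the environment httpd starts with.
```

Initialising the token as the service account matters because the token directory in the report was created mode 0700 by the user that ran the tool, which is what locked httpd out.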

