+++ This bug was initially created as a clone of Bug #2030981 +++

Description of problem:
The pkinit hardcodes the path to the opensc-pkcs11.so module, which is not aligned to the rest of RHEL's consistent pkcs11 support, which we introduced in RHEL8:

krb5-1.19.1/src/plugins/preauth/pkinit/pkinit.h:#define PKCS11_MODNAME "opensc-pkcs11.so"

The pkinit should use p11-kit-proxy.so, which is installed by default on RHEL and which automatically loads any installed pkcs11 module on the system to simplify configuration and usage.

Version-Release number of selected component (if applicable):
current rhel8 and rhel9

How reproducible:
always

Steps to Reproduce:
0. Install and configure softhsm or any other pkcs11 module other than opensc to provide a certificate for pkinit
1. kinit -X X509_user_identity=PKCS11: ipauser1

Actual results:
The pkinit is unable to find the certificate

Expected results:
The pkinit finds the certificate (without specifying the pkcs11 module with PKCS11:module_name=/usr/lib64/libsofthsm2.so or PKCS11:module_name=/usr/lib64/p11-kit-proxy.so)

Additional info:
Similar behavior is described by the PKCS#11 URIs: https://datatracker.ietf.org/doc/html/rfc7512 and is implemented by most of the software using smart cards in the operating system, including openssh, wget, curl, libreswan, nginx, httpd, ...
https://www.redhat.com/en/blog/consistent-pkcs-11-support-red-hat-enterprise-linux-8

--- Additional comment from Alexander Bokovoy on 2022-04-04 05:56:47 UTC ---

Julien, this looks like a sensible downstream change for a define. I think we should do it both in Fedora and RHEL.
I've prepared a test setup with opencryptoki on Fedora Rawhide, but I am unable to complete pre-authentication. With the current krb5 release, the following error is raised after I enter the PIN code:

kinit: Pre-authentication failed: Preauthentication failed while getting initial credentials

But it works on Fedora 36. I used the following configuration for testing the PKCS#11 opencryptoki module: https://gitlab.com/-/snippets/2286806
I confirm that defining PKCS11_MODNAME as "p11-kit-proxy.so" and using the above configuration, it is possible to complete PKINIT pre-authentication on Fedora 36 without configuring the module library explicitly:

pkinit_identities = PKCS11::certlabel=alice.cert

While on the current version, it requires the module to be explicitly set:

pkinit_identities = PKCS11:/usr/lib64/pkcs11/libopencryptoki.so:certlabel=alice.cert
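The identity strings in the bug report ("PKCS11:", "PKCS11::certlabel=alice.cert") and in the comment above differ only in whether the module field is filled in; when it is empty, the compiled-in PKCS11_MODNAME decides which library gets loaded, which is the whole point of the change. The parser below is an added illustration, not krb5's own code: it follows the documented pkinit_identities syntax PKCS11:[module_name=]modname[:slotid=...][:token=...][:certid=...][:certlabel=...] and reports which module would be dlopen'ed for a given build default. The two default values are the ones named in this thread; treating certid as hex and the empty-module fallback as equivalent to an absent module_name are assumptions about krb5's parser made for this example.

```python
"""Illustrative parser for krb5 pkinit_identities PKCS11: strings.

Added example, not krb5 code. Shows how the build-time default module
(PKCS11_MODNAME) is substituted when the identity string names no module.
"""
from dataclasses import dataclass
from typing import Optional

# Values discussed in the bug: the historical hardcoded default and the
# p11-kit proxy that Fedora/RHEL switched to.
LEGACY_DEFAULT_MODULE = "opensc-pkcs11.so"
P11KIT_PROXY_MODULE = "p11-kit-proxy.so"

KNOWN_KEYS = {"module_name", "slotid", "token", "certid", "certlabel"}


@dataclass
class Pkcs11Identity:
    module_name: str
    module_is_default: bool          # True when no module was given in the string
    slotid: Optional[int] = None
    token: Optional[str] = None
    certid: Optional[bytes] = None   # CKA_ID, assumed hex-encoded in the string
    certlabel: Optional[str] = None


def parse_pkcs11_identity(spec: str,
                          default_module: str = LEGACY_DEFAULT_MODULE) -> Pkcs11Identity:
    """Parse 'PKCS11:...' into its parts, filling in the default module.

    The first colon-separated field may be a bare module path; every other
    field must be key=value. Empty fields (as in 'PKCS11::certlabel=x') are
    skipped, so the module falls back to default_module.
    """
    prefix = "PKCS11:"
    if not spec.startswith(prefix):
        raise ValueError(f"not a PKCS11 identity: {spec!r}")

    opts = {}
    for index, field in enumerate(spec[len(prefix):].split(":")):
        if field == "":
            continue
        if "=" not in field:
            if index == 0:
                opts["module_name"] = field   # bare first field is the module
                continue
            raise ValueError(f"malformed option {field!r} in {spec!r}")
        key, value = field.split("=", 1)
        if key not in KNOWN_KEYS:
            raise ValueError(f"unknown option {key!r} in {spec!r}")
        if key in opts:
            raise ValueError(f"duplicate option {key!r} in {spec!r}")
        opts[key] = value

    module = opts.get("module_name")
    return Pkcs11Identity(
        module_name=module if module is not None else default_module,
        module_is_default=module is None,
        slotid=int(opts["slotid"]) if "slotid" in opts else None,
        token=opts.get("token"),
        certid=bytes.fromhex(opts["certid"]) if "certid" in opts else None,
        certlabel=opts.get("certlabel"),
    )


def module_for_each_default(spec: str) -> dict:
    """Which library the same identity string selects under each build default."""
    return {
        default: parse_pkcs11_identity(spec, default).module_name
        for default in (LEGACY_DEFAULT_MODULE, P11KIT_PROXY_MODULE)
    }


if __name__ == "__main__":
    # The strings from the bug report and the comment above.
    for spec in ("PKCS11:",
                 "PKCS11::certlabel=alice.cert",
                 "PKCS11:/usr/lib64/pkcs11/libopencryptoki.so:certlabel=alice.cert"):
        print(spec, "->", module_for_each_default(spec))
```

With the legacy default, "PKCS11::certlabel=alice.cert" loads opensc-pkcs11.so and silently ignores a SoftHSM or opencryptoki token; with p11-kit-proxy.so as the default, the same string reaches every module p11-kit has registered. An explicit module path is honoured identically under both defaults.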
@jjelen are you aware of any known issue with opencryptoki on Fedora Rawhide? Could it be related to the upgrade from OpenSSL 1.1 to 3.0?
Sounds like opencryptoki is broken now, most probably because of OpenSSL changes. I would suggest you try SoftHSM, which looks to be working for me just fine in both Fedora 26 and rawhide.
We did some tests and it works with SoftHSM indeed, but it requires the CA certificate to be configured as a file in krb5.conf with "pkinit_anchors". The issue is when both the CA and the user certificates (and private key) are imported into the module: pre-authentication fails:

kinit -X X509_user_identity='PKCS11::certlabel=alice.cert' -X X509_anchors='PKCS11::certlabel=ca.cert' alice
...
[7818] 1649688775.627891: Preauth module pkinit (147) (info) returned: 0/Success
[7818] 1649688775.627892: PKINIT client received freshness token from KDC
[7818] 1649688775.627893: Preauth module pkinit (150) (info) returned: 0/Success
swvtoken PIN:
[7818] 1649688778.984875: PKINIT client has no configured identity; giving up
[7818] 1649688778.984876: Preauth module pkinit (16) (real) returned: 95/Operation not supported
...
The CA certificate is usually not located in the token (pkcs11 module) so I think this would be a low-priority issue if you would like to solve it. The CA certificate/bundle is usually a file as reading it from the external hardware does not add any security but just makes things even slower than needed.
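The configuration the thread converges on, as an added example (not taken from the bug's attached snippet): trust anchors come from a file, and the user identity comes from whatever token p11-kit knows about. The realm name, the anchor path and the certificate label are placeholders; the proxy path is the one named in the bug report.

```ini
[realms]
    EXAMPLE.COM = {
        ; Anchors stay on disk: a CA bundle in the token adds nothing and is slower.
        pkinit_anchors = FILE:/etc/pki/pkinit/ca.pem

        ; Pre-fix builds (PKCS11_MODNAME = opensc-pkcs11.so): the module must be named,
        ; otherwise only OpenSC-backed tokens are searched.
        pkinit_identities = PKCS11:module_name=/usr/lib64/p11-kit-proxy.so:certlabel=alice.cert

        ; Fixed builds (PKCS11_MODNAME = p11-kit-proxy.so): the module field can be left empty
        ; and every module registered with p11-kit is searched for the label.
        ; pkinit_identities = PKCS11::certlabel=alice.cert
    }
```

Only one pkinit_identities line should be active; the commented variant is the form that works once the default module is the p11-kit proxy. X509_anchors pointing into the token (the failing case above) is deliberately not used.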
Okay, if this is not a requirement I suppose we can proceed. I opened a PR for Rawhide: https://src.fedoraproject.org/rpms/krb5/pull-request/12
I will open a PR upstream to configure the default PKCS#11 module as a build parameter instead.
Upstream pull request: https://github.com/krb5/krb5/pull/1246
Upstream PR merged: https://github.com/krb5/krb5/commit/855c715e90f4f115e77136f42b4570c03d325cae
The patch[1] is ready to be submitted, but I will wait for the currently open rawhide PR[2] to be merged to do so.

[1] https://src.fedoraproject.org/fork/jrische/rpms/krb5/c/893f1af99311296bb07c182f9ea6195140b3c2d9?branch=rawhide
[2] https://src.fedoraproject.org/rpms/krb5/pull-request/13
FEDORA-2022-4ab4a17207 has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2022-4ab4a17207
FEDORA-2022-4ab4a17207 has been pushed to the Fedora 37 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-2022-f277d02a73 has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2022-f277d02a73
FEDORA-2022-f277d02a73 has been pushed to the Fedora 36 testing repository. Soon you'll be able to install the update with the following command:

`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2022-f277d02a73`

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-f277d02a73

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2022-f277d02a73 has been pushed to the Fedora 36 stable repository. If problem still persists, please make note of it in this bug report.