On Thu, Apr 13, 2023 at 09:25:54AM +0200, Robin van der Gracht wrote: > Hi Michael, > > On 12-04-2023 08:28, Michael Olbrich wrote: > > On Thu, Apr 06, 2023 at 04:50:14PM +0200, Robin van der Gracht wrote: > > > Signed-off-by: Robin van der Gracht <ro...@protonic.nl> > > > > With this update pkcs11-tool (from host-opensc) does not work correctly any > > more. I'm getting "error: OpenSSL error during RSA private key parsing" and > > then a segfault. For example with the host-ptx-code-signing-dev package. > > I'm not sure what's wrong here. > > I'm not seeing this error with our setup but we're on 2023.02.0 with openssl > 1.1.1t.
So probably an issue with OpenSSL 3.x > I did notice a fix for RSA key imports in the opensc repository shortly > after version 0.23.0 was released. I've created a ptxdist patch that > includes that patch. It's attached to this email. > > Can you verify if this fixes the error? > > Kind regards, > Robin > From 7c85dd2c365031bc793cac7ba29ac67e5105e144 Mon Sep 17 00:00:00 2001 > From: Robin van der Gracht <ro...@protonic.nl> > Date: Thu, 13 Apr 2023 09:18:00 +0200 > Subject: [PATCH] opensc: Add patch that fixes RSA private key imports > > Signed-off-by: Robin van der Gracht <ro...@protonic.nl> > --- > ...1-pkcs11-tool-Fix-private-key-import.patch | 32 +++++++++++++++++++ > patches/OpenSC-0.23.0/series | 1 + > 2 files changed, 33 insertions(+) > create mode 100644 > patches/OpenSC-0.23.0/0001-pkcs11-tool-Fix-private-key-import.patch > create mode 100644 patches/OpenSC-0.23.0/series > > diff --git > a/patches/OpenSC-0.23.0/0001-pkcs11-tool-Fix-private-key-import.patch > b/patches/OpenSC-0.23.0/0001-pkcs11-tool-Fix-private-key-import.patch > new file mode 100644 > index 000000000..a58fc69a4 > --- /dev/null > +++ b/patches/OpenSC-0.23.0/0001-pkcs11-tool-Fix-private-key-import.patch > @@ -0,0 +1,32 @@ > +From 9294183e07ff4944e3f5e590f343f5727636767e Mon Sep 17 00:00:00 2001 > +From: Jakub Jelen <jje...@redhat.com> > +Date: Thu, 1 Dec 2022 20:08:53 +0100 > +Subject: [PATCH] pkcs11-tool: Fix private key import > + > +--- > + src/tools/pkcs11-tool.c | 4 ++-- > + 1 file changed, 2 insertions(+), 2 deletions(-) > + > +diff --git a/src/tools/pkcs11-tool.c b/src/tools/pkcs11-tool.c > +index aae205fe..cfee8526 100644 > +--- a/src/tools/pkcs11-tool.c > ++++ b/src/tools/pkcs11-tool.c > +@@ -3669,13 +3669,13 @@ parse_rsa_pkey(EVP_PKEY *pkey, int private, struct > rsakey_info *rsa) > + RSA_get0_factors(r, &r_p, &r_q); > + RSA_get0_crt_params(r, &r_dmp1, &r_dmq1, &r_iqmp); > + #else > +- if (EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_FACTOR1, > &r_d) != 1 || > ++ if (EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_D, &r_d) != > 1 || > + EVP_PKEY_get_bn_param(pkey, > OSSL_PKEY_PARAM_RSA_FACTOR1, &r_p) != 1 || > + EVP_PKEY_get_bn_param(pkey, > OSSL_PKEY_PARAM_RSA_FACTOR2, &r_q) != 1 || > + EVP_PKEY_get_bn_param(pkey, > OSSL_PKEY_PARAM_RSA_EXPONENT1, &r_dmp1) != 1 || > + EVP_PKEY_get_bn_param(pkey, > OSSL_PKEY_PARAM_RSA_EXPONENT2, &r_dmq1) != 1 || > +- EVP_PKEY_get_bn_param(pkey, > OSSL_PKEY_PARAM_RSA_EXPONENT3, &r_iqmp) != 1) { > + util_fatal("OpenSSL error during RSA private key > parsing"); > ++ EVP_PKEY_get_bn_param(pkey, > OSSL_PKEY_PARAM_RSA_COEFFICIENT1, &r_iqmp) != 1) { This is broken. Probably a bad conflict resolution. The next upstream commit fixes this. So far it looks promising. I'll do some more testing and clean it up. Regards, Michael > + } > + #endif > + RSA_GET_BN(rsa, private_exponent, r_d); > +-- > +2.37.2 > + > diff --git a/patches/OpenSC-0.23.0/series b/patches/OpenSC-0.23.0/series > new file mode 100644 > index 000000000..ebefe3cd1 > --- /dev/null > +++ b/patches/OpenSC-0.23.0/series > @@ -0,0 +1 @@ > +0001-pkcs11-tool-Fix-private-key-import.patch > -- > 2.37.2 > -- Pengutronix e.K. | | Steuerwalder Str. 21 | http://www.pengutronix.de/ | 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 | Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |