On Thu, Apr 13, 2023 at 09:25:54AM +0200, Robin van der Gracht wrote:
> Hi Michael,
>
> On 12-04-2023 08:28, Michael Olbrich wrote:
> > On Thu, Apr 06, 2023 at 04:50:14PM +0200, Robin van der Gracht wrote:
> > > Signed-off-by: Robin van der Gracht <ro...@protonic.nl>
> >
> > With this update pkcs11-tool (from host-opensc) does not work correctly any
> > more. I'm getting "error: OpenSSL error during RSA private key parsing" and
> > then a segfault. For example with the host-ptx-code-signing-dev package.
> > I'm not sure what's wrong here.
>
> I'm not seeing this error with our setup but we're on 2023.02.0 with openssl
> 1.1.1t.
So probably an issue with OpenSSL 3.x
> I did notice a fix for RSA key imports in the opensc repository shortly
> after version 0.23.0 was released. I've created a ptxdist patch that
> includes that patch. It's attached to this email.
>
> Can you verify if this fixes the error?
>
> Kind regards,
> Robin
> From 7c85dd2c365031bc793cac7ba29ac67e5105e144 Mon Sep 17 00:00:00 2001
> From: Robin van der Gracht <ro...@protonic.nl>
> Date: Thu, 13 Apr 2023 09:18:00 +0200
> Subject: [PATCH] opensc: Add patch that fixes RSA private key imports
>
> Signed-off-by: Robin van der Gracht <ro...@protonic.nl>
> ---
> ...1-pkcs11-tool-Fix-private-key-import.patch | 32 +++++++++++++++++++
> patches/OpenSC-0.23.0/series | 1 +
> 2 files changed, 33 insertions(+)
> create mode 100644
> patches/OpenSC-0.23.0/0001-pkcs11-tool-Fix-private-key-import.patch
> create mode 100644 patches/OpenSC-0.23.0/series
>
> diff --git
> a/patches/OpenSC-0.23.0/0001-pkcs11-tool-Fix-private-key-import.patch
> b/patches/OpenSC-0.23.0/0001-pkcs11-tool-Fix-private-key-import.patch
> new file mode 100644
> index 000000000..a58fc69a4
> --- /dev/null
> +++ b/patches/OpenSC-0.23.0/0001-pkcs11-tool-Fix-private-key-import.patch
> @@ -0,0 +1,32 @@
> +From 9294183e07ff4944e3f5e590f343f5727636767e Mon Sep 17 00:00:00 2001
> +From: Jakub Jelen <jje...@redhat.com>
> +Date: Thu, 1 Dec 2022 20:08:53 +0100
> +Subject: [PATCH] pkcs11-tool: Fix private key import
> +
> +---
> + src/tools/pkcs11-tool.c | 4 ++--
> + 1 file changed, 2 insertions(+), 2 deletions(-)
> +
> +diff --git a/src/tools/pkcs11-tool.c b/src/tools/pkcs11-tool.c
> +index aae205fe..cfee8526 100644
> +--- a/src/tools/pkcs11-tool.c
> ++++ b/src/tools/pkcs11-tool.c
> +@@ -3669,13 +3669,13 @@ parse_rsa_pkey(EVP_PKEY *pkey, int private, struct
> rsakey_info *rsa)
> + RSA_get0_factors(r, &r_p, &r_q);
> + RSA_get0_crt_params(r, &r_dmp1, &r_dmq1, &r_iqmp);
> + #else
> +- if (EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_FACTOR1,
> &r_d) != 1 ||
> ++ if (EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_D, &r_d) !=
> 1 ||
> + EVP_PKEY_get_bn_param(pkey,
> OSSL_PKEY_PARAM_RSA_FACTOR1, &r_p) != 1 ||
> + EVP_PKEY_get_bn_param(pkey,
> OSSL_PKEY_PARAM_RSA_FACTOR2, &r_q) != 1 ||
> + EVP_PKEY_get_bn_param(pkey,
> OSSL_PKEY_PARAM_RSA_EXPONENT1, &r_dmp1) != 1 ||
> + EVP_PKEY_get_bn_param(pkey,
> OSSL_PKEY_PARAM_RSA_EXPONENT2, &r_dmq1) != 1 ||
> +- EVP_PKEY_get_bn_param(pkey,
> OSSL_PKEY_PARAM_RSA_EXPONENT3, &r_iqmp) != 1) {
> + util_fatal("OpenSSL error during RSA private key
> parsing");
> ++ EVP_PKEY_get_bn_param(pkey,
> OSSL_PKEY_PARAM_RSA_COEFFICIENT1, &r_iqmp) != 1) {
This is broken. Probably a bad conflict resolution. The next upstream
commit fixes this. So far it looks promising. I'll do some more testing and
clean it up.
Regards,
Michael
> + }
> + #endif
> + RSA_GET_BN(rsa, private_exponent, r_d);
> +--
> +2.37.2
> +
> diff --git a/patches/OpenSC-0.23.0/series b/patches/OpenSC-0.23.0/series
> new file mode 100644
> index 000000000..ebefe3cd1
> --- /dev/null
> +++ b/patches/OpenSC-0.23.0/series
> @@ -0,0 +1 @@
> +0001-pkcs11-tool-Fix-private-key-import.patch
> --
> 2.37.2
>
--
Pengutronix e.K. | |
Steuerwalder Str. 21 | http://www.pengutronix.de/ |
31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
