** Description changed:

  [Impact]

  p11tool, which is part of gnutls-bin, currently has a bug when trying to query pkcs11 objects that share the same URI. When objects share the same URI, p11tool will return the same information for all these objects, which includes the encryption algorithm used as well as the expiration date for certificates.

  The bug has been reported upstream:
  https://gitlab.com/gnutls/gnutls/-/work_items/1467

  And I have opened an MR to fix the issue:
  https://gitlab.com/gnutls/gnutls/-/merge_requests/2074

  The fix consists of 5 commits but only 3 are required for Ubuntu, since one fixes an unrelated dangling pointer and another one will be applied directly inside the debian folder, avoiding the need for a quilt patch.

  [Test Plan]

  The test plan is based on the upstream issue but adapted for Ubuntu.

  1. Install gnutls-bin, softhsm2 and opensc. The last two are required to create pkcs11 objects.
- $ sudo apt install gnutls-bin softhsm2 opensc
+ $ sudo apt install gnutls-bin softhsm2 opensc

  In the same directory, follow the next steps. This is needed since we are defining the current directory as the token directory in step 1.

  2. $ echo 'directories.tokendir = .' > softhsm2.conf

  3. $ export SOFTHSM2_CONF=softhsm2.conf

  4. $ softhsm2-util --init-token --slot 0 --so-pin 1234 --pin 123456 --label Token1

  5. Next up, create two tokens with the same label for them to have the same URI. Each token will have a different encryption algorithm, rsa1024 and Elliptic Curve prime256v1:

  $ pkcs11-tool --module /usr/lib/softhsm/libsofthsm2.so --keypairgen --token-label Token1 --label OpenDNSSEC1 --pin 123456 -v --key-type rsa:1024
  $ pkcs11-tool --module /usr/lib/softhsm/libsofthsm2.so --keypairgen --token-label Token1 --label OpenDNSSEC1 --pin 123456 -v --key-type EC:prime256v1

  6. Finally, list the tokens with p11tool:

  $ p11tool --list-all pkcs11:model=SoftHSM%20v2

  Currently in Ubuntu, the following output will be seen:

  Object 0:
- URL: pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=655f3fc5283853cc;token=Token1;object=OpenDNSSEC1;type=public
- Type: Public key (RSA-1024)
- Label: OpenDNSSEC1
- Flags: CKA_WRAP/UNWRAP;
- ID:
+ URL: pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=655f3fc5283853cc;token=Token1;object=OpenDNSSEC1;type=public
+ Type: Public key (RSA-1024)
+ Label: OpenDNSSEC1
+ Flags: CKA_WRAP/UNWRAP;
+ ID:
  Object 1:
- URL: pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=655f3fc5283853cc;token=Token1;object=OpenDNSSEC1;type=public
- Type: Public key (RSA-1024)
- Label: OpenDNSSEC1
- Flags: CKA_WRAP/UNWRAP;
- ID:
+ URL: pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=655f3fc5283853cc;token=Token1;object=OpenDNSSEC1;type=public
+ Type: Public key (RSA-1024)
+ Label: OpenDNSSEC1
+ Flags: CKA_WRAP/UNWRAP;
+ ID:

  This shows that both entries have a key type of RSA-1024, which we know is wrong since one of the objects we created is EC:prime256v1.

  The correct output should be:

- Object 0:
- URL: pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=655f3fc5283853cc;token=Token1;object=OpenDNSSEC1;type=public
- Type: Public key (RSA-1024)
- Label: OpenDNSSEC1
- Flags: CKA_WRAP/UNWRAP;
- ID:
+ URL: pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=655f3fc5283853cc;token=Token1;object=OpenDNSSEC1;type=public
+ Type: Public key (RSA-1024)
+ Label: OpenDNSSEC1
+ Flags: CKA_WRAP/UNWRAP;
+ ID:
  Object 1:
- URL: pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=655f3fc5283853cc;token=Token1;object=OpenDNSSEC1;type=public
- Type: Public key (EC/ECDSA-SECP256R1)
- Label: OpenDNSSEC1
- Flags: CKA_WRAP/UNWRAP;
- ID:
+ URL: pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=655f3fc5283853cc;token=Token1;object=OpenDNSSEC1;type=public
+ Type: Public key (EC/ECDSA-SECP256R1)
+ Label: OpenDNSSEC1
+ Flags: CKA_WRAP/UNWRAP;
+ ID:

  [ Where problems could occur ]

  * Since the patch affects how information about pkcs11 objects is retrieved using low level pkcs11 calls, there is a possibility that this code path fails, resulting in no PKCS11 objects being listed.
- * Since the patches also change how p11tool fetches data from searching objects using the URI to iterating over pkcs11 objects, there is a chance that p11tool fails to list all objects.
+ * Since p11tool is using a different function to fetch pkcs11 objects, there is a chance that some objects would be missing when querying the pkcs11 module with p11tool.
+ * The order of pkcs11 objects being printed might be different since the code changes p11tool to iterate over the pkcs11 objects instead of querying them through a URL.
-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2150202

Title:
  p11tool returns duplicate entries when pkcs URIs are the same for multiple pkcs11 objects

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnutls28/+bug/2150202/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
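The test plan in the bug description above ends with a visual comparison of two p11tool listings. The script below is an added example, not part of the bug report or of gnutls: it automates steps 1 to 6 in a scratch directory and turns the comparison into a pass/fail check by counting how many distinct "Type:" values p11tool reports for the public-key objects that share the label OpenDNSSEC1 (one with the bug, two with the fix). The tool names, module path, PINs and labels are those from the test plan; the function names, the environment variable P11_RUN and the return-code convention are assumptions of this example, and the two embedded listings are copies of the output quoted in the report so the checker can be exercised without a token.

```shell
#!/bin/sh
# Added example, not part of the bug report: automates the test plan above
# and checks the outcome instead of eyeballing it. Tool names, module path,
# PINs and labels are the ones from the report; the function names are mine.

# Path used by the test plan for the SoftHSM v2 PKCS#11 module (assumption:
# Ubuntu's softhsm2 package installs it here).
SOFTHSM_MODULE=/usr/lib/softhsm/libsofthsm2.so

# Reads "p11tool --list-all" output on stdin and prints how many distinct
# "Type:" values were reported for public-key objects whose URL carries
# object=<label>. With the bug both objects labelled OpenDNSSEC1 are
# reported as RSA-1024, so the count is 1; with the fix one is RSA-1024 and
# the other EC/ECDSA-SECP256R1, so the count is 2.
count_distinct_types() {
    label=$1
    awk -v label="$label" '
        /^ *Object [0-9]+:/ { inobj = 0 }
        /URL:/ && index($0, "object=" label ";") && index($0, "type=public") { inobj = 1 }
        inobj && /Type:/ { sub(/.*Type: */, ""); types[$0] = 1; inobj = 0 }
        END { n = 0; for (t in types) n++; print n }
    '
}

# Listing quoted in the bug report for the buggy p11tool (constructed sample,
# copied from the report, so the checker can be exercised without a token).
sample_output_buggy() {
    cat <<'EOF'
Object 0:
        URL: pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=655f3fc5283853cc;token=Token1;object=OpenDNSSEC1;type=public
        Type: Public key (RSA-1024)
        Label: OpenDNSSEC1
        Flags: CKA_WRAP/UNWRAP;
        ID:
Object 1:
        URL: pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=655f3fc5283853cc;token=Token1;object=OpenDNSSEC1;type=public
        Type: Public key (RSA-1024)
        Label: OpenDNSSEC1
        Flags: CKA_WRAP/UNWRAP;
        ID:
EOF
}

# The listing the report says a fixed p11tool should produce (same caveat).
sample_output_fixed() {
    cat <<'EOF'
Object 0:
        URL: pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=655f3fc5283853cc;token=Token1;object=OpenDNSSEC1;type=public
        Type: Public key (RSA-1024)
        Label: OpenDNSSEC1
        Flags: CKA_WRAP/UNWRAP;
        ID:
Object 1:
        URL: pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=655f3fc5283853cc;token=Token1;object=OpenDNSSEC1;type=public
        Type: Public key (EC/ECDSA-SECP256R1)
        Label: OpenDNSSEC1
        Flags: CKA_WRAP/UNWRAP;
        ID:
EOF
}

# Runs steps 1-6 of the test plan in a scratch directory. Returns 0 when the
# two OpenDNSSEC1 objects are reported with different key types (fixed
# p11tool), 1 when they are reported identically (buggy p11tool), 2 when the
# required tools are not installed or token setup fails.
run_test_plan() {
    for tool in softhsm2-util pkcs11-tool p11tool; do
        command -v "$tool" >/dev/null 2>&1 || { echo "missing $tool" >&2; return 2; }
    done
    workdir=$(mktemp -d) || return 2
    (
        cd "$workdir" || exit 2
        echo 'directories.tokendir = .' > softhsm2.conf
        export SOFTHSM2_CONF=softhsm2.conf
        softhsm2-util --init-token --slot 0 --so-pin 1234 --pin 123456 --label Token1 >/dev/null || exit 2
        pkcs11-tool --module "$SOFTHSM_MODULE" --keypairgen --token-label Token1 \
            --label OpenDNSSEC1 --pin 123456 --key-type rsa:1024 >/dev/null || exit 2
        pkcs11-tool --module "$SOFTHSM_MODULE" --keypairgen --token-label Token1 \
            --label OpenDNSSEC1 --pin 123456 --key-type EC:prime256v1 >/dev/null || exit 2
        n=$(p11tool --list-all 'pkcs11:model=SoftHSM%20v2' | count_distinct_types OpenDNSSEC1)
        echo "distinct public-key types reported for label OpenDNSSEC1: $n"
        [ "$n" -eq 2 ]
    )
    status=$?
    rm -rf "$workdir"
    return $status
}

# Set P11_RUN=1 to run the live reproducer; otherwise only the functions are
# defined, so the script can be sourced and count_distinct_types reused.
if [ "${P11_RUN:-0}" = 1 ]; then
    run_test_plan
fi
```

Run it as `P11_RUN=1 sh p11tool-check.sh` on the package under test: exit status 1 reproduces the bug, 0 confirms the fix. Because the checker keys on the URL rather than on the position of each object, it is not disturbed by the reordering the "Where problems could occur" section warns about, and a result of 0 distinct types would flag the other regression listed there, objects missing from the listing.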
