Wrong certificate returned if multiple certs have same label but different ID

Bug #1964141 reported by Graham Leggett
Affects            Status        Importance  Assigned to       Milestone
libp11             Fix Released  Unknown
libp11 (Ubuntu)    Fix Released  Medium      Andreas Hasenack
  Jammy            Confirmed     Low         Unassigned
  Kinetic          Fix Released  Medium      Andreas Hasenack

Bug Description

Right now, when an attempt is made to store two certificates on a smartcard, where the IDs of the certs are the same but the labels are not, or the labels are the same but the IDs are not, the wrong certificate is selected, one that does not match the key. This typically happens when a certificate is renewed and the smartcard (possibly a software smartcard) contains both the old cert and the new cert. In this case the IDs may be the same.

Fixed upstream here:

https://github.com/OpenSC/libp11/pull/433

When ID and label are specified, both need to match, not either.

To fix this, id-match OR label-match was replaced with id-match AND label-match.

A tiebreak was added when multiple matching certificates could be returned. The certificate with the latest expiry wins, and if we still have a tie we deterministically choose a certificate using X509_cmp().

If we do not specify a certificate, we return the first certificate (or first certificate with an ID) as before.

Debug logging updated to show the expiry date used in the decision.
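
The selection rule described above, modelled in Python as an added example (this is not libp11's own code; the record fields obj_id/label/not_after/der and the sha1-of-DER stand-in for X509_cmp() are assumptions of the model). It puts the old "id OR label" match beside the fixed "id AND label" match with the expiry tiebreak, using constructed token contents that mirror the two-key, empty-label layout from the report and a renewed-in-place certificate:

```python
"""Model of the libp11 certificate-selection fix from PR #433.

Added example, not libp11's own code: the selection rule from the bug
description is reimplemented over constructed certificate records so the
old "id OR label" match can be compared with the fixed "id AND label"
match and its expiry/X509_cmp() tiebreak without a token.  Record fields
and the sha1-of-DER stand-in for X509_cmp() are assumptions of this model.
"""
import hashlib
from dataclasses import dataclass
from datetime import datetime
from typing import Optional, Sequence


@dataclass(frozen=True)
class Cert:
    obj_id: bytes        # CKA_ID
    label: str           # CKA_LABEL; "" and absent are treated alike
    not_after: datetime  # notAfter, used for the tiebreak
    der: bytes           # constructed stand-in for the DER encoding


def _x509_cmp(a: Cert, b: Cert) -> int:
    """Stand-in for OpenSSL X509_cmp(): any total order works, it only has
    to be deterministic so repeated lookups return the same certificate."""
    ha, hb = hashlib.sha1(a.der).digest(), hashlib.sha1(b.der).digest()
    return (ha > hb) - (ha < hb)


def _first(certs: Sequence[Cert]) -> Optional[Cert]:
    """No selector given: first cert that has an ID, else the first cert."""
    with_id = [c for c in certs if c.obj_id]
    return (with_id or list(certs) or [None])[0]


def select_cert_old(certs, obj_id=None, label=None):
    """Pre-0.4.12 behaviour: the first cert whose ID *or* label matches.
    With an empty label every unlabelled cert matches, so the ID is ignored."""
    if obj_id is None and label is None:
        return _first(certs)
    for c in certs:
        if (obj_id is not None and c.obj_id == obj_id) or \
           (label is not None and c.label == label):
            return c
    return None


def select_cert_fixed(certs, obj_id=None, label=None):
    """Behaviour after PR #433: every selector given must match; among
    several matches the latest notAfter wins, X509_cmp() order breaks a tie."""
    if obj_id is None and label is None:
        return _first(certs)
    best = None
    for c in certs:
        if obj_id is not None and c.obj_id != obj_id:
            continue
        if label is not None and c.label != label:
            continue
        if best is None or c.not_after > best.not_after or \
           (c.not_after == best.not_after and _x509_cmp(c, best) > 0):
            best = c
    return best


# Constructed token contents mirroring the listing in the report: two
# unlabelled certs belonging to two different keys (IDs 0x99 and 0x11).
TOKEN_DIFFERENT_IDS = [
    Cert(b"\x99", "", datetime(2022, 9, 3, 16, 30, 50), b"cert-for-key-99"),
    Cert(b"\x11", "", datetime(2022, 9, 3, 16, 33, 27), b"cert-for-key-11"),
]

# Constructed renewal case: old and renewed cert stored under the same
# ID and label, as happens when a certificate is renewed in place.
TOKEN_RENEWED = [
    Cert(b"\x01", "tls", datetime(2022, 1, 1), b"old-cert"),
    Cert(b"\x01", "tls", datetime(2023, 1, 1), b"renewed-cert"),
]


def demo():
    """Return the cert each rule picks for the two scenarios."""
    return {
        # the application asks for id=%11 with the empty label from a p11-kit URL
        "old_by_id":     select_cert_old(TOKEN_DIFFERENT_IDS, obj_id=b"\x11", label="").der,
        "fixed_by_id":   select_cert_fixed(TOKEN_DIFFERENT_IDS, obj_id=b"\x11", label="").der,
        "old_renewed":   select_cert_old(TOKEN_RENEWED, obj_id=b"\x01", label="tls").der,
        "fixed_renewed": select_cert_fixed(TOKEN_RENEWED, obj_id=b"\x01", label="tls").der,
    }


if __name__ == "__main__":
    for name, der in demo().items():
        print(f"{name:14s} -> {der.decode()}")
```

With the old rule, asking for id=%11 plus the empty label returns the id=%99 certificate, because the label clause matches first and short-circuits the ID; that is the "key does not match certificate" failure. With the fixed rule the same query returns the id=%11 certificate, and in the renewal case the cert with the later notAfter is chosen instead of whichever the token enumerated first.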

Tags: needs-sync


Revision history for this message
Athos Ribeiro (athos-ribeiro) wrote :

Thanks for taking the time to report this bug here, Graham.

As you already pointed out, the proper fix should go into the upstream project first.

https://github.com/OpenSC/libp11/pull/433 seems to be reviewed and approved. Once it is merged, we should be able to backport the patch as needed.

Changed in libp11 (Ubuntu):
importance: Undecided → Medium
status: New → Triaged
Changed in libp11:
status: Unknown → New
Changed in libp11:
status: New → Fix Released
Bryce Harrington (bryce)
tags: added: server-todo
Bryce Harrington (bryce) wrote :

PR 433 appears to have landed in March, but there has not been a new release yet. Tagging this server-todo for someone to examine for applicability to backport for SRU, and to consider backporting for kinetic if a new release isn't likely to be forthcoming this cycle.

Christian Ehrhardt  (paelzer) wrote :

Due to the size and complexity I'm not sure about a Jammy SRU.
But clearly it would be great to ensure picking it up for Kinetic if upstream releases something in time. Thanks Bryce for flagging this.

Changed in libp11 (Ubuntu Jammy):
status: New → Triaged
status: Triaged → Confirmed
importance: Undecided → Low
tags: added: needs-sync
removed: server-todo
Changed in libp11 (Ubuntu Kinetic):
milestone: none → ubuntu-22.08
Bryce Harrington (bryce) wrote :

Upstream released 0.4.12 a few days ago. It's not packaged by Debian yet but I confirmed it includes this fix.

Andreas Hasenack (ahasenack) wrote :

I'll take a look at this.

Changed in libp11 (Ubuntu Kinetic):
assignee: nobody → Andreas Hasenack (ahasenack)
Andreas Hasenack (ahasenack) wrote :

Hello,

I'm trying to reproduce this in jammy, but so far things are working. I tried with p11tool, pkcs11-tool, and openssl configured with a pkcs11 engine.

I don't doubt the issue exists, I'm definitely just missing something in this very complicated stack.

My testing has been around loading certificates and keys into a smart card by forcing specific labels and IDs. In particular, my last test was forcing an empty label, and different ids, and then specifying the object I want via a pkcs11 url of the form "pkcs11:id=%XX".

The bug report at https://github.com/OpenSC/libp11/issues/435 specifically mentioned the case of different IDs, but same (empty) label, so that's what I tried. That bug report doesn't show the exact commands that were being tried, nor how to produce that debug output.

What I have loaded:
$ p11tool --login --list-all
Token 'label1' with URL 'pkcs11:model=19C43A06010D0000;manufacturer=A.E.T.%20Europe%20B.V.;serial=0191001F00670608;token=label1' requires user PIN
Enter PIN:
Object 0:
 URL: pkcs11:model=19C43A06010D0000;manufacturer=A.E.T.%20Europe%20B.V.;serial=0191001F00670608;token=label1;id=%99;type=cert
 Type: X.509 Certificate (RSA-2048)
 Expires: Sat Sep 3 16:30:50 2022
 Label:
 Flags: CKA_PRIVATE;
 ID: 99

Object 1:
 URL: pkcs11:model=19C43A06010D0000;manufacturer=A.E.T.%20Europe%20B.V.;serial=0191001F00670608;token=label1;id=%11;type=cert
 Type: X.509 Certificate (RSA-2048)
 Expires: Sat Sep 3 16:33:27 2022
 Label:
 Flags: CKA_PRIVATE;
 ID: 11

Object 2:
 URL: pkcs11:model=19C43A06010D0000;manufacturer=A.E.T.%20Europe%20B.V.;serial=0191001F00670608;token=label1;id=%11;type=public
 Type: Public key (RSA-2048)
 Label:
 Flags: CKA_WRAP/UNWRAP;
 ID: 11

Object 3:
 URL: pkcs11:model=19C43A06010D0000;manufacturer=A.E.T.%20Europe%20B.V.;serial=0191001F00670608;token=label1;id=%99;type=public
 Type: Public key (RSA-2048)
 Label:
 Flags: CKA_WRAP/UNWRAP;
 ID: 99

Object 4:
 URL: pkcs11:model=19C43A06010D0000;manufacturer=A.E.T.%20Europe%20B.V.;serial=0191001F00670608;token=label1;id=%99;type=private
 Type: Private key (RSA-2048)
 Label:
 Flags: CKA_WRAP/UNWRAP; CKA_PRIVATE; CKA_SENSITIVE;
 ID: 99

Object 5:
 URL: pkcs11:model=19C43A06010D0000;manufacturer=A.E.T.%20Europe%20B.V.;serial=0191001F00670608;token=label1;id=%11;type=private
 Type: Private key (RSA-2048)
 Label:
 Flags: CKA_WRAP/UNWRAP; CKA_PRIVATE; CKA_SENSITIVE;
 ID: 11

Object 6:
 URL: pkcs11:model=19C43A06010D0000;manufacturer=A.E.T.%20Europe%20B.V.;serial=0191001F00670608;token=label1;object=User%20Pin
 Type: Unknown
 Label: User Pin
 Flags: CKA_SENSITIVE;
 ID:

Object 7:
 URL: pkcs11:model=19C43A06010D0000;manufacturer=A.E.T.%20Europe%20B.V.;serial=0191001F00670608;token=label1;object=SO%20Pin
 Type: Unknown
 Label: SO Pin
 Flags: CKA_SENSITIVE;
 ID:

Object 8:
 URL: pkcs11:model=19C43A06010D0000;manufacturer=A.E.T.%20Europe%20B.V.;serial=0191001F00670608;token=label1
 Type: Unknown
 Label:
 ID:

Filtering by id seems to work fine:
$ p11tool --login --list-all "pkcs11:id=%11"
Token 'label1' with URL 'pkcs11:model=19C43A06010D0000;manufacturer=A.E.T.%20Europe%20B.V.;serial=0191001F00670608;token=label1' requires user PIN
Enter PIN:
Ob...

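A check a practitioner would want before chasing this: does the token actually hold the ambiguous layout? The script below is an added example, not part of the bug report, libp11 or p11-kit. It parses the listing format `p11tool --list-all` prints (as quoted in the comment above) and reports certificate objects that share a label but differ in ID, or share an ID but differ in label; the SAMPLE listing is constructed from the objects quoted above, and the usage on stdin is an assumption of this script:

```python
"""Audit a p11tool --list-all listing for ambiguous certificate objects.

Added example, not part of the bug report, libp11 or p11-kit.  It parses
the listing format p11tool prints and reports certificate objects that
share a CKA_LABEL but differ in CKA_ID, or share a CKA_ID but differ in
CKA_LABEL: the token layouts under which a "match id OR label" lookup in
libp11 before 0.4.12 could hand back the wrong certificate.
Usage (assumed):  p11tool --login --list-all | python3 p11audit.py
SAMPLE is constructed from the objects quoted in the bug.
"""
import re
import sys
from collections import defaultdict

SAMPLE = """\
Token 'label1' with URL 'pkcs11:model=19C43A06010D0000;manufacturer=A.E.T.%20Europe%20B.V.;serial=0191001F00670608;token=label1' requires user PIN
Enter PIN:
Object 0:
 URL: pkcs11:model=19C43A06010D0000;manufacturer=A.E.T.%20Europe%20B.V.;serial=0191001F00670608;token=label1;id=%99;type=cert
 Type: X.509 Certificate (RSA-2048)
 Expires: Sat Sep 3 16:30:50 2022
 Label:
 Flags: CKA_PRIVATE;
 ID: 99

Object 1:
 URL: pkcs11:model=19C43A06010D0000;manufacturer=A.E.T.%20Europe%20B.V.;serial=0191001F00670608;token=label1;id=%11;type=cert
 Type: X.509 Certificate (RSA-2048)
 Expires: Sat Sep 3 16:33:27 2022
 Label:
 Flags: CKA_PRIVATE;
 ID: 11

Object 4:
 URL: pkcs11:model=19C43A06010D0000;manufacturer=A.E.T.%20Europe%20B.V.;serial=0191001F00670608;token=label1;id=%99;type=private
 Type: Private key (RSA-2048)
 Label:
 Flags: CKA_WRAP/UNWRAP; CKA_PRIVATE; CKA_SENSITIVE;
 ID: 99

Object 5:
 URL: pkcs11:model=19C43A06010D0000;manufacturer=A.E.T.%20Europe%20B.V.;serial=0191001F00670608;token=label1;id=%11;type=private
 Type: Private key (RSA-2048)
 Label:
 Flags: CKA_WRAP/UNWRAP; CKA_PRIVATE; CKA_SENSITIVE;
 ID: 11
"""


def parse_listing(text):
    """Return one dict per 'Object N:' block, keyed by the printed field names.
    The token banner, PIN prompt and blank lines are skipped."""
    objects, cur = [], None
    for line in text.splitlines():
        m = re.match(r"^Object (\d+):\s*$", line)
        if m:
            cur = {"index": int(m.group(1))}
            objects.append(cur)
            continue
        if cur is None or not line.startswith(" "):
            continue
        key, _, value = line.strip().partition(":")   # "URL: pkcs11:..." splits at the first colon
        cur[key] = value.strip()                       # "Label:" with nothing after becomes ""
    return objects


def audit(objects):
    """Group certificate objects by label and by ID and report collisions.
    An absent label and an empty label are treated alike, as PKCS#11 does."""
    certs = [o for o in objects if o.get("Type", "").startswith("X.509 Certificate")]
    key_ids = {o.get("ID", "") for o in objects if o.get("Type", "").startswith("Private key")}
    by_label, by_id = defaultdict(set), defaultdict(set)
    for c in certs:
        by_label[c.get("Label", "")].add(c.get("ID", ""))
        by_id[c.get("ID", "")].add(c.get("Label", ""))
    return {
        "same_label_diff_id": {lbl: sorted(ids) for lbl, ids in by_label.items() if len(ids) > 1},
        "same_id_diff_label": {i: sorted(lbls) for i, lbls in by_id.items() if len(lbls) > 1},
        "cert_without_key": sorted(c.get("ID", "") for c in certs if c.get("ID", "") not in key_ids),
    }


if __name__ == "__main__":
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for name, hits in audit(parse_listing(text)).items():
        print(f"{name}: {hits if hits else 'none'}")
```

On the quoted listing the only finding is the empty label shared by the certs with IDs 11 and 99, which is the layout in which a lookup that passes both an ID and the (empty) label is at risk under the old OR-match; a token where every cert has a distinct label and a distinct ID produces no findings.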

Andreas Hasenack (ahasenack) wrote (last edit):

I guess I could try next the complementary combination: different label, same id. But how do I specify a label in the pkcs11 url? Just "label=<foo>" didn't seem to work.

Andreas Hasenack (ahasenack) wrote :

Hm, the 0.4.12 release tarball is missing the detached signature:

https://github.com/OpenSC/libp11/issues/454

$ uscan
uscan: Newest version of libp11 on remote site is 0.4.12, local version is 0.4.11
uscan: => Newer package available from:
        => https://github.com/OpenSC/libp11/releases/download/libp11-0.4.12/libp11-0.4.12.tar.gz
uscan warn: In directory ., downloading
  https://github.com/OpenSC/libp11/releases/download/libp11-0.4.12/libp11-0.4.12.tar.gz.asc failed: 404 Not Found
uscan die: FAIL Checking OpenPGP signature (no signature file downloaded).

Andreas Hasenack (ahasenack) wrote :

I was also bitten by this: https://github.com/OpenSC/libp11/issues/455

So probably 0.4.12 will need that patch (I was on 0.4.11, but on openssl 3).

Graham Leggett (minfrin) wrote :

When I hit the bug, I didn’t change my config until I’d found the problem and fixed it. Didn’t want symptoms to vanish on me.

I was developing redwax-tool at the time, which was returning discovered pkcs11 URLs with empty labels (quirk of p11kit, but still valid). The correct PKCS11 URL was passed to httpd, which then picked up the other cert (with different key and different id, but same empty label because bug), resulting in error “key does not match certificate”.

Reproducing could be hard as your system may accidentally choose the correct cert, masking the problem.

A possible approach could be to add many keys, each key having one cert. All certs should have a different id corresponding to each unique key, but give them no label (no label and a blank label are the same in PKCS11, as the label is a space-padded constant-width string).

Then try to refer to each cert in turn, specifying the id and the same label. In theory, as soon as the wrong cert is matched with the given key, you'll get the system telling you the cert and key don't belong together.

Changed in libp11 (Ubuntu Kinetic):
status: Triaged → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libp11 - 0.4.12-0ubuntu1

---------------
libp11 (0.4.12-0ubuntu1) kinetic; urgency=medium

  * New upstream release: 0.4.12 (LP: #1982011)
    - Fixes wrong certificate returned if multiple certs have same label but
      different ID (LP: #1964141)
  * d/t/{control,engine-smoke}: add simple pkcs11 openssl engine smoke
    test
  * d/t/{control,engine}: a more thorough pkcs11 engine test, using a
    software-based smart card implementation (softhsm2)

 -- Andreas Hasenack <email address hidden> Thu, 18 Aug 2022 19:44:51 +0000

Changed in libp11 (Ubuntu Kinetic):
status: In Progress → Fix Released