Comment 6 for bug 1964141

Andreas Hasenack (ahasenack) wrote :

Hello,

I'm trying to reproduce this in jammy, but so far things are working. I tried with p11tool, pkcs11-tool, and openssl configured with a pkcs11 engine.

I don't doubt the issue exists, I'm definitely just missing something in this very complicated stack.

My testing has been around loading certificates and keys into a smart card by forcing specific labels and IDs. In particular, my last test was forcing an empty label, and different ids, and then specifying the object I want via a pkcs11 url of the form "pkcs11:id=%XX".

The bug report at https://github.com/OpenSC/libp11/issues/435 specifically mentioned the case of different IDs, but same (empty) label, so that's what I tried. That bug report doesn't show the exact commands that were being tried, nor how to produce that debug output.

What I have loaded:
$ p11tool --login --list-all
Token 'label1' with URL 'pkcs11:model=19C43A06010D0000;manufacturer=A.E.T.%20Europe%20B.V.;serial=0191001F00670608;token=label1' requires user PIN
Enter PIN:
Object 0:
 URL: pkcs11:model=19C43A06010D0000;manufacturer=A.E.T.%20Europe%20B.V.;serial=0191001F00670608;token=label1;id=%99;type=cert
 Type: X.509 Certificate (RSA-2048)
 Expires: Sat Sep 3 16:30:50 2022
 Label:
 Flags: CKA_PRIVATE;
 ID: 99

Object 1:
 URL: pkcs11:model=19C43A06010D0000;manufacturer=A.E.T.%20Europe%20B.V.;serial=0191001F00670608;token=label1;id=%11;type=cert
 Type: X.509 Certificate (RSA-2048)
 Expires: Sat Sep 3 16:33:27 2022
 Label:
 Flags: CKA_PRIVATE;
 ID: 11

Object 2:
 URL: pkcs11:model=19C43A06010D0000;manufacturer=A.E.T.%20Europe%20B.V.;serial=0191001F00670608;token=label1;id=%11;type=public
 Type: Public key (RSA-2048)
 Label:
 Flags: CKA_WRAP/UNWRAP;
 ID: 11

Object 3:
 URL: pkcs11:model=19C43A06010D0000;manufacturer=A.E.T.%20Europe%20B.V.;serial=0191001F00670608;token=label1;id=%99;type=public
 Type: Public key (RSA-2048)
 Label:
 Flags: CKA_WRAP/UNWRAP;
 ID: 99

Object 4:
 URL: pkcs11:model=19C43A06010D0000;manufacturer=A.E.T.%20Europe%20B.V.;serial=0191001F00670608;token=label1;id=%99;type=private
 Type: Private key (RSA-2048)
 Label:
 Flags: CKA_WRAP/UNWRAP; CKA_PRIVATE; CKA_SENSITIVE;
 ID: 99

Object 5:
 URL: pkcs11:model=19C43A06010D0000;manufacturer=A.E.T.%20Europe%20B.V.;serial=0191001F00670608;token=label1;id=%11;type=private
 Type: Private key (RSA-2048)
 Label:
 Flags: CKA_WRAP/UNWRAP; CKA_PRIVATE; CKA_SENSITIVE;
 ID: 11

Object 6:
 URL: pkcs11:model=19C43A06010D0000;manufacturer=A.E.T.%20Europe%20B.V.;serial=0191001F00670608;token=label1;object=User%20Pin
 Type: Unknown
 Label: User Pin
 Flags: CKA_SENSITIVE;
 ID:

Object 7:
 URL: pkcs11:model=19C43A06010D0000;manufacturer=A.E.T.%20Europe%20B.V.;serial=0191001F00670608;token=label1;object=SO%20Pin
 Type: Unknown
 Label: SO Pin
 Flags: CKA_SENSITIVE;
 ID:

Object 8:
 URL: pkcs11:model=19C43A06010D0000;manufacturer=A.E.T.%20Europe%20B.V.;serial=0191001F00670608;token=label1
 Type: Unknown
 Label:
 ID:

Filtering by id seems to work fine:
$ p11tool --login --list-all "pkcs11:id=%11"
Token 'label1' with URL 'pkcs11:model=19C43A06010D0000;manufacturer=A.E.T.%20Europe%20B.V.;serial=0191001F00670608;token=label1' requires user PIN
Enter PIN:
Object 0:
 URL: pkcs11:model=19C43A06010D0000;manufacturer=A.E.T.%20Europe%20B.V.;serial=0191001F00670608;token=label1;id=%11;type=cert
 Type: X.509 Certificate (RSA-2048)
 Expires: Sat Sep 3 16:33:27 2022
 Label:
 Flags: CKA_PRIVATE;
 ID: 11

Object 1:
 URL: pkcs11:model=19C43A06010D0000;manufacturer=A.E.T.%20Europe%20B.V.;serial=0191001F00670608;token=label1;id=%11;type=public
 Type: Public key (RSA-2048)
 Label:
 Flags: CKA_WRAP/UNWRAP;
 ID: 11

Object 2:
 URL: pkcs11:model=19C43A06010D0000;manufacturer=A.E.T.%20Europe%20B.V.;serial=0191001F00670608;token=label1;id=%11;type=private
 Type: Private key (RSA-2048)
 Label:
 Flags: CKA_WRAP/UNWRAP; CKA_PRIVATE; CKA_SENSITIVE;
 ID: 11

Likewise for ID 99. I then tried encrypting something using a specific key id, and decrypting it using the same key id (in which case it would have to pick the right private key), and it always worked, regardless of whether I used key 11 or 99.

$ openssl rsautl -encrypt -inkey "pkcs11:id=%99" -engine pkcs11 -pubin -in secret.txt -out secret.enc -keyform engine
The command rsautl was deprecated in version 3.0. Use 'pkeyutl' instead.
Engine "pkcs11" set.

$ openssl rsautl -engine pkcs11 -keyform engine -decrypt -inkey "pkcs11:id=%99" -in secret.enc
The command rsautl was deprecated in version 3.0. Use 'pkeyutl' instead.
Engine "pkcs11" set.
Enter PKCS#11 token PIN for label1:
secret

And if I specify the id of the non-matching private key, decryption doesn't work:
$ openssl rsautl -engine pkcs11 -keyform engine -decrypt -inkey "pkcs11:id=%11" -in secret.enc
The command rsautl was deprecated in version 3.0. Use 'pkeyutl' instead.
Engine "pkcs11" set.
Enter PKCS#11 token PIN for label1:

So, could you please give some steps on how to reproduce the problem, or at least the type of command that was picking up the wrong key or certificate?
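To make the id/label matching that this comment tests concrete, here is an added example (not code from the bug report, libp11 or p11tool): a small RFC 7512 pkcs11: URI parser and object matcher run over a list constructed to mirror the six certificate and key objects in the listing above (empty labels, ids 0x11 and 0x99), with a `select_one` helper that refuses ambiguous matches so a caller cannot silently end up with the wrong private key.

```python
from urllib.parse import unquote_to_bytes

# Constructed to mirror the p11tool listing for token 'label1' above:
# all labels empty, two key pairs plus certificates under ids 0x11 and 0x99.
TOKEN_OBJECTS = [
    {"id": b"\x99", "label": "", "type": "cert"},
    {"id": b"\x11", "label": "", "type": "cert"},
    {"id": b"\x11", "label": "", "type": "public"},
    {"id": b"\x99", "label": "", "type": "public"},
    {"id": b"\x99", "label": "", "type": "private"},
    {"id": b"\x11", "label": "", "type": "private"},
]

def parse_pkcs11_uri(uri):
    """Parse the path component of a pkcs11: URI into an attribute dict.
    Values are percent-decoded as bytes: 'id' stays raw (it is a CKA_ID,
    e.g. %11 -> b'\\x11'); other values are decoded as UTF-8 text.
    The query component after '?' (pin-value etc.) is ignored here."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11 URI")
    path = uri[len("pkcs11:"):].split("?", 1)[0]
    attrs = {}
    for part in filter(None, path.split(";")):
        name, _, value = part.partition("=")
        raw = unquote_to_bytes(value)
        attrs[name] = raw if name == "id" else raw.decode("utf-8")
    return attrs

# URI attribute name -> object field; token-level attributes (model, token,
# serial, manufacturer) are accepted but not used for object matching here.
_OBJECT_ATTRS = {"id": "id", "object": "label", "type": "type"}

def select_objects(uri, objects=TOKEN_OBJECTS):
    """Return objects equal to every object attribute given in the URI.
    An attribute absent from the URI matches anything; an attribute present
    with an empty value ('object=') matches only an empty label. Matching on
    'id' alone never falls back to comparing labels."""
    want = parse_pkcs11_uri(uri)
    return [o for o in objects
            if all(o[_OBJECT_ATTRS[k]] == v
                   for k, v in want.items() if k in _OBJECT_ATTRS)]

def select_one(uri, objects=TOKEN_OBJECTS):
    """Like select_objects, but fail loudly on zero or several hits rather
    than silently taking the first object, which is how a wrong key gets used."""
    hits = select_objects(uri, objects)
    if len(hits) != 1:
        raise LookupError(f"{uri!r} matched {len(hits)} objects, expected 1")
    return hits[0]
```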