Comment 11 for bug 1987938

Gil Weis (gilweis) wrote : Re: [Bug 1987938] Re: When a PIN is explicitly provided, use it regardless of secure login flag

Hi Sergio,
Thanks for the fix. I tested it and it's working and it's solved the
problem.

On Thu, Sep 15, 2022 at 5:46 PM Sergio Durigan Junior <email address hidden> wrote:

> Hi Gil,
>
> That's because this is a backport of the patch that fixes the issue.
> That's how we fix things in Ubuntu packages that are part of a released
> series: we backport the necessary patches on top of the version that's
> currently packaged.
>
> Updating the software to 0.4.12 is a much harder process because we are
> not supposed to introduce new features into Ubuntu series that were
> already released.
>
> https://bugs.launchpad.net/bugs/1987938
>
> Title:
> When a PIN is explicitly provided, use it regardless of secure login
> flag
>
> Status in libp11 package in Ubuntu:
> Fix Released
> Status in libp11 source package in Jammy:
> In Progress
> Status in libp11 source package in Kinetic:
> Fix Released
>
> Bug description:
> [Impact]
> If someone uses this library to connect to a hardware security module
> (HSM) that has PIN entry device (PED) support - aka "secure login" for this
> library - the library is forced to log in with "secure login" even when the
> client sends a PIN code and needs to perform a simple operation like
> sign/decrypt. This is a bug and version 0.4.12 fixes this bug.
>
> All users of this library connecting to HSMs that support PED (most of
> the big HSMs) can't use versions of the library prior to 0.4.12 (when
> the fix was first introduced).
>
> [Background]
> A hardware security module (HSM) is a physical computing device that
> safeguards and manages digital keys, performs encryption and decryption
> functions for digital signatures, ensures strong authentication and
> provides other cryptographic functions.
>
> Due to the critical role they play in securing applications and
> infrastructure, HSMs and/or the cryptographic modules are typically
> certified to internationally recognized standards such as Common Criteria
> or FIPS 140 to provide users with independent assurance that the design and
> implementation of the product and cryptographic algorithms are sound.
> Most of the big companies, banks, governments, and certificate
> authorities use HSMs to keep digital keys and perform encryption and
> decryption functions.
>
> Since HSMs have an important security role, for their management usually
> special hardware is required on the client side to identify with the
> HSM (i.e. a PIN entry device, or PED). Using a PED requires human
> involvement on the client side. Services that need an HSM can't use
> actual PED units to do identification so they pass the PIN code so
> they can use the HSM but just not perform actual administrative
> operations.
>
> libp11 is a popular library that enables use of the pkcs11 protocol.
> Most HSMs support the pkcs11 protocol.
>
> Most users for such cases use LTS operating systems.
>
>
> [Test Case]
> Steps to reproduce the problem:
>
> All the operations with this library to HSMs that support PED with PIN
> code reproduce the problem. For example:
>
> openssl conf file:
> [openssl_init]
> engines=engine_section
>
> [engine_section]
> pkcs11 = pkcs11_section
>
> [pkcs11_section]
> engine_id = pkcs11
> dynamic_path = /usr/lib/ssl/engines/libpkcs11.so
> MODULE_PATH = hsm_module.so
> init = 0
>
> command:
> $ openssl
> OpenSSL> req -engine pkcs11 -new -key "pkcs11:object=test-key;type=private;pin-value=XXXX" \
>     -keyform engine -out req.pem -text -x509 -subj "/CN=Andreas Jellinghaus"
> OpenSSL> x509 -engine pkcs11 -signkey "pkcs11:object=test-key;type=private;pin-value=XXXX" \
>     -keyform engine -in req.pem -out cert.pem
>
> [Original Report]
> This bug prevents using this library with an HSM with a provided PIN.
> Version 0.4.12 fixes this bug.
> Please update Ubuntu 22.04 to include libp11 0.4.12 because without this
> fix it's impossible to use this library with HSM (Hardware Security Module)
> and Ubuntu 22.04 (Jammy).
>
> (https://bugs.launchpad.net/ubuntu/+source/libp11/+bug/1982011)
>
> Thanks
>
>
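A simplified model of the behaviour described in the bug description above, added here as an illustration; it is not libp11's code and not part of the original message. `uri_pin_value`, `login_pin` and the `fixed` switch are hypothetical names, and the model assumes that the "secure login" flag is the PKCS#11 token flag `CKF_PROTECTED_AUTHENTICATION_PATH` and that handing a NULL PIN to `C_Login` defers authentication to the PED.

```c
#include <stdio.h>
#include <string.h>

/* PKCS#11 token flag: the token has its own PIN entry path (a PED). */
#define CKF_PROTECTED_AUTHENTICATION_PATH 0x00000100UL

/* Hypothetical helper: copy the pin-value attribute of a PKCS#11 URI into
 * out. Returns 1 if a non-empty PIN was found and fits, 0 otherwise.
 * Percent-decoding is left out to keep the model short. */
static int uri_pin_value(const char *uri, char *out, size_t outlen)
{
    static const char key[] = "pin-value=";
    const size_t klen = sizeof(key) - 1;
    const char *p = uri;

    if (strncmp(p, "pkcs11:", 7) != 0)
        return 0;
    for (p += 7; *p; ) {
        size_t len = strcspn(p, ";?&");   /* one attribute at a time */
        if (len > klen && strncmp(p, key, klen) == 0) {
            if (len - klen >= outlen)
                return 0;                 /* refuse to truncate a PIN */
            memcpy(out, p + klen, len - klen);
            out[len - klen] = '\0';
            return 1;
        }
        p += len;
        if (*p) p++;                      /* skip the separator */
    }
    return 0;
}

/* Model of the login decision: returns the PIN that would be handed to
 * C_Login, or NULL when the login is left to the PED (or no PIN exists). */
static const char *login_pin(unsigned long flags, const char *pin, int fixed)
{
    if (fixed)
        return pin;   /* an explicitly provided PIN is used regardless */
    return (flags & CKF_PROTECTED_AUTHENTICATION_PATH) ? NULL : pin;
}

int main(void)
{
    char pin[32];
    /* Constructed input: the key URI from the test case above. */
    const char *uri = "pkcs11:object=test-key;type=private;pin-value=XXXX";
    const char *given = uri_pin_value(uri, pin, sizeof(pin)) ? pin : NULL;
    unsigned long flags = CKF_PROTECTED_AUTHENTICATION_PATH;

    printf("before fix: %s\n", login_pin(flags, given, 0) ? "PIN" : "PED");
    printf("after fix:  %s\n", login_pin(flags, given, 1) ? "PIN" : "PED");
    return 0;
}
```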