Comment 17 for bug 1987938

Gil Weis (gilweis) wrote : Re: [Bug 1987938] Re: When a PIN is explicitly provided, use it regardless of secure login flag

Thanks Robie,
I updated the SRU description.
I hope that now it's clear that this is a bug and not a change in behaviour.
Currently the client with libp11 fails to login for operations for which the
HSM requires a PIN and not a PED. This is definitely a bug!

I added to SRU:

[Bug description]
- HSM that has PIN entry device (PED) support ("secure login" for libp11)
- Some operations with the HSM require PED (like HSM administration, creating
keys, deleting keys, creating slots) and some operations with the HSM require
PIN (like signing with existing keys, decrypting with existing keys)

What happens:
1. libp11 asks the HSM which authentication capabilities its hardware
supports.
2. The HSM responds with all the capabilities (from high to low).
3. Currently (this is the bug) libp11 chooses the highest and expects the
client to use *only* the highest to login, even when the HSM expects a lower
one for the required operation.
4. The highest authentication capability (PED/Secure Login) is required only
for administration that involves a human on the client side, and not for
"normal" operations such as sign/decrypt.
5. The bug prevents using libp11 for "normal" operations with HSMs that
support PED.
6. The bug fix: The client tries to login with the PIN for the required
operation and if it succeeds, continues to run.

In any case, the responsibility to allow login always lies with the HSM and
it is the only one who decides whether to allow login with a PIN for the
requested operation.

[Where problems could occur]
Any HSM client that uses the libp11 library to connect to an HSM that supports
PED for non-PED operations will fail because of this bug.

["expected behaviour" and "actual behaviour"]
Starting position:
- HSM that has PIN entry device (PED) support ("secure login" for libp11)
- Client that wants to connect to the HSM for non-PED operations (without
human involvement on the client side, like services/microservices)

"expected behaviour":
Client tries to login to the HSM with PIN code (for an operation that requires
PIN code and not PED) -> Success

"actual behaviour":
Client tries to login to the HSM with PIN code (for an operation that requires
PIN code and not PED) -> Failed

On Wed, Sep 21, 2022 at 7:30 PM Robie Basak <email address hidden>
wrote:

> Please could you complete a regression analysis? See "Where things could
> go wrong" at https://wiki.ubuntu.com/StableReleaseUpdates#Procedure.
>
> Also, while upstream are in the best position to choose appropriate
> behaviour for a new release, this seems to be a deliberate change in
> behaviour in a stable release to allow the PIN to be entered from
> userspace rather than requiring it from the HSM (if I understand what
> you're fixing correctly?). Is this something that some security
> professionals would see as a regression, rather than something they
> want? For example, perhaps they want this behaviour to prevent users
> from routinely leaking their PINs to userspace? If so, then for them
> would this SRU be the wrong thing to do?
>
> The test case is unclear to me: please could you add explicit "expected
> behaviour" and "actual behaviour" sections?
>
> ** Changed in: libp11 (Ubuntu Jammy)
> Status: In Progress => Incomplete
>
> https://bugs.launchpad.net/bugs/1987938
>
> Title:
> When a PIN is explicitly provided, use it regardless of secure login
> flag
>
> Status in libp11 package in Ubuntu:
> Fix Released
> Status in libp11 source package in Jammy:
> Incomplete
> Status in libp11 source package in Kinetic:
> Fix Released
>
> Bug description:
> [Impact]
> If someone uses this library to connect to a hardware security module
> (HSM) that has PIN entry device (PED) support - aka "secure login" for this
> library - the library is forced to login with "secure login" even when the
> client sends a PIN code and needs to perform a simple operation like
> sign/decrypt. This is a bug and version 0.4.12 fixes this bug.
>
> All users of this library connecting to HSMs that support PED (most of
> the big HSMs) can't use versions of the library prior to 0.4.12 (when
> the fix was first introduced).
>
> [Background]
> A hardware security module (HSM) is a physical computing device that
> safeguards and manages digital keys, performs encryption and decryption
> functions for digital signatures, ensures strong authentication and
> provides other cryptographic functions.
>
> Due to the critical role they play in securing applications and
> infrastructure, HSMs and/or the cryptographic modules are typically
> certified to internationally recognized standards such as Common Criteria
> or FIPS 140 to provide users with independent assurance that the design and
> implementation of the product and cryptographic algorithms are sound.
> Most of the big companies, banks, governments, and certificate
> authorities use HSMs to keep digital keys and perform encryption and
> decryption functions.
>
> Since HSMs have an important security role, for their management usually
> special hardware is required on the client side to identify with the
> HSM (i.e. a PIN entry device, or PED). Using a PED requires human
> involvement on the client side. Services that need an HSM can't use
> actual PED units to do identification, so they pass the PIN code so
> they can use the HSM but just not perform actual administrative
> operations.
>
> libp11 is a popular library that enables use of the pkcs11 protocol.
> Most of the HSMs support the pkcs11 protocol.
>
> Most users for such cases use LTS operating systems.
>
>
> [Test Case]
> Steps to reproduce the problem:
>
> All the operations with this library to HSMs that support PED with PIN
> code reproduce the problem. For example:
>
> openssl conf file:
> [openssl_init]
> engines=engine_section
>
> [engine_section]
> pkcs11 = pkcs11_section
>
> [pkcs11_section]
> engine_id = pkcs11
> dynamic_path = /usr/lib/ssl/engines/libpkcs11.so
> MODULE_PATH = hsm_module.so
> init = 0
>
> command:
> $ openssl
> OpenSSL> req -engine pkcs11 -new -key "pkcs11:object=test-key;type=private;pin-value=XXXX" \
>   -keyform engine -out req.pem -text -x509 -subj "/CN=Andreas Jellinghaus"
> OpenSSL> x509 -engine pkcs11 -signkey "pkcs11:object=test-key;type=private;pin-value=XXXX" \
>   -keyform engine -in req.pem -out cert.pem
>
> [Original Report]
> This bug prevents using this library with an HSM with a provided PIN.
> Version 0.4.12 fixes this bug.
> Please update Ubuntu 22.04 to include libp11 0.4.12 because without this
> fix it's impossible to use this library with an HSM (Hardware Security Module)
> on Ubuntu 22.04 (Jammy).
>
> (https://bugs.launchpad.net/ubuntu/+source/libp11/+bug/1982011)
>
> Thanks
>
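An added example, not code from libp11 or from this bug report, that models the login decision the report describes: a constructed token that advertises a protected authentication path (the PKCS#11 flag CKF_PROTECTED_AUTHENTICATION_PATH, assumed here to be what libp11 calls "secure login"), a mock C_Login, and the pre-fix versus fixed client behaviour side by side. The struct, mock_C_Login, login_old and login_fixed are illustrative names; the point is that the token, not the client library, is the one that accepts or rejects a PIN.

```c
#include <stdio.h>
#include <string.h>

/* Mock PKCS#11 constants, redefined so the example runs without pkcs11.h;
 * the values match the PKCS#11 v2.40 definitions. */
#define CKR_OK                            0x00UL
#define CKR_FUNCTION_FAILED               0x06UL
#define CKR_PIN_INCORRECT                 0xA0UL
#define CKF_PROTECTED_AUTHENTICATION_PATH 0x100UL

/* Constructed token: advertises PED support, accepts a normal user PIN for
 * sign/decrypt, and may or may not have a PED attached on this client. */
struct mock_token {
    unsigned long flags;
    const char *user_pin;
    int ped_attached;
};

/* Mock C_Login: a NULL PIN means "authenticate through the PED"; a non-NULL
 * PIN is checked against the user PIN. The token, not the client, decides. */
static unsigned long mock_C_Login(const struct mock_token *t, const char *pin)
{
    if (pin == NULL)
        return t->ped_attached ? CKR_OK : CKR_FUNCTION_FAILED;
    return strcmp(pin, t->user_pin) == 0 ? CKR_OK : CKR_PIN_INCORRECT;
}

/* Pre-fix behaviour as the report describes it: when the token advertises a
 * protected authentication path, the supplied PIN is ignored, PED is forced. */
unsigned long login_old(const struct mock_token *t, const char *pin)
{
    int secure_login = (t->flags & CKF_PROTECTED_AUTHENTICATION_PATH) != 0;
    return mock_C_Login(t, secure_login ? NULL : pin);
}

/* Fixed behaviour: an explicitly provided PIN is always sent; the PED path
 * is used only when the caller gave no PIN at all. */
unsigned long login_fixed(const struct mock_token *t, const char *pin)
{
    return mock_C_Login(t, pin);
}

int main(void)
{
    /* Headless service: PED-capable HSM, no PED on this host, PIN supplied. */
    struct mock_token hsm = { CKF_PROTECTED_AUTHENTICATION_PATH, "1234", 0 };
    printf("old:           0x%02lx\n", login_old(&hsm, "1234"));   /* 0x06 */
    printf("fixed:         0x%02lx\n", login_fixed(&hsm, "1234")); /* 0x00 */
    printf("fixed, no PIN: 0x%02lx\n", login_fixed(&hsm, NULL));   /* 0x06 */
    return 0;
}
```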