No Login on Private Key Usage #496

Open
falko-strenzke opened this issue Apr 19, 2023 · 1 comment

@falko-strenzke

We observed the following behaviour in version 0.4.12 when invoking `openssl dgst -engine pkcs11 -keyform engine -sign [...]`

  • When searching for private keys, this is first attempted by libp11 without performing C_Login()
  • If the sought private key is found in this way, signature generation is also attempted without performing C_Login()
  • If C_SignInit() fails with CKR_USER_NOT_LOGGED_IN, the command fails

We found specifying "FORCE_LOGIN" in the engine section as a workaround.

However, according to our understanding, in the described case libp11 would preferably perform C_Login() after the failed call to C_SignInit() and try to call this function again.

Is this something you would put on the roadmap? Would you prefer us to propose an MR (currently not sure if we can provide that but I would check that)?

@frankmorgner

I don't use the PKCS#11 engine myself, but looking at the source code, it seems that libp11 actually does the right thing:

libp11/src/eng_back.c

Lines 199 to 243 in 6c96847

```c
/*
 * Log-into the token if necessary.
 *
 * @slot is PKCS11 slot to log in
 * @tok is PKCS11 token to log in (??? could be derived as @slot->token)
 * @ui_method is OpenSSL user interface which is used to ask for a password
 * @callback_data are application data to the user interface
 * @return 1 on success, 0 on error.
 */
static int ctx_login(ENGINE_CTX *ctx, PKCS11_SLOT *slot, PKCS11_TOKEN *tok,
		UI_METHOD *ui_method, void *callback_data)
{
	if (!(ctx->force_login || tok->loginRequired) || slot_logged_in(ctx, slot))
		return 1;

	/* If the token has a secure login (i.e., an external keypad),
	 * then use a NULL PIN. Otherwise, obtain a new PIN if needed. */
	if (tok->secureLogin && !ctx->forced_pin) {
		/* Free the PIN if it has already been
		 * assigned (i.e, cached by ctx_get_pin) */
		ctx_destroy_pin(ctx);
	} else if (!ctx->pin) {
		ctx->pin = OPENSSL_malloc(MAX_PIN_LENGTH+1);
		ctx->pin_length = MAX_PIN_LENGTH;
		if (ctx->pin == NULL) {
			ctx_log(ctx, 0, "Could not allocate memory for PIN\n");
			return 0;
		}
		memset(ctx->pin, 0, MAX_PIN_LENGTH+1);
		if (!ctx_get_pin(ctx, tok->label, ui_method, callback_data)) {
			ctx_destroy_pin(ctx);
			ctx_log(ctx, 0, "No PIN code was entered\n");
			return 0;
		}
	}

	/* Now login in with the (possibly NULL) PIN */
	if (PKCS11_login(slot, 0, ctx->pin)) {
		/* Login failed, so free the PIN if present */
		ctx_destroy_pin(ctx);
		ctx_log(ctx, 0, "Login failed\n");
		return 0;
	}
	return 1;
}
```

I suggest you debug that part above and especially check the reason why no login is performed on line 211. I would assume that libp11 doesn't recognize the need to log in, because your slot doesn't propagate this property correctly.
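The failure mode discussed in this thread, as an added simulation that is not libp11 code and not part of either comment: a token enforces login on its private key but does not advertise `CKF_LOGIN_REQUIRED`, so a login check gated on that flag (like the first test in `ctx_login()`) never logs in. `sim_token` and the `sim_*`/`sign_*` functions are hypothetical, and the example assumes `tok->loginRequired` mirrors the `CKF_LOGIN_REQUIRED` token flag.

```c
#include <stdio.h>
/* Return codes and token flag as defined by the PKCS#11 specification */
#define CKR_OK                 0x000UL
#define CKR_USER_NOT_LOGGED_IN 0x101UL
#define CKF_LOGIN_REQUIRED     0x004UL

/* Constructed stand-in for a token (hypothetical, not a libp11 type) */
struct sim_token {
	unsigned long flags;  /* what C_GetTokenInfo would report */
	int key_needs_auth;   /* what the token actually enforces on the key */
	int logged_in;
	int login_calls;
};

/* Simulated C_SignInit: the token enforces auth regardless of its flags */
static unsigned long sim_sign_init(const struct sim_token *t)
{
	return (t->key_needs_auth && !t->logged_in) ? CKR_USER_NOT_LOGGED_IN : CKR_OK;
}

static void sim_login(struct sim_token *t) { t->logged_in = 1; t->login_calls++; }

/* Same decision as the first test in ctx_login(): log in only if forced or advertised */
static unsigned long sign_flag_gated(struct sim_token *t, int force_login)
{
	if ((force_login || (t->flags & CKF_LOGIN_REQUIRED)) && !t->logged_in)
		sim_login(t);
	return sim_sign_init(t);
}

/* Behaviour requested in the issue: log in after the failure and try once more */
static unsigned long sign_with_retry(struct sim_token *t)
{
	unsigned long rv = sign_flag_gated(t, 0);
	if (rv == CKR_USER_NOT_LOGGED_IN) {
		sim_login(t);
		rv = sim_sign_init(t);
	}
	return rv;
}

int main(void)
{
	struct sim_token a = {0, 1, 0, 0}, b = {0, 1, 0, 0}, c = {0, 1, 0, 0};
	printf("flag-gated:  0x%lx\n", sign_flag_gated(&a, 0));
	printf("FORCE_LOGIN: 0x%lx\n", sign_flag_gated(&b, 1));
	printf("retry:       0x%lx\n", sign_with_retry(&c));
	return 0;
}
```

Only the flag-gated call without `FORCE_LOGIN` ends in `CKR_USER_NOT_LOGGED_IN`; a token that sets `CKF_LOGIN_REQUIRED` would pass the same gate without either workaround.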
