RFE: Use p11_kit_modules_load() directly #117

Closed
dwmw2 opened this issue Oct 3, 2016 · 13 comments
@dwmw2 (Contributor) commented Oct 3, 2016

There are a couple of discussions of this in places where they're a bit off-topic. See Yubico/yubico-piv-tool#94 (comment) and Homebrew/homebrew-core#5434 (comment).

The "easy" way to integrate a PKCS#11-capable application and make it use the modules configured by p11-kit is to use p11-kit-proxy.so. That just loads all the configured modules internally, then proxies for them, making their slots appear as its own slots.

However, there are a couple of problems with this. One is that it requires the use of libffi to build trampolines for the module entry points, which can be problematic.

The other is that p11-kit-proxy.so doesn't seem to build on OSX for other reasons, as noted by @martinpaljak in https://lists.freedesktop.org/archives/p11-glue/2014-December/000550.html

It might be better for the ENGINE just to use p11_kit_modules_load() directly in the default case, instead of the cheaper trick of using p11-kit-proxy.so as its default module, which it does at the moment.

Using libp11-kit directly has the added bonus that we could ditch our own incomplete RFC7512 parsing. And it's only for the ENGINE, not for libp11. And obviously where the user does explicitly specify a single module that would still override the default behaviour, just as it does now.

Thoughts?

@mouse07410 (Contributor)

Using PKCS11_MODULE_PATH=... worked. So the problem is definitely with p11-kit, which refuses to parse/load modules properly. Here's what it gives:

$ p11-kit list-modules
p11-kit-trust: p11-kit-trust.so
    library-description: PKCS#11 Kit Trust Module
    library-manufacturer: PKCS#11 Kit
    library-version: 0.23
    token: Default Trust
        manufacturer: PKCS#11 Kit
        model: p11-kit-trust
        serial-number: 1
        hardware-version: 0.23
        flags:
               write-protected
               token-initialized
    token: System Trust
        manufacturer: PKCS#11 Kit
        model: p11-kit-trust
        serial-number: 1
        hardware-version: 0.23
        flags:
               write-protected
               token-initialized
pkcs11: /Library/OpenSC/lib/opensc-pkcs11.dylib
    library-description: OpenSC smartcard framework
    library-manufacturer: OpenSC Project
    library-version: 0.16
ykcs11: /usr/local/lib/libykcs11.dylib
    library-description: PKCS#11 PIV Library (SP-800-73)
    library-manufacturer: Yubico (www.yubico.com)
    library-version: 1.42
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
p11-kit: couldn't load module info: The specified slot ID is not valid
$

@mouse07410 (Contributor)

Also:

$ PKCS11_MODULE_PATH=/opt/local/lib/p11-kit-proxy.dylib openssl pkeyutl -engine pkcs11 -keyform engine -sign -in t256.dat -out t256.dat.sig -inkey 'pkcs11:model=YubiKey%20NEO;id=%02;object-type=private'
engine "pkcs11" set.
PKCS#11 token PIN: 
$ openssl pkeyutl -engine pkcs11 -keyform engine -sign -in t256.dat -out t256.dat.sig -inkey 'pkcs11:model=YubiKey%20NEO;id=%02;object-type=private'
engine "pkcs11" set.
Specified object not found
PKCS11_get_private_key returned NULL
cannot load Private Key from engine
140735271227472:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:eng_pkey.c:124:
unable to load Private Key
Error initializing context
$

@dwmw2 (Contributor, Author) commented Oct 3, 2016

Did you definitely fix Yubico/yubico-piv-tool#91 before trying this? That would explain a long list of 'The specified slot ID is not valid' errors, and would also explain not finding a private key — because in Yubico/yubico-piv-tool#94 (comment) you showed that due to that same YKCS11 bug, the "real" slot number was showing up three times along with all those bogus ones. So it looks like there are three tokens matching your URI with model=YubiKey%20NEO, and thus the engine doesn't know which of them to log into, to find a CKA_PRIVATE object. And thus it gives up without ever prompting you for the PIN.

@lbschenkel

FYI: p11-kit-proxy.so was not being built on OS X due to a Makefile bug that has been reported at https://bugs.freedesktop.org/show_bug.cgi?id=98022 and fixed today. But you don't really need the proxy because it's just a symlink to libp11-kit.dylib (the same file is both the library and a PKCS#11 module), so you can either create the symlink yourself or use the path to the dylib directly in any configuration files.

@mouse07410 (Contributor) commented Oct 3, 2016

Did you definitely fix Yubico/yubico-piv-tool#91 before trying this?

I did not - but while fixing it improved the long list of wrong slots, it did not help with the main problem:

$ p11-kit list-modules
p11-kit-trust: p11-kit-trust.so
    library-description: PKCS#11 Kit Trust Module
    library-manufacturer: PKCS#11 Kit
    library-version: 0.23
    token: Default Trust
        manufacturer: PKCS#11 Kit
        model: p11-kit-trust
        serial-number: 1
        hardware-version: 0.23
        flags:
               write-protected
               token-initialized
    token: System Trust
        manufacturer: PKCS#11 Kit
        model: p11-kit-trust
        serial-number: 1
        hardware-version: 0.23
        flags:
               write-protected
               token-initialized
pkcs11: /Library/OpenSC/lib/opensc-pkcs11.dylib
    library-description: OpenSC smartcard framework
    library-manufacturer: OpenSC Project
    library-version: 0.16
    token: PIV Card Holder pin (PIV_II)
        manufacturer: piv_II
        model: PKCS#15 emulated
        serial-number: a0fxxxxxxxxxxxxx
        flags:
               rng
               login-required
               user-pin-initialized
               token-initialized
ykcs11: /usr/local/lib/libykcs11.dylib
    library-description: PKCS#11 PIV Library (SP-800-73)
    library-manufacturer: Yubico (www.yubico.com)
    library-version: 1.42
    token: YubiKey PIV
        manufacturer: Yubico
        model: YubiKey NEO
        serial-number: 1234
        firmware-version: 1.4
        flags:
               rng
               login-required
               user-pin-initialized
               token-initialized
$ openssl pkeyutl -engine pkcs11 -keyform engine -sign -in t256.dat -out t256.dat.sig -inkey 'pkcs11:model=YubiKey%20NEO;id=%02;object-type=private'
engine "pkcs11" set.
Specified object not found
PKCS11_get_private_key returned NULL
cannot load Private Key from engine
140735271227472:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:eng_pkey.c:124:
unable to load Private Key
Error initializing context
$ PKCS11_MODULE_PATH=/opt/local/lib/p11-kit-proxy.dylib openssl pkeyutl -engine pkcs11 -keyform engine -sign -in t256.dat -out t256.dat.sig -inkey 'pkcs11:model=YubiKey%20NEO;id=%02;object-type=private'
engine "pkcs11" set.
PKCS#11 token PIN: 
$ 

@mouse07410 (Contributor) commented Oct 3, 2016

Hmm... I recompiled libp11 with

It was created by libp11 configure 0.4.3_git, which was
generated by GNU Autoconf 2.69.  Invocation command line was

  $ ./configure --prefix=/opt/local --with-pkcs11-module=/opt/local/lib/p11-kit-proxy.dylib --with-enginesdir=/opt/local/lib/engines CC=clang CFLAGS="-maes -mpclmul -mrdrnd -msse2 -mssse3 -msse4.2 -mtune=native -Os -Ofast" LDFLAGS=-L/opt/local/lib CPPFLAGS=-I/opt/local/include PKG_CONFIG_PATH="/opt/local/lib/pkgconfig:/opt/local/share/pkgconfig:/usr/local/lib/pkgconfig:/usr/lib/pkgconfig" OPENSSL_CFLAGS=-I/opt/local/include OPENSSL_LIBS="-L/opt/local/lib -lssl -lcrypto" --no-create --no-recursion

and it (including your ykcs11 fix) appeared to fix the problem:

$ openssl pkeyutl -engine pkcs11 -keyform engine -sign -in t256.dat -out t256.dat.sig -inkey 'pkcs11:model=YubiKey%20NEO;id=%02;object-type=private'
engine "pkcs11" set.
PKCS#11 token PIN: 
$

The problem appeared to be in --with-pkcs11-module=....

@dwmw2 (Contributor, Author) commented Oct 3, 2016

OK, it should have picked that up automatically from the pkg-config for p11-kit, by running pkg-config --variable=proxy_module p11-kit-1.

Btw, stop using object-type=. It should be type=. I think it was changed in a later draft before it became RFC7512.
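As an added example (not libp11's or p11-kit's own code), the following Python models the URI step this thread keeps returning to: parsing an RFC 7512 pkcs11: URI with percent-decoding, mapping the pre-RFC spelling object-type= to type=, and matching the URI's token attributes against the enumerated tokens so that, as in the three-copies-of-the-YubiKey case above, an ambiguous match is refused rather than guessed. The token list is constructed from the p11-kit list-modules output in this thread, with the serial of the PIV card replaced by a placeholder.

```python
"""Model of the RFC 7512 "pkcs11:" URI parsing and token-matching step that a
PKCS#11 engine performs before it decides which token to log into.
Constructed example for this discussion; not libp11 or p11-kit code."""
from urllib.parse import unquote_to_bytes

# Path attributes from RFC 7512 that identify a token (p11-kit prints
# "serial-number" for what the URI calls "serial").
TOKEN_ATTRS = ("model", "manufacturer", "serial", "token")
# "object-type" was the draft-era name of the "type" attribute.
OBSOLETE = {"object-type": "type"}


def parse_pkcs11_uri(uri):
    """Return (attrs, warnings); attrs values are percent-decoded bytes."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path, _, query = uri[len("pkcs11:"):].partition("?")
    parts = [p for p in path.split(";") if p] + [q for q in query.split("&") if q]
    attrs, warnings = {}, []
    for part in parts:
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"attribute without '=': {part!r}")
        if key in OBSOLETE:
            warnings.append(f"'{key}' is a pre-RFC draft name; use '{OBSOLETE[key]}'")
            key = OBSOLETE[key]
        if key in attrs:
            raise ValueError(f"duplicate attribute {key!r}")
        # Decode to bytes: "id" is binary (e.g. %02), labels are UTF-8 text.
        attrs[key] = unquote_to_bytes(value)
    return attrs, warnings


def matching_tokens(attrs, tokens):
    """Return every token whose info agrees with all token attributes in the URI."""
    wanted = {k: v for k, v in attrs.items() if k in TOKEN_ATTRS}
    return [tok for tok in tokens
            if all(tok.get(k, "").encode() == v for k, v in wanted.items())]


def select_token(uri, tokens):
    """Engine-style decision: exactly one match, otherwise refuse (no PIN prompt)."""
    attrs, warnings = parse_pkcs11_uri(uri)
    hits = matching_tokens(attrs, tokens)
    if len(hits) == 1:
        return "ok", hits[0], warnings
    if not hits:
        return "not-found", None, warnings
    return "ambiguous", hits, warnings


# Constructed token list modelled on the `p11-kit list-modules` output in this
# thread; the YubiKey entry is repeated three times to reproduce the YKCS11
# duplicate-slot bug discussed above. The PIV serial is a placeholder.
SAMPLE_TOKENS = [
    {"token": "System Trust", "manufacturer": "PKCS#11 Kit",
     "model": "p11-kit-trust", "serial": "1"},
    {"token": "PIV Card Holder pin (PIV_II)", "manufacturer": "piv_II",
     "model": "PKCS#15 emulated", "serial": "PLACEHOLDER-SERIAL"},
] + [{"token": "YubiKey PIV", "manufacturer": "Yubico",
      "model": "YubiKey NEO", "serial": "1234"}] * 3


if __name__ == "__main__":
    for uri in ("pkcs11:model=YubiKey%20NEO;id=%02;object-type=private",
                "pkcs11:manufacturer=piv_II;id=%02;type=private"):
        status, result, warnings = select_token(uri, SAMPLE_TOKENS)
        print(uri, "->", status, warnings)
```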

@mouse07410 (Contributor) commented Oct 5, 2016

OK, changing to type=.

Also:

$ pkg-config --variable=proxy_module p11-kit-1
/opt/local/lib/p11-kit-proxy.so
$

But after the latest upgrade of the p11-kit port, things stopped working for me. The only configuration that still does work is setting env var PKCS11_MODULE_PATH=/Library/OpenSC/lib/opensc-pkcs11.dylib, and explicitly specifying manufacturer=piv_II; in the pkcs11 URI. Any other combination fails to load private key.
Current github version of yubico-piv-tool, both current and old(er) versions of libp11, current Macports p11-kit.

$ PKCS11_MODULE_PATH=/opt/local/lib/p11-kit-proxy.dylib openssl dgst -engine pkcs11 -keyform engine -sign "pkcs11:model=YubiKey%20NEO;id=%02;type=private" -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 -out t256.dat.sig t256.dat
debug: ykcs11.c:171 (C_GetFunctionList): In
debug: ykcs11.c:179 (C_GetFunctionList): Out
debug: ykcs11.c:86 (C_Initialize): In
trying to connect to reader 'Yubico Yubikey NEO OTP+U2F+CCID'.
debug: ykcs11.c:104 (C_Initialize): Found 1 slot(s) of which 0 tokenless/unsupported
debug: ykcs11.c:109 (C_Initialize): Out
debug: ykcs11.c:194 (C_GetSlotList): In
. . . . .
debug: ykcs11.c:1284 (C_GetAttributeValue): Out
debug: ykcs11.c:1252 (C_GetAttributeValue): In
debug: objects.c:591 (get_proa): For private key object 64, get 
debug: objects.c:687 (get_proa): MODULUS
debug: ykcs11.c:1284 (C_GetAttributeValue): Out
debug: ykcs11.c:1252 (C_GetAttributeValue): In
debug: objects.c:591 (get_proa): For private key object 64, get 
debug: objects.c:754 (get_proa): PUBLIC EXPONENT
debug: ykcs11.c:1284 (C_GetAttributeValue): Out
debug: ykcs11.c:1252 (C_GetAttributeValue): In
debug: objects.c:591 (get_proa): For private key object 64, get 
debug: objects.c:754 (get_proa): PUBLIC EXPONENT
debug: ykcs11.c:1284 (C_GetAttributeValue): Out
debug: ykcs11.c:1252 (C_GetAttributeValue): In
debug: objects.c:591 (get_proa): For private key object 64, get 
debug: objects.c:789 (get_proa): ALWAYS AUTHENTICATE
debug: ykcs11.c:1284 (C_GetAttributeValue): Out
debug: ykcs11.c:1698 (C_SignInit): In
debug: ykcs11.c:1723 (C_SignInit): Trying to sign some data with mechanism 3 and key 64
debug: objects.c:591 (get_proa): For private key object 64, get 
debug: objects.c:623 (get_proa): KEY TYPE
debug: ykcs11.c:1738 (C_SignInit): Key type is 0

debug: objects.c:591 (get_proa): For private key object 64, get 
debug: objects.c:737 (get_proa): MODULUS BITS
debug: ykcs11.c:1793 (C_SignInit): Key length is 2048 bit
debug: ykcs11.c:1801 (C_SignInit): Algorithm is 7
debug: ykcs11.c:1818 (C_SignInit): Out
debug: ykcs11.c:1833 (C_Sign): In
debug: ykcs11.c:1875 (C_Sign): Sending 270 bytes to sign
0f ad e1 0c 82 83 91 3f 86 a7 dd 1a 7e 82 5c 56 4a 74 4d a2 19 44 0d be 4c e9 49 d3 55 6e 84 46 28 9a 41 c5 c1 f9 f0 a2 ee 41 8d ac 4e f7 c6 4b d1 8d 5e 3a 9f 2c bd 35 a0 2c bc ea fb 5d 04 d7 50 22 96 17 c7 e1 64 cb 02 e9 67 af 6e 48 2e d5 8c 8a 74 2e e3 f6 72 ad b0 59 1e c1 47 94 6f 13 92 5a 9d 7f b3 82 3e f7 65 b7 e2 5b b6 09 e6 04 cf 85 ab 3b c4 42 9c a2 f8 25 35 c7 25 a0 18 bd 3c 6b fb 72 3a 4e 05 f5 97 61 f7 c1 99 72 79 41 c2 ae f3 4f 02 50 c2 5d bc 47 eb fa bf f3 08 b9 b8 c4 88 d0 7f 68 7c 14 b4 ac 29 87 86 c8 00 16 63 91 8f 31 c8 22 d0 9c 57 32 36 9f fb 5e d8 7e 37 9c b2 86 09 c6 48 28 5f 96 d4 e1 5f 78 85 af 53 e6 19 0a d8 cf 27 0a d2 c9 41 91 0e f5 84 08 6d 15 86 a5 aa 0a 7d de 97 b0 e9 47 bc 78 18 d3 4c b0 9f 9d 00 d6 88 f6 24 fd a6 54 57 d5 a2 f6 ca d3 94 29 1c 6b 58 f2 30 43 fb 27 fe bc 
debug: ykcs11.c:1891 (C_Sign): Data must be shorter than key length (2048 bits)
debug: ykcs11.c:1962 (C_Sign): Out
Error Signing Data
140735271227472:error:80009006:Vendor defined:PKCS11_rsa_encrypt:Function failed:p11_rsa.c:117:
$ 

Note the above trying to send 270 bytes to sign instead of 256. Reported this bug: Yubico/yubico-piv-tool#98, which includes the complete debugging output.

@mtrojnar (Member) commented Oct 8, 2016

Do I understand correctly that it is a YKCS11 issue?

@dengert (Member) commented Oct 8, 2016

is this the same as your OpenSSL issue from January? openssl/openssl#543

@mouse07410 (Contributor)

The inability to correctly compute an RSA signature (that I complained about here) was a YKCS11 issue Yubico/yubico-piv-tool#98 that has been reported and resolved there.

is this the same as your OpenSSL issue from January? openssl/openssl#543

No, some symptoms were similar, but the cause was a bug in YKCS11 (see above).

But the main issue here that @dwmw2 reported (and that I almost hijacked :) is about loading PKCS#11 modules directly rather than via p11-kit-proxy.so.

To this I can add that the OS X build issue was reported to p11-kit (both Macports and upstream), and it's been fixed there - so now p11-kit builds and runs on Mac OS X, and correctly symlinks p11-kit-proxy.so. However, I cannot say I'm happy with how it runs (depending on the moon phase and the outside temperature, it may or may not select the right PKCS#11 module correctly - and I've been unable to properly debug this problem).

So it would be nice if libp11 had a nice and reliable way to load PKCS#11 modules directly rather than relying on p11-kit. I'm a bit afraid to insist on this however, because if this feature turns out to be not as reliable (or, say, comparable to p11-kit in reliability), it would be a disaster for me and my use cases.

@mtrojnar (Member) commented Oct 9, 2016

instead of the cheaper trick of using p11-kit-proxy.so as its default module

I prefer cheaper tricks (and less dependencies) as long as they do the job.

@dwmw2 is a bit biased here due to his previous work in companies that build really huge and complex systems. Smaller integrators really do appreciate simplicity.

@mouse07410 (Contributor)

:-)

I can live with the current way of loading modules.
