Max PKCS#11 id URI length of 100 characters? #24223
The PKCS#11 engine is produced with OpenSC's libp11 project, so they're the folks that you should turn to primarily. However, I have looked at their code, and nothing in their code seems to imply a length limit. However, the URI is subject to URI encoding (i.e. bytes can be specified with
Thanks for the quick reply and for taking a look! The specific id format is a totally valid guess, but this can also be reproduced with a basic id of 101x "a"s, which triggers the URI error. The same id with 100x "a"s doesn't 🤷 I've just filed the same issue in libp11 (OpenSC/libp11#531), so up to you if you want to keep this open too.
Closing as it is not an OpenSSL issue.
@t8m How exactly did you determine that it's not an OpenSSL issue? Is it because you read and understood the analysis written by @levitte above, or because you just assumed that if the same issue is opened in two projects then the bug must be in the other project? If there is another reason for your decision please don't hesitate to share it with us. I'm not saying your decision is wrong; I'm just curious about how you came up with it.
@mtrojnar There is no such limit applied to URI length in OpenSSL so this must be a problem with the engine or the underlying PKCS11 implementation.
Off-topic: pkcs11-tool has limit of 100 CK_BYTE for object id => 200 characters in hexadecimal notation. It seems to me libp11 engine uses 255 characters for object id. Dunno why fail for 100.
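The comments above distinguish three ways of counting an object id: characters as written in the URI, bytes after URI decoding, and characters in hexadecimal notation. The following diagnostic is an added example, not code from OpenSSL, libp11 or pkcs11-tool; it measures all three for the `id` attribute of an RFC 7512 `pkcs11:` URI. The function name, the token label `demo` and both sample URIs are constructed for illustration.

```python
import re
from collections import namedtuple
from urllib.parse import unquote_to_bytes

# encoded_chars: length of the id value as written in the URI
# decoded_bytes: length of the id after percent-decoding (the CKA_ID bytes)
# hex_chars:     length of the same id written in hexadecimal notation
IdLengths = namedtuple("IdLengths", "encoded_chars decoded_bytes hex_chars")


def pkcs11_id_lengths(uri):
    """Return IdLengths for the id attribute of a pkcs11: URI, or None if absent."""
    scheme, sep, rest = uri.partition(":")
    if not sep or scheme.lower() != "pkcs11":
        raise ValueError("not a pkcs11: URI")
    # RFC 7512: path attributes are ';'-separated; query attributes follow '?'.
    path = rest.split("?", 1)[0]
    for attr in path.split(";"):
        name, eq, value = attr.partition("=")
        if eq and name == "id":
            # Reject a '%' that is not followed by two hex digits instead of
            # silently treating it as a literal byte.
            if re.search(r"%(?![0-9A-Fa-f]{2})", value):
                raise ValueError("malformed percent-encoding in id")
            raw = unquote_to_bytes(value)
            return IdLengths(len(value), len(raw), len(raw.hex()))
    return None


# Constructed sample URIs (not taken from the issue).
PLAIN_101 = "pkcs11:token=demo;id=" + "a" * 101 + ";type=private"
ENCODED_100 = "pkcs11:token=demo;id=" + "%61" * 100 + ";type=private?module-name=demo"

if __name__ == "__main__":
    for label, uri in (("plain, 101 chars", PLAIN_101),
                       ("percent-encoded, 100 bytes", ENCODED_100)):
        print(label, pkcs11_id_lengths(uri))
```

Running it against a failing and a passing URI shows which of the three counts crosses a boundary, which helps narrow down the component applying the limit.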
Hello,
Apologies if this has been asked already, I did a quick search online but couldn't find any references to "100 characters" or other PKCS#11 URI length limits, though I might have missed a doc somewhere.
Our PKCS#11 library (https://github.com/GoogleCloudPlatform/kms-integrations) uses relatively long key IDs, and I just ran into a surprising failure while trying to generate a self-signed certificate:
"some_id_longer_than_100_characters" has been redacted but you get the idea. IDs shorter than 100 characters work just fine.
My questions:
If this is not the right place for issues related to the PKCS#11 engine let me know and I'll open a new one in the right repo. Thank you!