
Max PKCS#11 id URI length of 100 characters? #24223

Closed
tdbhacks opened this issue Apr 22, 2024 · 6 comments
Labels
triaged: question (The issue contains a question)

Comments

@tdbhacks

Hello,

Apologies if this has been asked already, I did a quick search online but couldn't find any references to "100 characters" or other PKCS#11 URI length limits, though I might have missed a doc somewhere.

Our PKCS#11 library (https://github.com/GoogleCloudPlatform/kms-integrations) uses relatively long key IDs, and I just ran into a surprising failure while trying to generate a self-signed certificate:

$ openssl req -new -x509 -days 3650 -subj '/CN=test/' -sha256 -engine pkcs11 -keyform engine -key pkcs11:id=some_id_longer_than_100_characters > my-test.crt

Engine "pkcs11" set.
The private key ID is not a valid PKCS#11 URI
The PKCS#11 URI format is defined by RFC7512
The private key ID is not a valid PKCS#11 URI
The PKCS#11 URI format is defined by RFC7512
The private key was not found at: pkcs11:id=some_id_longer_than_100_characters
PKCS11_get_private_key returned NULL
Could not read private key from org.openssl.engine:pkcs11:pkcs11:id=some_id_longer_than_100_characters
40D7D791067F0000:error:40000064:pkcs11 engine:ERR_ENG_error:invalid id:eng_back.c:400:
40D7D791067F0000:error:13000080:engine routines:ENGINE_load_private_key:failed loading private key:../crypto/engine/eng_pkey.c:79:
Aborted

"some_id_longer_than_100_characters" has been redacted but you get the idea. IDs shorter than 100 characters work just fine.

My questions:

  • is this intended?
  • is the limit documented anywhere?

If this is not the right place for issues related to the PKCS#11 engine let me know and I'll open a new one in the right repo. Thank you!

@tdbhacks tdbhacks added the "issue: bug report" label (The issue was opened to report a bug) Apr 22, 2024
@levitte
Member

levitte commented Apr 22, 2024

The PKCS#11 engine is produced with OpenSC's libp11 project, so they're the folks that you should turn to primarily.

However, I have looked at their code, and nothing in their code seems to imply a length limit. However, the URI is subject to URI encoding (i.e. bytes can be specified with %xx where x are hex digits)... so, could it be that your 100 character id includes a percent sign somewhere that isn't followed by two hex digits? That would be a plausible cause for your issue.

@levitte levitte added the "triaged: question" label (The issue contains a question) and removed the "issue: bug report" label (The issue was opened to report a bug) Apr 22, 2024
@tdbhacks
Author

tdbhacks commented Apr 23, 2024

Thanks for the quick reply and for taking a look! The specific id format is a totally valid guess, but this can also be reproduced with a basic id of 101x "a"s, which triggers the URI error. The same id with 100x "a"s doesn't 🤷

I've just filed the same issue in libp11 (OpenSC/libp11#531), so up to you if you want to keep this open too.
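A strict RFC 7512 parser, as an added example (not code from libp11, OpenSSL, or anyone in this thread), separates the two hypotheses above: an id of 101 "a"s decodes without complaint, while a "%" not followed by two hex digits is rejected as malformed. The set of characters allowed unescaped is an approximation of the RFC's grammar and is an assumption of this example.

```python
import re

# '%' must be followed by exactly two hex digits (RFC 7512 inherits this from RFC 3986);
# a bare '%' inside an id is the malformed-escape case suspected above.
_PCT = re.compile(r"%[0-9A-Fa-f]{2}")
# Characters allowed unescaped in an attribute value. Approximation of RFC 7512's
# pk11-path-res-avail (assumed here); the query part additionally allows "/", "?" and "|".
_SAFE = frozenset("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
                  "-._~:[]@!$'()*+,=&")


def pct_decode(value: str, extra: str = "") -> bytes:
    """Strictly percent-decode one attribute value; raise on malformed escapes."""
    out, i, allowed = bytearray(), 0, _SAFE | set(extra)
    while i < len(value):
        c = value[i]
        if c == "%":
            m = _PCT.match(value, i)
            if m is None:
                raise ValueError(f"malformed percent-escape at offset {i}: {value[i:i + 3]!r}")
            out.append(int(m.group()[1:], 16))
            i += 3
        elif c in allowed:
            out.append(ord(c))
            i += 1
        else:
            raise ValueError(f"character {c!r} must be percent-encoded")
    return bytes(out)


def parse_pkcs11_uri(uri: str) -> dict:
    """Return {'path': {name: bytes}, 'query': {name: bytes}} for a pkcs11: URI."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path, _, query = uri[len("pkcs11:"):].partition("?")
    result = {"path": {}, "query": {}}
    for part, section, sep, extra in (("path", path, ";", ""), ("query", query, "&", "/?|")):
        for item in filter(None, section.split(sep)):
            name, eq, raw = item.partition("=")
            if not eq or name in result[part]:
                raise ValueError(f"bad or duplicate attribute: {item!r}")
            result[part][name] = pct_decode(raw, extra)
    return result


def id_length(uri: str) -> int:
    """Byte length of the decoded id (the CKA_ID value); RFC 7512 itself imposes no cap."""
    return len(parse_pkcs11_uri(uri)["path"].get("id", b""))
```

Running id_length on the 101-"a" URI from the comment above returns 101, so any rejection of that id comes from the engine or module, not from the URI syntax.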

@t8m
Member

t8m commented Apr 24, 2024

Closing as it is not an OpenSSL issue.

@t8m t8m closed this as completed Apr 24, 2024
@mtrojnar
Contributor

mtrojnar commented May 24, 2024

Closing as it is not an OpenSSL issue.

@t8m How exactly did you determine that it's not an OpenSSL issue? Is it because you read and understood the analysis written by @levitte above, or because you just assumed that if the same issue is opened in two projects then the bug must be in the other project? If there is another reason for your decision please don't hesitate to share it with us.

I'm not saying your decision is wrong; I'm just curious about how you came up with it.

@t8m
Member

t8m commented May 27, 2024

@mtrojnar There is no such limit applied to URI length in OpenSSL so this must be a problem with the engine or the underlying PKCS11 implementation.

@petrovr

petrovr commented May 27, 2024

Off-topic: pkcs11-tool has a limit of 100 CK_BYTE for object id => 200 characters in hexadecimal notation.

It seems to me the libp11 engine uses 255 characters for object id. Dunno why it fails for 100.
