Different output from "list-objects" depending on client platform

[LMattsson]

I am running p11-kit as a server on Fedora 39. For the client side, I got one client on Linux and one on Windows. Both server and clients are running p11-kit v. 0.25.3.

Note that both clients are running in a bit of a non-standard environment, and that when running directly on my regular system I do not have this problem.

When running p11-kit list-modules on the client side, I can see my added module on both client platforms. However, when running p11-kit list-objects <token>, I get different results depending on the client platform.

On the Linux client, things look to be in order:

$ p11-kit list-modules    
module: p11-kit-client
    path: /usr/lib64/pkcs11/p11-kit-client.so
    uri: pkcs11:library-description=PKCS%2311%20Kit%20Proxy%20Module;library-manufacturer=PKCS%2311%20Kit
    library-description: PKCS#11 Kit Proxy Module
    library-manufacturer: PKCS#11 Kit
    library-version: 1.1
    token: 
        uri: pkcs11:model=Cloud%20KMS%20Token;manufacturer=Google;serial=0000000000000000;token=
        manufacturer: Google
        model: Cloud KMS Token
        serial-number: 0000000000000000
        flags:
              rng
              user-pin-initialized
              token-initialized
              so-pin-locked

$ p11-kit list-objects <token>
Object: #0
    uri: pkcs11:model=Cloud%20KMS%20Token;manufacturer=Google;serial=0000000000000000;token=;id=%00%00%00%18%00%00%00%03%61%41%75%00%00%00%13%00%00%00%00%01%00%00%00%08%00%00%00%00%00%00%00%02%00%00%03%00%00%00%00%05%00%00%00%00%00%80%00%00%00%00%87%00%00%00%01%00%01%00%00%00%08%00%00%00%00%00%00%00%00%00%00%06%01%00%00%00%00%03%01%00%00%00%0B%FF%FF%FF%FF%00%00%00%10%00%00%00%01%02%01%00%00%00%78%FF%FF%FF%FF%00%00%01%10%01%00%00%00%00%FF%FF%FF%FF%00%00;object=%08%90v%FB%A3%7F%00%00P%403;type=public
    class: public-key
    key-type: rsa
    label:�v��
    id: 00:00:00:18:00:00:00:03:61:41:75:00:00:00:13:00:00:00:00:01:00:00:00:08:00:00:00:00:00:00:00:02:00:00:03:00:00:00:00:05:00:00:00:00:00:80:00:00:00:00:87:00:00:00:01:00:01:00:00:00:08:00:00:00:00:00:00:00:00:00:00:06:01:00:00:00:00:03:01:00:00:00:0b:ff:ff:ff:ff:00:00:00:10:00:00:00:01:02:01:00:00:00:78:ff:ff:ff:ff:00:00:01:10:01:00:00:00:00:ff:ff:ff:ff:00:00
    flags:
          local
          token

On the Windows client, data for the token is missing:

$ p11-kit list-modules
module: p11-kit-client
    path: /usr/lib64/pkcs11/p11-kit-client.so
    uri: pkcs11:library-description=PKCS%2311%20Kit%20Proxy%20Module;library-manufacturer=PKCS%2311%20Kit
    library-description: PKCS#11 Kit Proxy Module
    library-manufacturer: PKCS#11 Kit
    library-version: 1.1
    token: 
        uri: pkcs11:model=Cloud%20KMS%20Token;manufacturer=Google;serial=0000000000000000;token=
        manufacturer: Google
        model: Cloud KMS Token
        serial-number: 0000000000000000
        flags:
              rng
              user-pin-initialized
              token-initialized
              so-pin-locked

$ p11-kit list-objects <token>
Object: #0
    class: 0xFFC52FD0 (unknown)
    hw-feature-type: 0xFFC52FD4 (unknown)
    mechanism-type: 0xFFC52FE8 (unknown)
    certificate-type: 0xFFC52FE0 (unknown)
    certificate-category: 0xFFC52FE4 (unknown)
    key-type: dh
    profile-id: 0xFFC52FDC (unknown)
    label: 
    application: 
    id: 
    start-date: .�.
    end-date: �`��.;.�
    flags:
          token
          private
          modifiable
          copyable
          destroyable

To your knowledge, does p11-kit have any specific requirements for the combination of server and client platforms, e.g. not allowing mixing of 32- and 64-bit systems?

[ueno]

While in theory the protocol should work with both 32-bit and 64-bit systems, it might need to assume the same data model, in which GNU/Linux (LP64) and Windows (LLP64) have some differences. That's one of the reasons why we don't enable building p11-kit-client.dll on Windows by default.

[abarisani]

I've experienced the following command differs whether executed on a 32-bit client or 64-bit client against the same token (with forwarded socket).

On a 32-bit the data object IDs are truncated and do not match the corresponding 64-bit value.

For example one of these objects (converted to hex) is 4159ea64efdded8d while the pkcs11-tool client looks for efdded8d (4024298893).

This makes all clients unusable on a 32-bit platform.

$ pkcs11-tool --module /usr/lib/arm-linux-gnueabihf/pkcs11/p11-kit-client.so --list-objects
Using slot 0 with a present token (0x1)
warning: PKCS11 function C_GetAttributeValue(CLASS) failed: rv = CKR_OBJECT_HANDLE_INVALID (0x82)

Data object 4024298893
  label:          <empty>
  application:    <empty>
  app_id:         <empty>
  flags:          <empty>
warning: PKCS11 function C_GetAttributeValue(CLASS) failed: rv = CKR_OBJECT_HANDLE_INVALID (0x82)

Data object 763047029
  label:          <empty>
  application:    <empty>
  app_id:         <empty>
  flags:          <empty>
warning: PKCS11 function C_GetAttributeValue(CLASS) failed: rv = CKR_OBJECT_HANDLE_INVALID (0x82)

Data object 4086046842
  label:          <empty>
  application:    <empty>
  app_id:         <empty>
  flags:          <empty>

[LMattsson]

@abarisani Out of curiosity, is the issue you see a recent problem or have you seen it for a longer time?

[abarisani]

@abarisani Out of curiosity, is the issue you see a recent problem or have you seen it for a longer time?

I am experiencing this as we speak while integrating p11-kit on a 32-bit installation using https://github.com/google/go-p11-kit as RPC server.

I think the 32-bit client is requesting a ulValueLen of 4 while the RPC server responds with 8, then the p11-kit client library is hitting CKR_BUFFER_TOO_SMALL and the object class is not being parsed correctly.