From 00adb2832e92f00aa07a943ae086094c5fbb3b80 Mon Sep 17 00:00:00 2001 From: Jakub Jelen Date: Thu, 1 Dec 2022 20:08:53 +0100 Subject: [PATCH 1/4] pkcs11-tool: Fix private key import (cherry picked from commit 9294183e07ff4944e3f5e590f343f5727636767e) --- src/tools/pkcs11-tool.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/tools/pkcs11-tool.c b/src/tools/pkcs11-tool.c index aae205fe2..cfee8526d 100644 --- a/src/tools/pkcs11-tool.c +++ b/src/tools/pkcs11-tool.c @@ -3669,13 +3669,13 @@ parse_rsa_pkey(EVP_PKEY *pkey, int private, struct rsakey_info *rsa) RSA_get0_factors(r, &r_p, &r_q); RSA_get0_crt_params(r, &r_dmp1, &r_dmq1, &r_iqmp); #else - if (EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_FACTOR1, &r_d) != 1 || + if (EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_D, &r_d) != 1 || EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_FACTOR1, &r_p) != 1 || EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_FACTOR2, &r_q) != 1 || EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_EXPONENT1, &r_dmp1) != 1 || EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_EXPONENT2, &r_dmq1) != 1 || - EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_EXPONENT3, &r_iqmp) != 1) { util_fatal("OpenSSL error during RSA private key parsing"); + EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_COEFFICIENT1, &r_iqmp) != 1) { } #endif RSA_GET_BN(rsa, private_exponent, r_d); From 992909bed125af3762820b36f1788e4c88a2c0bd Mon Sep 17 00:00:00 2001 From: Jakub Jelen Date: Thu, 1 Dec 2022 20:11:41 +0100 Subject: [PATCH 2/4] pkcs11-tool: Log more information on OpenSSL errors (cherry picked from commit cff91cf6167743bdd59285150c4ef19802ed2644) --- src/tools/pkcs11-tool.c | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) diff --git a/src/tools/pkcs11-tool.c b/src/tools/pkcs11-tool.c index cfee8526d..f2e6b1dd9 100644 --- a/src/tools/pkcs11-tool.c +++ b/src/tools/pkcs11-tool.c @@ -3641,10 +3641,8 @@ parse_rsa_pkey(EVP_PKEY *pkey, int private, struct rsakey_info *rsa) const BIGNUM *r_dmp1, *r_dmq1, *r_iqmp; r = EVP_PKEY_get1_RSA(pkey); if (!r) { - if (private) - util_fatal("OpenSSL error during RSA private key parsing"); - else - util_fatal("OpenSSL error during RSA public key parsing"); + util_fatal("OpenSSL error during RSA %s key parsing: %s", private ? "private" : "public", + ERR_error_string(ERR_peek_last_error(), NULL)); } RSA_get0_key(r, &r_n, &r_e, NULL); @@ -3654,10 +3652,8 @@ parse_rsa_pkey(EVP_PKEY *pkey, int private, struct rsakey_info *rsa) BIGNUM *r_dmp1 = NULL, *r_dmq1 = NULL, *r_iqmp = NULL; if (EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_N, &r_n) != 1 || EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_E, &r_e) != 1) { - if (private) - util_fatal("OpenSSL error during RSA private key parsing"); - else - util_fatal("OpenSSL error during RSA public key parsing"); + util_fatal("OpenSSL error during RSA %s key parsing: %s", private ? "private" : "public", + ERR_error_string(ERR_peek_last_error(), NULL)); } #endif RSA_GET_BN(rsa, modulus, r_n); @@ -3674,8 +3670,9 @@ parse_rsa_pkey(EVP_PKEY *pkey, int private, struct rsakey_info *rsa) EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_FACTOR2, &r_q) != 1 || EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_EXPONENT1, &r_dmp1) != 1 || EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_EXPONENT2, &r_dmq1) != 1 || - util_fatal("OpenSSL error during RSA private key parsing"); EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_COEFFICIENT1, &r_iqmp) != 1) { + util_fatal("OpenSSL error during RSA private key parsing: %s", + ERR_error_string(ERR_peek_last_error(), NULL)); } #endif RSA_GET_BN(rsa, private_exponent, r_d); From 422c286ccc5825de5d668152d9b5c6a75a1d44d8 Mon Sep 17 00:00:00 2001 From: Jakub Jelen Date: Thu, 1 Dec 2022 20:38:31 +0100 Subject: [PATCH 3/4] Reproducer for broken pkcs11-tool key import (cherry picked from commit a8b95a8dc1ff3bb69ed66fa17f8f02c35792c760) --- tests/Makefile.am | 10 ++++--- tests/test-pkcs11-tool-import.sh | 48 ++++++++++++++++++++++++++++++++ 2 files changed, 54 insertions(+), 4 deletions(-) create mode 100755 tests/test-pkcs11-tool-import.sh diff --git a/tests/Makefile.am b/tests/Makefile.am index d378e2ee0..9d8a24c32 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am @@ -14,8 +14,9 @@ dist_noinst_SCRIPTS = common.sh \ test-pkcs11-tool-test-threads.sh \ test-pkcs11-tool-sign-verify.sh \ test-pkcs11-tool-allowed-mechanisms.sh \ - test-pkcs11-tool-sym-crypt-test.sh\ - test-pkcs11-tool-unwrap-wrap-test.sh + test-pkcs11-tool-sym-crypt-test.sh \ + test-pkcs11-tool-unwrap-wrap-test.sh \ + test-pkcs11-tool-import.sh .NOTPARALLEL: TESTS = \ @@ -25,8 +26,9 @@ TESTS = \ test-pkcs11-tool-test.sh \ test-pkcs11-tool-test-threads.sh \ test-pkcs11-tool-allowed-mechanisms.sh \ - test-pkcs11-tool-sym-crypt-test.sh\ - test-pkcs11-tool-unwrap-wrap-test.sh + test-pkcs11-tool-sym-crypt-test.sh \ + test-pkcs11-tool-unwrap-wrap-test.sh \ + test-pkcs11-tool-import.sh XFAIL_TESTS = \ test-pkcs11-tool-test-threads.sh \ test-pkcs11-tool-test.sh diff --git a/tests/test-pkcs11-tool-import.sh b/tests/test-pkcs11-tool-import.sh new file mode 100755 index 000000000..76ff8e51b --- /dev/null +++ b/tests/test-pkcs11-tool-import.sh @@ -0,0 +1,48 @@ +#!/bin/bash +SOURCE_PATH=${SOURCE_PATH:-..} + +source $SOURCE_PATH/tests/common.sh + +echo "=======================================================" +echo "Setup SoftHSM" +echo "=======================================================" +if [[ ! -f $P11LIB ]]; then + echo "WARNING: The SoftHSM is not installed. Can not run this test" + exit 77; +fi +card_setup + +ID="0100" +OPTS="" +for KEYTYPE in "RSA" "EC"; do + echo "=======================================================" + echo "Generate and import $KEYTYPE keys" + echo "=======================================================" + if [ "$KEYTYPE" == "RSA" ]; then + ID="0100" + elif [ "$KEYTYPE" == "EC" ]; then + ID="0200" + OPTS="-pkeyopt ec_paramgen_curve:P-521" + fi + openssl genpkey -out "${KEYTYPE}_private.der" -outform DER -algorithm $KEYTYPE $OPTS + assert $? "Failed to generate private $KEYTYPE key" + $PKCS11_TOOL --write-object "${KEYTYPE}_private.der" --id "$ID" --type privkey \ + --label "$KEYTYPE" -p "$PIN" --module "$P11LIB" + assert $? "Failed to write private $KEYTYPE key" + + openssl pkey -in "${KEYTYPE}_private.der" -out "${KEYTYPE}_public.der" -pubout -inform DER -outform DER + assert $? "Failed to convert private $KEYTYPE key to public" + $PKCS11_TOOL --write-object "${KEYTYPE}_public.der" --id "$ID" --type pubkey --label "$KEYTYPE" \ + -p $PIN --module $P11LIB + assert $? "Failed to write public $KEYTYPE key" + # certificate import already tested in all other tests + + rm "${KEYTYPE}_private.der" "${KEYTYPE}_public.der" +done + +echo "=======================================================" +echo "Cleanup" +echo "=======================================================" +card_cleanup + +exit $ERRORS From 74037f6792dfc1ad2b670bcffd8214a22d348d01 Mon Sep 17 00:00:00 2001 From: Jakub Jelen Date: Fri, 2 Dec 2022 18:07:43 +0100 Subject: [PATCH 4/4] Simplify the new test MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Veronika Hanulíková <61348757+xhanulik@users.noreply.github.com> (cherry picked from commit 7b2b50591622a0fd1e388440ca5f56f354da6fa3) --- tests/test-pkcs11-tool-import.sh | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/tests/test-pkcs11-tool-import.sh b/tests/test-pkcs11-tool-import.sh index 76ff8e51b..c90b3b492 100755 --- a/tests/test-pkcs11-tool-import.sh +++ b/tests/test-pkcs11-tool-import.sh @@ -12,15 +12,13 @@ if [[ ! -f $P11LIB ]]; then fi card_setup -ID="0100" -OPTS="" for KEYTYPE in "RSA" "EC"; do echo "=======================================================" echo "Generate and import $KEYTYPE keys" echo "=======================================================" - if [ "$KEYTYPE" == "RSA" ]; then - ID="0100" - elif [ "$KEYTYPE" == "EC" ]; then + ID="0100" + OPTS="" + if [ "$KEYTYPE" == "EC" ]; then ID="0200" OPTS="-pkeyopt ec_paramgen_curve:P-521" fi