libp11 icon indicating copy to clipboard operation
libp11 copied to clipboard
verified publisher icon OpenSC

No Login on Private Key Usage

Open falko-strenzke opened this issue 2 years ago • 1 comments

We observed the following behaviour in version 0.4.12 when invoking openssl dgst -engine pkcs11 -keyform engine -sign [...]

  • When searching for private keys, this is done first attempted by libp11 without performing C_Login()
  • If the sought private key is found in this way, signature generation is also attempted without performing C_Login()
  • If C_SignInit() fails with CKR_USER_NOT_LOGGED_IN, the command fails

We found specifying "FORCE_LOGIN" in the engine section as a workaround.

However, according to our understanding, in the described case libp11 would preferably perform C_Login() after the failed call to C_SignInit() and try to call this function again.

Is this something you would put on the roadmap? Would you prefer us to propse an MR (currently not sure if we can provide that but I would check that)?

falko-strenzke avatar Apr 19 '23 07:04 falko-strenzke

I don't use the PKCS#11 engine myself, but looking at the source code, it seems that libp11 actually does the right thing: https://github.com/OpenSC/libp11/blob/6c96847f1f52a5ccc76e8f8d14820cc4d6af1ecb/src/eng_back.c#L199-L243

I suggest you debug that part above and especially check the reason why no login is performed on line 211. I would assume that libp11 doesn't recognize the need to login, because your slot doesn't propagate this property correctly.

frankmorgner avatar Aug 29 '23 14:08 frankmorgner

Please always confirm that the bug is still present in the master branch when reporting a bug against a release. This helps us understand whether you only want us to produce a next release, or you actually expect us to spend time investigating your particular issue.

mtrojnar avatar Nov 25 '24 11:11 mtrojnar