certificate load require PIN #508

Open
embetrix opened this issue Jan 21, 2025 · 3 comments
Labels
bug Something isn't working good first issue Good for newcomers help wanted Extra attention is needed

Comments

@embetrix
Contributor

embetrix commented Jan 21, 2025

Describe the bug
Loading a certificate via pkcs11-provider shouldn't require a PIN.

To Reproduce
Using the following function:

#include <stdio.h>
#include <openssl/provider.h>
#include <openssl/store.h>
#include <openssl/x509.h>

/* Load the first certificate found at the given PKCS#11 URI through the
 * pkcs11 provider. Note: no OSSL_STORE_expect() call, so the provider is
 * given no hint about the object type being searched for. */
X509 *provider_load_cert(const char *pkcs11_uri) {
    OSSL_PROVIDER *pkcs11_provider = NULL;
    OSSL_PROVIDER *default_provider = NULL;
    OSSL_STORE_CTX *store = NULL;
    OSSL_STORE_INFO *store_info = NULL;
    X509 *cert = NULL;

    /* Load the default provider */
    default_provider = OSSL_PROVIDER_load(NULL, "default");
    if (!default_provider) {
        fprintf(stderr, "Failed to load default provider\n");
        goto cleanup;
    }

    /* Load the PKCS#11 provider */
    pkcs11_provider = OSSL_PROVIDER_load(NULL, "pkcs11");
    if (!pkcs11_provider) {
        fprintf(stderr, "Failed to load PKCS#11 provider\n");
        goto cleanup;
    }

    /* Open the store; the UI method and callback data are left NULL so the
     * default UI is used when a PIN is requested */
    store = OSSL_STORE_open(pkcs11_uri, NULL, NULL, NULL, NULL);
    if (!store) {
        fprintf(stderr, "Failed to open OSSL_STORE (check URI or provider setup)\n");
        goto cleanup;
    }

    /* Iterate over the objects in the store until a certificate is found */
    while ((store_info = OSSL_STORE_load(store)) != NULL) {
        int info_type = OSSL_STORE_INFO_get_type(store_info);
        if (info_type == OSSL_STORE_INFO_CERT) {
            /* Extract the certificate (get1 = caller owns the reference) */
            cert = OSSL_STORE_INFO_get1_CERT(store_info);
        }
        /* Free the info object on every path, including the one that found the cert */
        OSSL_STORE_INFO_free(store_info);
        store_info = NULL;
        if (cert) {
            break;
        }
    }

    if (!cert) {
        fprintf(stderr, "Failed to load certificate\n");
    }

cleanup:
    if (store) {
        OSSL_STORE_close(store);
    }
    if (pkcs11_provider) {
        OSSL_PROVIDER_unload(pkcs11_provider);
    }
    if (default_provider) {
        OSSL_PROVIDER_unload(default_provider);
    }

    return cert;
}

Call it using:

provider_load_cert("pkcs11:object=testECCCert;type=cert?pin-value=12345"); // works

provider_load_cert("pkcs11:object=testECCCert;type=cert"); // asks for PIN

Expected behavior
Should not ask for a PIN, in the same way as for type=public.

@simo5
Member

simo5 commented Jan 21, 2025

You are not giving OpenSSL and therefore the provider any hint on what you are searching.
Does it work if you call OSSL_STORE_expect(store, OSSL_STORE_INFO_CERT) before you call OSSL_STORE_load?

@embetrix
Contributor Author

@simo5: yes, that works! Thanks :-) Note that I didn't need it for the public key.

@simo5
Member

simo5 commented Jan 21, 2025

The bug is here:

if (p11prov_uri_get_class(ctx->parsed_uri) == CKO_PUBLIC_KEY

We need to add another check on p11prov_uri_get_class() that checks if you pass type=cert explicitly so that we can work around the lack of information from applications using openssl.

The hint is obviously welcome but we can do better.
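The provider-side check simo5 describes, as an added standalone illustration that is not pkcs11-provider's own p11prov_uri_get_class() code: it parses only the path attributes of an RFC 7512 PKCS#11 URI (the part before "?", so pin-value in the query is never treated as an object attribute) and treats an explicit type=cert, like type=public, as a public object that can be searched without logging in. The CKO_* values are the PKCS#11 ones; CKO_UNKNOWN is a sentinel assumed here.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* PKCS#11 object classes; CKO_UNKNOWN is a sentinel added for this example. */
enum { CKO_DATA = 0, CKO_CERTIFICATE = 1, CKO_PUBLIC_KEY = 2,
       CKO_PRIVATE_KEY = 3, CKO_SECRET_KEY = 4, CKO_UNKNOWN = -1 };

/* Map the "type" path attribute of a PKCS#11 URI to a CKO_* class.
 * Only the path component (before '?') is inspected; query attributes such
 * as pin-value are not object attributes. Returns CKO_UNKNOWN when no type
 * attribute is present or its value is not recognised. */
int uri_get_class(const char *uri)
{
    static const struct { const char *name; int cls; } types[] = {
        {"cert", CKO_CERTIFICATE}, {"public", CKO_PUBLIC_KEY},
        {"private", CKO_PRIVATE_KEY}, {"secret-key", CKO_SECRET_KEY},
        {"data", CKO_DATA},
    };
    const char *p = uri, *end;
    if (strncmp(p, "pkcs11:", 7) != 0) return CKO_UNKNOWN;
    p += 7;
    end = strchr(p, '?');
    if (!end) end = p + strlen(p);
    while (p < end) {                       /* walk ';'-separated attributes */
        const char *sep = memchr(p, ';', (size_t)(end - p));
        size_t len = sep ? (size_t)(sep - p) : (size_t)(end - p);
        if (len > 5 && strncmp(p, "type=", 5) == 0) {
            for (size_t i = 0; i < sizeof types / sizeof types[0]; i++) {
                size_t n = strlen(types[i].name);
                if (len - 5 == n && strncmp(p + 5, types[i].name, n) == 0)
                    return types[i].cls;
            }
            return CKO_UNKNOWN;             /* type= present but unrecognised */
        }
        p += len + 1;
    }
    return CKO_UNKNOWN;
}

/* Decide whether a token login is needed before searching. Certificates and
 * public keys are public objects, so an explicit type=cert or type=public
 * lets the search proceed without prompting for a PIN; anything else
 * (private, secret-key, or no type at all) must assume login is required. */
bool uri_needs_login(const char *uri)
{
    int cls = uri_get_class(uri);
    return cls != CKO_PUBLIC_KEY && cls != CKO_CERTIFICATE;
}
```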

@simo5 simo5 added bug Something isn't working good first issue Good for newcomers help wanted Extra attention is needed labels Jan 21, 2025