[MacPorts] #52623: p11-kit @0.23.2_1: fails to properly complete operation and disconnect on Sierra
MacPorts
noreply at macports.org
Sun Oct 16 17:45:36 CEST 2016
----------------------+----------------------
Reporter: uri@… | Owner: devans@…
Type: defect | Status: new
Priority: Normal | Milestone:
Component: ports | Version: 2.3.4
Resolution: | Keywords:
Port: p11-kit |
----------------------+----------------------
Comment (by uri@…):
The only two modules I (explicitly) enabled are OpenSC PKCS#11 and Yubico
YKCS11 (subset of PKCS#11 with extensions for YubiKey devices):
{{{
$ ll ~/.config/pkcs11/modules/
total 16
drwxr-xr-x 4 uri staff 136 Oct 3 10:19 ./
drwxr-xr-x 3 uri staff 102 Oct 2 12:42 ../
-rw-r--r-- 1 uri staff 48 Oct 2 12:44 pkcs11.module
-rw-r--r-- 1 uri staff 39 Oct 2 12:44 ykcs11.module
$
}}}
Here's what happens if I remove ykcs11.module:
{{{
$ export PKCS11_MODULE_PATH=/opt/local/lib/p11-kit-proxy.dylib
$ mv ~/.config/pkcs11/modules/ykcs11.module /tmp/
$ openssl dgst -engine pkcs11 -keyform engine -sign
"pkcs11:manufacturer=piv_II;object=SIGN%20key;type=private" -sha384
-sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 -out t256.dat.sig
t256.dat
engine "pkcs11" set.
PKCS#11 token PIN:
^C
$
}}}
With PKCS11SPY:
{{{
PKCS11_MODULE_PATH=/Library/OpenSC/lib/pkcs11-spy.dylib openssl dgst
-engine pkcs11 -keyform engine -sign
"pkcs11:manufacturer=piv_II;object=SIGN%20key;type=private" -sha384
-sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 -out t256.dat.sig
t256.dat
*************** OpenSC PKCS#11 spy *****************
Loaded: "/opt/local/lib/p11-kit-proxy.dylib"
0: C_GetFunctionList
2016-10-16 11:43:40.125
Returned: 0 CKR_OK
1: C_Initialize
2016-10-16 11:43:40.126
[in] pInitArgs = 0x7fff5a42b5f0
flags: 2
CKF_OS_LOCKING_OK
Returned: 0 CKR_OK
2: C_GetInfo
2016-10-16 11:43:40.866
[out] pInfo:
cryptokiVersion: 2.20
manufacturerID: 'PKCS#11 Kit '
flags: 0
libraryDescription: 'PKCS#11 Kit Proxy Module '
libraryVersion: 1.1
Returned: 0 CKR_OK
3: C_GetSlotList
2016-10-16 11:43:40.866
[in] tokenPresent = 0x0
[out] pSlotList:
Count is 6
[out] *pulCount = 0x6
Returned: 0 CKR_OK
4: C_GetSlotList
2016-10-16 11:43:40.866
[in] tokenPresent = 0x0
[out] pSlotList:
Slot 16
Slot 17
Slot 18
Slot 19
Slot 20
Slot 21
[out] *pulCount = 0x6
Returned: 0 CKR_OK
5: C_GetSlotInfo
2016-10-16 11:43:40.866
[in] slotID = 0x10
[out] pInfo:
slotDescription: '/opt/local/share/curl/curl-ca-bu'
'ndle.crt '
manufacturerID: 'PKCS#11 Kit '
hardwareVersion: 0.23
firmwareVersion: 0.0
flags: 1
CKF_TOKEN_PRESENT
Returned: 0 CKR_OK
6: C_GetTokenInfo
2016-10-16 11:43:40.866
[in] slotID = 0x10
[out] pInfo:
label: 'Default Trust '
manufacturerID: 'PKCS#11 Kit '
model: 'p11-kit-trust '
serialNumber: '1 '
ulMaxSessionCount: 0
ulSessionCount: -1
ulMaxRwSessionCount: 0
ulRwSessionCount: -1
ulMaxPinLen: 0
ulMinPinLen: 0
ulTotalPublicMemory: -1
ulFreePublicMemory: -1
ulTotalPrivateMemory: -1
ulFreePrivateMemory: -1
hardwareVersion: 0.23
firmwareVersion: 0.0
time: ' '
flags: 402
CKF_WRITE_PROTECTED
CKF_TOKEN_INITIALIZED
Returned: 0 CKR_OK
7: C_GetSlotInfo
2016-10-16 11:43:40.866
[in] slotID = 0x11
[out] pInfo:
slotDescription: '/opt/local/etc/openssl '
' '
manufacturerID: 'PKCS#11 Kit '
hardwareVersion: 0.23
firmwareVersion: 0.0
flags: 1
CKF_TOKEN_PRESENT
Returned: 0 CKR_OK
8: C_GetTokenInfo
2016-10-16 11:43:40.866
[in] slotID = 0x11
[out] pInfo:
label: 'System Trust '
manufacturerID: 'PKCS#11 Kit '
model: 'p11-kit-trust '
serialNumber: '1 '
ulMaxSessionCount: 0
ulSessionCount: -1
ulMaxRwSessionCount: 0
ulRwSessionCount: -1
ulMaxPinLen: 0
ulMinPinLen: 0
ulTotalPublicMemory: -1
ulFreePublicMemory: -1
ulTotalPrivateMemory: -1
ulFreePrivateMemory: -1
hardwareVersion: 0.23
firmwareVersion: 0.0
time: ' '
flags: 402
CKF_WRITE_PROTECTED
CKF_TOKEN_INITIALIZED
Returned: 0 CKR_OK
9: C_GetSlotInfo
2016-10-16 11:43:40.867
[in] slotID = 0x12
[out] pInfo:
slotDescription: 'Yubico Yubikey NEO OTP+U2F+CCID '
' '
manufacturerID: 'Yubico '
hardwareVersion: 3.70
firmwareVersion: 0.0
flags: 7
CKF_TOKEN_PRESENT
CKF_REMOVABLE_DEVICE
CKF_HW_SLOT
Returned: 0 CKR_OK
10: C_GetTokenInfo
2016-10-16 11:43:40.868
[in] slotID = 0x12
[out] pInfo:
label: 'PIV Card Holder pin (PIV_II) '
manufacturerID: 'piv_II '
model: 'PKCS#15 emulated'
serialNumber: 'a0fxxxxxxxxxxxxx'
ulMaxSessionCount: 0
ulSessionCount: 0
ulMaxRwSessionCount: 0
ulRwSessionCount: 0
ulMaxPinLen: 8
ulMinPinLen: 4
ulTotalPublicMemory: -1
ulFreePublicMemory: -1
ulTotalPrivateMemory: -1
ulFreePrivateMemory: -1
hardwareVersion: 0.0
firmwareVersion: 0.0
time: ' '
flags: 40d
CKF_RNG
CKF_LOGIN_REQUIRED
CKF_USER_PIN_INITIALIZED
CKF_TOKEN_INITIALIZED
Returned: 0 CKR_OK
11: C_GetSlotInfo
2016-10-16 11:43:40.891
[in] slotID = 0x13
[out] pInfo:
slotDescription: 'SoftHSM slot ID 0x21bc4979 '
' '
manufacturerID: 'SoftHSM project '
hardwareVersion: 2.1
firmwareVersion: 2.1
flags: 1
CKF_TOKEN_PRESENT
Returned: 0 CKR_OK
12: C_GetTokenInfo
2016-10-16 11:43:40.891
[in] slotID = 0x13
[out] pInfo:
label: 'Botan PKCS#11 tests '
manufacturerID: 'SoftHSM project '
model: 'SoftHSM v2 '
serialNumber: 'b15xxxxxxxxxxxxx'
ulMaxSessionCount: 0
ulSessionCount: -1
ulMaxRwSessionCount: 0
ulRwSessionCount: -1
ulMaxPinLen: 255
ulMinPinLen: 4
ulTotalPublicMemory: -1
ulFreePublicMemory: -1
ulTotalPrivateMemory: -1
ulFreePrivateMemory: -1
hardwareVersion: 2.1
firmwareVersion: 2.1
time: '2016101615434000'
flags: 42d
CKF_RNG
CKF_LOGIN_REQUIRED
CKF_USER_PIN_INITIALIZED
CKF_RESTORE_KEY_NOT_NEEDED
CKF_TOKEN_INITIALIZED
Returned: 0 CKR_OK
13: C_GetSlotInfo
2016-10-16 11:43:40.891
[in] slotID = 0x14
[out] pInfo:
slotDescription: 'SoftHSM slot ID 0x2879828e '
' '
manufacturerID: 'SoftHSM project '
hardwareVersion: 2.1
firmwareVersion: 2.1
flags: 1
CKF_TOKEN_PRESENT
Returned: 0 CKR_OK
14: C_GetTokenInfo
2016-10-16 11:43:40.891
[in] slotID = 0x14
[out] pInfo:
label: 'test '
manufacturerID: 'SoftHSM project '
model: 'SoftHSM v2 '
serialNumber: '02bxxxxxxxxxxxxx'
ulMaxSessionCount: 0
ulSessionCount: -1
ulMaxRwSessionCount: 0
ulRwSessionCount: -1
ulMaxPinLen: 255
ulMinPinLen: 4
ulTotalPublicMemory: -1
ulFreePublicMemory: -1
ulTotalPrivateMemory: -1
ulFreePrivateMemory: -1
hardwareVersion: 2.1
firmwareVersion: 2.1
time: '2016101615434000'
flags: 42d
CKF_RNG
CKF_LOGIN_REQUIRED
CKF_USER_PIN_INITIALIZED
CKF_RESTORE_KEY_NOT_NEEDED
CKF_TOKEN_INITIALIZED
Returned: 0 CKR_OK
15: C_GetSlotInfo
2016-10-16 11:43:40.892
[in] slotID = 0x15
[out] pInfo:
slotDescription: 'SoftHSM slot ID 0x2 '
' '
manufacturerID: 'SoftHSM project '
hardwareVersion: 2.1
firmwareVersion: 2.1
flags: 1
CKF_TOKEN_PRESENT
Returned: 0 CKR_OK
16: C_GetTokenInfo
2016-10-16 11:43:40.892
[in] slotID = 0x15
[out] pInfo:
label: ' '
manufacturerID: 'SoftHSM project '
model: 'SoftHSM v2 '
serialNumber: ' '
ulMaxSessionCount: 0
ulSessionCount: -1
ulMaxRwSessionCount: 0
ulRwSessionCount: -1
ulMaxPinLen: 255
ulMinPinLen: 4
ulTotalPublicMemory: -1
ulFreePublicMemory: -1
ulTotalPrivateMemory: -1
ulFreePrivateMemory: -1
hardwareVersion: 2.1
firmwareVersion: 2.1
time: '2016101615434000'
flags: c00025
CKF_RNG
CKF_LOGIN_REQUIRED
CKF_RESTORE_KEY_NOT_NEEDED
CKF_SO_PIN_LOCKED
CKF_SO_PIN_TO_BE_CHANGED
Returned: 0 CKR_OK
engine "pkcs11" set.
17: C_OpenSession
2016-10-16 11:43:40.892
[in] slotID = 0x12
[in] flags = 0x4
pApplication=0x0
Notify=0x0
[out] *phSession = 0x11
Returned: 0 CKR_OK
18: C_FindObjectsInit
2016-10-16 11:43:40.892
[in] hSession = 0x11
[in] pTemplate[1]:
CKA_CLASS CKO_CERTIFICATE
Returned: 0 CKR_OK
19: C_FindObjects
2016-10-16 11:43:40.892
[in] hSession = 0x11
[in] ulMaxObjectCount = 0x1
[out] ulObjectCount = 0x1
Object 0x7fd27ad28c80 matches
Returned: 0 CKR_OK
20: C_GetAttributeValue
2016-10-16 11:43:40.892
[in] hSession = 0x11
[in] hObject = 0x7fd27ad28c80
[in] pTemplate[1]:
CKA_CERTIFICATE_TYPE 00007fff5a42b498 / 8
[out] pTemplate[1]:
CKA_CERTIFICATE_TYPE CKC_X_509
Returned: 0 CKR_OK
21: C_GetAttributeValue
2016-10-16 11:43:40.892
[in] hSession = 0x11
[in] hObject = 0x7fd27ad28c80
[in] pTemplate[1]:
CKA_LABEL 0000000000000000 / 0
[out] pTemplate[1]:
CKA_LABEL 0000000000000000 / 34
Returned: 0 CKR_OK
22: C_GetAttributeValue
2016-10-16 11:43:40.892
[in] hSession = 0x11
[in] hObject = 0x7fd27ad28c80
[in] pTemplate[1]:
CKA_LABEL 00007fd27af144f0 / 34
[out] pTemplate[1]:
CKA_LABEL 00007fd27af144f0 / 34
43657274 69666963 61746520 666F7220 50495620 41757468 656E7469 63617469
C e r t i f i c a t e . f o r . P I V . A u t h e n t i c a t i
6F6E
o n
Returned: 0 CKR_OK
23: C_GetAttributeValue
2016-10-16 11:43:40.892
[in] hSession = 0x11
[in] hObject = 0x7fd27ad28c80
[in] pTemplate[1]:
. . . . .
95: C_SignInit
2016-10-16 11:43:43.504
[in] hSession = 0x11
pMechanism->type=CKM_RSA_X_509
[in] hKey = 0x7fd27af138f0
Returned: 0 CKR_OK
96: C_Sign
2016-10-16 11:43:43.504
[in] hSession = 0x11
[in] pData[ulDataLen] 00007fd27af14c10 / 256
00000000 5A 6B BB 1E 19 2F 6F D9 52 B7 40 E9 9D DA 21 EA
Zk.../o.R. at ...!.
00000010 2C 6C 59 CD B6 69 B6 4A 5C 85 4F DE CD C1 72 0E
,lY..i.J\.O...r.
. . . . .
000000F0 AC DB FE 80 DE 31 13 F1 9F 85 D1 BD 1E B8 9E BC
.....1..........
[out] pSignature[*pulSignatureLen] 00007fd27b801000 / 256
00000000 0E FA 39 F3 DD 9C B9 EB D1 F9 2F E6 28 4E E3 56
..9......./.(N.V
00000010 53 DC 7F 90 3E 72 23 48 91 D2 E8 E8 E4 1C 59 D0
S..>r#H......Y.
. . . . .
000000F0 59 1A 90 C8 D1 E0 B0 87 3C 5F 73 99 A2 73 F3 CB
Y.......<_s..s..
Returned: 0 CKR_OK
97: C_CloseAllSessions
2016-10-16 11:43:44.174
[in] slotID = 0x10
Returned: 0 CKR_OK
98: C_CloseAllSessions
2016-10-16 11:43:44.174
[in] slotID = 0x11
Returned: 0 CKR_OK
99: C_CloseAllSessions
2016-10-16 11:43:44.174
[in] slotID = 0x12
Returned: 0 CKR_OK
100: C_CloseAllSessions
2016-10-16 11:43:44.175
[in] slotID = 0x13
Returned: 0 CKR_OK
101: C_CloseAllSessions
2016-10-16 11:43:44.175
[in] slotID = 0x14
Returned: 0 CKR_OK
102: C_CloseAllSessions
2016-10-16 11:43:44.175
[in] slotID = 0x15
Returned: 0 CKR_OK
103: C_Finalize
2016-10-16 11:43:44.175
^C
$
}}}
I see SoftHSMv2 module(s), which I did NOT enable, at least explicitly.
Nor do I have any idea what that "/opt/local/etc/openssl" is doing there.
I'd appreciate some guidance on how to perform the test you need.
--
Ticket URL: <https://trac.macports.org/ticket/52623#comment:5>
MacPorts <https://www.macports.org/>
Ports system for the Mac operating system
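Added here as a worked example (not part of the ticket, of p11-kit or of OpenSC): a small Python parser for pkcs11-spy traces of the kind quoted above. It reduces the trace to two things a reviewer of this ticket wants at a glance: which token (label, manufacturerID, model) sits behind each slot the proxy exposes, so unexpected modules such as the SoftHSM slots stand out, and which call has no `Returned:` line, which is how the hang in `C_Finalize` shows up. The embedded trace is a constructed, abbreviated excerpt in the same format as the spy output, not the verbatim log.

```python
"""Summarise a pkcs11-spy trace: token behind each slot, and any call that
never returned (the trace stops before its 'Returned:' line)."""
import re
from typing import Dict, List, Tuple

# Constructed excerpt modelled on the pkcs11-spy format (abbreviated); this is
# not the ticket's verbatim output.
SAMPLE_TRACE = """\
5: C_GetSlotInfo
2016-10-16 11:43:40.866
[in] slotID = 0x10
[out] pInfo:
slotDescription: '/opt/local/share/curl/curl-ca-bu'
'ndle.crt                          '
manufacturerID: 'PKCS#11 Kit                     '
Returned: 0 CKR_OK
6: C_GetTokenInfo
2016-10-16 11:43:40.866
[in] slotID = 0x10
[out] pInfo:
label: 'Default Trust                   '
manufacturerID: 'PKCS#11 Kit                     '
model: 'p11-kit-trust   '
Returned: 0 CKR_OK
10: C_GetTokenInfo
2016-10-16 11:43:40.868
[in] slotID = 0x12
[out] pInfo:
label: 'PIV Card Holder pin (PIV_II)    '
manufacturerID: 'piv_II                          '
model: 'PKCS#15 emulated'
Returned: 0 CKR_OK
12: C_GetTokenInfo
2016-10-16 11:43:40.891
[in] slotID = 0x13
[out] pInfo:
label: 'Botan PKCS#11 tests             '
manufacturerID: 'SoftHSM project                 '
model: 'SoftHSM v2      '
Returned: 0 CKR_OK
96: C_Sign
2016-10-16 11:43:43.504
[in] hSession = 0x11
Returned: 0 CKR_OK
103: C_Finalize
2016-10-16 11:43:44.175
"""

CALL_RE = re.compile(r"^(\d+): (C_\w+)\s*$")          # "17: C_OpenSession"
SLOT_RE = re.compile(r"^\[in\] slotID = 0x([0-9a-fA-F]+)")
FIELD_RE = re.compile(r"^(\w+): '(.*)'\s*$")           # "label: 'Default Trust '"
RETURNED_RE = re.compile(r"^Returned: (\d+) (\w+)")    # "Returned: 0 CKR_OK"


def parse_calls(trace: str) -> List[dict]:
    """Split a pkcs11-spy trace into one record per PKCS#11 call."""
    calls: List[dict] = []
    for raw in trace.splitlines():
        line = raw.strip()
        m = CALL_RE.match(line)
        if m:
            calls.append({"seq": int(m.group(1)), "name": m.group(2),
                          "slot": None, "fields": {}, "returned": None})
            continue
        if not calls:
            continue  # banner lines before the first numbered call
        cur = calls[-1]
        if (m := SLOT_RE.match(line)):
            cur["slot"] = int(m.group(1), 16)
        elif (m := FIELD_RE.match(line)):
            cur["fields"][m.group(1)] = m.group(2).strip()
        elif line.startswith("'") and line.endswith("'") and cur["fields"]:
            # spy wraps long values onto a second quoted line: join them
            last = next(reversed(cur["fields"]))
            cur["fields"][last] = (cur["fields"][last] + line.strip("'")).strip()
        elif (m := RETURNED_RE.match(line)):
            cur["returned"] = m.group(2)
    return calls


def token_table(calls: List[dict]) -> Dict[int, dict]:
    """Map slot id -> label/manufacturerID/model taken from C_GetTokenInfo."""
    return {c["slot"]: dict(c["fields"]) for c in calls
            if c["name"] == "C_GetTokenInfo" and c["slot"] is not None}


def unreturned_calls(calls: List[dict]) -> List[Tuple[int, str]]:
    """Calls with no 'Returned:' line, i.e. where the trace (and the process) stopped."""
    return [(c["seq"], c["name"]) for c in calls if c["returned"] is None]


if __name__ == "__main__":
    parsed = parse_calls(SAMPLE_TRACE)
    for slot, info in sorted(token_table(parsed).items()):
        print(f"slot 0x{slot:x}: {info.get('label')!r} from "
              f"{info.get('manufacturerID')!r} ({info.get('model')!r})")
    for seq, name in unreturned_calls(parsed):
        print(f"call {seq} {name} never returned")
```

Run against a full spy capture (`python3 spy_summary.py < trace.txt` after swapping `SAMPLE_TRACE` for `sys.stdin.read()`), the token table lists every module the proxy actually loaded, regardless of which `.module` files were enabled by hand, and the unreturned list pins the hang to the exact call.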