OpenSC / libp11

PKCS#11 wrapper library
GNU Lesser General Public License v2.1

SEGV with EC key #98

Closed dwmw2 closed 8 years ago

dwmw2 commented 8 years ago

On Fedora 24 using the packaged versions of OpenSSL (1.0.2h) and libp11 (0.3.0). I have added some certificate torture tests to OpenConnect and they fail with EC keys:

Found 3 certs in slot 'SoftHSM slot 0'
Using PKCS#11 certificate pkcs11:token=openconnect-test;id=%03
Found 0 keys in slot 'SoftHSM slot 0'
Logging in to PKCS#11 slot 'SoftHSM slot 0'
Logged in to PKCS#11 slot 'SoftHSM slot 0'
Found 2 keys in slot 'SoftHSM slot 0'
Using PKCS#11 key pkcs11:token=openconnect-test;id=%03

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff5d77888 in EC_POINT_cmp (group=0x6dd670, a=0x6dc030, b=0x0, ctx=0x0)
    at ec_lib.c:1001
1001        if ((group->meth != a->meth) || (a->meth != b->meth)) {
Missing separate debuginfos, use: dnf debuginfo-install gnome-keyring-3.20.0-1.fc24.x86_64 libp11-0.3.0-2.fc24.x86_64 libpskc-2.6.1-2.fc24.x86_64 libtool-ltdl-2.4.6-11.fc24.x86_64 libxslt-1.1.28-12.fc24.x86_64 xmlsec1-1.2.20-3.fc24.x86_64
(gdb) bt
#0  0x00007ffff5d77888 in EC_POINT_cmp (group=0x6dd670, a=0x6dc030, b=0x0, 
    ctx=0x0) at ec_lib.c:1001
#1  0x00007ffff5d81a0c in eckey_pub_cmp (a=<optimized out>, b=0x6d6e20)
    at ec_ameth.c:224
#2  0x00007ffff5df5fb1 in X509_check_private_key (x=<optimized out>, 
    k=k@entry=0x6d6e20) at x509_cmp.c:333
#3  0x00007ffff6144a00 in ssl_set_pkey (c=0x6496b0, pkey=0x6d6e20)
    at ssl_rsa.c:223
#4  0x00007ffff6145c96 in SSL_CTX_use_PrivateKey (ctx=<optimized out>, 
    pkey=<optimized out>) at ssl_rsa.c:616
#5  0x00007ffff7bba3b1 in load_pkcs11_key (vpninfo=vpninfo@entry=0x643a70)
    at ../openssl-pkcs11.c:574
#6  0x00007ffff7bb7fdb in load_certificate (vpninfo=0x643a70)
    at ../openssl.c:889
#7  openconnect_open_https (vpninfo=vpninfo@entry=0x643a70)
    at ../openssl.c:1633
#8  0x00007ffff7b9bc08 in do_https_request (vpninfo=vpninfo@entry=0x643a70, 
    method=method@entry=0x7ffff7bbde11 "POST", 
    request_body_type=request_body_type@entry=0x7ffff7bbe2a8 "application/x-www-form-urlencoded", request_body=request_body@entry=0x644630, 
    form_buf=form_buf@entry=0x7fffffffdb70, 
    fetch_redirect=fetch_redirect@entry=0) at ../http.c:875
#9  0x00007ffff7bac91f in cstp_obtain_cookie (vpninfo=<optimized out>)

dwmw2 commented 8 years ago

To run the tests:

git clone git://git.infradead.org/users/dwmw2/openconnect
cd openconnect
./autogen.sh && ./configure --without-gnutls --without-openssl-version-check --disable-shared
make check

To observe the specific test that fails, run

cd tests
HOME=. SOFTHSM2_CONF=softhsm2.conf gdb --args ../openconnect -c 'pkcs11:token=openconnect-test;id=%03;pin-value=1234' auth.startssl.com

dwmw2 commented 8 years ago

Seems to happen with libp11 built from git master, too.

mtrojnar commented 8 years ago

PKCS11_release_all_slots() really does release all slots, including all the objects allocated in those slots. I guess the function could use better documentation.

dengert commented 8 years ago

From the trace above, it looks like b == NULL at line ec_lib.c:1001.

For some reason it looks like the group could not be determined and is NULL. Based on the comments below, this could be a problem with trying to get the parameters from the pub key in the certificate. And it may not be needed, if the PKCS#11 or card can determine it.

A pkcs11-spy trace might also help.

What is the SPKI in the certificate you are testing? Does it have namedCurve?

Look at comments in ./p11_ec.c :pkcs11_get_ec
100 /* For OpenSSL req we need at least the
101  * EC_KEY_get0_group(ec_key)) to return the group.
102  * Continue even if it fails, as the sign operation does not need
103  * it if the PKCS#11 module or the hardware can figure this out
104  */

129 if (found_point == NULL) { /* Workaround for broken PKCS#11 modules */

136 /* A public keys requires both the params and the point to be present */

dwmw2 commented 8 years ago

Starting program: /usr/bin/openssl s_client -engine pkcs11 -keyform engine -key pkcs11:token=openconnect-test\;id=%03\;pin-value=1234 -connect localhost:4443 -cert ../../tests/certs/ec-cert.pem
...
C_Initialize
  IN: pInitArgs = NULL
C_Initialize = CKR_OK
C_GetSlotList
  IN: tokenPresent = CK_FALSE
  IN: pulCount = 0x7FFFFFFFCF30 = 2
 OUT: pSlotList = (2) NO-VALUES
C_GetSlotList = CKR_OK
C_GetSlotList
  IN: tokenPresent = CK_FALSE
  IN: pulCount = 0x7FFFFFFFCF30 = 2
 OUT: pSlotList = (2) [ SL0, SL1 ]
C_GetSlotList = CKR_OK
engine "pkcs11" set.
C_GetSlotInfo
  IN: slotID = SL0
 OUT: pInfo = {
    slotDescription: "SoftHSM slot 0"
    manufacturerID: "SoftHSM project"
    flags: 1 = CKF_TOKEN_PRESENT
    hardwareVersion: 2.1
    firmwareVersion: 2.1
      }
C_GetSlotInfo = CKR_OK
C_GetTokenInfo
  IN: slotID = SL0
 OUT: pInfo = {
    label: "openconnect-test"
    manufacturerID: "SoftHSM project"
    model: "SoftHSM v2"
    serialNumber: "d4c4174ce337f765"
    flags: 1069 = CKF_RNG | CKF_LOGIN_REQUIRED | CKF_USER_PIN_INITIALIZED | CKF_RESTORE_KEY_NOT_NEEDED | CKF_TOKEN_INITIALIZED
    ulMaxSessionCount: CK_UNAVAILABLE_INFORMATION
    ulSessionCount: 18446744073709551615
    ulMaxRwSessionCount: CK_UNAVAILABLE_INFORMATION
    ulRwSessionCount: 18446744073709551615
    ulMaxPinLen: 255
    ulMinPinLen: 4
    ulTotalPublicMemory: CK_UNAVAILABLE_INFORMATION
    ulFreePublicMemory: CK_UNAVAILABLE_INFORMATION
    ulTotalPrivateMemory: CK_UNAVAILABLE_INFORMATION
    ulFreePrivateMemory: CK_UNAVAILABLE_INFORMATION
    ulFreePrivateMemory: CK_UNAVAILABLE_INFORMATION
    hardwareVersion: 2.1
    firmwareVersion: 2.1
    utcTime: 
      }
C_GetTokenInfo = CKR_OK
C_GetSlotInfo
  IN: slotID = SL1
 OUT: pInfo = {
    slotDescription: "SoftHSM slot 1"
    manufacturerID: "SoftHSM project"
    flags: 1 = CKF_TOKEN_PRESENT
    hardwareVersion: 2.1
    firmwareVersion: 2.1
      }
C_GetSlotInfo = CKR_OK
C_GetTokenInfo
  IN: slotID = SL1
 OUT: pInfo = {
    label: ""
    manufacturerID: "SoftHSM project"
    model: "SoftHSM v2"
    serialNumber: ""
    flags: 12582949 = CKF_RNG | CKF_LOGIN_REQUIRED | CKF_RESTORE_KEY_NOT_NEEDED | CKF_SO_PIN_LOCKED | CKF_SO_PIN_TO_BE_CHANGED
    ulMaxSessionCount: CK_UNAVAILABLE_INFORMATION
    ulSessionCount: 18446744073709551615
    ulMaxRwSessionCount: CK_UNAVAILABLE_INFORMATION
    ulRwSessionCount: 18446744073709551615
    ulMaxPinLen: 255
    ulMinPinLen: 4
    ulTotalPublicMemory: CK_UNAVAILABLE_INFORMATION
    ulFreePublicMemory: CK_UNAVAILABLE_INFORMATION
    ulTotalPrivateMemory: CK_UNAVAILABLE_INFORMATION
    ulFreePrivateMemory: CK_UNAVAILABLE_INFORMATION
    ulFreePrivateMemory: CK_UNAVAILABLE_INFORMATION
    hardwareVersion: 2.1
    firmwareVersion: 2.1
    utcTime: 
      }
C_GetTokenInfo = CKR_OK
C_OpenSession
  IN: slotID = SL0
  IN: flags = 4 = CKF_SERIAL_SESSION
  IN: pApplication = NULL
  IN: Notify = NULL
 OUT: phSession = 0x00829538 = S1
C_OpenSession = CKR_OK
C_FindObjectsInit
  IN: hSession = S1
  IN: pTemplate = (1) [ CKA_CLASS ]
C_FindObjectsInit = CKR_OK
C_FindObjects
  IN: hSession = S1
  IN: max_object_count = 1
 OUT: object = (1) [ H2 ]
C_FindObjects = CKR_OK
C_GetAttributeValue
  IN: hSession = S1
  IN: hObject = H2
  IN: pTemplate = (1) [ CKA_CERTIFICATE_TYPE ]
 OUT: pTemplate = (1) [ { CKA_CERTIFICATE_TYPE = CKC_X_509 } ]
C_GetAttributeValue = CKR_OK
C_GetAttributeValue
  IN: hSession = S1
  IN: hObject = H2
  IN: pTemplate = (1) [ CKA_LABEL ]
 OUT: pTemplate = (1) [ { CKA_LABEL = (3) "DSA" } ]
C_GetAttributeValue = CKR_OK
C_GetAttributeValue
  IN: hSession = S1
  IN: hObject = H2
  IN: pTemplate = (1) [ CKA_VALUE ]
 OUT: pTemplate = (1) [ { CKA_VALUE = (1284) NOT-PRINTED } ]
C_GetAttributeValue = CKR_OK
C_GetAttributeValue
  IN: hSession = S1
  IN: hObject = H2
  IN: pTemplate = (1) [ CKA_VALUE ]
 OUT: pTemplate = (1) [ { CKA_VALUE = (1284) NOT-PRINTED } ]
C_GetAttributeValue = CKR_OK
C_GetAttributeValue
  IN: hSession = S1
  IN: hObject = H2
  IN: pTemplate = (1) [ CKA_ID ]
 OUT: pTemplate = (1) [ { CKA_ID = (1) "\x02" } ]
C_GetAttributeValue = CKR_OK
C_GetAttributeValue
  IN: hSession = S1
  IN: hObject = H2
  IN: pTemplate = (1) [ CKA_ID ]
 OUT: pTemplate = (1) [ { CKA_ID = (1) "\x02" } ]
C_GetAttributeValue = CKR_OK
C_FindObjects
  IN: hSession = S1
  IN: max_object_count = 1
 OUT: object = (1) [ H3 ]
C_FindObjects = CKR_OK
C_GetAttributeValue
  IN: hSession = S1
  IN: hObject = H3
  IN: pTemplate = (1) [ CKA_CERTIFICATE_TYPE ]
 OUT: pTemplate = (1) [ { CKA_CERTIFICATE_TYPE = CKC_X_509 } ]
C_GetAttributeValue = CKR_OK
C_GetAttributeValue
  IN: hSession = S1
  IN: hObject = H3
  IN: pTemplate = (1) [ CKA_LABEL ]
 OUT: pTemplate = (1) [ { CKA_LABEL = (2) "EC" } ]
C_GetAttributeValue = CKR_OK
C_GetAttributeValue
  IN: hSession = S1
  IN: hObject = H3
  IN: pTemplate = (1) [ CKA_VALUE ]
 OUT: pTemplate = (1) [ { CKA_VALUE = (531) NOT-PRINTED } ]
C_GetAttributeValue = CKR_OK
C_GetAttributeValue
  IN: hSession = S1
  IN: hObject = H3
  IN: pTemplate = (1) [ CKA_VALUE ]
 OUT: pTemplate = (1) [ { CKA_VALUE = (531) NOT-PRINTED } ]
C_GetAttributeValue = CKR_OK
C_GetAttributeValue
  IN: hSession = S1
  IN: hObject = H3
  IN: pTemplate = (1) [ CKA_ID ]
 OUT: pTemplate = (1) [ { CKA_ID = (1) "\x03" } ]
C_GetAttributeValue = CKR_OK
C_GetAttributeValue
  IN: hSession = S1
  IN: hObject = H3
  IN: pTemplate = (1) [ CKA_ID ]
 OUT: pTemplate = (1) [ { CKA_ID = (1) "\x03" } ]
C_GetAttributeValue = CKR_OK
C_FindObjects
  IN: hSession = S1
  IN: max_object_count = 1
 OUT: object = (1) [ H4 ]
C_FindObjects = CKR_OK
C_GetAttributeValue
  IN: hSession = S1
  IN: hObject = H4
  IN: pTemplate = (1) [ CKA_CERTIFICATE_TYPE ]
 OUT: pTemplate = (1) [ { CKA_CERTIFICATE_TYPE = CKC_X_509 } ]
C_GetAttributeValue = CKR_OK
C_GetAttributeValue
  IN: hSession = S1
  IN: hObject = H4
  IN: pTemplate = (1) [ CKA_LABEL ]
 OUT: pTemplate = (1) [ { CKA_LABEL = (3) "RSA" } ]
C_GetAttributeValue = CKR_OK
C_GetAttributeValue
  IN: hSession = S1
  IN: hObject = H4
  IN: pTemplate = (1) [ CKA_VALUE ]
 OUT: pTemplate = (1) [ { CKA_VALUE = (912) NOT-PRINTED } ]
C_GetAttributeValue = CKR_OK
C_GetAttributeValue
  IN: hSession = S1
  IN: hObject = H4
  IN: pTemplate = (1) [ CKA_VALUE ]
 OUT: pTemplate = (1) [ { CKA_VALUE = (912) NOT-PRINTED } ]
C_GetAttributeValue = CKR_OK
C_GetAttributeValue
  IN: hSession = S1
  IN: hObject = H4
  IN: pTemplate = (1) [ CKA_ID ]
 OUT: pTemplate = (1) [ { CKA_ID = (1) "\x01" } ]
C_GetAttributeValue = CKR_OK
C_GetAttributeValue
  IN: hSession = S1
  IN: hObject = H4
  IN: pTemplate = (1) [ CKA_ID ]
 OUT: pTemplate = (1) [ { CKA_ID = (1) "\x01" } ]
C_GetAttributeValue = CKR_OK
C_FindObjects
  IN: hSession = S1
  IN: max_object_count = 1
 OUT: object = (0) [  ]
C_FindObjects = CKR_OK
C_FindObjectsFinal
  IN: hSession = S1
C_FindObjectsFinal = CKR_OK
C_Login
  IN: hSession = S1
  IN: userType = CKU_USER
  IN: pPin = (4) "1234"
C_Login = CKR_OK
C_FindObjectsInit
  IN: hSession = S1
  IN: pTemplate = (1) [ CKA_CLASS ]
C_FindObjectsInit = CKR_OK
C_FindObjects
  IN: hSession = S1
  IN: max_object_count = 1
 OUT: object = (1) [ H5 ]
C_FindObjects = CKR_OK
C_GetAttributeValue
  IN: hSession = S1
  IN: hObject = H5
  IN: pTemplate = (1) [ CKA_KEY_TYPE ]
 OUT: pTemplate = (1) [ { CKA_KEY_TYPE = CKK_EC } ]
C_GetAttributeValue = CKR_OK
C_GetAttributeValue
  IN: hSession = S1
  IN: hObject = H5
  IN: pTemplate = (1) [ CKA_LABEL ]
 OUT: pTemplate = (1) [ { CKA_LABEL = (2) "EC" } ]
C_GetAttributeValue = CKR_OK
C_GetAttributeValue
  IN: hSession = S1
  IN: hObject = H5
  IN: pTemplate = (1) [ CKA_ID ]
 OUT: pTemplate = (1) [ { CKA_ID = (1) "\x03" } ]
C_GetAttributeValue = CKR_OK
C_GetAttributeValue
  IN: hSession = S1
  IN: hObject = H5
  IN: pTemplate = (1) [ CKA_ID ]
 OUT: pTemplate = (1) [ { CKA_ID = (1) "\x03" } ]
C_GetAttributeValue = CKR_OK
C_FindObjects
  IN: hSession = S1
  IN: max_object_count = 1
 OUT: object = (1) [ H6 ]
C_FindObjects = CKR_OK
C_GetAttributeValue
  IN: hSession = S1
  IN: hObject = H6
  IN: pTemplate = (1) [ CKA_KEY_TYPE ]
 OUT: pTemplate = (1) [ { CKA_KEY_TYPE = CKK_RSA } ]
C_GetAttributeValue = CKR_OK
C_GetAttributeValue
  IN: hSession = S1
  IN: hObject = H6
  IN: pTemplate = (1) [ CKA_LABEL ]
 OUT: pTemplate = (1) [ { CKA_LABEL = (3) "RSA" } ]
C_GetAttributeValue = CKR_OK
C_GetAttributeValue
  IN: hSession = S1
  IN: hObject = H6
  IN: pTemplate = (1) [ CKA_ID ]
 OUT: pTemplate = (1) [ { CKA_ID = (1) "\x01" } ]
C_GetAttributeValue = CKR_OK
C_GetAttributeValue
  IN: hSession = S1
  IN: hObject = H6
  IN: pTemplate = (1) [ CKA_ID ]
 OUT: pTemplate = (1) [ { CKA_ID = (1) "\x01" } ]
C_GetAttributeValue = CKR_OK
C_FindObjects
  IN: hSession = S1
  IN: max_object_count = 1
 OUT: object = (1) [ H7 ]
C_FindObjects = CKR_OK
C_GetAttributeValue
  IN: hSession = S1
  IN: hObject = H7
  IN: pTemplate = (1) [ CKA_KEY_TYPE ]
 OUT: pTemplate = (1) [ { CKA_KEY_TYPE = CKK_DSA } ]
C_GetAttributeValue = CKR_OK
C_FindObjects
  IN: hSession = S1
  IN: max_object_count = 1
 OUT: object = (0) [  ]
C_FindObjects = CKR_OK
C_FindObjectsFinal
  IN: hSession = S1
C_FindObjectsFinal = CKR_OK
C_FindObjectsInit
  IN: hSession = S1
  IN: pTemplate = (1) [ CKA_CLASS ]
C_FindObjectsInit = CKR_OK
C_FindObjects
  IN: hSession = S1
  IN: max_object_count = 1
 OUT: object = (0) [  ]
C_FindObjects = CKR_OK
C_FindObjectsFinal
  IN: hSession = S1
C_FindObjectsFinal = CKR_OK
C_GetAttributeValue
  IN: hSession = S1
  IN: hObject = H5
  IN: pTemplate = (1) [ CKA_SENSITIVE ]
 OUT: pTemplate = (1) [ { CKA_SENSITIVE = (1) "\x01" } ]
C_GetAttributeValue = CKR_OK
C_GetAttributeValue
  IN: hSession = S1
  IN: hObject = H5
  IN: pTemplate = (1) [ CKA_EXTRACTABLE ]
 OUT: pTemplate = (1) [ { CKA_EXTRACTABLE = (1) "\x00" } ]
C_GetAttributeValue = CKR_OK
C_GetAttributeValue
  IN: hSession = S1
  IN: hObject = H5
  IN: pTemplate = (1) [ CKA_ECDSA_PARAMS ]
 OUT: pTemplate = (1) [ { CKA_ECDSA_PARAMS = (10) NOT-PRINTED } ]
C_GetAttributeValue = CKR_OK
C_GetAttributeValue
  IN: hSession = S1
  IN: hObject = H5
  IN: pTemplate = (1) [ CKA_ECDSA_PARAMS ]
 OUT: pTemplate = (1) [ { CKA_ECDSA_PARAMS = (10) NOT-PRINTED } ]
C_GetAttributeValue = CKR_OK
C_GetAttributeValue
  IN: hSession = S1
  IN: hObject = H5
  IN: pTemplate = (1) [ CKA_SENSITIVE ]
 OUT: pTemplate = (1) [ { CKA_SENSITIVE = (1) "\x01" } ]
C_GetAttributeValue = CKR_OK
C_GetAttributeValue
  IN: hSession = S1
  IN: hObject = H5
  IN: pTemplate = (1) [ CKA_EXTRACTABLE ]
 OUT: pTemplate = (1) [ { CKA_EXTRACTABLE = (1) "\x00" } ]
C_GetAttributeValue = CKR_OK
C_GetAttributeValue
  IN: hSession = S1
  IN: hObject = H5
  IN: pTemplate = (1) [ CKA_ECDSA_PARAMS ]
 OUT: pTemplate = (1) [ { CKA_ECDSA_PARAMS = (10) NOT-PRINTED } ]
C_GetAttributeValue = CKR_OK
C_GetAttributeValue
  IN: hSession = S1
  IN: hObject = H5
  IN: pTemplate = (1) [ CKA_ECDSA_PARAMS ]
 OUT: pTemplate = (1) [ { CKA_ECDSA_PARAMS = (10) NOT-PRINTED } ]
C_GetAttributeValue = CKR_OK

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff6e7f888 in EC_POINT_cmp (group=0x82e640, a=0x969f70, b=0x0, ctx=0x0)
    at ec_lib.c:1001
1001        if ((group->meth != a->meth) || (a->meth != b->meth)) {
Missing separate debuginfos, use: dnf debuginfo-install engine_pkcs11-0.2.0-2.fc24.x86_64 gnome-keyring-3.20.0-1.fc24.x86_64 libp11-0.3.0-2.fc24.x86_64

dwmw2 commented 8 years ago

Hm, if I import the key into the token with softhsm2-util --import instead of p11tool --write then it seems a little happier. Still doesn't work but at least it doesn't crash...

 SOFTHSM2_CONF=softhsm2.conf ../openconnect -c ../../tests/certs/ec-cert.pem -k  'pkcs11:token=openconnect-test;id=%04;pin-value=1234' i7:4443/data.txt --no-cert-check
POST https://i7:4443/data.txt
Connected to [2001:8b0:10b:1:21e:67ff:fecb:7a92]:4443
Using client certificate '/CN=A user/UID=test'
C_Initialize
  IN: pInitArgs = NULL
C_Initialize = CKR_OK
C_GetSlotList
  IN: tokenPresent = CK_FALSE
  IN: pulCount = 0x7FFCCD1085E0 = 2
 OUT: pSlotList = (2) NO-VALUES
C_GetSlotList = CKR_OK
C_GetSlotList
  IN: tokenPresent = CK_FALSE
  IN: pulCount = 0x7FFCCD1085E0 = 2
 OUT: pSlotList = (2) [ SL0, SL1 ]
C_GetSlotList = CKR_OK
C_GetSlotInfo
  IN: slotID = SL0
 OUT: pInfo = {
    slotDescription: "SoftHSM slot 0"
    manufacturerID: "SoftHSM project"
    flags: 1 = CKF_TOKEN_PRESENT
    hardwareVersion: 2.1
    firmwareVersion: 2.1
      }
C_GetSlotInfo = CKR_OK
C_GetTokenInfo
  IN: slotID = SL0
 OUT: pInfo = {
    label: "openconnect-test"
    manufacturerID: "SoftHSM project"
    model: "SoftHSM v2"
    serialNumber: "d4c4174ce337f765"
    flags: 1069 = CKF_RNG | CKF_LOGIN_REQUIRED | CKF_USER_PIN_INITIALIZED | CKF_RESTORE_KEY_NOT_NEEDED | CKF_TOKEN_INITIALIZED
    ulMaxSessionCount: CK_UNAVAILABLE_INFORMATION
    ulSessionCount: 18446744073709551615
    ulMaxRwSessionCount: CK_UNAVAILABLE_INFORMATION
    ulRwSessionCount: 18446744073709551615
    ulMaxPinLen: 255
    ulMinPinLen: 4
    ulTotalPublicMemory: CK_UNAVAILABLE_INFORMATION
    ulFreePublicMemory: CK_UNAVAILABLE_INFORMATION
    ulTotalPrivateMemory: CK_UNAVAILABLE_INFORMATION
    ulFreePrivateMemory: CK_UNAVAILABLE_INFORMATION
    ulFreePrivateMemory: CK_UNAVAILABLE_INFORMATION
    hardwareVersion: 2.1
    firmwareVersion: 2.1
    utcTime: 
      }
C_GetTokenInfo = CKR_OK
C_GetSlotInfo
  IN: slotID = SL1
 OUT: pInfo = {
    slotDescription: "SoftHSM slot 1"
    manufacturerID: "SoftHSM project"
    flags: 1 = CKF_TOKEN_PRESENT
    hardwareVersion: 2.1
    firmwareVersion: 2.1
      }
C_GetSlotInfo = CKR_OK
C_GetTokenInfo
  IN: slotID = SL1
 OUT: pInfo = {
    label: ""
    manufacturerID: "SoftHSM project"
    model: "SoftHSM v2"
    serialNumber: ""
    flags: 12582949 = CKF_RNG | CKF_LOGIN_REQUIRED | CKF_RESTORE_KEY_NOT_NEEDED | CKF_SO_PIN_LOCKED | CKF_SO_PIN_TO_BE_CHANGED
    ulMaxSessionCount: CK_UNAVAILABLE_INFORMATION
    ulSessionCount: 18446744073709551615
    ulMaxRwSessionCount: CK_UNAVAILABLE_INFORMATION
    ulRwSessionCount: 18446744073709551615
    ulMaxPinLen: 255
    ulMinPinLen: 4
    ulTotalPublicMemory: CK_UNAVAILABLE_INFORMATION
    ulFreePublicMemory: CK_UNAVAILABLE_INFORMATION
    ulTotalPrivateMemory: CK_UNAVAILABLE_INFORMATION
    ulFreePrivateMemory: CK_UNAVAILABLE_INFORMATION
    ulFreePrivateMemory: CK_UNAVAILABLE_INFORMATION
    hardwareVersion: 2.1
    firmwareVersion: 2.1
    utcTime: 
      }
C_GetTokenInfo = CKR_OK
C_OpenSession
  IN: slotID = SL0
  IN: flags = 4 = CKF_SERIAL_SESSION
  IN: pApplication = NULL
  IN: Notify = NULL
 OUT: phSession = 0x00E3EA38 = S1
C_OpenSession = CKR_OK
C_FindObjectsInit
  IN: hSession = S1
  IN: pTemplate = (1) [ CKA_CLASS ]
C_FindObjectsInit = CKR_OK
C_FindObjects
  IN: hSession = S1
  IN: max_object_count = 1
 OUT: object = (0) [  ]
C_FindObjects = CKR_OK
C_FindObjectsFinal
  IN: hSession = S1
C_FindObjectsFinal = CKR_OK
C_FindObjectsInit
  IN: hSession = S1
  IN: pTemplate = (1) [ CKA_CLASS ]
C_FindObjectsInit = CKR_OK
C_FindObjects
  IN: hSession = S1
  IN: max_object_count = 1
 OUT: object = (0) [  ]
C_FindObjects = CKR_OK
C_FindObjectsFinal
  IN: hSession = S1
C_FindObjectsFinal = CKR_OK
Logging in to PKCS#11 slot 'SoftHSM slot 0'
C_Login
  IN: hSession = S1
  IN: userType = CKU_USER
  IN: pPin = (4) "1234"
C_Login = CKR_OK
C_FindObjectsInit
  IN: hSession = S1
  IN: pTemplate = (1) [ CKA_CLASS ]
C_FindObjectsInit = CKR_OK
C_FindObjects
  IN: hSession = S1
  IN: max_object_count = 1
 OUT: object = (1) [ H2 ]
C_FindObjects = CKR_OK
C_GetAttributeValue
  IN: hSession = S1
  IN: hObject = H2
  IN: pTemplate = (1) [ CKA_KEY_TYPE ]
 OUT: pTemplate = (1) [ { CKA_KEY_TYPE = CKK_EC } ]
C_GetAttributeValue = CKR_OK
C_GetAttributeValue
  IN: hSession = S1
  IN: hObject = H2
  IN: pTemplate = (1) [ CKA_LABEL ]
 OUT: pTemplate = (1) [ { CKA_LABEL = (2) "EC" } ]
C_GetAttributeValue = CKR_OK
C_GetAttributeValue
  IN: hSession = S1
  IN: hObject = H2
  IN: pTemplate = (1) [ CKA_ID ]
 OUT: pTemplate = (1) [ { CKA_ID = (1) "\x03" } ]
C_GetAttributeValue = CKR_OK
C_GetAttributeValue
  IN: hSession = S1
  IN: hObject = H2
  IN: pTemplate = (1) [ CKA_ID ]
 OUT: pTemplate = (1) [ { CKA_ID = (1) "\x03" } ]
C_GetAttributeValue = CKR_OK
C_FindObjects
  IN: hSession = S1
  IN: max_object_count = 1
 OUT: object = (1) [ H3 ]
C_FindObjects = CKR_OK
C_GetAttributeValue
  IN: hSession = S1
  IN: hObject = H3
  IN: pTemplate = (1) [ CKA_KEY_TYPE ]
 OUT: pTemplate = (1) [ { CKA_KEY_TYPE = CKK_RSA } ]
C_GetAttributeValue = CKR_OK
C_GetAttributeValue
  IN: hSession = S1
  IN: hObject = H3
  IN: pTemplate = (1) [ CKA_LABEL ]
 OUT: pTemplate = (1) [ { CKA_LABEL = (3) "RSA" } ]
C_GetAttributeValue = CKR_OK
C_GetAttributeValue
  IN: hSession = S1
  IN: hObject = H3
  IN: pTemplate = (1) [ CKA_ID ]
 OUT: pTemplate = (1) [ { CKA_ID = (1) "\x01" } ]
C_GetAttributeValue = CKR_OK
C_GetAttributeValue
  IN: hSession = S1
  IN: hObject = H3
  IN: pTemplate = (1) [ CKA_ID ]
 OUT: pTemplate = (1) [ { CKA_ID = (1) "\x01" } ]
C_GetAttributeValue = CKR_OK
C_FindObjects
  IN: hSession = S1
  IN: max_object_count = 1
 OUT: object = (1) [ H4 ]
C_FindObjects = CKR_OK
C_GetAttributeValue
  IN: hSession = S1
  IN: hObject = H4
  IN: pTemplate = (1) [ CKA_KEY_TYPE ]
 OUT: pTemplate = (1) [ { CKA_KEY_TYPE = CKK_EC } ]
C_GetAttributeValue = CKR_OK
C_GetAttributeValue
  IN: hSession = S1
  IN: hObject = H4
  IN: pTemplate = (1) [ CKA_LABEL ]
 OUT: pTemplate = (1) [ { CKA_LABEL = (4) "shec" } ]
C_GetAttributeValue = CKR_OK
C_GetAttributeValue
  IN: hSession = S1
  IN: hObject = H4
  IN: pTemplate = (1) [ CKA_ID ]
 OUT: pTemplate = (1) [ { CKA_ID = (1) "\x04" } ]
C_GetAttributeValue = CKR_OK
C_GetAttributeValue
  IN: hSession = S1
  IN: hObject = H4
  IN: pTemplate = (1) [ CKA_ID ]
 OUT: pTemplate = (1) [ { CKA_ID = (1) "\x04" } ]
C_GetAttributeValue = CKR_OK
C_FindObjects
  IN: hSession = S1
  IN: max_object_count = 1
 OUT: object = (1) [ H5 ]
C_FindObjects = CKR_OK
C_GetAttributeValue
  IN: hSession = S1
  IN: hObject = H5
  IN: pTemplate = (1) [ CKA_KEY_TYPE ]
 OUT: pTemplate = (1) [ { CKA_KEY_TYPE = CKK_DSA } ]
C_GetAttributeValue = CKR_OK
C_FindObjects
  IN: hSession = S1
  IN: max_object_count = 1
 OUT: object = (0) [  ]
C_FindObjects = CKR_OK
C_FindObjectsFinal
  IN: hSession = S1
C_FindObjectsFinal = CKR_OK
C_FindObjectsInit
  IN: hSession = S1
  IN: pTemplate = (1) [ CKA_CLASS ]
C_FindObjectsInit = CKR_OK
C_FindObjects
  IN: hSession = S1
  IN: max_object_count = 1
 OUT: object = (1) [ H6 ]
C_FindObjects = CKR_OK
C_GetAttributeValue
  IN: hSession = S1
  IN: hObject = H6
  IN: pTemplate = (1) [ CKA_KEY_TYPE ]
 OUT: pTemplate = (1) [ { CKA_KEY_TYPE = CKK_EC } ]
C_GetAttributeValue = CKR_OK
C_GetAttributeValue
  IN: hSession = S1
  IN: hObject = H6
  IN: pTemplate = (1) [ CKA_LABEL ]
 OUT: pTemplate = (1) [ { CKA_LABEL = (4) "shec" } ]
C_GetAttributeValue = CKR_OK
C_GetAttributeValue
  IN: hSession = S1
  IN: hObject = H6
  IN: pTemplate = (1) [ CKA_ID ]
 OUT: pTemplate = (1) [ { CKA_ID = (1) "\x04" } ]
C_GetAttributeValue = CKR_OK
C_GetAttributeValue
  IN: hSession = S1
  IN: hObject = H6
  IN: pTemplate = (1) [ CKA_ID ]
 OUT: pTemplate = (1) [ { CKA_ID = (1) "\x04" } ]
C_GetAttributeValue = CKR_OK
C_FindObjects
  IN: hSession = S1
  IN: max_object_count = 1
 OUT: object = (0) [  ]
C_FindObjects = CKR_OK
C_FindObjectsFinal
  IN: hSession = S1
C_FindObjectsFinal = CKR_OK
C_GetAttributeValue
  IN: hSession = S1
  IN: hObject = H4
  IN: pTemplate = (1) [ CKA_SENSITIVE ]
 OUT: pTemplate = (1) [ { CKA_SENSITIVE = (1) "\x01" } ]
C_GetAttributeValue = CKR_OK
C_GetAttributeValue
  IN: hSession = S1
  IN: hObject = H4
  IN: pTemplate = (1) [ CKA_EXTRACTABLE ]
 OUT: pTemplate = (1) [ { CKA_EXTRACTABLE = (1) "\x00" } ]
C_GetAttributeValue = CKR_OK
C_GetAttributeValue
  IN: hSession = S1
  IN: hObject = H4
  IN: pTemplate = (1) [ CKA_ECDSA_PARAMS ]
 OUT: pTemplate = (1) [ { CKA_ECDSA_PARAMS = (10) NOT-PRINTED } ]
C_GetAttributeValue = CKR_OK
C_GetAttributeValue
  IN: hSession = S1
  IN: hObject = H4
  IN: pTemplate = (1) [ CKA_ECDSA_PARAMS ]
 OUT: pTemplate = (1) [ { CKA_ECDSA_PARAMS = (10) NOT-PRINTED } ]
C_GetAttributeValue = CKR_OK
C_GetAttributeValue
  IN: hSession = S1
  IN: hObject = H6
  IN: pTemplate = (1) [ CKA_EC_POINT ]
 OUT: pTemplate = (1) [ { CKA_EC_POINT = (67) NOT-PRINTED } ]
C_GetAttributeValue = CKR_OK
C_GetAttributeValue
  IN: hSession = S1
  IN: hObject = H6
  IN: pTemplate = (1) [ CKA_EC_POINT ]
 OUT: pTemplate = (1) [ { CKA_EC_POINT = (67) NOT-PRINTED } ]
C_GetAttributeValue = CKR_OK
C_GetAttributeValue
  IN: hSession = S1
  IN: hObject = H4
  IN: pTemplate = (1) [ CKA_SENSITIVE ]
 OUT: pTemplate = (1) [ { CKA_SENSITIVE = (1) "\x01" } ]
C_GetAttributeValue = CKR_OK
C_GetAttributeValue
  IN: hSession = S1
  IN: hObject = H4
  IN: pTemplate = (1) [ CKA_EXTRACTABLE ]
 OUT: pTemplate = (1) [ { CKA_EXTRACTABLE = (1) "\x00" } ]
C_GetAttributeValue = CKR_OK
C_GetAttributeValue
  IN: hSession = S1
  IN: hObject = H4
  IN: pTemplate = (1) [ CKA_ECDSA_PARAMS ]
 OUT: pTemplate = (1) [ { CKA_ECDSA_PARAMS = (10) NOT-PRINTED } ]
C_GetAttributeValue = CKR_OK
C_GetAttributeValue
  IN: hSession = S1
  IN: hObject = H4
  IN: pTemplate = (1) [ CKA_ECDSA_PARAMS ]
 OUT: pTemplate = (1) [ { CKA_ECDSA_PARAMS = (10) NOT-PRINTED } ]
C_GetAttributeValue = CKR_OK
C_GetAttributeValue
  IN: hSession = S1
  IN: hObject = H6
  IN: pTemplate = (1) [ CKA_EC_POINT ]
 OUT: pTemplate = (1) [ { CKA_EC_POINT = (67) NOT-PRINTED } ]
C_GetAttributeValue = CKR_OK
C_GetAttributeValue
  IN: hSession = S1
  IN: hObject = H6
  IN: pTemplate = (1) [ CKA_EC_POINT ]
 OUT: pTemplate = (1) [ { CKA_EC_POINT = (67) NOT-PRINTED } ]
C_GetAttributeValue = CKR_OK
SSL negotiation with i7
Server certificate verify failed: unable to get local issuer certificate
SSL connection failure
140171809581120:error:2A065043:lib(42):ECDSA_do_sign:passed a null parameter:ecs_ossl.c:263:
Failed to open HTTPS connection to i7
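
One way to triage pkcs11-spy traces like the two above, as an added example that is not part of the original thread: it records which attributes each object handle returned and lists the EC key IDs whose curve parameters were read but whose CKA_EC_POINT never was, the condition the quoted p11_ec.c comment describes. The sample records are constructed in the layout of the traces on this page, and all function names are hypothetical.

```python
import re
from collections import defaultdict

# Line shapes as pkcs11-spy prints them in the traces on this page.
RESULT = re.compile(r"^(C_\w+) = (CKR_\w+)$")
HANDLE = re.compile(r"IN: hObject = (H\d+)")
OUT_ATTR = re.compile(r"OUT: pTemplate = \(\d+\) \[ \{ (CKA_\w+) = (.*) \} \]")
PARAM_NAMES = {"CKA_ECDSA_PARAMS", "CKA_EC_PARAMS"}  # the spy output above uses the first


def object_attributes(trace):
    """Return {handle: {attribute: printed value}} from successful C_GetAttributeValue calls."""
    objects = defaultdict(dict)
    call, handle, pending = None, None, {}
    for line in (raw.strip() for raw in trace.splitlines()):
        done = RESULT.match(line)
        if done:
            # Only keep values from calls the module answered with CKR_OK.
            if done.groups() == ("C_GetAttributeValue", "CKR_OK") and handle:
                objects[handle].update(pending)
            call, handle, pending = None, None, {}
        elif line.startswith("C_"):
            call, handle, pending = line, None, {}
        elif call == "C_GetAttributeValue":
            found_handle, found_attr = HANDLE.search(line), OUT_ATTR.search(line)
            if found_handle:
                handle = found_handle.group(1)
            if found_attr:
                pending[found_attr.group(1)] = found_attr.group(2)
    return dict(objects)


def id_hex(printed):
    """Turn a printed CKA_ID such as (1) "\\x03" into '03'; fall back to the raw text."""
    escapes = re.findall(r"\\x([0-9A-Fa-f]{2})", printed)
    return "".join(escapes).lower() if escapes else printed


def ec_key_material(trace):
    """Per CKA_ID: did any EC object with that ID return curve params / the public point?"""
    seen = {}
    for attrs in object_attributes(trace).values():
        if attrs.get("CKA_KEY_TYPE") != "CKK_EC" or "CKA_ID" not in attrs:
            continue
        entry = seen.setdefault(id_hex(attrs["CKA_ID"]), {"params": False, "point": False})
        entry["params"] |= bool(PARAM_NAMES & attrs.keys())
        entry["point"] |= "CKA_EC_POINT" in attrs
    return seen


def keys_without_public_point(trace):
    """IDs of EC keys that were loaded (params read) but never yielded CKA_EC_POINT."""
    return sorted(key_id for key_id, got in ec_key_material(trace).items()
                  if got["params"] and not got["point"])


def sample_call(handle, attr, value, rv="CKR_OK"):
    """Build one constructed C_GetAttributeValue record; failed calls carry no OUT line."""
    out = f" OUT: pTemplate = (1) [ {{ {attr} = {value} }} ]\n" if rv == "CKR_OK" else ""
    return (f"C_GetAttributeValue\n  IN: hSession = S1\n  IN: hObject = {handle}\n"
            f"  IN: pTemplate = (1) [ {attr} ]\n{out}C_GetAttributeValue = {rv}\n")


# Constructed sample: a private key only, as in the trace that ends in SIGSEGV.
PRIVATE_ONLY = "".join([
    sample_call("H5", "CKA_KEY_TYPE", "CKK_EC"),
    sample_call("H5", "CKA_ID", r'(1) "\x03"'),
    sample_call("H5", "CKA_ECDSA_PARAMS", "(10) NOT-PRINTED"),
])

# Constructed sample: private key H4 plus a public key object H6 with the same ID.
WITH_PUBLIC_OBJECT = "".join([
    sample_call("H4", "CKA_KEY_TYPE", "CKK_EC"),
    sample_call("H4", "CKA_ID", r'(1) "\x04"'),
    sample_call("H4", "CKA_ECDSA_PARAMS", "(10) NOT-PRINTED"),
    sample_call("H6", "CKA_KEY_TYPE", "CKK_EC"),
    sample_call("H6", "CKA_ID", r'(1) "\x04"'),
    sample_call("H6", "CKA_EC_POINT", "(67) NOT-PRINTED"),
])

if __name__ == "__main__":
    for name, trace in (("private only", PRIVATE_ONLY),
                        ("with public object", WITH_PUBLIC_OBJECT)):
        print(name, ec_key_material(trace), keys_without_public_point(trace))
```

Lines that do not belong to a PKCS#11 call (gdb output, application messages) are skipped, so a whole captured session can be passed in unchanged.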
dwmw2 commented 8 years ago

FWIW they both work with GnuTLS:

$ SOFTHSM2_CONF=softhsm2.conf ../openconnect -c   'pkcs11:token=openconnect-test;id=%03;pin-value=1234' i7:443 --no-cert-check -u test  --authenticate
POST https://i7/
Connected to [2001:8b0:10b:1:21e:67ff:fecb:7a92]:443
C_Initialize
  IN: pInitArgs = NULL
C_Initialize = CKR_OK
C_GetInfo
 OUT: pInfo = {
    cryptokiVersion: 2.30
    manufacturerID: "SoftHSM"
    flags: 0
    libraryDescription: "Implementation of PKCS11"
    libraryVersion: 2.1
      }
C_GetInfo = CKR_OK
C_GetSlotList
  IN: tokenPresent = CK_TRUE
  IN: pulCount = 0x7FFC1FBDB4F8 = 48
 OUT: pSlotList = (2) [ SL0, SL1 ]
C_GetSlotList = CKR_OK
C_GetTokenInfo
  IN: slotID = SL0
 OUT: pInfo = {
    label: "openconnect-test"
    manufacturerID: "SoftHSM project"
    model: "SoftHSM v2"
    serialNumber: "d4c4174ce337f765"
    flags: 1069 = CKF_RNG | CKF_LOGIN_REQUIRED | CKF_USER_PIN_INITIALIZED | CKF_RESTORE_KEY_NOT_NEEDED | CKF_TOKEN_INITIALIZED
    ulMaxSessionCount: CK_UNAVAILABLE_INFORMATION
    ulSessionCount: 18446744073709551615
    ulMaxRwSessionCount: CK_UNAVAILABLE_INFORMATION
    ulRwSessionCount: 18446744073709551615
    ulMaxPinLen: 255
    ulMinPinLen: 4
    ulTotalPublicMemory: CK_UNAVAILABLE_INFORMATION
    ulFreePublicMemory: CK_UNAVAILABLE_INFORMATION
    ulTotalPrivateMemory: CK_UNAVAILABLE_INFORMATION
    ulFreePrivateMemory: CK_UNAVAILABLE_INFORMATION
    ulFreePrivateMemory: CK_UNAVAILABLE_INFORMATION
    hardwareVersion: 2.1
    firmwareVersion: 2.1
    utcTime: 
      }
C_GetTokenInfo = CKR_OK
C_GetSlotInfo
  IN: slotID = SL0
 OUT: pInfo = {
    slotDescription: "SoftHSM slot 0"
    manufacturerID: "SoftHSM project"
    flags: 1 = CKF_TOKEN_PRESENT
    hardwareVersion: 2.1
    firmwareVersion: 2.1
      }
C_GetSlotInfo = CKR_OK
C_GetTokenInfo
  IN: slotID = SL1
 OUT: pInfo = {
    label: ""
    manufacturerID: "SoftHSM project"
    model: "SoftHSM v2"
    serialNumber: ""
    flags: 12582949 = CKF_RNG | CKF_LOGIN_REQUIRED | CKF_RESTORE_KEY_NOT_NEEDED | CKF_SO_PIN_LOCKED | CKF_SO_PIN_TO_BE_CHANGED
    ulMaxSessionCount: CK_UNAVAILABLE_INFORMATION
    ulSessionCount: 18446744073709551615
    ulMaxRwSessionCount: CK_UNAVAILABLE_INFORMATION
    ulRwSessionCount: 18446744073709551615
    ulMaxPinLen: 255
    ulMinPinLen: 4
    ulTotalPublicMemory: CK_UNAVAILABLE_INFORMATION
    ulFreePublicMemory: CK_UNAVAILABLE_INFORMATION
    ulTotalPrivateMemory: CK_UNAVAILABLE_INFORMATION
    ulFreePrivateMemory: CK_UNAVAILABLE_INFORMATION
    ulFreePrivateMemory: CK_UNAVAILABLE_INFORMATION
    hardwareVersion: 2.1
    firmwareVersion: 2.1
    utcTime: 
      }
C_GetTokenInfo = CKR_OK
C_GetSlotInfo
  IN: slotID = SL1
 OUT: pInfo = {
    slotDescription: "SoftHSM slot 1"
    manufacturerID: "SoftHSM project"
    flags: 1 = CKF_TOKEN_PRESENT
    hardwareVersion: 2.1
    firmwareVersion: 2.1
      }
C_GetSlotInfo = CKR_OK
C_GetSlotList
  IN: tokenPresent = CK_TRUE
  IN: pulCount = 0x7FFC1FBDB388 = 48
 OUT: pSlotList = (2) [ SL0, SL1 ]
C_GetSlotList = CKR_OK
C_GetTokenInfo
  IN: slotID = SL0
 OUT: pInfo = {
    label: "openconnect-test"
    manufacturerID: "SoftHSM project"
    model: "SoftHSM v2"
    serialNumber: "d4c4174ce337f765"
    flags: 1069 = CKF_RNG | CKF_LOGIN_REQUIRED | CKF_USER_PIN_INITIALIZED | CKF_RESTORE_KEY_NOT_NEEDED | CKF_TOKEN_INITIALIZED
    ulMaxSessionCount: CK_UNAVAILABLE_INFORMATION
    ulSessionCount: 18446744073709551615
    ulMaxRwSessionCount: CK_UNAVAILABLE_INFORMATION
    ulRwSessionCount: 18446744073709551615
    ulMaxPinLen: 255
    ulMinPinLen: 4
    ulTotalPublicMemory: CK_UNAVAILABLE_INFORMATION
    ulFreePublicMemory: CK_UNAVAILABLE_INFORMATION
    ulTotalPrivateMemory: CK_UNAVAILABLE_INFORMATION
    ulFreePrivateMemory: CK_UNAVAILABLE_INFORMATION
    ulFreePrivateMemory: CK_UNAVAILABLE_INFORMATION
    hardwareVersion: 2.1
    firmwareVersion: 2.1
    utcTime: 
      }
C_GetTokenInfo = CKR_OK
C_GetSlotInfo
  IN: slotID = SL0
 OUT: pInfo = {
    slotDescription: "SoftHSM slot 0"
    manufacturerID: "SoftHSM project"
    flags: 1 = CKF_TOKEN_PRESENT
    hardwareVersion: 2.1
    firmwareVersion: 2.1
      }
C_GetSlotInfo = CKR_OK
C_OpenSession
  IN: slotID = SL0
  IN: flags = 4 = CKF_SERIAL_SESSION
  IN: pApplication = NULL
  IN: Notify = NULL
 OUT: phSession = 0x7FFC1FBDB380 = S1
C_OpenSession = CKR_OK
C_FindObjectsInit
  IN: hSession = S1
  IN: pTemplate = (3) [ CKA_ID, CKA_CLASS, CKA_CERTIFICATE_TYPE ]
C_FindObjectsInit = CKR_OK
C_FindObjects
  IN: hSession = S1
  IN: max_object_count = 1
 OUT: object = (1) [ H2 ]
C_FindObjects = CKR_OK
C_GetAttributeValue
  IN: hSession = S1
  IN: hObject = H2
  IN: pTemplate = (1) [ CKA_WRAP ]
C_GetAttributeValue = CKR_ATTRIBUTE_TYPE_INVALID
C_GetAttributeValue
  IN: hSession = S1
  IN: hObject = H2
  IN: pTemplate = (1) [ CKA_UNWRAP ]
C_GetAttributeValue = CKR_ATTRIBUTE_TYPE_INVALID
C_GetAttributeValue
  IN: hSession = S1
  IN: hObject = H2
  IN: pTemplate = (1) [ CKA_PRIVATE ]
 OUT: pTemplate = (1) [ { CKA_PRIVATE = (1) "\x00" } ]
C_GetAttributeValue = CKR_OK
C_GetAttributeValue
  IN: hSession = S1
  IN: hObject = H2
  IN: pTemplate = (1) [ CKA_TRUSTED ]
 OUT: pTemplate = (1) [ { CKA_TRUSTED = (1) "\x00" } ]
C_GetAttributeValue = CKR_OK
C_GetAttributeValue
  IN: hSession = S1
  IN: hObject = H2
  IN: pTemplate = (1) [ CKA_SENSITIVE ]
C_GetAttributeValue = CKR_ATTRIBUTE_TYPE_INVALID
C_GetAttributeValue
  IN: hSession = S1
  IN: hObject = H2
  IN: pTemplate = (1) [ CKA_EXTRACTABLE ]
C_GetAttributeValue = CKR_ATTRIBUTE_TYPE_INVALID
C_GetAttributeValue
  IN: hSession = S1
  IN: hObject = H2
  IN: pTemplate = (1) [ CKA_NEVER_EXTRACTABLE ]
C_GetAttributeValue = CKR_ATTRIBUTE_TYPE_INVALID
C_GetAttributeValue
  IN: hSession = S1
  IN: hObject = H2
  IN: pTemplate = (1) [ CKA_CERTIFICATE_CATEGORY ]
 OUT: pTemplate = (1) [ { CKA_CERTIFICATE_CATEGORY = 0 (unspecified) } ]
C_GetAttributeValue = CKR_OK
C_GetAttributeValue
  IN: hSession = S1
  IN: hObject = H2
  IN: pTemplate = (1) [ CKA_ALWAYS_AUTHENTICATE ]
C_GetAttributeValue = CKR_ATTRIBUTE_TYPE_INVALID
C_GetAttributeValue
  IN: hSession = S1
  IN: hObject = H2
  IN: pTemplate = (1) [ CKA_LABEL ]
 OUT: pTemplate = (1) [ { CKA_LABEL = (2) "EC" } ]
C_GetAttributeValue = CKR_OK
C_GetAttributeValue
  IN: hSession = S1
  IN: hObject = H2
  IN: pTemplate = (1) [ CKA_ID ]
 OUT: pTemplate = (1) [ { CKA_ID = (1) "\x03" } ]
C_GetAttributeValue = CKR_OK
C_GetAttributeValue
  IN: hSession = S1
  IN: hObject = H2
  IN: pTemplate = (1) [ CKA_VALUE ]
 OUT: pTemplate = (1) [ { CKA_VALUE = (531) NOT-PRINTED } ]
C_GetAttributeValue = CKR_OK
C_GetAttributeValue
  IN: hSession = S1
  IN: hObject = H2
  IN: pTemplate = (1) [ CKA_VALUE ]
 OUT: pTemplate = (1) [ { CKA_VALUE = (531) NOT-PRINTED } ]
C_GetAttributeValue = CKR_OK
C_FindObjectsFinal
  IN: hSession = S1
C_FindObjectsFinal = CKR_OK
C_CloseSession
  IN: hSession = S1
C_CloseSession = CKR_OK
C_GetSlotList
  IN: tokenPresent = CK_TRUE
  IN: pulCount = 0x7FFC1FBDB338 = 48
 OUT: pSlotList = (2) [ SL0, SL1 ]
C_GetSlotList = CKR_OK
C_GetTokenInfo
  IN: slotID = SL0
 OUT: pInfo = {
    label: "openconnect-test"
    manufacturerID: "SoftHSM project"
    model: "SoftHSM v2"
    serialNumber: "d4c4174ce337f765"
    flags: 1069 = CKF_RNG | CKF_LOGIN_REQUIRED | CKF_USER_PIN_INITIALIZED | CKF_RESTORE_KEY_NOT_NEEDED | CKF_TOKEN_INITIALIZED
    ulMaxSessionCount: CK_UNAVAILABLE_INFORMATION
    ulSessionCount: 18446744073709551615
    ulMaxRwSessionCount: CK_UNAVAILABLE_INFORMATION
    ulRwSessionCount: 18446744073709551615
    ulMaxPinLen: 255
    ulMinPinLen: 4
    ulTotalPublicMemory: CK_UNAVAILABLE_INFORMATION
    ulFreePublicMemory: CK_UNAVAILABLE_INFORMATION
    ulTotalPrivateMemory: CK_UNAVAILABLE_INFORMATION
    ulFreePrivateMemory: CK_UNAVAILABLE_INFORMATION
    ulFreePrivateMemory: CK_UNAVAILABLE_INFORMATION
    hardwareVersion: 2.1
    firmwareVersion: 2.1
    utcTime: 
      }
C_GetTokenInfo = CKR_OK
C_GetSlotInfo
  IN: slotID = SL0
 OUT: pInfo = {
    slotDescription: "SoftHSM slot 0"
    manufacturerID: "SoftHSM project"
    flags: 1 = CKF_TOKEN_PRESENT
    hardwareVersion: 2.1
    firmwareVersion: 2.1
      }
C_GetSlotInfo = CKR_OK
C_OpenSession
  IN: slotID = SL0
  IN: flags = 4 = CKF_SERIAL_SESSION
  IN: pApplication = NULL
  IN: Notify = NULL
 OUT: phSession = 0x7FFC1FBDB658 = S3
C_OpenSession = CKR_OK
C_GetSessionInfo
  IN: hSession = S3
 OUT: pInfo = {
    slotID: SL0
    state: CKS_RO_PUBLIC_SESSION
    flags: 4 = CKF_SERIAL_SESSION
    ulDeviceError: 0
      }
C_GetSessionInfo = CKR_OK
C_Login
  IN: hSession = S3
  IN: userType = CKU_USER
  IN: pPin = (4) "1234"
C_Login = CKR_OK
C_FindObjectsInit
  IN: hSession = S3
  IN: pTemplate = (2) [ CKA_ID, CKA_CLASS ]
C_FindObjectsInit = CKR_OK
C_FindObjects
  IN: hSession = S3
  IN: max_object_count = 1
 OUT: object = (1) [ H4 ]
C_FindObjects = CKR_OK
C_FindObjectsFinal
  IN: hSession = S3
C_FindObjectsFinal = CKR_OK
C_GetAttributeValue
  IN: hSession = S3
  IN: hObject = H4
  IN: pTemplate = (1) [ CKA_KEY_TYPE ]
 OUT: pTemplate = (1) [ { CKA_KEY_TYPE = CKK_EC } ]
C_GetAttributeValue = CKR_OK
C_GetAttributeValue
  IN: hSession = S3
  IN: hObject = H4
  IN: pTemplate = (1) [ CKA_ALWAYS_AUTHENTICATE ]
 OUT: pTemplate = (1) [ { CKA_ALWAYS_AUTHENTICATE = (1) "\x00" } ]
C_GetAttributeValue = CKR_OK
C_SignInit
  IN: hSession = S3
  IN: pMechanism = {
    mechanism: CKM_ECDSA
    pParameter: (0) NULL
      }
  IN: hKey = H4
C_SignInit = CKR_OK
C_Sign
  IN: hSession = S3
  IN: pData = (20) ",l|Y\xF6O\x98\xC6\x1D\x94\x7F43\xA8\x90e\xEF\xD1\xCF\x81"
 OUT: pSignature = (64) NOTHING
C_Sign = CKR_OK
C_Sign
  IN: hSession = S3
  IN: pData = (20) ",l|Y\xF6O\x98\xC6\x1D\x94\x7F43\xA8\x90e\xEF\xD1\xCF\x81"
 OUT: pSignature = (64) "8\x95\x8A\xAD\xAF\xAD\x13{U\xCA\x83d\xB4\x9B\x93[5B`\xCA\xFE\xE9U.w\xC5\x94y\xAF3\x89\xA7\xFDp\xB7\x91\x03\xE0\xDF\xC69..."
C_Sign = CKR_OK
Using client certificate 'A user'
C_GetSlotList
  IN: tokenPresent = CK_TRUE
  IN: pulCount = 0x7FFC1FBDB248 = 48
 OUT: pSlotList = (2) [ SL0, SL1 ]
C_GetSlotList = CKR_OK
C_GetTokenInfo
  IN: slotID = SL0
 OUT: pInfo = {
    label: "openconnect-test"
    manufacturerID: "SoftHSM project"
    model: "SoftHSM v2"
    serialNumber: "d4c4174ce337f765"
    flags: 1069 = CKF_RNG | CKF_LOGIN_REQUIRED | CKF_USER_PIN_INITIALIZED | CKF_RESTORE_KEY_NOT_NEEDED | CKF_TOKEN_INITIALIZED
    ulMaxSessionCount: CK_UNAVAILABLE_INFORMATION
    ulSessionCount: 18446744073709551615
    ulMaxRwSessionCount: CK_UNAVAILABLE_INFORMATION
    ulRwSessionCount: 18446744073709551615
    ulMaxPinLen: 255
    ulMinPinLen: 4
    ulTotalPublicMemory: CK_UNAVAILABLE_INFORMATION
    ulFreePublicMemory: CK_UNAVAILABLE_INFORMATION
    ulTotalPrivateMemory: CK_UNAVAILABLE_INFORMATION
    ulFreePrivateMemory: CK_UNAVAILABLE_INFORMATION
    ulFreePrivateMemory: CK_UNAVAILABLE_INFORMATION
    hardwareVersion: 2.1
    firmwareVersion: 2.1
    utcTime: 
      }
C_GetTokenInfo = CKR_OK
C_GetSlotInfo
  IN: slotID = SL0
 OUT: pInfo = {
    slotDescription: "SoftHSM slot 0"
    manufacturerID: "SoftHSM project"
    flags: 1 = CKF_TOKEN_PRESENT
    hardwareVersion: 2.1
    firmwareVersion: 2.1
      }
C_GetSlotInfo = CKR_OK
C_GetTokenInfo
  IN: slotID = SL1
 OUT: pInfo = {
    label: ""
    manufacturerID: "SoftHSM project"
    model: "SoftHSM v2"
    serialNumber: ""
    flags: 12582949 = CKF_RNG | CKF_LOGIN_REQUIRED | CKF_RESTORE_KEY_NOT_NEEDED | CKF_SO_PIN_LOCKED | CKF_SO_PIN_TO_BE_CHANGED
    ulMaxSessionCount: CK_UNAVAILABLE_INFORMATION
    ulSessionCount: 18446744073709551615
    ulMaxRwSessionCount: CK_UNAVAILABLE_INFORMATION
    ulRwSessionCount: 18446744073709551615
    ulMaxPinLen: 255
    ulMinPinLen: 4
    ulTotalPublicMemory: CK_UNAVAILABLE_INFORMATION
    ulFreePublicMemory: CK_UNAVAILABLE_INFORMATION
    ulTotalPrivateMemory: CK_UNAVAILABLE_INFORMATION
    ulFreePrivateMemory: CK_UNAVAILABLE_INFORMATION
    ulFreePrivateMemory: CK_UNAVAILABLE_INFORMATION
    hardwareVersion: 2.1
    firmwareVersion: 2.1
    utcTime: 
      }
C_GetTokenInfo = CKR_OK
C_GetSlotInfo
  IN: slotID = SL1
 OUT: pInfo = {
    slotDescription: "SoftHSM slot 1"
    manufacturerID: "SoftHSM project"
    flags: 1 = CKF_TOKEN_PRESENT
    hardwareVersion: 2.1
    firmwareVersion: 2.1
      }
C_GetSlotInfo = CKR_OK
C_GetSlotList
  IN: tokenPresent = CK_TRUE
  IN: pulCount = 0x7FFC1FBDB2C8 = 48
 OUT: pSlotList = (2) [ SL0, SL1 ]
C_GetSlotList = CKR_OK
C_GetTokenInfo
  IN: slotID = SL0
 OUT: pInfo = {
    label: "openconnect-test"
    manufacturerID: "SoftHSM project"
    model: "SoftHSM v2"
    serialNumber: "d4c4174ce337f765"
    flags: 1069 = CKF_RNG | CKF_LOGIN_REQUIRED | CKF_USER_PIN_INITIALIZED | CKF_RESTORE_KEY_NOT_NEEDED | CKF_TOKEN_INITIALIZED
    ulMaxSessionCount: CK_UNAVAILABLE_INFORMATION
    ulSessionCount: 18446744073709551615
    ulMaxRwSessionCount: CK_UNAVAILABLE_INFORMATION
    ulRwSessionCount: 18446744073709551615
    ulMaxPinLen: 255
    ulMinPinLen: 4
    ulTotalPublicMemory: CK_UNAVAILABLE_INFORMATION
    ulFreePublicMemory: CK_UNAVAILABLE_INFORMATION
    ulTotalPrivateMemory: CK_UNAVAILABLE_INFORMATION
    ulFreePrivateMemory: CK_UNAVAILABLE_INFORMATION
    ulFreePrivateMemory: CK_UNAVAILABLE_INFORMATION
    hardwareVersion: 2.1
    firmwareVersion: 2.1
    utcTime: 
      }
C_GetTokenInfo = CKR_OK
C_GetSlotInfo
  IN: slotID = SL0
 OUT: pInfo = {
    slotDescription: "SoftHSM slot 0"
    manufacturerID: "SoftHSM project"
    flags: 1 = CKF_TOKEN_PRESENT
    hardwareVersion: 2.1
    firmwareVersion: 2.1
      }
C_GetSlotInfo = CKR_OK
C_OpenSession
  IN: slotID = SL0
  IN: flags = 4 = CKF_SERIAL_SESSION
  IN: pApplication = NULL
  IN: Notify = NULL
 OUT: phSession = 0x7FFC1FBDB2C0 = S5
C_OpenSession = CKR_OK
C_FindObjectsInit
  IN: hSession = S5
  IN: pTemplate = (4) [ CKA_CLASS, CKA_TRUSTED, CKA_CERTIFICATE_TYPE, CKA_SUBJECT ]
C_FindObjectsInit = CKR_OK
C_FindObjects
  IN: hSession = S5
  IN: max_object_count = 1
 OUT: object = (0) [  ]
C_FindObjects = CKR_OK
C_FindObjectsFinal
  IN: hSession = S5
C_FindObjectsFinal = CKR_OK
C_CloseSession
  IN: hSession = S5
C_CloseSession = CKR_OK
C_GetTokenInfo
  IN: slotID = SL1
 OUT: pInfo = {
    label: ""
    manufacturerID: "SoftHSM project"
    model: "SoftHSM v2"
    serialNumber: ""
    flags: 12582949 = CKF_RNG | CKF_LOGIN_REQUIRED | CKF_RESTORE_KEY_NOT_NEEDED | CKF_SO_PIN_LOCKED | CKF_SO_PIN_TO_BE_CHANGED
    ulMaxSessionCount: CK_UNAVAILABLE_INFORMATION
    ulSessionCount: 18446744073709551615
    ulMaxRwSessionCount: CK_UNAVAILABLE_INFORMATION
    ulRwSessionCount: 18446744073709551615
    ulMaxPinLen: 255
    ulMinPinLen: 4
    ulTotalPublicMemory: CK_UNAVAILABLE_INFORMATION
    ulFreePublicMemory: CK_UNAVAILABLE_INFORMATION
    ulTotalPrivateMemory: CK_UNAVAILABLE_INFORMATION
    ulFreePrivateMemory: CK_UNAVAILABLE_INFORMATION
    ulFreePrivateMemory: CK_UNAVAILABLE_INFORMATION
    hardwareVersion: 2.1
    firmwareVersion: 2.1
    utcTime: 
      }
C_GetTokenInfo = CKR_OK
C_GetSlotInfo
  IN: slotID = SL1
 OUT: pInfo = {
    slotDescription: "SoftHSM slot 1"
    manufacturerID: "SoftHSM project"
    flags: 1 = CKF_TOKEN_PRESENT
    hardwareVersion: 2.1
    firmwareVersion: 2.1
      }
C_GetSlotInfo = CKR_OK
Got no issuer from PKCS#11
C_SignInit
  IN: hSession = S3
  IN: pMechanism = {
    mechanism: CKM_ECDSA
    pParameter: (0) NULL
      }
  IN: hKey = H4
C_SignInit = CKR_OK
C_Sign
  IN: hSession = S3
  IN: pData = (32) "\x0FFs\x8E\xBE\xD3p\xC5\xC5.\xE0\xAD\x96\xDE\xC8\xF4Y\xFB\x90\x1C,\xA4\xE2\x85!\x1E\xDD\xF9\x03\xBF\x15\x98"
 OUT: pSignature = (64) NOTHING
C_Sign = CKR_OK
C_Sign
  IN: hSession = S3
  IN: pData = (32) "\x0FFs\x8E\xBE\xD3p\xC5\xC5.\xE0\xAD\x96\xDE\xC8\xF4Y\xFB\x90\x1C,\xA4\xE2\x85!\x1E\xDD\xF9\x03\xBF\x15\x98"
 OUT: pSignature = (64) "u\xC0\xFA\xE7\x87p\x0Fv=\x9E\xAE\x10\xB5\x91re\x8ENJ\xBC\xB5\xA1\xCAq:[\xEAY\xBC\xBCO\xEBz\xA1\xDA\x9A\xA6\xDA U\x91\xB..."
C_Sign = CKR_OK
SSL negotiation with i7
Server certificate verify failed: signer not found
C_SignInit
  IN: hSession = S3
  IN: pMechanism = {
    mechanism: CKM_ECDSA
    pParameter: (0) NULL
      }
  IN: hKey = H4
C_SignInit = CKR_OK
C_Sign
  IN: hSession = S3
  IN: pData = (32) "l\x9E\n\x95\x0F\xBB\xAC4\x8Eo\x89\xE0y\xBD\x03\xC8|\xA1\xCD\xBA\x91\xD7\xEA\xA1-\xCA\x1B\x0C&\xE8\x02\xE1"
 OUT: pSignature = (64) NOTHING
C_Sign = CKR_OK
C_Sign
  IN: hSession = S3
  IN: pData = (32) "l\x9E\n\x95\x0F\xBB\xAC4\x8Eo\x89\xE0y\xBD\x03\xC8|\xA1\xCD\xBA\x91\xD7\xEA\xA1-\xCA\x1B\x0C&\xE8\x02\xE1"
 OUT: pSignature = (64) "\xD5]K\xD3x\xB7c\x8C\xF0\xD8\xCF\xFDzN\xB7\x03fF\x8A\x82A\x98\x01il\x02\xED\xD6\xC5\xC5\x1A\t&\xAD^\xA1\xD4\xEA\n\xFB?\..."
C_Sign = CKR_OK
Connected to HTTPS on i7
XML POST enabled
Please enter your username.
POST https://i7/auth
SSL negotiation with i7
Server certificate verify failed: signer not found
C_SignInit
  IN: hSession = S3
  IN: pMechanism = {
    mechanism: CKM_ECDSA
    pParameter: (0) NULL
      }
  IN: hKey = H4
C_SignInit = CKR_OK
C_Sign
  IN: hSession = S3
  IN: pData = (32) "x\xEC\xFF\xBB\xBF\x08\x1334s\x04\xC1g\x03/\x83\xB2}\xB0\x98{Z\x19\x05\xC3KSyY\xF6\xE1\"
 OUT: pSignature = (64) NOTHING
C_Sign = CKR_OK
C_Sign
  IN: hSession = S3
  IN: pData = (32) "x\xEC\xFF\xBB\xBF\x08\x1334s\x04\xC1g\x03/\x83\xB2}\xB0\x98{Z\x19\x05\xC3KSyY\xF6\xE1\"
 OUT: pSignature = (64) "N\xABL\xA4 Y\x00|\xCA\x8FTe\xA2\x86\xD8\xE6K"\xA7\xC99?\x9B\x97x\xF6\xB6\x7F\rA\x9C\x9C\xC8\x92\x13$\xDE\xDE\xCB\xF1<\x..."
C_Sign = CKR_OK
Connected to HTTPS on i7
Please enter your password.
Password:

dengert commented 8 years ago

In the first trace the certificate and key both have CKA_ID = 03. Libp11 tries to match the public key (maybe from certificate) to private key. It expects all 3 to have the same CKA_ID, and they do. And it looks like it queries the token for the CKA_ECDSA_PARAMS that are 10 bytes long (trace does not show what they are but 10 sounds about right). Any way to have the trace print the values of some of the attributes? And it looks to me like it segfaults in OpenSSL when b == NULL. Is it losing the fact that it is using libp11 as an engine?

In the second trace, it looks like the CKA_ID of the key is 04, but no certificate has been read and the failure is "Server certificate verify failed". It may not have gotten far enough to fail with b == NULL?

In the third with GnuTLS I assume you mean you replaced the OpenSSL libs with GnuTLS?

dwmw2 commented 8 years ago

@dengert yes, in the first trace we're using the same test case that I pointed you at, which you can run locally to reproduce with exactly the same keys.

In the second trace, I have imported the same EC key a second time using softhsm-util instead of p11tool, as I said. I gave it an ID of %04. We don't care about the CKA_ID of cert and key matching. In fact I've taken to using cert from a PEM file and only the key from PKCS#11 for simplicity.

In the third trace yes, I'm running the same self-test suite having built OpenConnect against GnuTLS instead of OpenSSL+libp11. Just to see if there was a problem in SoftHSM itself, and there doesn't seem to be. Actually, the results there are confusing. Connecting to ocserv as the test suite does, it works consistently. Connecting to openssl s_client for my own ad-hoc testing, I often see complaints of a bad signature in the TLS handshake:

ACCEPT
depth=1 CN = CA
verify return:1
depth=0 CN = A user, UID = test
verify return:1
140576115423096:error:1408807B:SSL routines:ssl3_get_cert_verify:bad signature:s3_srvr.c:3059:
140576115423096:error:140780E5:SSL routines:ssl23_read:ssl handshake failure:s23_lib.c:137:
ACCEPT

I'm kind of lost here. All I want to do is validate that my VPN client can support all types of certs+keys, but I can't find any way to use an EC key from PKCS#11 reliably...

dwmw2 commented 8 years ago

Note that we're not using the engine here; we're using a key from PKCS11_get_private_key() and passing it to SSL_CTX_use_PrivateKey().

dengert commented 8 years ago

Yes, but libp11 is using the engine code under the covers so when you pass an EVP_KEY it has the engine hooks to have the crypto done on the token.

The problem from the first trace may be from here: ./crypto/ec/ec_ameth.c: eckey_pub_cmp

    223     *pb = EC_KEY_get0_public_key(b->pkey.ec);

EC_KEY_get0_public_key is returning NULL as shown in the call to EC_POINT_cmp. The EC_POINT appears to be missing.

PKCS11_get_private_key ends up calling:

    EVP_PKEY *pkcs11_get_key(PKCS11_KEY *key, int isPrivate)

libp11.h: PKCS11_KEY contains:

    EVP_PKEY *evp_key; /**< initially NULL, need to call PKCS11_load_key */

This could be an issue with the PKCS#11 that does not return the EC_POINT (A token may not allow the EC_POINT to be read from the private key.) But the EC_POINT is also in the pub key, or the certificate.

libp11 will try and read the pub key to get the EC_POINT. I don't see a pub key being read. (It might read the certificate. The OpenSC PKCS#11 piv driver for example reads the certificate to get the pubkey to get the EC_POINT. Not sure what the SoftHSM does.)

So it could be that however the EVP_PKEY was created, the EC_POINT is not in the EVP_KEY.

I

dwmw2 commented 8 years ago

OK... if you 'git pull' you'll see I've switched to using softhsm2-util to import the key into the token. Now I have public key objects too and the failure mode is different, as you'll see with 'make check'...

Connecting to obtain cookie (with key object=RSA)... 0orRw7xiqFYptK7E1+xNBqBlypfN5NEcVu8eAcpda+vOMnowXQePwjQeaTRvCgD66i9ixRb2/x+5nYIXkmsNeryF9UWB69yP3c2dvPjHzlzD
Connecting to obtain cookie (with key id=%01)... VSmUfJWxT0VpPTUPD4k7XgGr+rc6GAqZAFBES6v+gza0fvtiqa5PaWfERdgmDu6c+SSeOF0MTZ9Mw7xsqP8n4z3rcCy/qDDh2eiWfb+Qr3Re
Connecting to obtain cookie (with key object=EC)... SSL connection failure
47923348854912:error:2A065043:lib(42):ECDSA_do_sign:passed a null parameter:ecs_ossl.c:263:
Failed to open HTTPS connection to 127.0.0.2

dwmw2 commented 8 years ago

And that one is fixed by updating to libp11 git master. The SEGV does still remain if the public key isn't in the token though, in the latest git.

dengert commented 8 years ago

OK, sounds like a bug. But whose bug?

If using libp11 for a key on the token, you should never get into the ECDSA_do_sign in ecs_ossl.c. That is the default ecdsa_do_sign for OpenSSL software signatures.

pkcs11_get_evp_key_ec in 1.0.2 should call: ECDSA_set_method(ec, PKCS11_get_ecdsa_method()) which calls ECDSA_METHOD_set_sign(ops, pkcs11_ecdsa_sign_sig); so pkcs11_ecdsa_sign_sig is called instead of ECDSA_do_sign.

See comments before pkcs11_get_evp_key_ec in p11_ec.c

If you are willing to do some debugging, can you step through pkcs11_init_key in p11_key.c and see if ops gets set.

dwmw2 commented 8 years ago

That testing was done with libp11 0.3.0, which is what is in Fedora 24. (I'll update it ASAP).

If I update libp11 to 0.4.0, I don't have that problem. I don't get into the default software ecdsa_do_sign(), and things can be made to work. So let's ignore that particular problem.

However, the original problem for which this ticket was filed still remains (and I had tried git HEAD before filing it). We still get that SEGV if the public key isn't in the token. Note that GnuTLS does seem to work even without the public key being present. And I'd almost even accept not-working, as long as it doesn't crash.

dengert commented 8 years ago

OpenSSL assumes a private EVP_KEY contains the EC_POINT and fails when it tries to compare keys from X509_check_private_key. So the failure could be considered in OpenSSL. Not sure what GnuTLS does.

PKCS#11 does not provide an EC_POINT for a private key. It will for a public key. libp11 tries to match them up so the libp11 returns a private EVP_KEY with an EC_POINT.

So if you don't put the pubkey on the token but have it in a PEM file...

PKCS11_get_private_key could return failure (or partial failure) because it can't get the EC_POINT.

You add code to test if the EC_POINT was not returned then fail gracefully or add the EC_POINT to the EVP_KEY from the PEM version of the public key, just after PKCS11_get_private_key returns.

IIRC, the libp11-engine code could still do a sign even without knowing the EC_POINT if the PKCS#11 implementation and/or token had it on the token. It's OpenSSL X509_check_private_key that is failing.

dwmw2 commented 8 years ago

FWIW GnuTLS seems to work fine by just doing the signature. You could even make X509_check_private_key() work by doing an actual signature and then validating it, surely? There's no need for any additional "knowledge" of the private key?

dengert commented 8 years ago

I agree. The issue is where is the bug?

I contend it is in OpenSSL that does not check for a NULL pointer.Lib

The backtrace from the first log you posted above shows:

    openconnect_open_https ../openssl.c:1633 openconnect
    load_certificate ../openssl.c:889 openconnect
    load_pkcs11_key ../openssl-pkcs11.c:574 openconnect

You said: "we're using a key from PKCS11_get_private_key() and passing it to SSL_CTX_use_PrivateKey()."

    SSL_CTX_use_PrivateKey ../ssl_rsa.c:616 openssl
    ssl_set_pkey ../ssl_rsa.c:223 openssl
    X509_check_private_key ../x509_cmp.c:333 openssl
    eckey_pub_cmp ec_ameth.c:224 openssl

in lines:

    223     *pb = EC_KEY_get0_public_key(b->pkey.ec);

pb is not checked, and:

    224     r = EC_POINT_cmp(group, pa, pb, NULL);

is called with pb=NULL.

GnuTLS may work, because it is not trying to compare the keys, or if it can handle a NULL pointer if the EC_POINT is not present. OpenSSL is doing a compare for some reason, and the compare fails.

You said: "There's no need for any additional "knowledge" of the private key?" I agree. The group is needed, but not EC_POINT. This issue is related to these comments:

libp11/p11_ec.c has these comments:

    100     /* For OpenSSL req we need at least the
    101      * EC_KEY_get0_group(ec_key)) to return the group.
    102      * Continue even if it fails, as the sign operation does not need
    103      * it if the PKCS#11 module or the hardware can figure this out
    104      */

These were originally committed to master via https://github.com/OpenSC/libp11/commit/1f0aa4a737d520a3668967e5a1a2afaee503ccdf and originally submitted via https://github.com/OpenSC/libp11/commit/88f980d864d45e9e72591bad99ac56641bf4516a

So I believe this is not a LIBP11 bug, but an OpenSSL bug.

mtrojnar commented 8 years ago

The following (ugly!) workaround has been proposed: https://github.com/openssl/openssl/issues/1532#issuecomment-244815649 Personally I don't like it. What do you think?

dengert commented 8 years ago

I like the fail gracefully part. Addressing matching a private key to a certificate/public key via doing crypto I don't like. See my comments about using p11-kit to provide a way for libp11 to get certificate from location other than token.

dwmw2 commented 8 years ago

For the case where the public key is present, no crypto operation would be required to match cert and key. In the case where it isn't present, you have the option of assuming that they match, and potentially having an opaque failure mode when they don't — or actually checking and giving a coherent error message if they don't. I much prefer the latter, even if it involves one more sign operation in the hopefully-rare-case that the public key isn't available.

dwmw2 commented 8 years ago

Strictly speaking, perhaps we could do it without an additional sign operation. Perhaps we could store them unchecked, and only validate later, when we are already performing a signature as part of the SSL negotiation, that the resulting signature actually does match the certificate we're using. But that may be relatively intrusive in OpenSSL and result in the 'cert + key don't match!' error being returned at an unexpected time for the application.

mouse07410 commented 8 years ago

> Personally I don't like it. What do you think?

Same thing as you do. :-)

> I like the fail gracefully part. Addressing matching a private key to a certificate/public key via doing crypto I don't like.

Cannot agree more.

If possible, let's fail gracefully rather than with SEGV - but that's about as far as I'd go.

dwmw2 commented 8 years ago

As noted in the OpenSSL ticket, I've worked around this in OpenConnect by checking for EC keys which lack a public key, manually validating that they match the cert that the user handed me (yes, using crypto since that's the only way to do it), and then copying the EC_POINT public key data to stop OpenSSL from crashing.

dwmw2 commented 8 years ago

I'll close this now. I don't think there's a lot we can do in libp11 to cope with this; it needs fixing in OpenSSL.

I have fixed the crash, at least. And https://github.com/openssl/openssl/pull/1551 makes it actually work.