Closed simo5 closed 1 year ago
Can you delete the pubkey after install? Or will softokn fail without a pubkey?
On Wed, Nov 30, 2022, 3:15 PM Simo Sorce @.***> wrote:
The code that extracts public key info can fall back to pulling that information out of a certificate if there is no corresponding public key object in the token. Unfortunately it is not easy to add a certificate w/o pkcs12-util also covertly extracting and adding a public key object to softokn.
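The fallback Simo describes above, recovering the public key from a certificate object when the token has no matching CKO_PUBLIC_KEY object, comes down to pulling the SubjectPublicKeyInfo out of the certificate's TBSCertificate. The following is an added example (not pkcs11-provider's own code, which works through the PKCS#11 API and OpenSSL decoders): a stdlib-only DER walker that locates the SPKI in a certificate and a small selection routine that prefers a public-key object and falls back to the certificate. The certificate it parses is constructed inline and is not signed; the object dictionaries (`class`, `spki`, `der` keys) are an assumed stand-in for token objects.

```python
"""Recover SubjectPublicKeyInfo from an X.509 certificate with a minimal DER walker.

Added example, standard library only. The certificate below is built by hand
(constructed, unsigned) purely to exercise the parser.
"""


def der_len(n):
    """Encode a DER length in short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    """Encode one DER tag-length-value triple."""
    return bytes([tag]) + der_len(len(content)) + content


def read_tlv(data, pos):
    """Decode the TLV starting at `pos`; return (tag, value, next_pos)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low bits give the octet count
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def children(content):
    """Split the content of a constructed element into its child (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(content):
        tag, value, pos = read_tlv(content, pos)
        out.append((tag, value))
    return out


def decode_oid(raw):
    """Turn OID content octets into dotted notation."""
    arcs = [raw[0] // 40, raw[0] % 40]
    cur = 0
    for b in raw[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(map(str, arcs))


def spki_from_certificate(cert_der):
    """Return the DER-encoded SubjectPublicKeyInfo carried by a certificate."""
    tag, cert_body, _ = read_tlv(cert_der, 0)
    assert tag == 0x30, "Certificate must be a SEQUENCE"
    tbs_tag, tbs_body = children(cert_body)[0]
    assert tbs_tag == 0x30, "TBSCertificate must be a SEQUENCE"
    fields = children(tbs_body)
    if fields[0][0] == 0xA0:  # optional [0] EXPLICIT version
        fields = fields[1:]
    # serial, signature, issuer, validity, subject, subjectPublicKeyInfo
    spki_tag, spki_body = fields[5]
    assert spki_tag == 0x30, "SubjectPublicKeyInfo must be a SEQUENCE"
    return tlv(0x30, spki_body)


def describe_spki(spki_der):
    """Return (algorithm OID as dotted string, raw subjectPublicKey bytes)."""
    _, body, _ = read_tlv(spki_der, 0)
    (_, alg_body), (_, bits_body) = children(body)
    _, oid_raw = children(alg_body)[0]
    return decode_oid(oid_raw), bits_body[1:]  # drop the unused-bits octet


def public_key_from_objects(objects):
    """Prefer a CKO_PUBLIC_KEY object; otherwise fall back to the certificate's SPKI."""
    for obj in objects:
        if obj["class"] == "CKO_PUBLIC_KEY":
            return obj["spki"]
    for obj in objects:
        if obj["class"] == "CKO_CERTIFICATE":
            return spki_from_certificate(obj["der"])
    return None


# Constructed sample certificate (not signed, not a real key).
EC_PUBLIC_KEY_OID = bytes.fromhex("2A8648CE3D0201")  # 1.2.840.10045.2.1
FAKE_POINT = b"\x04" + bytes(range(64))  # constructed stand-in for an EC point
ALG_ID = tlv(0x30, tlv(0x06, EC_PUBLIC_KEY_OID))
SPKI = tlv(0x30, ALG_ID + tlv(0x03, b"\x00" + FAKE_POINT))
EMPTY_NAME = tlv(0x30, b"")
VALIDITY = tlv(0x30, tlv(0x17, b"221130000000Z") + tlv(0x17, b"231130000000Z"))
TBS = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + ALG_ID
          + EMPTY_NAME + VALIDITY + EMPTY_NAME + SPKI)
CERT_DER = tlv(0x30, TBS + ALG_ID + tlv(0x03, b"\x00" + b"\x00" * 8))

if __name__ == "__main__":
    token = [{"class": "CKO_CERTIFICATE", "der": CERT_DER}]
    oid, point = describe_spki(public_key_from_objects(token))
    print("algorithm", oid, "key bytes", len(point))
```

The TBSCertificate built here is long enough to use a long-form length, so the walker's long-form branch is exercised; a cert without the optional version field is handled by the tag check before the fixed field index.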
I haven't found a tool that allows you to delete just the public key. I can probably write a small C program to do that, but that was beyond writing a quick test.
And then there is softhsm, I was hoping to create the right objects in the setup script.
With softhsm you should be able to delete the public key through the pkcs11 interface with `pkcs11-tool --delete-object`. I have a POC (which is failing) on top of #144 here:
https://github.com/latchset/pkcs11-provider/compare/main...Jakuje:pkcs11-provider:softhsm-pubkey https://github.com/latchset/pkcs11-provider/commit/25f1c0acc8d48b745288e033d95aad9bdbdb7b3d
There are a couple of problems:

- pkcs11-tool -- for that some other steps might be needed

```
$ cat tests/session-softhsm-proxy.log
Executing /home/jjelen/devel/pkcs11-provider/tests/softhsm-proxy.sh ./tsession
Using slot 0 with a present token (0x11)
Failed to load public key
killing p11-kit server
FAIL session-softhsm-proxy (exit status: 1)
```
Leaving this as WIP for now
@simo5 I rebased and updated my branch from the previous comment to add tests for reading public keys from certificates, but neither of the attempts worked for me. The base URI, Priv, Pub and Cert URI just keep failing with bogus errors like described in #212. The object looks like it is created successfully inside of the provider, but it looks like OpenSSL does not like it in the end somewhere around this place (this run was with the base URI):

```
0x00007ffff7c0232c in OSSL_STORE_load (ctx=ctx@entry=0x5555556713c0) at crypto/store/store_lib.c:428
428	    if (!ctx->fetched_loader->p_load(ctx->loader_ctx,
Value returned is $10 = 1
(gdb) n
437	    v = load_data.v;
(gdb)
440	    if (ctx->fetched_loader == NULL)
(gdb)
447	    if (ctx->post_process != NULL && v != NULL) {
(gdb)
459	    (void)ossl_pw_clear_passphrase_cache(&ctx->pwdata);
(gdb)
461	    if (v != NULL && ctx->expected_type != 0) {
(gdb)
462	        int returned_type = OSSL_STORE_INFO_get_type(v);
(gdb) n
464	        if (returned_type != OSSL_STORE_INFO_NAME && returned_type != 0) {
(gdb)
465	            if (ctx->expected_type != returned_type) {
(gdb) p ctx->expected_type
$12 = 3
(gdb) p returned_type
$13 = 5
466	                OSSL_STORE_INFO_free(v);
(gdb)
407	    if (OSSL_STORE_eof(ctx))
```
https://github.com/latchset/pkcs11-provider/compare/main...Jakuje:pkcs11-provider:softhsm-pubkey
So it is expecting a public key, and we are returning a certificate ?
Probably yes. I did not go further into openssl internals with gdb, decoding int enums. But with the changes in my branch you should have all to reproduce the issue. Or I can have a look further into that next week.
Do you want to create a PR so I can pull from there and push in any fixes ?
Sure. I will just rebase on top of the ed25519 so it cleanly applies
Completed with the merging of #213