Migrate serialization format to standard PKCS#11 URIs compliant with RFC7512 #4
Conversation
dwmw2
force-pushed
the
master
branch
3 times, most recently
from
21a7ad1
to
b0787e8
Compare
|
Updated push: helps if I NUL-terminate the serialised strings. |
|
I am unsure what is the cutoff between these two patches, can you please explain? |
|
I think this should address the feedback. I've made incremental commits for easy of review but obviously we can collapse this into the original commit(s) before merging if that's preferred. I've made it use _pkcs11h_util_hexToBinary() as you suggest, for which I had to stop that function requiring that the string be NUL-terminated after the length it was asked to parse. Which was simple enough; there was only one other caller and I just made sure it checked for itself. The loop parsing URI attributes no longer contains I've cleaned up the code parsing the legacy token/certificate IDs to be more symmetric with the URI parsing instead of duplicating the return paths. I think you were asking why we keep I've made a table of the token ID fields which can now be used in three places — the parsing code, and twice during the serialization, which (following the lead of the existing code) was processing the fields twice: once for calculating the length of the string required, and again for actually generating the string. I've cleaned up some of the other code paths and duplication in the latter too. I've prefixed static symbols with __ although I'm a little confused about that request. These really are static symbols within the C unit, not functions which are visible to other C units within the library, but intended to be private to the library. My understanding is that even if you're building without a decent linker that has visibility controls and symbols maps, a symbol which is declared as 'static' within a C file is really not going to be seen elsewhere. So you can call it absolutely anything you like... with the caveat that you should not use symbols starting with two underscores, because those are reserved for the system. But OK :) I've defined URI_SCHEME and used it instead of the bare "pkcs11:" where appropriate. |
|
Now that the PKCS#11 URI format has been published as RFC7512 it would be very good to get this merged... should I collapse the above fixes into the original commits and resubmit? After this length of time there doesn't seem much point in keeping them incremental any more... |
dwmw2
changed the title
|
The pkcs11: URI format is a standard (RFC7512) since this April. It would be nice if pkcs11-helper would support that format. |
|
Updated patch with minor fix from https://bugzilla.redhat.com/show_bug.cgi?id=1264645 |
|
Ping. It would be really good to get this merged... |
|
Hi, On 23 August 2016 at 16:47, dwmw2 [email protected] wrote:
|
|
It could be massively simplified if it were to just use libp11-kit for the URI parsing. Other than that, I'm not sure how it could be simpler. |
|
Hi, RFC7512 is now two years old. Could this patch (or any equivalent patch) be merged into pkcs11-helper ? Best regards, -- Emmanuel Deloget |
|
Updated with bug fix from https://bugzilla.redhat.com/show_bug.cgi?id=1516474 |
|
Can we get this crap merged finally so openvpn actualy works with smartcards properly via NetworkManager? Thanks. |
|
Any updates on this one? |
|
As I wrote, this patch is way to complex to achieve the desired task, and is partial as it supports only full pkcs11 url which as far as I understand is the opposite of reaching portability between applications that support the notation. I also got reports that the windows version of openvpn in which this patch is applied is failing to parse urls. I am unsure how it is that important to network manager and am unsure why the openvpn management interface cannot be used to detect the available ids and apply id as opaque. And I keep reminding people that at daemon context openvpn should not have access to user's devices anyway, and the proper solution is to remove the entire pkcs11 support from the daemon and make sure the management interface is capable of delegating all private key operation to the user interface program, however, it seems like the openvpn project is on freeze. |
|
Updated with fix for https://bugzilla.redhat.com/show_bug.cgi?id=1825496
I'm not quite sure how it could be simpler. I suppose it could take a library like
That doesn't seem to make much sense to me; can you explain what you mean? It will output the full URI when serialising, when listing all available objects. But obviously accepts only a partial URI (i.e. not redundantly specifying all attributes) when identifying an object. In that respect, it behaves like everything else does, and should.
A specific bug report would be very much appreciated, if there is misbehaviour.
There is work on displaying the available objects through a UI (like in Seahorse) and that widget will emit the RFC7512 ID identifying the chosen object. For that, we need to be using the standard.
Yeah, it should do proxying from something in the user's session. But that's slightly orthogonal to the fact that we want to use a standard form to identify PKCS#11 objects. |
|
OpenVPN uses an out-of-date patch set which is bound to fail when maxing out certain token attribute entries, 16-byte serials being the most common case. This was my first problem as well, then something else cropped up. Sadly neither seems to have made it in time for OpenVPN 2.4.9 release. |
|
Literally without this patch, things are broken. Fedora patches their stuff with this. I just bumped into this, can we somehow get this merged or get a clear path forward? |
|
The menioned problems with |
|
Seems like this change might break access to some HSMs https://bugzilla.redhat.com/show_bug.cgi?id=2298882 alonbl/gnupg-pkcs11-scd#63 |
#69 is my attempt to see if this can be done simpler. For now, this branch can only use URL encoding instead of |
We are going to want to use this for parsing %XX hex escapes in RFC7512 PKCS#11 URIs, where we cannot expect a trailing NUL. Since there's only one existing caller at the moment, it's simple just to let the caller have responsibility for that check. Signed-off-by: David Woodhouse <[email protected]>
… IDs The old format is still accepted for compatibility. Signed-off-by: David Woodhouse <[email protected]>
Signed-off-by: David Woodhouse <[email protected]>
It's a limitation of the core pkcs11-helper token matching code that we need to specify *all* of model=, token=, manufacturer= and serial=. This was true of the legacy serialization format, so it isn't a regression. At least it *wouldn't* have been, if we it had distinguished between an *explicit* "model=" parameter, and the model not being specified at all. Thus https://bugzilla.redhat.com/show_bug.cgi?id=2298882 The requirement for all four token fields to be specified does mean that applications using pkcs11-helper aren't *quite* as versatile and user friendly as something which implements the full search algorithm shown in §8 of http://david.woodhou.se/draft-woodhouse-cert-best-practice.html by first searching for the specified certificate in all tokens without a login, then only logging into the token in which the *certificate* was found, to access the key. But that's OK, and something we can improve on later. It's not a barrier to using the RFC7512 URI format in place of the legacy serialization format.
|
Updated with fix for https://bugzilla.redhat.com/show_bug.cgi?id=2298882 (untested). Discussion in alonbl/gnupg-pkcs11-scd#63 |
|
Hi everyone. I've just spent a while tripping over this issue until just now when it occurred to me that Redhat might have patched their pkcs11-helper library build. My problem is that I already have some data (including and others also much like gpg private key shadow files) that refer to the original serialized token info returned by eg, CENTOS7, Debian, Ubuntu, compiled-from-source etc: Yet when I run my same binary on a RHEL8+ system due to the RFC7512 patch this comes back instead as: I can 100% see the logic of the newer form, but It would really be nice if this was a configurable opt in/out, perhaps simply an environment variable to switch between the two schemes. P.S. I'm one of the developers who maintains the nCipher PKCS#11 stack. |
|
It continues to accept key identifiers in the old non-standard format; it now accepts both forms. It just generates the RFC7512 standard form rather than the legacy form. There waa simple bug in handling the RFC7512 form of identifier (as an input) when the |
Thanks, I will build this PR branch and give it a try! |
Hi David, I've been able to build this branch and test it. Things fail early because of how the "serial number" of the smartcard is reported. This is computed from the sha1 hash of the "serialized" token info that this branch adds. So now gpg thinks it has a different card in the reader. I'll experiment and see what I can come up with. |
|
For a moment I thought you meant the |
The gnupg-pkcs11-scd app needs to return a value for it's With the unmodified pkcs11-helper you get: With the uri-scheme output of |
This migrates the serialization format to conform to the PKCS#11 URI scheme as described in RFC7512.
The old form is still recognised for compatibility, but standard PKCS#11 URIs are now generated and accepted. Testing with OpenVPN now gives me the following output:
... and the PKCS#11 URI thus generated is also usable with the
--pkcs11-idoption.