
This queue is for tickets about the Crypt-PKCS11 CPAN distribution.

Report information
The Basics
Id: 114205
Status: patched
Priority: 0/
Queue: Crypt-PKCS11

People
Owner: lundstrom.jerry [...] gmail.com
Requestors: vartiait [...] open.com.au
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: Crypt-PKCS11-1.03 using Crypt::PKCS11::Attribute::Value in a template fails __check_pTemplate check
Date: Fri, 6 May 2016 12:51:45 +0300
To: bug-Crypt-PKCS11 [...] rt.cpan.org
From: Tuure Vartiainen <vartiait [...] open.com.au>
Hello,

with Crypt-PKCS11-1.03 when using Crypt::PKCS11::Attribute::Value in a template, __check_pTemplate check seems to fail for the attribute.

More precisely SvUOK(sv) in crypt_pkcs11_xs_SvUOK(SV* sv) returns a non-zero value when checking Crypt::PKCS11::Attribute::Value.

When comparing Crypt::PKCS11::Attribute::Label and Crypt::PKCS11::Attribute::Value types being checked in crypt_pkcs11_xs_SvUOK(SV* sv), the difference was

    (SV) $4 = {
      sv_any = 0x0000000101dbf648
      sv_refcnt = 1
      sv_flags = 21765
      sv_u = {
        svu_pv = 0x0000000102a13420 "3"
        svu_iv = 4339086368
        svu_uv = 4339086368
        svu_nv = 2.1437935087668688E-314
        svu_rv = 0x0000000102a13420
        svu_rx = 0x0000000102a13420
        svu_array = 0x0000000102a13420
        svu_hash = 0x0000000102a13420
        svu_gp = 0x0000000102a13420
        svu_fp = 0x0000000102a13420
      }
    }

    (SV) $5 = {
      sv_any = 0x0000000101259b60
      sv_refcnt = 1
      sv_flags = 268452867
      sv_u = {
        svu_pv = 0x000000010067c6d0 "CKA_VALUE"
        svu_iv = 4301768400
        svu_uv = 4301768400
        svu_nv = 2.1253559828054658E-314
        svu_rv = 0x000000010067c6d0
        svu_rx = 0x000000010067c6d0
        svu_array = 0x000000010067c6d0
        svu_hash = 0x000000010067c6d0
        svu_gp = 0x000000010067c6d0
        svu_fp = 0x000000010067c6d0
      }
    }

Crypt::PKCS11::Attribute::Value seemed to be the only class whose direct parent is Crypt::PKCS11::Attribute and which defines type() in the class itself.

The problem seemed to be fixed by renaming Crypt::PKCS11::Attribute::Value to Crypt::PKCS11::Attribute::ValueBase and defining Crypt::PKCS11::Attribute::Value in the same way as other attribute classes.

Perl version used is 5.23.8.

BR
--
Tuure Vartiainen <vartiait@open.com.au>
Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.

Hi Tuure,

On Fri May 06 05:51:24 2016, vartiait@open.com.au wrote:
> with Crypt-PKCS11-1.03 when using Crypt::PKCS11::Attribute::Value in a
> template,
> __check_pTemplate check seems to fail for the attribute.

I have moved this to GitHub:
https://github.com/dotse/p5-Crypt-PKCS11/issues/15

Cheers,
Jerry

Hi Tuure,

How are you using Crypt::PKCS11::Attribute::Value with a template?

Can you send me your code?

Are you doing it like this with a Crypt::PKCS11::Attributes object:

    my $publicKeyTemplate = Crypt::PKCS11::Attributes->new->push(
        Crypt::PKCS11::Attribute::Encrypt->new->set(1),
        Crypt::PKCS11::Attribute::Verify->new->set(1),
        Crypt::PKCS11::Attribute::Wrap->new->set(1),
        Crypt::PKCS11::Attribute::PublicExponent->new->set(0x01, 0x00, 0x01),
        Crypt::PKCS11::Attribute::Token->new->set(1),
        Crypt::PKCS11::Attribute::ModulusBits->new->set(768)
    );

Cheers,
Jerry

Subject: Re: [rt.cpan.org #114205] Crypt-PKCS11-1.03 using Crypt::PKCS11::Attribute::Value in a template fails __check_pTemplate check
Date: Sun, 8 May 2016 15:18:23 +0300
To: bug-Crypt-PKCS11 [...] rt.cpan.org
From: Tuure Vartiainen <vartiait [...] open.com.au>
Hi,

> On 08 May 2016, at 11:28, Jerry Lundström via RT <bug-Crypt-PKCS11@rt.cpan.org> wrote:
>
> How are you using Crypt::PKCS11::Attribute::Value with a template?

yes

> Can you send me your code?

here you go

    ...
    # Key check value (KCV): first 3 bytes of a zero block encrypted with the key
    my $cipher = new Crypt::Rijndael $key, Crypt::Rijndael::MODE_ECB;
    my $kcv = $cipher->encrypt("\x00" x 16);
    my @kcv = unpack("C3", $kcv);

    # Template for importing the AES key as a token object
    my $template = Crypt::PKCS11::Attributes->new;
    $template->push(
        Crypt::PKCS11::Attribute::Class->new->set(Crypt::PKCS11::CKO_SECRET_KEY),
        Crypt::PKCS11::Attribute::KeyType->new->set(Crypt::PKCS11::CKK_AES),
        Crypt::PKCS11::Attribute::Token->new->set(1),
        Crypt::PKCS11::Attribute::Label->new->set("new key"),
        Crypt::PKCS11::Attribute::Private->new->set(1),
        Crypt::PKCS11::Attribute::Sensitive->new->set(1),
        Crypt::PKCS11::Attribute::Extractable->new->set(1),
        Crypt::PKCS11::Attribute::Encrypt->new->set(1),
        Crypt::PKCS11::Attribute::Decrypt->new->set(1),
        Crypt::PKCS11::Attribute::Sign->new->set(1),
        Crypt::PKCS11::Attribute::Verify->new->set(1),
        Crypt::PKCS11::Attribute::Value->new->set($key),
        Crypt::PKCS11::Attribute::CheckValue->new->set(@kcv)
    );
    my $privateKey = $session->CreateObject($template);
    print $session->errstr . "\n";
    ...

Error returned is CKR_ARGUMENTS_BAD.

PKCS11 library used is SoftHSMv2 git develop branch.

BR
--
Tuure Vartiainen <vartiait@open.com.au>

Hi Tuure,

On Sun May 08 08:18:36 2016, vartiait@open.com.au wrote:
> Error returned is CKR_ARGUMENTS_BAD.

This error is from SoftHSM.

I do not know why you want to include Value, what I can find is that ValueLen is required for creating this AES key.

If I remove Value and add a ValueLen it goes further but hits some other check within SoftHSM, if you have workable C/C++ code doing the same thing we can look at it but right now this does not look like an issue with the Perl module.

Cheers,
Jerry

Subject: Re: [rt.cpan.org #114205] Crypt-PKCS11-1.03 using Crypt::PKCS11::Attribute::Value in a template fails __check_pTemplate check
Date: Sun, 8 May 2016 21:29:36 +0300
To: bug-Crypt-PKCS11 [...] rt.cpan.org
From: Tuure Vartiainen <vartiait [...] open.com.au>
Hi,

> On 08 May 2016, at 18:39, Jerry Lundström via RT <bug-Crypt-PKCS11@rt.cpan.org> wrote:
>
> On Sun May 08 08:18:36 2016, vartiait@open.com.au wrote:
>> Error returned is CKR_ARGUMENTS_BAD.
>
> This error is from SoftHSM.

when I ran the code with a debugger, the value was returned from __check_pTemplate() in crypt_pkcs11.c, as crypt_pkcs11_xs_SvUOK() check failed for the Crypt::PKCS11::Attribute::Value.

> I do not know why you want to include Value, what I can find is that ValueLen is required for creating this AES key.

AES key is not generated in HSM, but imported.

> If I remove Value and add a ValueLen it goes further but hits some other check within SoftHSM, if you have workable C/C++ code doing the same thing we can look at it but right now this does not look like an issue with the Perl module.

I attached a patch for Crypt::PKCS11 which fixes the error. After applying the patch, CreateObject() returns CKR_OK.

Message body is not shown because sender requested not to inline it.

When adding ValueLen to the template, SoftHSM seems to return

    P11Attributes.cpp(420): Prohibited attribute was passed to object creation function
    CKR_ATTRIBUTE_READ_ONLY

BR
--
Tuure Vartiainen <vartiait@open.com.au>

Hi,

On Sun May 08 14:29:49 2016, vartiait@open.com.au wrote:
> when I ran the code with a debugger, the value was returned from
> __check_pTemplate() in crypt_pkcs11.c, as crypt_pkcs11_xs_SvUOK()
> check
> failed for the Crypt::PKCS11::Attribute::Value.

Please give me that output. The Crypt::PKCS11::Attribute::Value object should never go into __check_pTemplate(), its pValue should as it will be passed by Attributes->toArray().

> I attached a patch for Crypt::PKCS11 which fixes the error. After
> applying
> the patch, CreateObject() returns CKR_OK.

Your patch doesn't really do anything and I will not apply it unless I can replicate the problem, please try and give me steps to replicate.

Have you tested SoftHSM 1.3.x, SoftHSM 2.1.0, any other Perl versions?

> When adding ValueLen to the template, SoftHSM seems to return
>
> P11Attributes.cpp(420): Prohibited attribute was passed to object creation function
> CKR_ATTRIBUTE_READ_ONLY

Yes, because it goes further inside SoftHSM, the same with CKR_ARGUMENTS_BAD, it was returned by SoftHSM.

/Jerry

Hi,

This had nothing to do with *SvUOK(), more a "problem" with Perl's magic:

https://github.com/dotse/p5-Crypt-PKCS11/pull/16

/Jerry

Subject: Re: [rt.cpan.org #114205] Crypt-PKCS11-1.03 using Crypt::PKCS11::Attribute::Value in a template fails __check_pTemplate check
Date: Mon, 9 May 2016 09:41:25 +0300
To: bug-Crypt-PKCS11 [...] rt.cpan.org
From: Tuure Vartiainen <vartiait [...] open.com.au>
Hi,

> On 09 May 2016, at 02:19, Jerry Lundström via RT <bug-Crypt-PKCS11@rt.cpan.org> wrote:
>
> This had nothing to do with *SvUOK(), more a "problem" with Perl's magic:
>
> https://github.com/dotse/p5-Crypt-PKCS11/pull/16

ack, yes, that fixed the problem, thanks a lot!

BR
--
Tuure Vartiainen <vartiait@open.com.au>