[gnutls-devel] GnuTLS | p11tool is using a R/O session when logging as a SO (#721)

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Tue Mar 5 11:42:51 CET 2019


New Issue was created.

Issue 721: https://gitlab.com/gnutls/gnutls/issues/721
Author:    Anderson Sasaki
Assignee:  

## Description of problem:
p11tool tries to use a R/O session when the user requests SO login. This is not allowed by the PKCS#11 specification.
The SO can only log in using R/W sessions.

This was originally reported in:
https://bugzilla.redhat.com/show_bug.cgi?id=1685434

See also the discussion in:
https://github.com/opendnssec/SoftHSMv2/issues/451

## Version of gnutls used:
The original report used the following versions:

* gnutls-utils-3.6.5-2.fc29.x86_64
* softhsm-2.5.0-2.fc29.x86_64

I reproduced the issue using the current master (c7c01872b).

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)
Fedora 29

## How reproducible:
always

Steps to Reproduce:

 * Initialize a new token using SoftHSM:
```
$ softhsm2-util --init-token --label softhsm --free --pin 1234 --so-pin 1234
```
 * Generate a key pair (to have an object to be listed):
```
$ p11tool --generate-privkey=RSA --bits=2048 --label=pkey --login --set-pin=1234 pkcs11:token=softhsm
```
 * Try to list the objects using SO login:
```
$ p11tool --list-all --so-login --set-so-pin=1234 pkcs11:token=softhsm
```

## Actual results:
```
$ p11tool -d9 --list-all --so-login --set-so-pin=1234 pkcs11:token=softhsm
Setting log level to 9
|<2>| p11: Initializing module: p11-kit-trust
|<2>| p11: Initializing module: opensc
|<2>| p11: Initializing module: softhsm2
|<3>| ASSERT: pkcs11.c[compat_load]:894
|<2>| p11: No login requested.
|<2>| p11: Login result = A read-only session exists (183)
|<3>| ASSERT: pkcs11.c[_pkcs11_traverse_tokens]:1620
|<3>| ASSERT: pkcs11.c[gnutls_pkcs11_obj_list_import_url4]:3510
Error in crt_list_import (1): PKCS #11 error in session
```

## Expected results:
Objects listed (only public).

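The session rule behind this report, as an added example that is not part of the issue and is not GnuTLS or SoftHSM code: a toy token model refuses an SO login while a read-only session is open, and a caller-side helper picks the session flags by login type. The constant values are the standard PKCS#11 ones (183 is `CKR_SESSION_READ_ONLY_EXISTS`, the code in the log above); `session_flags_for`, `token_model`, `model_open_session`, `model_login` and `so_login_with` are hypothetical names.

```c
#include <stdio.h>

/* Constant values as defined in the standard PKCS#11 header (pkcs11t.h). */
#define CKF_RW_SESSION                0x00000002UL
#define CKF_SERIAL_SESSION            0x00000004UL
#define CKU_SO                        0UL
#define CKU_USER                      1UL
#define CKR_OK                        0x00000000UL
#define CKR_SESSION_READ_ONLY_EXISTS  0x000000B7UL /* 183 decimal */

/* Hypothetical helper: flags a caller should pass to C_OpenSession. */
unsigned long session_flags_for(unsigned long user_type)
{
    unsigned long flags = CKF_SERIAL_SESSION; /* required on every session */
    if (user_type == CKU_SO)
        flags |= CKF_RW_SESSION;              /* SO can only log in on R/W */
    return flags;
}

/* Toy model of a token (an assumption, not SoftHSM's implementation). */
struct token_model { unsigned ro_sessions, rw_sessions; };

void model_open_session(struct token_model *t, unsigned long flags)
{
    if (flags & CKF_RW_SESSION) t->rw_sessions++; else t->ro_sessions++;
}

/* SO login is refused while the application holds any R/O session. */
unsigned long model_login(const struct token_model *t, unsigned long user_type)
{
    if (user_type == CKU_SO && t->ro_sessions > 0)
        return CKR_SESSION_READ_ONLY_EXISTS;
    return CKR_OK;
}

/* Opens one session with the given flags, then attempts an SO login. */
unsigned long so_login_with(unsigned long flags)
{
    struct token_model t = {0, 0};
    model_open_session(&t, flags);
    return model_login(&t, CKU_SO);
}

int main(void)
{
    printf("R/O session, SO login -> %lu\n", so_login_with(CKF_SERIAL_SESSION));
    printf("R/W session, SO login -> %lu\n", so_login_with(session_flags_for(CKU_SO)));
    return 0;
}
```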