[gnutls-devel] GnuTLS | p11tool fails to find certs with AWS KMS token (#1340)

Read-only notification of GnuTLS library development activities gnutls-devel at lists.gnutls.org
Fri Mar 18 02:55:17 CET 2022



Benjamin Herrenschmidt created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1340



Hi!

I am a contributor to this "soft" token which talks to AWS KMS: https://github.com/JackOfMostTrades/aws-kms-pkcs11

A given slot with this token has just two objects: A private key and a certificate.

Retrieving the certificate fails with p11tool consistently. The error seems to be a disconnect between those two functions in gnutls lib/pkcs11.c:

* find_privkeys()

It properly finds the private key and reaches the following code:

```c
	current = 0;
	while (pkcs11_find_objects
	       (sinfo->module, sinfo->pks, &ctx, 1, &count) == CKR_OK
	       && count == 1) {

		a[0].type = CKA_ID;
		a[0].value = certid_tmp;
		a[0].value_len = sizeof(certid_tmp);

		_gnutls_buffer_init(&list->key_ids[current]);

		if (pkcs11_get_attribute_value
		    (sinfo->module, sinfo->pks, ctx, a, 1) == CKR_OK) {
			ret = _gnutls_buffer_append_data(&list->key_ids[current],
						   a[0].value,
						   a[0].value_len);
			if (ret < 0)
				return gnutls_assert_val(ret);
			current++;
		}

		if (current > list->key_ids_size)
			break;
	}

	pkcs11_find_objects_final(sinfo);

	list->key_ids_size = current - 1;
```

There is only one iteration of the loop since there's only one object of type CKO_PRIVATE_KEY
in the token. The retrieval of the attribute works fine, so we exit the loop with:

```
current = 1
```

We thus return from the function with
```
list->key_ids_size = 0
```

Now, this is called from this code in find_multi_objs_cb() (note: this is the only caller)

```c
	memset(&plist, 0, sizeof(plist));

	if (find_data->flags & GNUTLS_PKCS11_OBJ_FLAG_WITH_PRIVKEY) {
		ret = find_privkeys(sinfo, tinfo, &plist);
		if (ret < 0) {
			gnutls_assert();
			return ret;
		}

		if (plist.key_ids_size == 0) {
			gnutls_assert();
			return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
		}
	}
```

As you can see, it will hit the case where plist.key_ids_size is 0 and fail. There seems
to be a disconnect between the caller and the callee as to whether key_ids_size is 0 or 1...

Now I'm happy to send a pull request with a fix provided somebody can confirm that my analysis
is correct. I can see two main approaches to fix this:

 - Remove the "-1" when setting key_ids_size in find_privkeys(). This is IMHO the most
   obvious fix and provides the clearest semantics

 - Remove the second test in the caller

Recommendations? Did I get something very wrong? :-)

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1340
You're receiving this email because of your account on gitlab.com.
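An added reproducer of the counting mismatch described above (it is not GnuTLS code and not the reporter's): the quoted collection loop reduced to its counting, run against a constructed token holding n private-key objects, with the value the caller's check would see both with the "-1" and with the first proposed fix. `fake_token`, `fake_find_objects`, `key_ids_size_after_scan` and `MAX_KEY_IDS` are assumptions standing in for the PKCS#11 enumeration and the pre-sized key_ids array.

```c
#include <stdio.h>

/* Constructed stand-in for a token slot: n_objects CKO_PRIVATE_KEY objects,
 * handed back one per call like pkcs11_find_objects() with max_objects = 1. */
struct fake_token {
	unsigned int n_objects;
	unsigned int cursor;
};

static int fake_find_objects(struct fake_token *t, unsigned long *count)
{
	*count = (t->cursor < t->n_objects) ? 1 : 0;
	if (*count)
		t->cursor++;
	return 0; /* CKR_OK */
}

#define MAX_KEY_IDS 8 /* assumed capacity of the key_ids array */

/* The loop quoted from find_privkeys(), keeping only the bookkeeping.
 * subtract_one == 1 reproduces "key_ids_size = current - 1";
 * subtract_one == 0 is the proposed fix, "key_ids_size = current". */
static unsigned int key_ids_size_after_scan(unsigned int n_objects, int subtract_one)
{
	struct fake_token t = { n_objects, 0 };
	unsigned int current = 0;
	unsigned long count;

	while (fake_find_objects(&t, &count) == 0 && count == 1) {
		/* the real code reads CKA_ID into key_ids[current] here */
		current++;
		if (current > MAX_KEY_IDS)
			break;
	}
	return subtract_one ? current - 1 : current;
}

/* The caller's test in find_multi_objs_cb(): size 0 is "no private key",
 * i.e. GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE and the lookup fails. */
static int caller_accepts(unsigned int key_ids_size)
{
	return key_ids_size != 0;
}

int main(void)
{
	unsigned int n;
	for (n = 1; n <= 3; n++)
		printf("%u key(s): with -1 size=%u (%s), without size=%u (%s)\n", n,
		       key_ids_size_after_scan(n, 1),
		       caller_accepts(key_ids_size_after_scan(n, 1)) ? "accepted" : "rejected",
		       key_ids_size_after_scan(n, 0),
		       caller_accepts(key_ids_size_after_scan(n, 0)) ? "accepted" : "rejected");
	return 0;
}
```

With a single key, the "-1" variant reports 0 and the caller rejects the slot, which is exactly the p11tool failure; every object count is undercounted by one, not just the single-key case.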

