[gnutls-devel] GnuTLS | Regression in certtool handling Ed25519 keys from PKCS#11 in 3.8.2 (#1515)

Read-only notification of GnuTLS library development activities gnutls-devel at lists.gnutls.org
Wed Nov 29 10:04:33 CET 2023



Jakub Jelen created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1515



## Description of problem:
This works fine with 3.8.1, but stopped working when macOS updated the gnutls package. Reproducible also in Fedora rawhide.

Logs:
https://github.com/latchset/pkcs11-provider/actions/runs/7029081189/job/19126109458?pr=309

## Version of gnutls used:
3.8.2

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL):
Fedora/Brew

## How reproducible:

Deterministic, with Fedora rawhide in a podman container.

Steps to Reproduce:

```shell
podman run -ti fedora:rawhide
# in container
dnf install -y softhsm opensc p11-kit-devel p11-kit-server gnutls-utils
# Variables the original snippet used without defining them; the values
# below are placeholders so the script runs as-is.
TMPPDIR="$PWD"
PINVALUE="12345678"
TOKDIR="tokens"
EDCRTN="edCert"     # object label; must match the pkcs11: URLs passed to certtool
KEYID="0001"        # placeholder CKA_ID (hex) for the generated key pair
mkdir -p "${TOKDIR}"
# SoftHSM configuration pointing at the local token directory
cat >"$TMPPDIR/softhsm.conf" <<EOF
directories.tokendir = $PWD/$TOKDIR
objectstore.backend = file
log.level = DEBUG
EOF
export SOFTHSM2_CONF="$TMPPDIR/softhsm.conf"
# certtool template for the self-signed CA certificate
cat >> "${TMPPDIR}/cert.cfg" <<HEREDOC
ca
cn = "Issuer"
serial = 1
expiration_days = 365
email = "testcert@example.org"
signing_key
encryption_key
HEREDOC
export GNUTLS_PIN="$PINVALUE"
# Initialise the token, generate an Ed25519 key pair in it, then try to
# self-sign a certificate with that key through the PKCS#11 provider.
softhsm2-util --init-token --label "token_name" --free --pin "$PINVALUE" --so-pin "$PINVALUE"
pkcs11-tool --keypairgen --key-type="EC:edwards25519" --login --pin="$PINVALUE" --module=/usr/lib64/pkcs11/libsofthsm2.so --label="${EDCRTN}" --id="$KEYID"
certtool -d9999 --generate-self-signed --outfile="cacert.crt" --template="${TMPPDIR}/cert.cfg" --provider=/usr/lib64/pkcs11/libsofthsm2.so --load-privkey "pkcs11:object=${EDCRTN};type=private" --load-pubkey "pkcs11:object=${EDCRTN};type=public" --outder
```
## Actual results:

```
Setting log level to 9999
|<2>| p11: Initializing module: /usr/lib64/pkcs11/libsofthsm2.so
Generating a self signed certificate...
|<2>| p11: Login result = ok (0)
|<3>| ASSERT: ../../../lib/x509/key_decode.c[_gnutls_x509_read_ecc_params]:257
|<2>| Cannot determine PKCS #11 key algorithm
|<3>| ASSERT: ../../lib/privkey.c[_gnutls_privkey_import_pkcs11_url]:607
error importing key at pkcs11:object=edCert;type=private: The specified algorithm or protocol is unknown.
```

## Expected results:

The Ed25519 key is imported and a self-signed certificate is created.
