Hi Michael,

On 12-04-2023 08:28, Michael Olbrich wrote:
> On Thu, Apr 06, 2023 at 04:50:14PM +0200, Robin van der Gracht wrote:
>> Signed-off-by: Robin van der Gracht <ro...@protonic.nl>
>
> With this update pkcs11-tool (from host-opensc) does not work correctly any
> more. I'm getting "error: OpenSSL error during RSA private key parsing" and
> then a segfault. For example with the host-ptx-code-signing-dev package.
> I'm not sure what's wrong here.

I'm not seeing this error with our setup but we're on 2023.02.0 with openssl 1.1.1t.

I did notice a fix for RSA key imports in the opensc repository shortly after version 0.23.0 was released. I've created a ptxdist patch that includes that patch. It's attached to this email.

Can you verify if this fixes the error?

Kind regards,
Robin
From 7c85dd2c365031bc793cac7ba29ac67e5105e144 Mon Sep 17 00:00:00 2001
From: Robin van der Gracht <ro...@protonic.nl>
Date: Thu, 13 Apr 2023 09:18:00 +0200
Subject: [PATCH] opensc: Add patch that fixes RSA private key imports

Signed-off-by: Robin van der Gracht <ro...@protonic.nl>
---
 ...1-pkcs11-tool-Fix-private-key-import.patch | 32 +++++++++++++++++++
 patches/OpenSC-0.23.0/series                  |  1 +
 2 files changed, 33 insertions(+)
 create mode 100644 patches/OpenSC-0.23.0/0001-pkcs11-tool-Fix-private-key-import.patch
 create mode 100644 patches/OpenSC-0.23.0/series

diff --git a/patches/OpenSC-0.23.0/0001-pkcs11-tool-Fix-private-key-import.patch b/patches/OpenSC-0.23.0/0001-pkcs11-tool-Fix-private-key-import.patch
new file mode 100644
index 000000000..a58fc69a4
--- /dev/null
+++ b/patches/OpenSC-0.23.0/0001-pkcs11-tool-Fix-private-key-import.patch
@@ -0,0 +1,32 @@
+From 9294183e07ff4944e3f5e590f343f5727636767e Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jje...@redhat.com>
+Date: Thu, 1 Dec 2022 20:08:53 +0100
+Subject: [PATCH] pkcs11-tool: Fix private key import
+
+---
+ src/tools/pkcs11-tool.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/tools/pkcs11-tool.c b/src/tools/pkcs11-tool.c
+index aae205fe..cfee8526 100644
+--- a/src/tools/pkcs11-tool.c
++++ b/src/tools/pkcs11-tool.c
+@@ -3669,13 +3669,13 @@ parse_rsa_pkey(EVP_PKEY *pkey, int private, struct rsakey_info *rsa)
+ 		RSA_get0_factors(r, &r_p, &r_q);
+ 		RSA_get0_crt_params(r, &r_dmp1, &r_dmq1, &r_iqmp);
+ #else
+-		if (EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_FACTOR1, &r_d) != 1 ||
++		if (EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_D, &r_d) != 1 ||
+ 			EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_FACTOR1, &r_p) != 1 ||
+ 			EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_FACTOR2, &r_q) != 1 ||
+ 			EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_EXPONENT1, &r_dmp1) != 1 ||
+ 			EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_EXPONENT2, &r_dmq1) != 1 ||
+-			EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_EXPONENT3, &r_iqmp) != 1) {
+ 			util_fatal("OpenSSL error during RSA private key parsing");
++			EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_COEFFICIENT1, &r_iqmp) != 1) {
+ 		}
+ #endif
+ 		RSA_GET_BN(rsa, private_exponent, r_d);
+-- 
+2.37.2
+
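Review bot: in the embedded pkcs11-tool.c hunk the added `OSSL_PKEY_PARAM_RSA_COEFFICIENT1` line sits after the `util_fatal(...)` context line instead of directly after the removed `OSSL_PKEY_PARAM_RSA_EXPONENT3` line. Applied as written, the `if` condition would run from `... OSSL_PKEY_PARAM_RSA_EXPONENT2, &r_dmq1) != 1 ||` straight into the `util_fatal("OpenSSL error during RSA private key parsing");` statement, with the final comparison and the opening `{` only after it, which cannot compile. Move the `+` line up so it replaces the `-` line in place and `util_fatal` stays inside the braces. The first change, reading `r_d` from `OSSL_PKEY_PARAM_RSA_D` rather than `OSSL_PKEY_PARAM_RSA_FACTOR1`, matches the later `RSA_GET_BN(rsa, private_exponent, r_d)` and looks correct. The embedded patch also has an empty message body; one line saying it is taken from the opensc repository and why (the "OpenSSL error during RSA private key parsing" failure) would make it easier to drop on the next version bump.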
diff --git a/patches/OpenSC-0.23.0/series b/patches/OpenSC-0.23.0/series
new file mode 100644
index 000000000..ebefe3cd1
--- /dev/null
+++ b/patches/OpenSC-0.23.0/series
@@ -0,0 +1 @@
+0001-pkcs11-tool-Fix-private-key-import.patch
-- 
2.37.2
