From: Michael Olbrich <m.olbrich@pengutronix.de>
To: Robin van der Gracht <robin@protonic.nl>
Cc: ptxdist@pengutronix.de
Subject: Re: [ptxdist] [PATCH 1/3] rules: opensc: Version bumb to 0.23.0
Date: Thu, 13 Apr 2023 15:57:48 +0200
Message-ID: <20230413135748.GW17392@pengutronix.de>
In-Reply-To: <deacf1d3-b7b5-b87d-e7b3-d69df52a5ddc@protonic.nl>

On Thu, Apr 13, 2023 at 09:25:54AM +0200, Robin van der Gracht wrote:
> Hi Michael,
> 
> On 12-04-2023 08:28, Michael Olbrich wrote:
> > On Thu, Apr 06, 2023 at 04:50:14PM +0200, Robin van der Gracht wrote:
> > > Signed-off-by: Robin van der Gracht <robin@protonic.nl>
> > 
> > With this update pkcs11-tool (from host-opensc) does not work correctly any
> > more. I'm getting "error: OpenSSL error during RSA private key parsing" and
> > then a segfault. For example with the host-ptx-code-signing-dev package.
> > I'm not sure what's wrong here.
> 
> I'm not seeing this error with our setup but we're on 2023.02.0 with openssl
> 1.1.1t.

So probably an issue with OpenSSL 3.x.

> I did notice a fix for RSA key imports in the opensc repository shortly
> after version 0.23.0 was released. I've created a ptxdist patch that
> includes that patch. It's attached to this email.
> 
> Can you verify if this fixes the error?
> 
> Kind regards,
> Robin

> From 7c85dd2c365031bc793cac7ba29ac67e5105e144 Mon Sep 17 00:00:00 2001
> From: Robin van der Gracht <robin@protonic.nl>
> Date: Thu, 13 Apr 2023 09:18:00 +0200
> Subject: [PATCH] opensc: Add patch that fixes RSA private key imports
> 
> Signed-off-by: Robin van der Gracht <robin@protonic.nl>
> ---
>  ...1-pkcs11-tool-Fix-private-key-import.patch | 32 +++++++++++++++++++
>  patches/OpenSC-0.23.0/series                  |  1 +
>  2 files changed, 33 insertions(+)
>  create mode 100644 patches/OpenSC-0.23.0/0001-pkcs11-tool-Fix-private-key-import.patch
>  create mode 100644 patches/OpenSC-0.23.0/series
> 
> diff --git a/patches/OpenSC-0.23.0/0001-pkcs11-tool-Fix-private-key-import.patch b/patches/OpenSC-0.23.0/0001-pkcs11-tool-Fix-private-key-import.patch
> new file mode 100644
> index 000000000..a58fc69a4
> --- /dev/null
> +++ b/patches/OpenSC-0.23.0/0001-pkcs11-tool-Fix-private-key-import.patch
> @@ -0,0 +1,32 @@
> +From 9294183e07ff4944e3f5e590f343f5727636767e Mon Sep 17 00:00:00 2001
> +From: Jakub Jelen <jjelen@redhat.com>
> +Date: Thu, 1 Dec 2022 20:08:53 +0100
> +Subject: [PATCH] pkcs11-tool: Fix private key import
> +
> +---
> + src/tools/pkcs11-tool.c | 4 ++--
> + 1 file changed, 2 insertions(+), 2 deletions(-)
> +
> +diff --git a/src/tools/pkcs11-tool.c b/src/tools/pkcs11-tool.c
> +index aae205fe..cfee8526 100644
> +--- a/src/tools/pkcs11-tool.c
> ++++ b/src/tools/pkcs11-tool.c
> +@@ -3669,13 +3669,13 @@ parse_rsa_pkey(EVP_PKEY *pkey, int private, struct rsakey_info *rsa)
> + 		RSA_get0_factors(r, &r_p, &r_q);
> + 		RSA_get0_crt_params(r, &r_dmp1, &r_dmq1, &r_iqmp);
> + #else
> +-		if (EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_FACTOR1, &r_d) != 1 ||
> ++		if (EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_D, &r_d) != 1 ||
> + 			EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_FACTOR1, &r_p) != 1 ||
> + 			EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_FACTOR2, &r_q) != 1 ||
> + 			EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_EXPONENT1, &r_dmp1) != 1 ||
> + 			EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_EXPONENT2, &r_dmq1) != 1 ||
> +-			EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_EXPONENT3, &r_iqmp) != 1) {
> + 			util_fatal("OpenSSL error during RSA private key parsing");
> ++			EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_COEFFICIENT1, &r_iqmp) != 1) {

This is broken. Probably a bad conflict resolution. The next upstream
commit fixes this. So far it looks promising. I'll do some more testing and
clean it up.

Regards,
Michael

> + 		}
> + #endif
> + 		RSA_GET_BN(rsa, private_exponent, r_d);
> +-- 
> +2.37.2
> +
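Review bot: the inner hunk at `@@ -3669,13 +3669,13 @@` has its lines in the wrong order, which is why the patched pkcs11-tool.c cannot compile: the removed `EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_EXPONENT3, &r_iqmp) != 1) {` is replaced by `EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_COEFFICIENT1, &r_iqmp) != 1) {` only after the context line `util_fatal("OpenSSL error during RSA private key parsing");`, so the `if` condition now ends in `... != 1 || util_fatal(...);` and the COEFFICIENT1 call with its `) {` is left dangling as a stray statement. The old/new counts in the hunk header still add up to 13 each, so `patch`/`git am` will apply this cleanly and the damage only shows at build time. The `+` line must sit directly above the `util_fatal` line; rather than editing the hunk by hand, regenerate the file with `git format-patch` from upstream commit 9294183e07ff4944e3f5e590f343f5727636767e. Substantively the two `+` lines are the right fix: reading `r_d` via OSSL_PKEY_PARAM_RSA_FACTOR1 fetched p instead of d, and asking for OSSL_PKEY_PARAM_RSA_EXPONENT3 on a two-prime key fails and triggers exactly the "OpenSSL error during RSA private key parsing" message reported upthread.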
> diff --git a/patches/OpenSC-0.23.0/series b/patches/OpenSC-0.23.0/series
> new file mode 100644
> index 000000000..ebefe3cd1
> --- /dev/null
> +++ b/patches/OpenSC-0.23.0/series
> @@ -0,0 +1 @@
> +0001-pkcs11-tool-Fix-private-key-import.patch
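Review bot: `patches/OpenSC-0.23.0/series` is a hand-written single-entry file; ptxdist series files are normally maintained with `git ptx-patches`, which adds the `# generated by git-ptx-patches` header and the trailing `git-ptx-patches magic` checksum line. Not a blocker, but keeping the patch in a git-ptx-patches managed tree makes the expected follow-up (rebasing onto the corrected upstream commit) much less error-prone than editing the patch by hand, which is how the broken hunk above came about.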
> -- 
> 2.37.2
> 


-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |


