Date: Thu, 13 Apr 2023 15:57:48 +0200
From: Michael Olbrich
To: Robin van der Gracht
Message-ID: <20230413135748.GW17392@pengutronix.de>
References: <20230406145016.3074015-1-robin@protonic.nl>
Subject: Re: [ptxdist] [PATCH 1/3] rules: opensc: Version bumb to 0.23.0
Reply-To: ptxdist@pengutronix.de
Cc: ptxdist@pengutronix.de

On Thu, Apr 13, 2023 at 09:25:54AM +0200, Robin van der Gracht wrote:
> Hi Michael,
>
> On 12-04-2023 08:28, Michael Olbrich wrote:
> > On Thu, Apr 06, 2023 at 04:50:14PM +0200, Robin van der Gracht wrote:
> > > Signed-off-by: Robin van der Gracht
> >
> > With this update pkcs11-tool (from host-opensc) does not work correctly any
> > more. I'm getting "error: OpenSSL error during RSA private key parsing" and
> > then a segfault. For example with the host-ptx-code-signing-dev package.
> > I'm not sure what's wrong here.
>
> I'm not seeing this error with our setup but we're on 2023.02.0 with openssl
> 1.1.1t. So probably an issue with OpenSSL 3.x
> I did notice a fix for RSA key imports in the opensc repository shortly
> after version 0.23.0 was released. I've created a ptxdist patch that
> includes that patch. It's attached to this email.
>
> Can you verify if this fixes the error?
>
> Kind regards,
> Robin
> From 7c85dd2c365031bc793cac7ba29ac67e5105e144 Mon Sep 17 00:00:00 2001
> From: Robin van der Gracht > Date: Thu, 13 Apr 2023 09:18:00 +0200 > Subject: [PATCH] opensc: Add patch that fixes RSA private key imports > > Signed-off-by: Robin van der Gracht > --- > ...1-pkcs11-tool-Fix-private-key-import.patch | 32 +++++++++++++++++++ > patches/OpenSC-0.23.0/series | 1 + > 2 files changed, 33 insertions(+) > create mode 100644 patches/OpenSC-0.23.0/0001-pkcs11-tool-Fix-private-key-import.patch > create mode 100644 patches/OpenSC-0.23.0/series > > diff --git a/patches/OpenSC-0.23.0/0001-pkcs11-tool-Fix-private-key-import.patch b/patches/OpenSC-0.23.0/0001-pkcs11-tool-Fix-private-key-import.patch > new file mode 100644 > index 000000000..a58fc69a4 > --- /dev/null > +++ b/patches/OpenSC-0.23.0/0001-pkcs11-tool-Fix-private-key-import.patch 
> @@ -0,0 +1,32 @@ > +From 9294183e07ff4944e3f5e590f343f5727636767e Mon Sep 17 00:00:00 2001 > +From: Jakub Jelen > +Date: Thu, 1 Dec 2022 20:08:53 +0100 > +Subject: [PATCH] pkcs11-tool: Fix private key import > + > +--- > + src/tools/pkcs11-tool.c | 4 ++-- > + 1 file changed, 2 insertions(+), 2 deletions(-) > + > +diff --git a/src/tools/pkcs11-tool.c b/src/tools/pkcs11-tool.c > +index aae205fe..cfee8526 100644 > +--- a/src/tools/pkcs11-tool.c > ++++ b/src/tools/pkcs11-tool.c > +@@ -3669,13 +3669,13 @@ parse_rsa_pkey(EVP_PKEY *pkey, int private, struct rsakey_info *rsa) > + RSA_get0_factors(r, &r_p, &r_q); > + RSA_get0_crt_params(r, &r_dmp1, &r_dmq1, &r_iqmp); > + #else > +- if (EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_FACTOR1, &r_d) != 1 || > ++ if (EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_D, &r_d) != 1 || > + EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_FACTOR1, &r_p) != 1 || > + EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_FACTOR2, &r_q) != 1 || > + EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_EXPONENT1, &r_dmp1) != 1 || > + EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_EXPONENT2, &r_dmq1) != 1 || > +- EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_EXPONENT3, &r_iqmp) != 1) { > + util_fatal("OpenSSL error during RSA private key parsing"); > ++ EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_COEFFICIENT1, &r_iqmp) != 1) { This is broken. Probably a bad conflict resolution. The next upstream commit fixes this. So far it looks promising. I'll do some more testing and clean it up. Regards, Michael > + } > + #endif > + RSA_GET_BN(rsa, private_exponent, r_d); > +-- > +2.37.2 > + > diff --git a/patches/OpenSC-0.23.0/series b/patches/OpenSC-0.23.0/series > new file mode 100644 > index 000000000..ebefe3cd1 > --- /dev/null > +++ b/patches/OpenSC-0.23.0/series 
> @@ -0,0 +1 @@ > +0001-pkcs11-tool-Fix-private-key-import.patch > -- > 2.37.2 > -- Pengutronix e.K. | | Steuerwalder Str. 21 | http://www.pengutronix.de/ | 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 | Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
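
Review bot: in the embedded pkcs11-tool.c hunk (parse_rsa_pkey, the non-legacy OpenSSL branch), the added OSSL_PKEY_PARAM_RSA_COEFFICIENT1 line sits after the util_fatal() context line instead of where the removed OSSL_PKEY_PARAM_RSA_EXPONENT3 line was. Once applied, the if condition stops at the EXPONENT2 line with a dangling "||", and the "!= 1) {" that should close it only appears after the util_fatal() call, so the statement is malformed and will not compile. Move the "+" line directly below the "-" line so that util_fatal() stays inside the braces, or carry the follow-up upstream commit mentioned in the reply together with this one rather than this one alone. The change from OSSL_PKEY_PARAM_RSA_FACTOR1 to OSSL_PKEY_PARAM_RSA_D for r_d on the first line of the condition is the part that matters for the import: before it, r_d and r_p were both read from FACTOR1. The embedded patch also has an empty description; one line stating which upstream repository and commit it was taken from would make it easier to drop on the next version bump.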