
Comments (7)

gerow commented on May 7, 2024

OK, if we implement C_GetSessionInfo it no longer cares about the pin, but it does segfault :)

gdb says it's trying to duplicate 4GB of memory, which isn't going to work.

(gdb) bt
#0  __memmove_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:400
#1  0x00007f98c4a02b82 in memdup (data=0x7ffdfe85a310, length=4294967295) at common/compat.c:503
#2  0x00007f98c49ff7ec in attrs_build (attrs=0x55c79e4cd890, count_to_add=1, take_values=false, override=true, 
    generator=0x7f98c49ffa93 <template_generator>, state=0x7ffdfe85a120) at common/attrs.c:156
#3  0x00007f98c49ffaf3 in p11_attrs_buildn (attrs=0x55c79e5101c0, add=0x7ffdfe85a188, count=1) at common/attrs.c:207
#4  0x00007f98c495de54 in p11_kit_uri_set_attribute (uri=0x55c79e534fb0, attr=0x7ffdfe85a170) at p11-kit/uri.c:473
#5  0x00007f98c4d29f71 in pkcs11_obj_import (class=<optimized out>, class@entry=1, obj=obj@entry=0x55c79e4cf420, data=data@entry=0x7ffdfe85a240, 
    id=id@entry=0x7ffdfe85a220, label=label@entry=0x7ffdfe85a230, tinfo=tinfo@entry=0x7ffdfe85a800, lib_info=0x7f98c4e989a8 <providers+136>)
    at ../../lib/pkcs11.c:1750
#6  0x00007f98c4d2d905 in pkcs11_import_object (ctx=17585635778897907809, class=1, sinfo=sinfo@entry=0x7ffdfe85a8d0, 
    tinfo=tinfo@entry=0x7ffdfe85a800, lib_info=lib_info@entry=0x7f98c4e989a8 <providers+136>, pobj=0x55c79e4cf420) at ../../lib/pkcs11.c:2188
#7  0x00007f98c4d2e9eb in find_multi_objs_cb (module=<optimized out>, sinfo=sinfo@entry=0x7ffdfe85a8d0, tinfo=tinfo@entry=0x7ffdfe85a800, 
    lib_info=lib_info@entry=0x7f98c4e989a8 <providers+136>, input=input@entry=0x7ffdfe85ac00) at ../../lib/pkcs11.c:3356
#8  0x00007f98c4d304bf in _pkcs11_traverse_tokens (find_func=find_func@entry=0x7f98c4d2e220 <find_multi_objs_cb>, input=input@entry=0x7ffdfe85ac00, 
    info=0x55c79e524dc0, pin_info=pin_info@entry=0x0, flags=0) at ../../lib/pkcs11.c:1632
#9  0x00007f98c4d31267 in gnutls_pkcs11_obj_list_import_url4 (p_list=p_list@entry=0x7ffdfe85acb0, n_list=n_list@entry=0x7ffdfe85aca0, 
    url=url@entry=0x7ffdfe85d295 "pkcs11:model=example-server;manufacturer=go-p11-kit;serial=12345678;token=example", flags=0)
    at ../../lib/pkcs11.c:3538
#10 0x000055c79d406cb9 in pkcs11_list (outfile=0x7f98c4c506c0 <_IO_2_1_stdout_>, 
    url=url@entry=0x7ffdfe85d295 "pkcs11:model=example-server;manufacturer=go-p11-kit;serial=12345678;token=example", type=type@entry=4, 
    flags=<optimized out>, flags@entry=0, detailed=detailed@entry=0, info=info@entry=0x7ffdfe85ae90) at ../../src/pkcs11.c:265
#11 0x000055c79d405adf in cmd_parser (argv=<optimized out>, argc=<optimized out>) at ../../src/p11tool.c:303
#12 main (argc=<optimized out>, argv=<optimized out>) at ../../src/p11tool.c:75
(gdb) up
#1  0x00007f98c4a02b82 in memdup (data=0x7ffdfe85a310, length=4294967295) at common/compat.c:503
503			memcpy (dup, data, length);
(gdb) up
#2  0x00007f98c49ff7ec in attrs_build (attrs=0x55c79e4cd890, count_to_add=1, take_values=false, override=true, 
    generator=0x7f98c49ffa93 <template_generator>, state=0x7ffdfe85a120) at common/attrs.c:156
156					attr->pValue = memdup (attr->pValue, attr->ulValueLen);
(gdb) up
#3  0x00007f98c49ffaf3 in p11_attrs_buildn (attrs=0x55c79e5101c0, add=0x7ffdfe85a188, count=1) at common/attrs.c:207
207		return attrs_build (attrs, count, false, true,
(gdb) up
#4  0x00007f98c495de54 in p11_kit_uri_set_attribute (uri=0x55c79e534fb0, attr=0x7ffdfe85a170) at p11-kit/uri.c:473
473		uri->attrs = p11_attrs_buildn (uri->attrs, attr, 1);
(gdb) p *attr
$9 = {type = 3, pValue = 0x7ffdfe85a310, ulValueLen = 4294967295}

Type 3 is attributeTypeMechanismArray which isn't implemented yet. So I guess we gotta do that.

	case attributeTypeMechanismArray:
		// TODO(ericchiang): implement
		return false

from go-p11-kit.
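The backtrace above shows p11-kit's memdup being asked to copy ulValueLen = 4294967295 (0xFFFFFFFF) bytes. That bit pattern is what PKCS #11's CK_UNAVAILABLE_INFORMATION (~0UL) looks like in a 32-bit length field, which a module uses to say "this attribute has no value", not to announce a 4 GiB value. A receiver should recognise that sentinel, and cap any other length, before it allocates. The Go program below is an added example written for this page, not code from go-p11-kit or p11-kit; it decodes a simplified type/length/value record layout I constructed (it is not the p11-kit RPC encoding) and shows the two checks: the sentinel becomes an "unavailable" flag with no value, and an oversized or truncated length is rejected instead of allocated. The 64 KiB cap is an arbitrary choice for the example.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// ckUnavailable32 is the 32-bit rendering of PKCS #11's
// CK_UNAVAILABLE_INFORMATION (~0UL). A module puts it in ulValueLen to say
// the attribute has no value; it is never a real length.
const ckUnavailable32 = 0xFFFFFFFF

// maxAttrValue bounds a single attribute value. 64 KiB is an arbitrary
// choice for this example; pick the largest attribute you expect to see.
const maxAttrValue = 64 * 1024

// Attribute is one decoded (type, value) pair from the peer.
type Attribute struct {
	Type        uint32
	Value       []byte
	Unavailable bool // peer reported CK_UNAVAILABLE_INFORMATION
}

var ErrTruncated = errors.New("attribute stream truncated")

// encodeRecord builds one record of the constructed format: uint32 type,
// uint32 length, then the value bytes. Passing a length that does not match
// len(value) reproduces a misbehaving peer.
func encodeRecord(typ, length uint32, value []byte) []byte {
	rec := make([]byte, 8, 8+len(value))
	binary.BigEndian.PutUint32(rec[0:4], typ)
	binary.BigEndian.PutUint32(rec[4:8], length)
	return append(rec, value...)
}

// SampleStream is a constructed input: a CKA_LABEL (0x3) with a real value,
// then a CKA_ID (0x102) whose length is the sentinel, mirroring the
// ulValueLen = 4294967295 in the backtrace.
func SampleStream() []byte {
	s := encodeRecord(0x3, 7, []byte("example"))
	return append(s, encodeRecord(0x102, ckUnavailable32, nil)...)
}

// DecodeAttributes parses the constructed stream without trusting the
// length field: the sentinel yields an Unavailable attribute, anything over
// the cap or past the end of the buffer is an error, and only then is a
// private copy of the value made.
func DecodeAttributes(buf []byte) ([]Attribute, error) {
	var out []Attribute
	for len(buf) > 0 {
		if len(buf) < 8 {
			return nil, ErrTruncated
		}
		typ := binary.BigEndian.Uint32(buf[0:4])
		length := binary.BigEndian.Uint32(buf[4:8])
		buf = buf[8:]
		if length == ckUnavailable32 {
			out = append(out, Attribute{Type: typ, Unavailable: true})
			continue
		}
		if length > maxAttrValue {
			return nil, fmt.Errorf("attribute 0x%x: length %d exceeds cap %d", typ, length, maxAttrValue)
		}
		if int(length) > len(buf) {
			return nil, ErrTruncated
		}
		val := make([]byte, length)
		copy(val, buf[:length])
		buf = buf[length:]
		out = append(out, Attribute{Type: typ, Value: val})
	}
	return out, nil
}

func main() {
	attrs, err := DecodeAttributes(SampleStream())
	if err != nil {
		panic(err)
	}
	for _, a := range attrs {
		fmt.Printf("type 0x%x unavailable=%v value=%q\n", a.Type, a.Unavailable, a.Value)
	}
}
```

Run it as-is to see the label decoded and the sentinel attribute reported as unavailable rather than allocated; feed it encodeRecord(0x3, 70000, nil) to see the cap refuse the length.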

gerow commented on May 7, 2024

With the invalid attributes fix we're closer, but still not there. It seems p11tool only sees one object in the test example.

$ p11tool --list-all pkcs11:model=example-server;manufacturer=go-p11-kit;serial=12345678;token=example
Object 0:
	URL: pkcs11:model=example-server;manufacturer=go-p11-kit;serial=12345678;token=example;id=%02%14%66%0D%75%76%73%F5%44%7F%53%C2%4F%26%61%EF%47%A7%5A%D7%21%95;type=cert
	Type: X.509 Certificate (RSA-2048)
	Expires: Thu Jan  8 15:37:09 2122
	Label: 
	ID: 02:14:66:0d:75:76:73:f5:44:7f:53:c2:4f:26:61:ef:47:a7:5a:d7:21:95


gerow commented on May 7, 2024

OK neat, so it seems the only thing we need in order to ensure gnutls does the right thing here is to make sure the CKA_ID values for the cert, privkey, and pubkey all match. Right now it's only getting set for the cert in the example server, but hopefully it shouldn't be too hard to make that easier.


gerow commented on May 7, 2024

OK, to do this properly will take a bit of finesse, but I don't think it should be too bad.

Right now the attributes of an Object are one big slice, which makes it unwieldy to replace existing attributes, and right now we set the CKA_ID for certs to the public key fingerprint. I think ideally we want to have a SetID func on object which would be able to override whatever the helper funcs do.

@ericchiang what do you think about changing the object attributes to be a map keyed on the attributeType, and then adding a SetID func to the public interface so one can group objects together in such a way to make p11-kit/gnutls happy?


ericchiang commented on May 7, 2024

Switching to a map seems reasonable. If you do that please try removing the "typ" field on the attribute struct so the information's not duplicated.

This might be a fast-and-dirty way of doing it:

// setAttribute replaces an existing attribute of the same type in place,
// or appends it when no attribute of that type is present yet.
func (o *Object) setAttribute(a attribute) {
    for i, attr := range o.attributes {
        if attr.typ == a.typ {
            o.attributes[i] = a
            return
        }
    }
    o.attributes = append(o.attributes, a)
}

SetCertificate() is intended to associate a public/private key with a certificate and already sets CKA_ID, though it seems like it's not de-duping? Is that what you're looking for?

https://github.com/google/go-p11-kit/blob/3f7ed3fb3cec/p11kit/attribute.go#L83

I've been trying to avoid exposing PKCS #11 details in the public API as much as possible. SetID seems a little low level.

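The two comments above settle on the same design: keep attributes keyed on their type so a second CKA_ID replaces the first instead of being appended, and give the certificate, public key and private key one shared CKA_ID so p11-kit and GnuTLS can group them. The program below is an added example written for this page, not go-p11-kit's own code or API; Object, SetAttribute, Template, LinkCertificate and SharedID are names I made up, and deriving the ID as SHA-1 over the SubjectPublicKeyInfo is my assumption (the thread only says "public key fingerprint"). The SPKI bytes are constructed, not real DER.

```go
package main

import (
	"bytes"
	"crypto/sha1"
	"errors"
	"fmt"
	"sort"
)

// PKCS #11 attribute types and object classes used below
// (values as defined in the PKCS #11 specification).
const (
	ckaLabel uint32 = 0x003
	ckaID    uint32 = 0x102

	ckoCertificate uint32 = 1
	ckoPublicKey   uint32 = 2
	ckoPrivateKey  uint32 = 3
)

// Attribute is one (type, value) pair as returned by C_GetAttributeValue.
type Attribute struct {
	Type  uint32
	Value []byte
}

// Object keeps attributes in a map keyed on type, so a type can only ever be
// present once and SetAttribute replaces instead of appending a second CKA_ID.
type Object struct {
	Class uint32
	attrs map[uint32][]byte
}

func NewObject(class uint32, label string) *Object {
	o := &Object{Class: class, attrs: map[uint32][]byte{}}
	o.SetAttribute(ckaLabel, []byte(label))
	return o
}

// SetAttribute stores a private copy of value under typ, overriding any
// earlier value: this is the de-duplication the thread asks for.
func (o *Object) SetAttribute(typ uint32, value []byte) {
	o.attrs[typ] = append([]byte(nil), value...)
}

// Attribute returns the stored value and whether it is present.
func (o *Object) Attribute(typ uint32) ([]byte, bool) {
	v, ok := o.attrs[typ]
	return v, ok
}

// Template flattens the map back into the slice a PKCS #11 response needs,
// sorted by type so the output is deterministic.
func (o *Object) Template() []Attribute {
	out := make([]Attribute, 0, len(o.attrs))
	for typ, v := range o.attrs {
		out = append(out, Attribute{Type: typ, Value: v})
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Type < out[j].Type })
	return out
}

// FingerprintID derives a CKA_ID from the DER SubjectPublicKeyInfo.
// SHA-1 over the SPKI is an assumption made for this example.
func FingerprintID(spki []byte) []byte {
	sum := sha1.Sum(spki)
	return sum[:]
}

// LinkCertificate gives the certificate and both key halves the same CKA_ID,
// replacing whatever each carried before. pub or priv may be nil when only
// one half lives on the token.
func LinkCertificate(cert, pub, priv *Object, spki []byte) ([]byte, error) {
	if cert == nil || cert.Class != ckoCertificate {
		return nil, errors.New("cert must be a CKO_CERTIFICATE object")
	}
	if pub != nil && pub.Class != ckoPublicKey {
		return nil, errors.New("pub must be a CKO_PUBLIC_KEY object")
	}
	if priv != nil && priv.Class != ckoPrivateKey {
		return nil, errors.New("priv must be a CKO_PRIVATE_KEY object")
	}
	id := FingerprintID(spki)
	for _, o := range []*Object{cert, pub, priv} {
		if o != nil {
			o.SetAttribute(ckaID, id)
		}
	}
	return id, nil
}

// SharedID reports whether every object carries the same non-empty CKA_ID,
// which is the property a PKCS #11 client needs to group them.
func SharedID(objs ...*Object) bool {
	var want []byte
	for _, o := range objs {
		id, ok := o.Attribute(ckaID)
		if !ok || len(id) == 0 {
			return false
		}
		if want == nil {
			want = id
		} else if !bytes.Equal(want, id) {
			return false
		}
	}
	return want != nil
}

func main() {
	spki := []byte("constructed SPKI bytes, not real DER")
	cert := NewObject(ckoCertificate, "example")
	cert.SetAttribute(ckaID, []byte("stale-id")) // what a helper set earlier
	pub := NewObject(ckoPublicKey, "example")
	priv := NewObject(ckoPrivateKey, "example")
	id, err := LinkCertificate(cert, pub, priv, spki)
	if err != nil {
		panic(err)
	}
	fmt.Printf("CKA_ID %x shared=%v cert attrs=%d\n", id, SharedID(cert, pub, priv), len(cert.Template()))
}
```

After LinkCertificate the certificate's template holds exactly one CKA_ID (the stale one is gone), and all three objects answer SharedID with true; swapping the class arguments is rejected, so a key cannot be linked as if it were the certificate.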

gerow commented on May 7, 2024

Oh, I think SetCertificate() is actually exactly what I need. Let me try using that.


ericchiang commented on May 7, 2024

I still think it's not de-duping attributes correctly (it's just appending another CKA_ID), so you might need to fix that :)

