Summary: "test_init_pin" fails because teardown_mock_module()
is missing a call to cleanup.

In p11-kit/test-proxy.c:
The static function teardown_mock_module() seems to be missing a call
to p11_proxy_module_cleanup(). This leads to an exhaustion of the cells
available in fixed_closures[] (see in p11-kit/virtual.c), meaning a test
may fail because the test previously run didn't free all the cells in
fixed_closures[].

Such an exhaustion leads to the failure of the test "test_init_pin".

The attached patch addresses this problem.

Local config:

• uname -a
  [...] Darwin Kernel Version 15.6.0: Thu Jun 21 20:07:40 PDT 2018; root:xnu-3248.73.11~1/RELEASE_X86_64 x86_64

• call to configure:
  ./configure --without-libffi --without-libtasn1 --without-gtk-doc --without-xlstproc --without-freebl3 --enable-doc=no --with-system-config=/usr/local/etc -enable-debug

No problem encountered while running configure, nor while compiling
through make.

test-proxy.diff.txt

=======================================
p11-kit 0.23.13: ./test-suite.log

TOTAL: 752

PASS: 751

SKIP: 0

XFAIL: 0

FAIL: 1

XPASS: 0

ERROR: 0

.. contents:: :depth: 2

FAIL: test-token

1..21
ok 1 /token/load
PASS: test-token 1 /token/load
ok 2 /token/flags
PASS: test-token 2 /token/flags
ok 3 /token/path
PASS: test-token 3 /token/path
ok 4 /token/label
PASS: test-token 4 /token/label
ok 5 /token/slot
PASS: test-token 5 /token/slot
not ok 6 /token/not-writable
FAIL: test-token 6 /token/not-writable

assertion failed (!p11_token_is_writable (token))

test-token: assertion failed (!p11_token_is_writable (token))

in test_not_writable() at test-token.c:256

test-token: in test_not_writable() at test-token.c:256

ok 7 /token/writable-no-exist
PASS: test-token 7 /token/writable-no-exist
ok 8 /token/writable-exists
PASS: test-token 8 /token/writable-exists
ok 9 /token/load-found
PASS: test-token 9 /token/load-found
ok 10 /token/load-already
PASS: test-token 10 /token/load-already
ok 11 /token/load-unreadable
PASS: test-token 11 /token/load-unreadable
ok 12 /token/load-gone
PASS: test-token 12 /token/load-gone
ok 13 /token/load-contrived
PASS: test-token 13 /token/load-contrived
ok 14 /token/reload-changed
PASS: test-token 14 /token/reload-changed
ok 15 /token/reload-gone
PASS: test-token 15 /token/reload-gone
ok 16 /token/reload-no-origin
PASS: test-token 16 /token/reload-no-origin
ok 17 /token/write-new
PASS: test-token 17 /token/write-new
ok 18 /token/write-no-label
PASS: test-token 18 /token/write-no-label
ok 19 /token/modify-multiple
PASS: test-token 19 /token/modify-multiple
ok 20 /token/remove-one
PASS: test-token 20 /token/remove-one
ok 21 /token/remove-multiple
PASS: test-token 21 /token/remove-multiple

Under MacPorts p11-kit 3.5.18 has broken gnutls 3.5.18, due to an issue with uri.h:

libtool: compile:  /usr/bin/clang -DHAVE_CONFIG_H -I. -I../.. -I./../../gl -I./../../gl -I./../includes -I./../includes -I./.. -I/opt/local/include -Wtype-limits -fno-common -W -Wabi -Waddress -Wall -Wattributes -Wbad-function-cast -Wbuiltin-macro-redefined -Wcast-align -Wchar-subscripts -Wcomment -Wcomments -Wcpp -Wdate-time -Wdeprecated -Wdeprecated-declarations -Wdisabled-optimization -Wdiv-by-zero -Wdouble-promotion -Wempty-body -Wendif-labels -Wenum-compare -Wextra -Wformat-extra-args -Wformat-security -Wformat-zero-length -Wignored-attributes -Wignored-qualifiers -Wimplicit -Wimplicit-function-declaration -Wimplicit-int -Wincompatible-pointer-types -Winit-self -Wint-conversion -Wint-to-pointer-cast -Winvalid-pch -Wlogical-not-parentheses -Wmain -Wmissing-braces -Wmissing-declarations -Wmissing-field-initializers -Wmissing-include-dirs -Wmissing-prototypes -Wmultichar -Wnarrowing -Wnested-externs -Wnonnull -Wnull-dereference -Wodr -Wold-style-definition -Woverflow -Wpacked -Wparentheses -Wpointer-arith -Wpointer-sign -Wpointer-to-int-cast -Wpragmas -Wreturn-type -Wsequence-point -Wshadow -Wshift-count-negative -Wshift-count-overflow -Wshift-negative-value -Wsizeof-array-argument -Wsizeof-pointer-memaccess -Wstrict-aliasing -Wstrict-prototypes -Wswitch -Wswitch-bool -Wtautological-compare -Wtrigraphs -Wtype-limits -Wuninitialized -Wunknown-pragmas -Wunused -Wunused-function -Wunused-label -Wunused-local-typedefs -Wunused-parameter -Wunused-result -Wunused-value -Wunused-variable -Wvarargs -Wvariadic-macros -Wvolatile-register-var -Wwrite-strings -Wno-missing-field-initializers -Wno-missing-field-initializers -Wno-unused-parameter -fdiagnostics-show-option -I/opt/local/include/p11-kit-1 -pipe -Os -arch x86_64 -MT verify-high2.lo -MD -MP -MF .deps/verify-high2.Tpo -c verify-high2.c  -fno-common -DPIC -o .libs/verify-high2.o
In file included from verify-high2.c:36:
In file included from ./../pkcs11_int.h:34:
/opt/local/include/p11-kit-1/p11-kit/uri.h:99:68: error: unknown type name 'CK_INFO'
                                                             const CK_INFO *info);
                                                                   ^
/opt/local/include/p11-kit-1/p11-kit/uri.h:104:68: error: unknown type name 'CK_SLOT_INFO'; did you mean 'CK_SLOT_ID'?
                                                             const CK_SLOT_INFO *slot_info);
                                                                   ^~~~~~~~~~~~
                                                                   CK_SLOT_ID
/opt/local/include/p11-kit-1/p11-kit/uri.h:88:22: note: 'CK_SLOT_ID' declared here
typedef ck_slot_id_t CK_SLOT_ID;
                     ^
/opt/local/include/p11-kit-1/p11-kit/uri.h:113:68: error: unknown type name 'CK_TOKEN_INFO'; did you mean 'CK_TOKEN_INFO_PTR'?
                                                             const CK_TOKEN_INFO *token_info);
                                                                   ^~~~~~~~~~~~~
                                                                   CK_TOKEN_INFO_PTR
/opt/local/include/p11-kit-1/p11-kit/uri.h:83:31: note: 'CK_TOKEN_INFO_PTR' declared here
typedef struct ck_token_info *CK_TOKEN_INFO_PTR;
                              ^
/opt/local/include/p11-kit-1/p11-kit/uri.h:134:68: error: unknown type name 'CK_ATTRIBUTE'; did you mean 'CK_ATTRIBUTE_PTR'?
                                                             const CK_ATTRIBUTE *attrs,
                                                                   ^~~~~~~~~~~~
                                                                   CK_ATTRIBUTE_PTR
/opt/local/include/p11-kit-1/p11-kit/uri.h:85:30: note: 'CK_ATTRIBUTE_PTR' declared here
typedef struct ck_attribute *CK_ATTRIBUTE_PTR;
                             ^
4 errors generated.
make[4]: *** [verify-high2.lo] Error 1

Apparently CK_INFO, CK_TOKEN_INFO, and CK_ATTRIBUTE (and CK_SLOT_INFO even-though not called out here) are no longer properly declared.

Currently the manpages of p11-kit mention:

       Please send bug reports to either the distribution bug tracker or the upstream bug tracker at
       https://bugs.freedesktop.org/enter_bug.cgi?product=p11-glue&component=p11-kit.

They should refer to the github site instead.

This is continuation of OpenSC/libp11#156

@nmav I'm already using the latest p11-kit with latest centos 7. I did a yum update and no new updates. Or do you suggest I uninstall that and build my own from github? I know there are a few other centos packages dependent on p11-kit. If I replace it with latest from github, will they be compatible ?

When building p11-kit on Solaris 11.3/i86 using GCC 4.9.4, compilation fails with

CC common/lexer.lo
CC common/message.lo
In file included from /usr/include/sys/types.h:12:0,
from common/compat.h:40,
from common/message.c:46:
/opt/pkg-gcc/4.9.4/lib/gcc/i386-pc-solaris2.11/4.9.4/include-fixed/sys/feature_tests.h:367:2: error: #error "Compiler or options invalid; UNIX 03 and POSIX.1-2001 applications require the use of c99"
#error "Compiler or options invalid; UNIX 03 and POSIX.1-2001 applications
^
gmake[2]: *** [common/message.lo] Error 1

Passing '-std=c99' via CFLAGS results in

/opt/pkg-gcc/4.9.4/lib/gcc/i386-pc-solaris2.11/4.9.4/include-fixed/sys/feature_tests.h:363:2: error: #error "Compiler or options invalid for pre-UNIX 03 X/Open applications and pre-2001 POSIX applications"
#error "Compiler or options invalid for pre-UNIX 03 X/Open applications \

p11-kit fails to build with this error:

FAILED: p11-kit/p11-kit-server-testable 
ccache cc  -o p11-kit/p11-kit-server-testable 'p11-kit/077403d@@p11-kit-server-testable@exe/server.c.o' -Wl,--no-undefined -Wl,--as-needed -O2 -g -m64 -mtune=generic -Wl,--start-group p11-kit/libp11-kit-testable.a common/libp11-common.a common/libp11-library.a common/libp11-tool.a /usr/lib/libsystemd.so /usr/lib/libffi.so -ldl -Wl,--end-group '-Wl,-rpath,$ORIGIN/:$ORIGIN/../common' -Wl,-rpath-link,/ostbuild/source/p11-kit/_build/p11-kit:/ostbuild/source/p11-kit/_build/common 
common/libp11-library.a(library.c.o): In function `p11_library_init_impl':
/ostbuild/source/p11-kit/_build/../common/library.c:163: undefined reference to `pthread_atfork'
collect2: error: ld returned 1 exit status

Using the Meson build. The common library does not depend on pthreads, even if it uses pthreads API.

It appears that p11-kit fails to label built-in trust anchors in a way that Chromium recognizes as built-in. This causes Chromium to consider all trust anchors as user-defined, which causes problems because user-defined trust anchors are exempt from HPKP while built-in trust anchors aren't supposed to be. This can be tested via https://projects.dm.id.lv/Public-Key-Pins_test (Chromium fails the test when p11-kit is in use).

Arch Linux currently patches p11-kit for this; their patch is at https://git.archlinux.org/svntogit/packages.git/tree/trunk/libnssckbi-compat.patch?h=packages/p11-kit . Would p11-kit be interested in merging Arch Linux's patch?

Summary: 2 problems in test-managed.c when running "make check".

When running:

make check

the test "test_max_session_load" fails, first, because it attempts to
register 10 + P11_VIRTUAL_MAX_FIXED modules, while fixed_closures[] contains
only P11_VIRTUAL_MAX_FIXED cells (see in p11-kit/virtual.c) and trying to
store more than this limit will lead to a NULL result rejected by the function
p11_virtual_wrap_fixed (see p11-kit/virtual.c).

In the process of investigation this issue, I also found that a call
to p11_module_release_inlock_reentrant() seems missing in the function
test_initialize_fail() in test-managed.c. At the end of test_initialize_fail()
a cleanup is necessary to ensure that the cells in the array fixed_closures
(see p11-kit/virtual.c) are freed before the next test is run.

The attached patch addresses the missing cleanup function and shows that,
assuming one does not try to register more than P11_VIRTUAL_MAX_FIXED modules,
the test passes.

Local config:

• uname -a
  [...] Darwin Kernel Version 15.6.0: Thu Jun 21 20:07:40 PDT 2018; root:xnu-3248.73.11~1/RELEASE_X86_64 x86_64

• call to configure:
  ./configure --without-libffi --without-libtasn1 --without-gtk-doc --without-xlstproc --without-freebl3 --enable-doc=no --with-system-config=/usr/local/etc -enable-debug

No problem encountered while running configure, nor while compiling
through make.

test-managed.diff.txt

on Raspbian

sudo trust anchor MyCRT.crt 

errors

p11-kit: no configured writable location to store anchors

Improving the error to suggest pointers to a solution may be a worthwhile interim fix

I'm trying to find documented on the p11-kit website or github repo the pgp key used to generate the release signatures for p11-kit.

Sorry if i've missed an obvious link somewhere :(

When two certificates are put into /etc/pki/ca-trust/source/anchors which are different but have the same subject, only one of the two gets added to /etc/pki/ca-trust/extracted/java/cacerts by update-ca-trust (p11-kit).

Use case:
Root - 8 years validity
Intermediate - 4 years validity
Issued certificate - 2 years validity

To make sure the intermediate CA keeps issuing certificates which are valid for two years, its signing certificate has to be replaced at half of its validity period. In this use case a new intermediate certificate has been put in the issuing (intermediate) CA with the same subject as the old one and hence forward all newly issued certificates are signed with this new intermediate certificate. Obviously, all certificates signed with the previous intermediate certificate continue to be trusted.

p11-kit cannot deal with two (or more, but our CA isn't that old yet) valid root certificates with the same subject (or rather CN) when it comes to the central Java keystore.

github offers web pages, which could be used to automate (or at least include as part of release process), the generation of manual pages. That is for consideration only if the current p11-glue.freedesktop.org is not auto-generated.

• https://pages.github.com/
• https://gist.github.com/cobyism/4730490

Since 0.23.13, PKG_CHECK_VAR was introduced, but it fails on most older os version.
Do you plan to consider adding a PKG_CHECK_VAR.m4 to make the source compatible with older os.

the pwd.h included in commit 44c67d9 breaks MinGW build as there is no pwd.h in MinGW

Hi,
Please refer to [1], the date validation is failing because mktime() modify the struct tm based on daylight settings in some timezone, in our case Europe/Dublin, as mktime() is using local time.
I do not fully understand the test done at this[2] location, why is it not sufficient to check (time_t)-1 result of mktime(), I would have just remove it... as construction of dates in PKCS#11 should be UTC anyway.
An option is to use timegm() or _mkgmtime() in Windows, however, it is not that relevant as I do not see any mktime() usage within the core code, so it is not that we need to test the behavior of mktime() compared of what expected.
I suggest to remove this.
Thanks!

[1] https://bugs.gentoo.org/show_bug.cgi?id=688460
[2] https://github.com/p11-glue/p11-kit/blob/master/trust/builder.c#L263

This "Improve const correctness for P11KitUri" commit appears to break compilation of gnutls due to use of CRYPTOKI_GNU.

When trying to install p11-kit 0.23.11 using brew I have the following error:

==> ./configure --disable-silent-rules --disable-trust-module --prefix=/Volumes/diskE/Users/kakawait/.homebrew/Cellar/p11-kit/0.23.11 --sysconfdir=/Volumes/diskE/Users/kakawait/.homebrew/etc --with-module-config=/Volumes/diskE/Users/kakawait/.homebrew/etc/pkcs11/modules --without-libtas
==> make
==> make check
Last 15 lines from /Volumes/diskE/Users/kakawait/Library/Logs/Homebrew/p11-kit/03.make:
# PASS:  515
# SKIP:  0
# XFAIL: 0
# FAIL:  1
# XPASS: 0
# ERROR: 0
============================================================================
See ./test-suite.log
Please report to https://github.com/p11-glue/p11-kit/issues
============================================================================
make[4]: *** [test-suite.log] Error 1
make[3]: *** [check-TESTS] Error 2
make[2]: *** [check-am] Error 2
make[1]: *** [check-recursive] Error 1
make: *** [check] Error 2

READ THIS: https://docs.brew.sh/Troubleshooting

You can find more information inside attached file
make.txt

I'm not totally sure if it's more Homebrew or p11-kit issue, feel free to close it if is not directly related to p11-kit itself

Several Git tags did not survive the move to the new repository:

0.18.4
0.18.5
0.18.6
0.18.7
0.20.7

These should probably be re-pushed.

Currently we use C preprocessor macros to rename symbols/types/struct members in pkcs11.h to match the GNU coding style. These are a bit intrusive and prone to cause name conflicts.

Instead, it would be nice to generate a separate header, say pkcs11-gnu.h, from the header using non-GNU convention at compile time.

Then it could be included from pkcs11.h if the GNU convention is enabled.

See https://bugzilla.redhat.com/show_bug.cgi?id=1665172

Hi,

I'm using p11-kit-proxy in Fedora 28 to make Firefox work with system wide pkcs11 proprietary modules. I have a proprietarylib.so in a proprietaryconfig.module file and works nicely in all p11-kit supported apps. For NSS is well known that Firefox is not using the pkcs11.txt from /etc/pki/nssdb, then so far I was replacing libnssckbi.so with the p11-kit-proxy replacement as the documentation was suggesting:

sudo alternatives --install /usr/lib64/libnssckbi.so libnssckbi.so.x86_64 /usr/lib64/p11-kit-proxy.so 50
sudo alternatives --auto libnssckbi.so.x86_64

With the latest p11-kit update in Fedora, which adds the disable-in: p11-kit-proxy change in p11-kit-trust.module, Firefox won't trust any HTTPS site anymore. It works by commenting out this line as a workaround in the meanwhile. However, is this issue on purpose or an unexpected side effect? I'm aware of upcoming improvements targeted for Fedora 29, if they are related somehow.

Thanks.

The last 'stable' release I can find is dated October 2014. Have you dropped the stable/devel designations?

While docbook seems to have some leverage with gnome, it is phased out as a documentation format in favor of simpler forms such as markdown. I find that such a move would simplify the update/addition of new documentation pages.

After the commit common: Don't rely on issetugid() when it is broken when we try to compile p11-kit for musl libc cross target architectures, running the brokenness test fails for obvious reasons. For glibc cross targets that test is not run.

Instead of patching away the test in configure.ac, which we would need to do, it'd be good to have a configure option like --with-issetugid-openbsd[=yes|no] to tell configure to not run that test but just add or not add #define HAVE_ISSETUGID_OPENBSD 1 accordingly.

Hello,
CKM_CAMELLIA_KEY_GEN is #defined twice in pkcs11.h.

Version: p11-kit 0.23.14

cu Andreas

I'm trying to build P11-kit on IRIX so I can build gnutls. However, it's giving me this error when I compile it. I've tried it with both MIPSPro (SGI's proprietary compiler) and GCC with no such luck. As I understand this also happens on AIX.

Is there anyway I can get this to work?

Any help is appreciated!

bash-4.3$ gmake
gmake all-recursive
gmake[1]: Entering directory /usr/people/wfisher/p11-kit-0.23.3' Making all in . gmake[2]: Entering directory /usr/people/wfisher/p11-kit-0.23.3'
CC common/compat.lo
common/compat.c: In function 'getprogname':
common/compat.c:118:3: error: #error No way to retrieve short program name
common/compat.c: In function 'strerror_r':
common/compat.c:854:3: error: #error no strerror_r implementation
common/compat.c: In function 'fdwalk':
common/compat.c:894:8: warning: implicit declaration of function 'dirfd' [-Wimplicit-function-declaration]
common/compat.c:894:8: warning: nested extern declaration of 'dirfd' [-Wnested-externs]
common/compat.c: In function 'strerror_r':
common/compat.c:856:1: warning: control reaches end of non-void function [-Wreturn-type]
gmake[2]: *** [common/compat.lo] Error 1
gmake[2]: Leaving directory /usr/people/wfisher/p11-kit-0.23.3' gmake[1]: *** [all-recursive] Error 1 gmake[1]: Leaving directory /usr/people/wfisher/p11-kit-0.23.3'
gmake: *** [all] Error 2

Just letting you know of a bug filed and fixed at: http://gnats.netbsd.org/53387

Essentially

assertion "type == AT_SECURE" failed: file "common/compat.c", line 801,
function "getauxval"
[1]   Abort trap (core dumped) scanimage

Fixed with the first section of: http://cdn.netbsd.org/pub/pkgsrc/current/pkgsrc/security/p11-kit/patches/patch-common_compat.c

Although it is still in the "Draft" state, it would be nice to prepare for the upcoming changes in PKCS#11 3.0, in particular the new entry point functions (C_GetInterface, etc).

https://www.oasis-open.org/committees/documents.php?wg_abbrev=pkcs11&show_descriptions=yes

Hello,

this is https://bugs.debian.org/914199 submitted by Sam Morris:
XXXXXXXX Quote
$ grep BEGIN /etc/ssl/certs/ca-certificates.crt | wc -l
154

$ trust list; echo $0
0

That's from p11-kit 0.23.14-2. If I use the version from stable there is at
least a clue that something is amiss:

# trust list; echo $?
p11-kit: ca-certificates.crt: BEGIN ...: pem block before p11-kit section header
p11-kit: ca-certificates.crt: BEGIN ...: pem block before p11-kit section header
0

It turns out that, in-between the PEM-encoded certificates in
ca-certificates.crt, I have some lines:

...
-----END CERTIFICATE-----
# This file was created by IPA. Do not edit.

[p11-kit-object-v1]
class: certificate
certificate-type: x-509
certificate-category: authority
label: "CN%3Dipa-CA%2CDC%3Dipa%2CDC%3Dexample%2CDC%3Dcom"
subject: "..."
issuer: "..."
serial-number: "..."
x-public-key-info: "..."
trusted: true
-----BEGIN CERTIFICATE-----
...

These are in turn taken from the file that ipa-client-install dropped into
/usr/local/share/ca-certificates/ipa-ca.crt.

IMO p11-kit should treat these extra lines as comments since other tools
(openssl, gnutls) are perfectly happy to ignore them.

It would also be nice if it printed some more useful output to help users
debug issues such as these, and not exit with status 0 if problems are
detected. :)
XXXXXXXX End Quote

On Debian p11-kit is configured with --with-trust-paths=/etc/ssl/certs/ca-certificates.crt. Looking at the documentation for the trust module https://p11-glue.github.io/p11-glue/p11-kit/manual/trust-module.html afaict p11-kit should indeed interpret these as RFC 7468 PEM files, ignoring anything outside BEGIN/END markers.

hi. i'm trying to install p11-kit 0.23.10 on OS X 10.11.6 via homebrew and it is failing. 0.23.9 installed successfully using the same method.

see Homebrew/homebrew-core/issues/26703 and https://gist.github.com/rajiv/7a2d79848c9e1841aaf2643e08727738

in p11-kit/test-server.sh.log

p11-kit: 'strlen (address) < sizeof (sa.sun_path)' not true at create_socket
FAIL p11-kit/test-server.sh (exit status: 1)

i can even replicate this manually in the debug shell:

bash-3.2$ export abs_top_builddir=`pwd`
bash-3.2$ bash -x ./p11-kit/test-server.sh 
+ testdir=/Volumes/black/Users/rajiv/tmp/p11-kit-20180422-38762-1mx8pvd/p11-kit-0.23.10/test-server-72884
+ test -d /Volumes/black/Users/rajiv/tmp/p11-kit-20180422-38762-1mx8pvd/p11-kit-0.23.10/test-server-72884
+ mkdir /Volumes/black/Users/rajiv/tmp/p11-kit-20180422-38762-1mx8pvd/p11-kit-0.23.10/test-server-72884
+ trap cleanup 0
+ cd /Volumes/black/Users/rajiv/tmp/p11-kit-20180422-38762-1mx8pvd/p11-kit-0.23.10/test-server-72884
+ unset P11_KIT_SERVER_ADDRESS
+ unset P11_KIT_SERVER_PID
+ XDG_RUNTIME_DIR=/Volumes/black/Users/rajiv/tmp/p11-kit-20180422-38762-1mx8pvd/p11-kit-0.23.10/test-server-72884
+ export XDG_RUNTIME_DIR
+ /Volumes/black/Users/rajiv/tmp/p11-kit-20180422-38762-1mx8pvd/p11-kit-0.23.10/p11-kit-server -s --provider /Volumes/black/Users/rajiv/tmp/p11-kit-20180422-38762-1mx8pvd/p11-kit-0.23.10/.libs/mock-one.so pkcs11:
+ test 1 -ne 0
+ cat start.err
p11-kit: 'strlen (address) < sizeof (sa.sun_path)' not true at create_socket
+ exit 1
+ cleanup
+ rm -rf /Volumes/black/Users/rajiv/tmp/p11-kit-20180422-38762-1mx8pvd/p11-kit-0.23.10/test-server-72884

The current implementation of vendor attributes in PKCS#11 URI uses a dictionary, which makes the output unpredictable and forbids duplication of vendor query attributes. Remove the use of the dictionary and rewrite it using an array, as in the NSS implementation:
https://github.com/nss-dev/nss/blob/master/lib/util/pkcs11uri.c

libtool: compile:  clang -DHAVE_CONFIG_H -I. -I. -I./common -DBINDIR=\"/usr/local/Cellar/p11-kit/0.23.8/bin\" -DBUILDDIR=\"/private/tmp/p11-kit-20170815-64820-14apsw1/p11-kit-0.23.8\" -DDATA_DIR=\"/usr/local/Cellar/p11-kit/0.23.8/share\" -DPRIVATEDIR=\"/usr/local/Cellar/p11-kit/0.23.8/libexec/p11-kit\" -DSRCDIR=\"/private/tmp/p11-kit-20170815-64820-14apsw1/p11-kit-0.23.8\" -DSYSCONFDIR=\"/usr/local/etc\" -DP11_KIT_FUTURE_UNSTABLE_API -g -O2 -g -Wall -Wstrict-prototypes -Wmissing-declarations -Wmissing-prototypes -Wnested-externs -Wpointer-arith -Wdeclaration-after-statement -Wformat=2 -Winit-self -Waggregate-return -Wno-missing-format-attribute -fno-strict-aliasing -fno-common -Wmissing-include-dirs -Wundef -c common/debug.c  -fno-common -DPIC -o common/.libs/debug.o
common/compat.c:498:6: error: use of undeclared identifier 'SIZE_MAX'
        if (SIZE_MAX / nmemb < size) {
            ^
1 error generated.
make[2]: *** [common/compat.lo] Error 1
make[2]: *** Waiting for unfinished jobs....
libtool: compile:  clang -DHAVE_CONFIG_H -I. -I. -I./common -DBINDIR=\"/usr/local/Cellar/p11-kit/0.23.8/bin\" -DBUILDDIR=\"/private/tmp/p11-kit-20170815-64820-14apsw1/p11-kit-0.23.8\" -DDATA_DIR=\"/usr/local/Cellar/p11-kit/0.23.8/share\" -DPRIVATEDIR=\"/usr/local/Cellar/p11-kit/0.23.8/libexec/p11-kit\" -DSRCDIR=\"/private/tmp/p11-kit-20170815-64820-14apsw1/p11-kit-0.23.8\" -DSYSCONFDIR=\"/usr/local/etc\" -DP11_KIT_FUTURE_UNSTABLE_API -g -O2 -g -Wall -Wstrict-prototypes -Wmissing-declarations -Wmissing-prototypes -Wnested-externs -Wpointer-arith -Wdeclaration-after-statement -Wformat=2 -Winit-self -Waggregate-return -Wno-missing-format-attribute -fno-strict-aliasing -fno-common -Wmissing-include-dirs -Wundef -c common/dict.c  -fno-common -DPIC -o common/.libs/dict.o
make[1]: *** [all-recursive] Error 1
make: *** [all] Error 2

https://jenkins.brew.sh/job/Homebrew%20Core%20Pull%20Requests/6619/version=sierra/testReport/junit/brew-test-bot/sierra/install_p11_kit/

RE: Homebrew/homebrew-core#16823

Commit efe6dc5 broke --disable-debug build:

libtool: link: x86_64-pc-linux-gnu-gcc -march=native -mtune=native -O2 -pipe -Wa
ll -Wstrict-prototypes -Wmissing-declarations -Wmissing-prototypes -Wnested-exte
rns -Wpointer-arith -Wdeclaration-after-statement -Wformat=2 -Winit-self -Waggre
gate-return -Wno-missing-format-attribute -fno-strict-aliasing -fno-common -Wmis
sing-include-dirs -Wundef -Wl,-O1 -Wl,--hash-style=gnu -Wl,--sort-common -Wl,--a
s-needed -o p11-kit/.libs/p11-kit p11-kit/lists.o p11-kit/p11-kit.o  ./.libs/lib
p11-kit.so -L/usr/lib64/../lib64 -lffi ./.libs/libp11-tool.a ./.libs/libp11-comm
on.a -ldl -lpthread
./.libs/libp11-kit.so: undefined reference to `p11_debug'
collect2: error: ld returned 1 exit status
make[2]: *** [Makefile:2328: p11-kit/p11-kit] Error 1
make[2]: Leaving directory '/var/tmp/portage/app-crypt/p11-kit-0.23.8_pre/work/p
11-kit-0.23.8-abi_x86_64.amd64'
make[1]: *** [Makefile:3894: all-recursive] Error 1
make[1]: Leaving directory '/var/tmp/portage/app-crypt/p11-kit-0.23.8_pre/work/p
11-kit-0.23.8-abi_x86_64.amd64'
make: *** [Makefile:1750: all] Error 2

because the commit removed #define p11_debug(... from common/debug.h file.
Simple fix:

--- p11-kit-0.23.8/common/debug.h
+++ p11-kit-0.23.8/common/debug.h
@@ -144,6 +144,10 @@
 
 #else /* !defined (WITH_DEBUG) */
 
+#undef p11_debug
+#define p11_debug(format, ...) \
+       do {} while (false)
+
 #undef p11_debug_err
 #define p11_debug_err(errnum, format, ...) \
        do {} while (false)

common/debug.c:77:8: error: unknown type name 'locale_t'

https://jenkins.brew.sh/job/Homebrew%20Core%20Pull%20Requests/24732/version=high_sierra/console

You need to use

#include <xlocale.h>

on macOS.

See for example
https://lists.freedesktop.org/archives/mesa-dev/2014-August/066248.html
mpv-player/mpv#5108

The affected sites

./common/debug.c:#include <locale.h>
./common/library.c:#include <locale.h>
./common/message.c:#include <locale.h>
./common/test-message.c:#include <locale.h>

I have been looking at the ca-certificate story for flatpak. Currently each runtime ships a ca-certificatates bundle and is set up to use that. However, that is basically wrong, what we want to do is expose the ca-certs from the host (in a read-only fashion). I looked into exporting the raw files, but it seems like every distro is doing things in their own way, so this seems pretty painful.

Instead we could rely on the host shipping with p11-kit, and bind-mount a unix socket into the sandbox in a well known location (this is how we expose X11/wayland/pulseaudio too). Then the runtime/apps could be configured with modules to get ca:s from there.

Would this be a reasonable approach? And would it work for both OpenSSL and gnutls? Does it work already, or does it require any p11-kit work?

Now that the "Default Trust" token is marked as read-only, it would be possible to speed up certificate lookup by certain attributes, by filtering false-negatives early using a bloom filter. Maybe we could add a tool to output the filter into a file, and let the token load it.

I reported this p11-kit related issue to the Chromium team but they stated that the issue needs to be fixed in p11-kit because it is loaded into Chromium. Here's the bug report I filed with them:

https://bugs.chromium.org/p/chromium/issues/detail?id=944529

Steps to reproduce the problem:

1. Set any CA certificate installed under /etc/ca-certificates/trust-source/anchors/ to only be readable by root.

2. Start Chromium and observe constant errors like:
   p11-kit: 'ret >=0' not true at loader_load_directory

Running "trust list" will show a similar error.

3. Continue using Chromium as usual. Within about half to a full day, Chromium will crash with a warning like:

WARNING:shared_memory_posix.cc(386)] Shared memory creation failed; out of file descriptors

At the point, the browser becomes unresponsive with the current tab not reacting. Shortly thereafter, Chromium crashes.

What is the expected behavior?
Chromium should not run out of file descriptors on a system with normal limits such as the 1024 file descriptor limit that is normal for most Linux distributions and was configured on my system.

What went wrong?
It looks like there is some error path being hit in p11-kit within Chromium that is causing a file descriptor leak. Once I fix permissions on the bad certificate, the file descriptor limit is not exceeded and Chromium does not crash.

It’s been more than a year without pulling updated translations from Transifex. It would be great if it could be made a part of the release process.

All other .po files seem to be there, but not these two. Probably they should be committed? We (the yocto project) are running into build issues because of it.

When an application calls C_Initialize() in the proxy module, the proxy calls C_GetSlotList() in all of the p11-kit modules and assigns each slot a "wrapped" slot ID. The proxy never checks for new slots in the p11-kit modules after this; it always returns the same slots whenever the application calls C_GetSlotList(). (However the proxy will filter the returned slot list if the tokenPresent parameter is TRUE; to do this it will call C_GetSlotInfo() for each slot to determine if a token is present.)

Although this is valid behavior in PKCS#11, it imposes a usability limitation that does not exist if the individual PKCS#11 modules (such as OpenSC) are installed directly in the NSS database instead.

For example, if Firefox and/or Thunderbird are open, and the user now plugs in a Yubikey or attaches the laptop to a docking station connected to a USB keyboard with a smart card reader, these will not be usable by Firefox or Thunderbird via the proxy until those applications are completely closed and re-opened.

Hi there,

I was following a tutorial for smart card forwarding using the p11-kit tooling. (Specifically https://access.redhat.com/blogs/766093/posts/3248871)

It looks like p11-kit-client.so is provided by the p11-kit-server package.

My dev remote host is Centos 7.6 and I couldn't find a release rpm of p11-kit-server for Centos 7, only Fedora. Is this expected because of some dependent library being too old?

Is there an alternative approach when the remote host is CentOS7?

Thanks

Currently, all calls to C_WaitForSlotEvent() in the proxy module return CKR_FUNCTION_NOT_SUPPORTED.

While blocking calls might not be practical to handle, is anything known that would prevent non-blocking calls from being handled correctly (where CKF_DONT_BLOCK is set in flags)?

Some applications appear not to work if the PKCS#11 module cannot handle non-blocking C_WaitForSlotEvent(). In particular I have noticed this with VMware Horizon Client for Linux.

When using a multi-slot token, there is no way to limit the access to some of the tokens when using an application like ssh or ssh-agent. Although, eventually, some of these applications might get native p11 support that would allow them to request for an specific URI, a much more straightforward approach would be to implement a URI filter feature in p11-proxy. The idea would be to retrieve the URI pattern from an environment variable and filter the result of the proxy according to that pattern.

If you use a project like ssh-ident (I am writing a patch for adding pkcs11 support), this would allow to have different ssh agents accessing different slots in a single token to enhance overall security.

Moving to github is fine, but a note on https://p11-glue.freedesktop.org/p11-kit.html advising that would be nice; otherwise, it looks like the last release is 0.23.2.

The code assumes that when strerror_l exists, uselocale must also exist. That is wrong on at least NetBSD.
Please check for uselocale separately.

See
https://github.com/p11-glue/p11-kit/blob/master/common/debug.c#L165
and
https://github.com/p11-glue/p11-kit/blob/master/common/message.c#L121

The jks tests fail if SOURCE_DATE_EPOCH is set, e.g. SOURCE_DATE_EPOCH=1548112693.

FAIL: test-jks 1 /jks/test_file_multiple
# test-jks: File contents not as expected: /tmp/test-extract.LqiZRh/extract.jks
# test-jks: in test_file_multiple() at test-jks.c:192
FAIL: test-jks 2 /jks/test_file_duplicated
# test-jks: File contents not as expected: /tmp/test-extract.rZEib8/extract.jks
# test-jks: in test_file_duplicated() at test-jks.c:242

p11-kit 0.23.15

If p11_kit_modules_initialize() is called twice from the same thread (I think even if the module is deinnited, but I'm not sure), it will miss most child modules.
This is a problem in, for example, wpa_supplicant, which initializes a new SSL context for each 802.1x exchange.

This problem occurs because when p11-kit is deinitted, it (correctly) doesn't deinit its children. And when it's initting modules in a new context, they (correctly) return CKR_CRYPTOKI_ALREADY_INITIALIZED

Note that this doesn't happen when the p11_kit_modules_initialize() calls are in different threads, because p11-kit explicitly detects this case.

I have a patch for this; I'm in the process of filing a PR for it :-)