[gnutls-devel] GnuTLS | p11tool --initialize-so-pin does not change so pin but initializes user pin (#561)
Development of GNU's TLS library
gnutls-devel at lists.gnutls.org
Thu Sep 13 00:44:45 CEST 2018
New Issue was created.
Issue 561: https://gitlab.com/gnutls/gnutls/issues/561
Author: Patrick Steuer
Assignee:
## Description of problem:
Hello gnutls team,
I have some problems with p11tool's --initialize-so-pin and --initialize-pin options:
I configured opencryptoki as pkcs11 provider using a p11-kit config file /etc/pkcs11/modules/opencryptoki.module.
I initialized the token as follows:
```
p11tool --list-tokens
Token 0:
URL: pkcs11:model=IBM%20SoftTok;manufacturer=IBM%20Corp.;serial=123;token=IBM%20OS%20PKCS%2311
Label: IBM OS PKCS#11
Type: Generic token
Flags: RNG, Requires login, Uninitialized, uPIN uninitialized
Manufacturer: IBM Corp.
Model: IBM SoftTok
Serial: 123
Module: /usr/local/lib/opencryptoki/libopencryptoki.so
p11tool --initialize --label="swtok" pkcs11:model=IBM%20SoftTok;manufacturer=IBM%20Corp.;serial=123;token=IBM%20OS%20PKCS%2311
Enter Security Officer's PIN: (INPUT: 87654321, "default so pin")
Initializing token... done
Token was successfully initialized; use --initialize-pin and --initialize-so-pin to set or reset PINs
p11tool --list-tokens
Token 0:
URL: pkcs11:model=IBM%20SoftTok;manufacturer=IBM%20Corp.;serial=123;token=swtok
Label: swtok
Type: Generic token
Flags: RNG, Requires login, uPIN uninitialized
Manufacturer: IBM Corp.
Model: IBM SoftTok
Serial: 123
Module: /usr/local/lib/opencryptoki/libopencryptoki.so
```
After initialization, the token has the default pin (87654321) and so the CKF_SO_PIN_TO_BE_CHANGED flag is set.
The flag is not shown in the --list-tokens output, but when i activated p11-kit's log-calls (pkcs11.conf(5)), I
could see it is actually set. Next i tried to change the so pin using --initialize-so-pin. When i set the
default so pin using the environment variable (GNUTLS_SO_PIN=87654321), i could not even enter a new so pin,
it just says "Setting token's user PIN...". The debug trace shows a successfull login using the default so pin
and initializing the user pin (C_InitPIN) to the same value (87654321):
```
GNUTLS_SO_PIN=87654321 p11tool --initialize-so-pin pkcs11:model=IBM%20SoftTok;manufacturer=IBM%20Corp.;serial=123;token=swtok
C_Initialize
IN: pInitArgs = NULL
C_Initialize = CKR_OK
C_GetInfo
OUT: pInfo = {
cryptokiVersion: 2.20
manufacturerID: "IBM"
flags: 0
libraryDescription: "Meta PKCS11 LIBRARY"
libraryVersion: 3.10
}
C_GetInfo = CKR_OK
Setting token's user PIN...
C_GetSlotList
IN: tokenPresent = CK_TRUE
IN: pulCount = 0x3FFDD67DE28 = 48
OUT: pSlotList = (1) [ SL3 ]
C_GetSlotList = CKR_OK
C_GetTokenInfo
IN: slotID = SL3
OUT: pInfo = {
label: "swtok"
manufacturerID: "IBM Corp."
model: "IBM SoftTok"
serialNumber: "123"
flags: 8389709 = CKF_RNG | CKF_LOGIN_REQUIRED | CKF_USER_PIN_INITIALIZED | CKF_CLOCK_ON_TOKEN | CKF_TOKEN_INITIALIZED | CKF_SO_PIN_TO_BE_CHANGED
ulMaxSessionCount: 18446744073709551614
ulSessionCount: 0
ulMaxRwSessionCount: 18446744073709551614
ulRwSessionCount: 18446744073709551615
ulMaxPinLen: 8
ulMinPinLen: 4
ulTotalPublicMemory: 18446744073709551614
ulFreePublicMemory: 18446744073709551614
ulTotalPrivateMemory: 18446744073709551614
ulFreePrivateMemory: 18446744073709551614
ulFreePrivateMemory: 18446744073709551614
hardwareVersion: 1.0
firmwareVersion: 1.0
utcTime: 2018091222592200
}
C_GetTokenInfo = CKR_OK
C_GetSlotInfo
IN: slotID = SL3
OUT: pInfo = {
slotDescription: "Linux"
manufacturerID: "IBM"
flags: 1 = CKF_TOKEN_PRESENT
hardwareVersion: 0.0
firmwareVersion: 0.0
}
C_GetSlotInfo = CKR_OK
C_OpenSession:wa
IN: slotID = SL3
IN: flags = 6 = CKF_SERIAL_SESSION | CKF_RW_SESSION
IN: pApplication = NULL
IN: Notify = NULL
OUT: phSession = 0x3FFDD67E1D8 = S1
C_OpenSession = CKR_OK
C_GetSessionInfo
IN: hSession = S1
OUT: pInfo = {
slotID: SL3
state: CKS_RW_PUBLIC_SESSION
flags: 6 = CKF_SERIAL_SESSION | CKF_RW_SESSION
ulDeviceError: 0
}
C_GetSessionInfo = CKR_OK
C_Login
IN: hSession = S1
IN: userType = CKU_SO
IN: pPin = (8) "87654321"
C_Login = CKR_OK
C_InitPIN
IN: hSession = S1
IN: pPin = (8) "87654321"
C_InitPIN = CKR_OK
C_CloseSession
IN: hSession = S1
C_CloseSession = CKR_OK
C_Finalize
IN: pReserved = NULL
C_Finalize = CKR_OK
```
Next thing i tried is changing the so pin without having the environment variable set. In that case
i was asked to enter a new so pin ("Enter Administrators's new PIN") and entered a pin different from
the default so pin. However, the debug trace still shows a successful login using the default so pin
and afterwards initializes the user pin to the same value:
```
p11tool --initialize-so-pin pkcs11:model=IBM%20SoftTok;manufacturer=IBM%20Corp.;serial=123;token=swtok
C_Initialize
IN: pInitArgs = NULL
C_Initialize = CKR_OK
C_GetInfo
OUT: pInfo = {
cryptokiVersion: 2.20
manufacturerID: "IBM"
flags: 0
libraryDescription: "Meta PKCS11 LIBRARY"
libraryVersion: 3.10
}
C_GetInfo = CKR_OK
Setting token's user PIN...
Enter Administrators's new PIN: (INPUT: 76543210, "new so pin")
C_GetSlotList
IN: tokenPresent = CK_TRUE
IN: pulCount = 0x3FFEC77E0A8 = 48
OUT: pSlotList = (1) [ SL3 ]
C_GetSlotList = CKR_OK
C_GetTokenInfo
IN: slotID = SL3
OUT: pInfo = {
label: "swtok"
manufacturerID: "IBM Corp."
model: "IBM SoftTok"
serialNumber: "123"
flags: 8913989 = CKF_RNG | CKF_LOGIN_REQUIRED | CKF_CLOCK_ON_TOKEN | CKF_TOKEN_INITIALIZED | CKF_USER_PIN_TO_BE_CHANGED | CKF_SO_PIN_TO_BE_CHANGED
ulMaxSessionCount: 18446744073709551614
ulSessionCount: 0
ulMaxRwSessionCount: 18446744073709551614
ulRwSessionCount: 18446744073709551615
ulMaxPinLen: 8
ulMinPinLen: 4
ulTotalPublicMemory: 18446744073709551614
ulFreePublicMemory: 18446744073709551614
ulTotalPrivateMemory: 18446744073709551614
ulFreePrivateMemory: 18446744073709551614
ulFreePrivateMemory: 18446744073709551614
hardwareVersion: 1.0
firmwareVersion: 1.0
utcTime: 2018091222532100
}
C_GetTokenInfo = CKR_OK
C_GetSlotInfo
IN: slotID = SL3
OUT: pInfo = {
slotDescription: "Linux"
manufacturerID: "IBM"
flags: 1 = CKF_TOKEN_PRESENT
hardwareVersion: 0.0
firmwareVersion: 0.0
}
C_GetSlotInfo = CKR_OK
C_OpenSession
IN: slotID = SL3
IN: flags = 6 = CKF_SERIAL_SESSION | CKF_RW_SESSION
IN: pApplication = NULL
IN: Notify = NULL
OUT: phSession = 0x3FFEC77E458 = S1
C_OpenSession = CKR_OK
C_GetSessionInfo
IN: hSession = S1
OUT: pInfo = {
slotID: SL3
state: CKS_RW_PUBLIC_SESSION
flags: 6 = CKF_SERIAL_SESSION | CKF_RW_SESSION
ulDeviceError: 0
}
C_GetSessionInfo = CKR_OK
Token 'swtok' with URL 'pkcs11:model=IBM%20SoftTok;manufacturer=IBM%20Corp.;serial=123;token=swtok' requires security officer PIN
Enter PIN: (INPUT: 87654321, "default so pin")
C_Login
IN: hSession = S1
IN: userType = CKU_SO
IN: pPin = (8) "87654321"
C_Login = CKR_OK
C_InitPIN
IN: hSession = S1
IN: pPin = (8) "87654321"
C_InitPIN = CKR_OK
C_CloseSession
IN: hSession = S1
C_CloseSession = CKR_OK
C_Finalize
IN: pReserved = NULL
C_Finalize = CKR_OK
```
In both cases (instead of changing the so pin) the user pin was initialized (to the default so pin):
```
p11tool --list-tokens
Token 0:
URL: pkcs11:model=IBM%20SoftTok;manufacturer=IBM%20Corp.;serial=123;token=swtok
Label: swtok
Type: Generic token
Flags: RNG, Requires login
Manufacturer: IBM Corp.
Model: IBM SoftTok
Serial: 123
Module: /usr/local/lib/opencryptoki/libopencryptoki.so
```
pkcs11 v2.20 says regarding CKF_SO_PIN_TO_BE_CHANGED (which is set
after the initialization):
> [CKF_SO_PIN_TO_BE_CHANGED:] True if the SO PIN value is the default value set by token initialization or manufacturing, or the PIN has been expired by the card.
> If a PIN is set to the default value, or has expired, the
appropriate CKF_USER_PIN_TO_BE_CHANGED or CKF_SO_PIN_TO_BE_CHANGED
flag is set to true. When either of these flags are true, logging
in with the corresponding PIN will succeed, but only the C_SetPIN
function can be called. Calling any other function that required the
user to be logged in will cause CKR_PIN_EXPIRED to be returned until
C_SetPIN is called successfully.
pkcs11 v2.20 says regarding C_InitPin:
> C_InitPIN initializes the normal user’s PIN.
If the --initialize-so-pin option is meant to change the so pin,
then it should do a C_Login with default so pin and a C_SetPIN
using a new so pin instead of calling C_Login and C_InitPIN both
with default so pin, as it is shown in the debug output above?
Moreover, if the environment variable GNUTLS_SO_PIN is set,
the pin for C_Login and C_InitPIN is read from it, so even if
C_InitPIN could be used to change the so pin, it would always be set
to the same default so pin.
In case the environment variable is not set, both the new pin and
the pin (for login) are read by the getpass function. However, it
seems that function writes to a static buffer such that the
second input (the default so pin for login) overwrites the first
input, since it was not copied at the time it was obtained. So
again, even if C_InitPin could be used to change the so pin,
it would always be set to the same default so pin.
If the --initialize-so-pin option is not meant to change the so pin,
but instead just re-initialize it to its default value, why does
it ask to enter a new admin pin (in case the environment variable is not
set)? Which option should be used to change the so pin i.e., leave the
CKF_SO_PIN_TO_BE_CHANGED state after initialization?
Also, the static buffer problem described above, seems also to affect
the --initialize-pin option:
```
p11tool --initialize-pin pkcs11:model=IBM%20SoftTok;manufacturer=IBM%20Corp.;serial=123;token=swtok
C_Initialize
IN: pInitArgs = NULL
C_Initialize = CKR_OK
C_GetInfo
OUT: pInfo = {
cryptokiVersion: 2.20
manufacturerID: "IBM"
flags: 0
libraryDescription: "Meta PKCS11 LIBRARY"
libraryVersion: 3.10
}
C_GetInfo = CKR_OK
Setting token's user PIN...
Enter User's new PIN: (INPUT: 76543210, "new user pin")
C_GetSlotList
IN: tokenPresent = CK_TRUE
IN: pulCount = 0x3FFE2FFDC28 = 48
OUT: pSlotList = (1) [ SL3 ]
C_GetSlotList = CKR_OK
C_GetTokenInfo
IN: slotID = SL3
OUT: pInfo = {
label: "swtok"
manufacturerID: "IBM Corp."
model: "IBM SoftTok"
serialNumber: "123"
flags: 8913989 = CKF_RNG | CKF_LOGIN_REQUIRED | CKF_CLOCK_ON_TOKEN | CKF_TOKEN_INITIALIZED | CKF_USER_PIN_TO_BE_CHANGED | CKF_SO_PIN_TO_BE_CHANGED
ulMaxSessionCount: 18446744073709551614
ulSessionCount: 0
ulMaxRwSessionCount: 18446744073709551614
ulRwSessionCount: 18446744073709551615
ulMaxPinLen: 8
ulMinPinLen: 4
ulTotalPublicMemory: 18446744073709551614
ulFreePublicMemory: 18446744073709551614
ulTotalPrivateMemory: 18446744073709551614
ulFreePrivateMemory: 18446744073709551614
ulFreePrivateMemory: 18446744073709551614
hardwareVersion: 1.0
firmwareVersion: 1.0
utcTime: 2018091223495800
}
C_GetTokenInfo = CKR_OK
C_GetSlotInfo
IN: slotID = SL3
OUT: pInfo = {
slotDescription: "Linux"
manufacturerID: "IBM"
flags: 1 = CKF_TOKEN_PRESENT
hardwareVersion: 0.0
firmwareVersion: 0.0
}
C_GetSlotInfo = CKR_OK
C_OpenSession
IN: slotID = SL3
IN: flags = 6 = CKF_SERIAL_SESSION | CKF_RW_SESSION
IN: pApplication = NULL
IN: Notify = NULL
OUT: phSession = 0x3FFE2FFDFD8 = S1
C_OpenSession = CKR_OK
C_GetSessionInfo
IN: hSession = S1
OUT: pInfo = {
slotID: SL3
state: CKS_RW_PUBLIC_SESSION
flags: 6 = CKF_SERIAL_SESSION | CKF_RW_SESSION
ulDeviceError: 0
}
C_GetSessionInfo = CKR_OK
Token 'swtok' with URL 'pkcs11:model=IBM%20SoftTok;manufacturer=IBM%20Corp.;serial=123;token=swtok' requires security officer PIN
Enter PIN: (INPUT: 87654321, "default so pin")
C_Login
IN: hSession = S1
IN: userType = CKU_SO
IN: pPin = (8) "87654321"
C_Login = CKR_OK
C_InitPIN
IN: hSession = S1
IN: pPin = (8) "87654321"
C_InitPIN = CKR_OK
C_CloseSession
IN: hSession = S1
C_CloseSession = CKR_OK
C_Finalize
IN: pReserved = NULL
C_Finalize = CKR_OK
```
A work-around for the --initialize-pin option is to provide the default so pin via the corresponding environment variable.
## Version of gnutls used:
gnutls-3.6.2-1.fc28.s390x
gnutls-utils-3.6.2-1.fc28.s390x
## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)
Fedora 28 (on s390x)
## How reproducible:
1. Set up opencryptoki as a pkcs11 provider using a p11-kit config file.
2. Initilize a token: p11tool --initialize --label="<label>" <url>
3. Try to change the default so pin: p11tool --initialize-so-pin <url>
4. See "Description of problem" for more details.
## Actual results:
SO pin is not changed. Instead, user pin is initialized to default SO pin.
## Expected results:
SO pin is changed i.e., the CKF_SO_PIN_TO_BE_CHANGED flag is set to false.
--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/561
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-devel/attachments/20180912/310bd0a6/attachment-0001.html>
More information about the Gnutls-devel
mailing list