[gnutls-devel] GnuTLS | multiple remote PKCS#11 modules not working (#961)

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Fri Mar 27 16:49:38 CET 2020



Marc Kleine-Budde created an issue: https://gitlab.com/gnutls/gnutls/-/issues/961



Hello,

I have two almost identical smartcards (just the serial numbers are different), each one attached via a USB-based smart card reader, on the hosts `certos` and `certos2`. To access them I have these config files in my home:
```
➜ (pts/58) mkl at dude02:~ (master) ✗ cat ~/.config/pkcs11/modules/certos.module
remote: |ssh certos.hi.pengutronix.de p11-kit remote /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
#log-calls: yes

➜ (pts/58) mkl at dude02:~ (master) ✗ cat ~/.config/pkcs11/modules/certos2.module
remote: |ssh certos2.hi.pengutronix.de p11-kit remote /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
#log-calls: yes
```

When I access them via `p11-kit-proxy.so` both are properly detected:

```
➜ (pts/58) mkl at dude02:~ (master) ✗ pkcs11-tool --module /usr/lib/x86_64-linux-gnu/p11-kit-proxy.so -L
Available slots:
Slot 0 (0x10): SCM Microsystems Inc. SPR 532 [Vendor Interface] (60206024) 0...
  token label        : CycurCard   (User PIN)
  token manufacturer : xxx
  token model        : PKCS#15
  token flags        : login required, token initialized, PIN initialized
  hardware version   : 0.0
  firmware version   : 0.0
  serial num         : 244f8b131a1e
  pin min/max        : 6/8
Slot 1 (0x11): Gemalto Gemplus USB SmartCard Reader 433-Swap [CCID Interface...
  (empty)
Slot 2 (0x12): Gemalto Gemplus USB SmartCard Reader 433-Swap [CCID Interface...
  (empty)
Slot 3 (0x13): Gemalto USB GemPCPinpad SmartCard Reader 01 00
  token label        : CycurCard   (User PIN)
  token manufacturer : xxx
  token model        : PKCS#15
  token flags        : login required, token initialized, PIN initialized
  hardware version   : 0.0
  firmware version   : 0.0
  serial num         : 24c8c609160f
  pin min/max        : 4/8
```

However, when using `p11tool`, they are not:
```
➜ (pts/58) mkl at dude02:~ (master) ✗ p11tool --list-token-urls
pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust
pkcs11:model=PKCS%2315;manufacturer=xxx;serial=244f8b131a1e;token=CycurCard%20%20%20%28User%20PIN%29%00%00%00%00%00%00%00%00%00%00
```

I found out that `lib/pkcs11.c` refuses to load two modules with the same info :(
```
        /* initially check if this module is a duplicate */
        for (i = 0; i < active_providers; i++) {
                /* already loaded, skip the rest */
                if (module == providers[i].module ||
                    memcmp(&info, &providers[i].info, sizeof(info)) == 0) {
                        _gnutls_debug_log("p11: module %s is already loaded.\n", name);
                        return GNUTLS_E_INT_RET_0;
                }
        }
```

In my use case the `module` pointers are not the same, but the info is:
```
$14 = {cryptoki_version = {major = 2 '\002', minor = 20 '\024'}, manufacturer_id = "OpenSC Project", ' ' <repeats 18 times>, flags = 0, library_description = "OpenSC smartcard framework      ", library_version = {major = 0 '\000', minor = 20 '\024'}}
```
as both hosts use the same version of p11-kit.

The `memcmp()` on the `info` was added in 12f4abc02e718e2ab0f7ae80b3026a29028536e7 by @nmav; any idea how to work around this check?

regards,
Marc

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/961
You're receiving this email because of your account on gitlab.com.
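To make the failure mode concrete, here is an added, self-contained C model of the duplicate check quoted from `lib/pkcs11.c`. It is not gnutls or p11-kit code: the `ck_info` struct is a constructed stand-in for PKCS#11's `CK_INFO` limited to the fields in the gdb dump, the handles are plain local addresses instead of `dlopen()` results, and `add_provider_info_and_name` is an illustrative alternative check (an assumption about one possible fix, not a change the project has made) that also compares the configured module name before calling two entries duplicates.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for PKCS#11's CK_INFO, reduced to the fields shown
 * in the issue's gdb dump. Text fields are blank padded, not NUL terminated. */
typedef struct { unsigned char major, minor; } ck_version;

typedef struct {
    ck_version cryptoki_version;
    char manufacturer_id[32];
    unsigned long flags;
    char library_description[32];
    ck_version library_version;
} ck_info;

typedef struct {
    const char *name;   /* configured module name, e.g. certos.module */
    void *module;       /* opaque handle, distinct per loaded module */
    ck_info info;
} provider;

#define MAX_PROVIDERS 8
static provider providers[MAX_PROVIDERS];
static int active_providers;

/* Copy src into a fixed-width PKCS#11 text field and pad with spaces. */
static void pad_field(char *dst, size_t n, const char *src)
{
    size_t len = strlen(src);
    if (len > n) len = n;
    memcpy(dst, src, len);
    memset(dst + len, ' ', n - len);
}

/* The CK_INFO that OpenSC reports, as in the issue's gdb output. The struct
 * is zeroed first so that compiler padding bytes do not affect memcmp(). */
ck_info opensc_info(void)
{
    ck_info info;
    memset(&info, 0, sizeof info);
    info.cryptoki_version.major = 2;
    info.cryptoki_version.minor = 20;
    pad_field(info.manufacturer_id, sizeof info.manufacturer_id, "OpenSC Project");
    info.flags = 0;
    pad_field(info.library_description, sizeof info.library_description,
              "OpenSC smartcard framework");
    info.library_version.major = 0;
    info.library_version.minor = 20;
    return info;
}

static int append_provider(const char *name, void *module, const ck_info *info)
{
    if (active_providers == MAX_PROVIDERS) return 0;
    providers[active_providers].name = name;
    providers[active_providers].module = module;
    providers[active_providers].info = *info;
    active_providers++;
    return 1;
}

/* Mirrors the check quoted from lib/pkcs11.c: same handle OR byte-identical
 * CK_INFO means "already loaded". Returns 1 if added, 0 if rejected. */
int add_provider_info_only(const char *name, void *module, const ck_info *info)
{
    for (int i = 0; i < active_providers; i++) {
        if (module == providers[i].module ||
            memcmp(info, &providers[i].info, sizeof *info) == 0) {
            fprintf(stderr, "p11: module %s is already loaded.\n", name);
            return 0;
        }
    }
    return append_provider(name, module, info);
}

/* Illustrative alternative (assumption, not gnutls code): identical CK_INFO
 * only counts as a duplicate when the configured name matches as well, so two
 * remote wrappers of the same library under different names both load. */
int add_provider_info_and_name(const char *name, void *module, const ck_info *info)
{
    for (int i = 0; i < active_providers; i++) {
        if (module == providers[i].module ||
            (strcmp(name, providers[i].name) == 0 &&
             memcmp(info, &providers[i].info, sizeof *info) == 0)) {
            fprintf(stderr, "p11: module %s is already loaded.\n", name);
            return 0;
        }
    }
    return append_provider(name, module, info);
}

/* Reproduce the issue: two remote modules, distinct handles, identical info.
 * Returns how many of the two the given check accepts. */
int count_loaded(int (*add)(const char *, void *, const ck_info *))
{
    static int handle_certos, handle_certos2;   /* distinct addresses as handles */
    ck_info info = opensc_info();
    active_providers = 0;
    int n = 0;
    n += add("certos.module", &handle_certos, &info);
    n += add("certos2.module", &handle_certos2, &info);
    return n;
}

int main(void)
{
    printf("info-only check loads %d of 2 modules\n", count_loaded(add_provider_info_only));
    printf("info+name check loads %d of 2 modules\n", count_loaded(add_provider_info_and_name));
    return 0;
}
```

With the info-only check the second remote module is rejected exactly as the `p11tool --list-token-urls` output shows, because both `p11-kit remote` wrappers forward the same OpenSC `CK_INFO`. A side note for anyone copying the pattern: `memcmp()` over a whole struct also compares compiler padding bytes, which is why the example zeroes the struct before filling it.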



