[gnutls-devel] GnuTLS | PKCS#11 Auto-Initialization Not Working (#1798)

Read-only notification of GnuTLS library development activities <gnutls-devel at lists.gnutls.org>
Sat Feb 14 18:08:39 CET 2026

Claudio Ferreira created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1798

## Context

This issue was discovered while investigating OpenConnect VPN client authentication failures with PKCS#11 tokens.

**OpenConnect issue #835**: "GnuTLS backend does not initialize PKCS#11 modules"
- URL: https://gitlab.com/openconnect/openconnect/-/issues/835
- OpenConnect maintainer (Dimitri Papadopoulos) suggested this is a GnuTLS bug
- OpenConnect calls multiple `gnutls_pkcs11_*()` functions but auto-init doesn't trigger
- Workaround being implemented in OpenConnect pending GnuTLS fix

## Summary

GnuTLS 3.8.12 does not automatically initialize PKCS#11 modules when applications call `gnutls_pkcs11_*()` functions, despite documentation stating that `gnutls_pkcs11_init()` is called automatically since version 3.3.0.

## Environment

- **GnuTLS**: 3.8.12-2
- **p11-kit**: 0.25.10
- **OS**: Debian GNU/Linux Sid
- **Application**: OpenConnect 9.12
- **Token**: G&D StarSign CUT S (SafeSign IC driver)
- **Certificate**: ICP-Brasil A3

## Expected Behavior

According to GnuTLS documentation:

> Since GnuTLS 3.3.0 this function is no longer necessary to be explicitly called. It is being called during the first request PKCS 11 operation.

When an application calls `gnutls_pkcs11_*()` functions (e.g., when processing a PKCS#11 URI), GnuTLS should automatically initialize PKCS#11 modules.

## Actual Behavior

PKCS#11 modules are **not** initialized automatically. Applications must explicitly call `gnutls_pkcs11_init()` or PKCS#11 operations fail silently.

## Reproduction

### Test Case 1: OpenConnect (Real-World Application)

OpenConnect calls multiple `gnutls_pkcs11_*()` functions when processing PKCS#11 URIs, but PKCS#11 modules are never initialized.

**Command:**
```bash
export GNUTLS_DEBUG_LEVEL=3
openconnect --protocol=gp -c "pkcs11:token=MyToken" vpn.example.com
```

**Result WITHOUT explicit `gnutls_pkcs11_init()`:**
```
gnutls[2]: Enabled GnuTLS 3.8.12 logging...
gnutls[2]: getrandom random generator was selected
...
(zero PKCS#11-related messages)
...
Valid client certificate is required
Failed to complete authentication
```

No PKCS#11 initialization occurs, even though OpenConnect calls `gnutls_pkcs11_*()` functions.

**Result WITH explicit `gnutls_pkcs11_init()`:**
```
gnutls[2]: Enabled GnuTLS 3.8.12 logging...
gnutls[2]: Initializing all PKCS #11 modules
gnutls[2]: p11: Initializing module: p11-kit-trust
gnutls[2]: p11: Initializing module: safesign
gnutls[2]: p11: Module safesign is initialized in a thread-safe mode
PIN required for MyToken
Enter PIN:
```

PKCS#11 modules are loaded and authentication succeeds.

### Test Case 2: Minimal Reproduction (Suggested)

```c
#include <gnutls/gnutls.h>
#include <gnutls/pkcs11.h>
#include <stdio.h>

int main(void) {
    char label[64];
    size_t label_size = sizeof(label);
    int ret;

    // Initialize GnuTLS (but NOT PKCS#11)
    ret = gnutls_global_init();
    if (ret < 0) {
        fprintf(stderr, "gnutls_global_init: %s\n", gnutls_strerror(ret));
        return 1;
    }

    // Try to use PKCS#11 - should trigger auto-init according to docs.
    // Run with GNUTLS_DEBUG_LEVEL=3: an auto-init shows up on stderr as
    // "Initializing all PKCS #11 modules" followed by one
    // "p11: Initializing module: ..." line per module.
    ret = gnutls_pkcs11_token_get_info(
        "pkcs11:token=MyToken",
        GNUTLS_PKCS11_TOKEN_LABEL,
        label, &label_size
    );
    if (ret < 0)
        fprintf(stderr, "gnutls_pkcs11_token_get_info: %s\n",
                gnutls_strerror(ret));
    else
        printf("token label: %s\n", label);

    // Check if PKCS#11 was initialized
    // Expected: modules loaded automatically
    // Actual: no initialization occurs

    gnutls_global_deinit();
    return ret < 0 ? 1 : 0;
}
```

**Expected**: First `gnutls_pkcs11_*()` call triggers automatic initialization.  
**Actual**: No initialization occurs, PKCS#11 operations fail.

## Analysis

### Code Flow in OpenConnect

1. `openconnect_init_ssl()` calls `gnutls_global_init()` only
2. Later, certificate loading code calls various `gnutls_pkcs11_*()` functions
3. These functions should trigger auto-initialization per documentation
4. But they don't - no PKCS#11 modules are loaded

### Which Functions Are Called

OpenConnect calls (at minimum):
- `gnutls_pkcs11_obj_*()` functions for certificate operations
- `gnutls_pkcs11_privkey_*()` functions for private key operations
- Other PKCS#11-related GnuTLS APIs

These should qualify as "PKCS 11 operations" that trigger auto-init.

## Impact

This affects any application that:
1. Calls `gnutls_global_init()` but not `gnutls_pkcs11_init()`
2. Relies on documented automatic PKCS#11 initialization
3. Uses PKCS#11 tokens for authentication

Real-world affected applications:
- OpenConnect VPN client
- Potentially other VPN clients using GnuTLS
- Any application following GnuTLS documentation

## Workaround

Applications must explicitly call `gnutls_pkcs11_init()`:

```c
#include <errno.h>
#include <gnutls/gnutls.h>
#include <gnutls/pkcs11.h>

int openconnect_init_ssl(void)
{
    if (gnutls_global_init())
        return -EIO;

    // Workaround for GnuTLS auto-init not working:
    // load and initialize all p11-kit modules explicitly
    #if defined(HAVE_P11KIT)
    if (gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_AUTO, NULL) < 0) {
        // Treat it like a gnutls_global_init() failure
        gnutls_global_deinit();
        return -EIO;
    }
    #endif

    return 0;
}
```

## Questions

1. Is automatic PKCS#11 initialization still supposed to work in GnuTLS 3.8.x?
2. Which specific GnuTLS functions should trigger auto-initialization?
3. Is there a specific initialization order or condition required?
4. Should this be considered a regression or documentation issue?

## References

- GnuTLS PKCS#11 docs: https://gnutls.org/manual/html_node/PKCS11-Initialization.html
- OpenConnect issue #835: https://gitlab.com/openconnect/openconnect/-/issues/835
- RFC 7512 (PKCS#11 URI): https://tools.ietf.org/html/rfc7512

## Related Issues

- **GnuTLS #1784** - "SafeSign token compatibility: CKR_ARGUMENTS_BAD with threading flags" (January 2026)
  - URL: https://gitlab.com/gnutls/gnutls/-/issues/1784
  - Our previous report about SafeSign driver rejecting PKCS#11 threading flags
  - Patch submitted to add fallback for `CKR_ARGUMENTS_BAD` with `flags=0`
  - This current issue is different but related: auto-initialization not working

- **GnuTLS #1060** - "Uninitialized lock when using pkcs11 private key for signing" (August 2020)
  - URL: https://gitlab.com/gnutls/gnutls/-/issues/1060
  - Similar symptom: "Thread locking error" in single-threaded application
  - Context: Lock not initialized when using PKCS#11 private key
  - May be related to PKCS#11 initialization issues

## Additional Information

I can provide:
- Complete debug logs (with `GNUTLS_DEBUG_LEVEL=9`)
- Minimal test case if needed
- Testing on different GnuTLS versions
- p11-kit configuration details
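
A diagnostic script, added here and not part of the issue, of GnuTLS or of OpenConnect: it captures an application's stderr with `GNUTLS_DEBUG_LEVEL=3` (the setting used in Test Case 1 above), classifies the log by whether the PKCS#11 subsystem was initialized and which p11-kit modules were loaded, using the log lines shown in Test Case 1 as markers, and separately asks p11-kit whether it lists the module at all. The function names, the log path and the sample log lines embedded below are this example's own choices; `p11-kit list-modules` and `p11tool` are the real tools from p11-kit and gnutls-bin.

```shell
#!/bin/sh
# Added diagnostic (not code from the issue, GnuTLS or OpenConnect).
# Classifies a GnuTLS debug log (GNUTLS_DEBUG_LEVEL >= 2) by the PKCS#11
# initialization messages it contains.

# pkcs11_init_status LOGFILE
# Prints "none" and returns 1 when no PKCS#11 initialization happened, else
# "initialized modules=<n> thread_safe=<n> [<module>,...]" and returns 0.
# The marker strings are the ones GnuTLS logs in the "with explicit init"
# run shown in Test Case 1.
pkcs11_init_status() {
    awk '
        /Initializing all PKCS #11 modules/ { seen = 1 }
        /p11: Initializing module: / {
            sub(/.*p11: Initializing module: /, "")
            sub(/[[:space:]]+$/, "")
            mods = (mods == "" ? $0 : (mods "," $0))
            n++
        }
        /is initialized in a thread-safe mode/ { safe++ }
        END {
            if (!seen) { print "none"; exit 1 }
            printf "initialized modules=%d thread_safe=%d [%s]\n", n, safe, mods
        }' "$1"
}

# capture_and_classify COMMAND [ARGS...]
# Runs the command with GnuTLS debug logging (gnutls_global_init() honours
# GNUTLS_DEBUG_LEVEL and logs to stderr), keeps a copy of the output and
# classifies it. stderr is merged so the PIN prompt stays visible.
capture_and_classify() {
    log=${TMPDIR:-/tmp}/gnutls-pkcs11-debug.$$.log   # assumed path
    GNUTLS_DEBUG_LEVEL=3 "$@" 2>&1 | tee "$log"
    pkcs11_init_status "$log"
}

# p11kit_has_module NAME
# Independently confirms that p11-kit knows the module (its config lives in
# /etc/pkcs11/modules, /usr/share/p11-kit/modules or
# ~/.config/pkcs11/modules), so a "none" result can be blamed on the
# application/GnuTLS path rather than on a missing module config.
# NAME is the module name exactly as `p11-kit list-modules` prints it.
p11kit_has_module() {
    p11-kit list-modules 2>/dev/null | grep -qi "^$1:"
}

# Usage, with the openconnect command from the issue:
#   sh pkcs11-init-check.sh openconnect --protocol=gp \
#       -c "pkcs11:token=MyToken" vpn.example.com
#   p11kit_has_module safesign && echo "p11-kit lists safesign"
if [ $# -gt 0 ]; then
    capture_and_classify "$@"
fi
```

Read the two results together: "none" from the application while `p11kit_has_module` succeeds (and `p11tool --list-tokens` shows the token) narrows the problem to the application's initialization path; if p11-kit does not list the module, fix the module config before blaming GnuTLS.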
