<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html lang="en">
<head>
<meta content="text/html; charset=US-ASCII" http-equiv="Content-Type">
<title>
GitLab
</title>
<style>img {
max-width: 100%; height: auto;
}
</style>
</head>
<body>
<div class="content">
<p class="details" style="font-style: italic; color: #777;">
<a href="https://gitlab.com/marckleinebudde">Marc Kleine-Budde</a> created an issue:
</p>
<p dir="auto">Hello,</p>
<p dir="auto">I have two almost identical smartcards (just the serial numbers are different), each one attached via a USB-based smart card reader, on the hosts <code>certos</code> and <code>certos2</code>. To access them I have these config files in my home:</p>
<pre class="code highlight js-syntax-highlight plaintext" lang="plaintext" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">➜ (pts/58) mkl@dude02:~ (master) ✗ cat ~/.config/pkcs11/modules/certos.module</span>
<span id="LC2" class="line" lang="plaintext">remote: |ssh certos.hi.pengutronix.de p11-kit remote /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so</span>
<span id="LC3" class="line" lang="plaintext">#log-calls: yes</span>
<span id="LC4" class="line" lang="plaintext"></span>
<span id="LC5" class="line" lang="plaintext">➜ (pts/58) mkl@dude02:~ (master) ✗ cat ~/.config/pkcs11/modules/certos2.module</span>
<span id="LC6" class="line" lang="plaintext">remote: |ssh certos2.hi.pengutronix.de p11-kit remote /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so</span>
<span id="LC7" class="line" lang="plaintext">#log-calls: yes</span></code></pre>
<p dir="auto">When I access them via <code>p11-kit-proxy.so</code> both are properly detected:</p>
<pre class="code highlight js-syntax-highlight plaintext" lang="plaintext" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">➜ (pts/58) mkl@dude02:~ (master) ✗ pkcs11-tool --module /usr/lib/x86_64-linux-gnu/p11-kit-proxy.so -L</span>
<span id="LC2" class="line" lang="plaintext">Available slots:</span>
<span id="LC3" class="line" lang="plaintext">Slot 0 (0x10): SCM Microsystems Inc. SPR 532 [Vendor Interface] (60206024) 0...</span>
<span id="LC4" class="line" lang="plaintext"> token label : CycurCard (User PIN)</span>
<span id="LC5" class="line" lang="plaintext"> token manufacturer : xxx</span>
<span id="LC6" class="line" lang="plaintext"> token model : PKCS#15</span>
<span id="LC7" class="line" lang="plaintext"> token flags : login required, token initialized, PIN initialized</span>
<span id="LC8" class="line" lang="plaintext"> hardware version : 0.0</span>
<span id="LC9" class="line" lang="plaintext"> firmware version : 0.0</span>
<span id="LC10" class="line" lang="plaintext"> serial num : 244f8b131a1e</span>
<span id="LC11" class="line" lang="plaintext"> pin min/max : 6/8</span>
<span id="LC12" class="line" lang="plaintext">Slot 1 (0x11): Gemalto Gemplus USB SmartCard Reader 433-Swap [CCID Interface...</span>
<span id="LC13" class="line" lang="plaintext"> (empty)</span>
<span id="LC14" class="line" lang="plaintext">Slot 2 (0x12): Gemalto Gemplus USB SmartCard Reader 433-Swap [CCID Interface...</span>
<span id="LC15" class="line" lang="plaintext"> (empty)</span>
<span id="LC16" class="line" lang="plaintext">Slot 3 (0x13): Gemalto USB GemPCPinpad SmartCard Reader 01 00</span>
<span id="LC17" class="line" lang="plaintext"> token label : CycurCard (User PIN)</span>
<span id="LC18" class="line" lang="plaintext"> token manufacturer : xxx</span>
<span id="LC19" class="line" lang="plaintext"> token model : PKCS#15</span>
<span id="LC20" class="line" lang="plaintext"> token flags : login required, token initialized, PIN initialized</span>
<span id="LC21" class="line" lang="plaintext"> hardware version : 0.0</span>
<span id="LC22" class="line" lang="plaintext"> firmware version : 0.0</span>
<span id="LC23" class="line" lang="plaintext"> serial num : 24c8c609160f</span>
<span id="LC24" class="line" lang="plaintext"> pin min/max : 4/8</span></code></pre>
<p dir="auto">However, when using <code>p11tool</code>, they are not:</p>
<pre class="code highlight js-syntax-highlight plaintext" lang="plaintext" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">➜ (pts/58) mkl@dude02:~ (master) ✗ p11tool --list-token-urls</span>
<span id="LC2" class="line" lang="plaintext">pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust</span>
<span id="LC3" class="line" lang="plaintext">pkcs11:model=PKCS%2315;manufacturer=xxx;serial=244f8b131a1e;token=CycurCard%20%20%20%28User%20PIN%29%00%00%00%00%00%00%00%00%00%00</span></code></pre>
<p dir="auto">I found out that <code>lib/pkcs11.c</code> refuses to load two modules with the same info :(</p>
<pre class="code highlight js-syntax-highlight plaintext" lang="plaintext" v-pre="true"><code><span id="LC1" class="line" lang="plaintext"> /* initially check if this module is a duplicate */</span>
<span id="LC2" class="line" lang="plaintext"> for (i = 0; i &lt; active_providers; i++) {</span>
<span id="LC3" class="line" lang="plaintext"> /* already loaded, skip the rest */</span>
<span id="LC4" class="line" lang="plaintext"> if (module == providers[i].module ||</span>
<span id="LC5" class="line" lang="plaintext"> memcmp(&info, &providers[i].info, sizeof(info)) == 0) {</span>
<span id="LC6" class="line" lang="plaintext"> _gnutls_debug_log("p11: module %s is already loaded.\n", name);</span>
<span id="LC7" class="line" lang="plaintext"> return GNUTLS_E_INT_RET_0;</span>
<span id="LC8" class="line" lang="plaintext"> }</span>
<span id="LC9" class="line" lang="plaintext"> }</span></code></pre>
<p dir="auto">In my use case the <code>module</code> pointers are not the same, but the info is:</p>
<pre class="code highlight js-syntax-highlight plaintext" lang="plaintext" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">$14 = {cryptoki_version = {major = 2 '\002', minor = 20 '\024'}, manufacturer_id = "OpenSC Project", ' ' <repeats 18 times>, flags = 0, library_description = "OpenSC smartcard framework ", library_version = {major = 0 '\000', minor = 20 '\024'}}</span></code></pre>
<p dir="auto">as both hosts use the same version of p11-kit.</p>
<p dir="auto">The <code>memcmp()</code> on the <code>info</code> was added in <a href="https://gitlab.com/gnutls/gnutls/-/commit/12f4abc02e718e2ab0f7ae80b3026a29028536e7" data-original="12f4abc02e718e2ab0f7ae80b3026a29028536e7" data-link="false" data-link-reference="false" data-project="179611" data-commit="12f4abc02e718e2ab0f7ae80b3026a29028536e7" data-reference-type="commit" data-container="body" data-placement="top" data-html="true" title="pkcs11: refuse to load modules with duplicate information" class="gfm gfm-commit has-tooltip">12f4abc0</a> by <a href="https://gitlab.com/nmav" data-user="105950" data-reference-type="user" data-container="body" data-placement="top" data-html="true" class="gfm gfm-project_member" title="Nikos Mavrogiannopoulos">@nmav</a>. Any idea how to work around this check?</p>
<p dir="auto">regards,
Marc</p>
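<p dir="auto">The duplicate check quoted above, modelled as a stand-alone C program. This is an added example, not code from the issue or from GnuTLS: it uses a simplified local mirror of the Cryptoki <code>CK_INFO</code> layout instead of <code>pkcs11.h</code>, and two integers as stand-ins for the <code>dlopen()</code> handles of the <code>certos</code> and <code>certos2</code> remote modules, so it builds without OpenSC or p11-kit installed. It reproduces the reported outcome (distinct handles, byte-identical OpenSC 0.20 info, second module rejected) next to a control case where only the library version differs, and shows why the struct has to be zeroed before a whole-struct <code>memcmp()</code> is meaningful.</p>

```c
#include <stdio.h>
#include <string.h>

/* Simplified mirror of the Cryptoki CK_INFO layout (field widths from the
 * PKCS#11 spec). The real definition lives in pkcs11.h, which is deliberately
 * not used so the example builds without OpenSC or p11-kit. */
typedef struct {
    unsigned char major;
    unsigned char minor;
} ck_version;

typedef struct {
    ck_version    cryptoki_version;
    unsigned char manufacturer_id[32];      /* space padded, not NUL terminated */
    unsigned long flags;
    unsigned char library_description[32];  /* space padded, not NUL terminated */
    ck_version    library_version;
} ck_info;

/* One loaded provider: the dlopen() handle and the CK_INFO it reported. */
typedef struct {
    const void *module;
    ck_info     info;
} provider;

/* Copy src into a fixed-width PKCS#11 string field, padding with spaces. */
static void pad_field(unsigned char *dst, size_t len, const char *src)
{
    size_t n = strlen(src);
    memset(dst, ' ', len);
    memcpy(dst, src, n < len ? n : len);
}

/* Fill info the way C_GetInfo() would. The memset zeroes the struct's padding
 * bytes first: the duplicate check compares the whole struct with memcmp(),
 * so uninitialised padding could make two equal infos compare unequal. */
static void make_info(ck_info *info, const char *manufacturer,
                      const char *description,
                      unsigned char lib_major, unsigned char lib_minor)
{
    memset(info, 0, sizeof(*info));
    info->cryptoki_version.major = 2;
    info->cryptoki_version.minor = 20;
    pad_field(info->manufacturer_id, sizeof(info->manufacturer_id), manufacturer);
    pad_field(info->library_description, sizeof(info->library_description), description);
    info->library_version.major = lib_major;
    info->library_version.minor = lib_minor;
}

/* Model of the duplicate test quoted from lib/pkcs11.c: a module is rejected
 * when its handle OR its CK_INFO matches an already loaded provider.
 * Returns the index of the colliding provider, or -1 if the module is new. */
static int find_duplicate(const provider *providers, size_t active,
                          const void *module, const ck_info *info)
{
    for (size_t i = 0; i < active; i++) {
        if (module == providers[i].module ||
            memcmp(info, &providers[i].info, sizeof(*info)) == 0)
            return (int)i;
    }
    return -1;
}

/* The situation in the report: two distinct handles (certos, certos2) whose
 * remote OpenSC 0.20 modules report byte-identical CK_INFO. Returns 1 when the
 * second module is rejected as a duplicate of the first. */
int same_info_distinct_handles_is_rejected(void)
{
    int certos = 1, certos2 = 2;   /* stand-ins for two dlopen() handles */
    provider loaded[1];
    ck_info second;

    loaded[0].module = &certos;
    make_info(&loaded[0].info, "OpenSC Project", "OpenSC smartcard framework", 0, 20);
    make_info(&second,         "OpenSC Project", "OpenSC smartcard framework", 0, 20);

    return find_duplicate(loaded, 1, &certos2, &second) == 0;
}

/* Control case: same two handles, but the second host reports a different
 * library version, so the infos differ and the module is accepted.
 * Returns 1 when find_duplicate() reports no collision. */
int different_library_version_is_accepted(void)
{
    int certos = 1, certos2 = 2;
    provider loaded[1];
    ck_info second;

    loaded[0].module = &certos;
    make_info(&loaded[0].info, "OpenSC Project", "OpenSC smartcard framework", 0, 20);
    make_info(&second,         "OpenSC Project", "OpenSC smartcard framework", 0, 21);

    return find_duplicate(loaded, 1, &certos2, &second) == -1;
}

int main(void)
{
    printf("identical info, distinct handles rejected: %d\n",
           same_info_distinct_handles_is_rejected());
    printf("different library version accepted: %d\n",
           different_library_version_is_accepted());
    return 0;
}
```

<p dir="auto">The control case makes the shape of the problem visible: the check keys only on the handle and on what <code>C_GetInfo()</code> returns, so any two modules built from the same library version collide regardless of where they are loaded from, which is exactly what happens with two <code>p11-kit remote</code> modules forwarding the same <code>opensc-pkcs11.so</code>.</p>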
</div>
<div class="footer" style="margin-top: 10px;">
<p style="font-size: small; color: #777;">
Reply to this email directly or <a href="https://gitlab.com/gnutls/gnutls/-/issues/961">view it on GitLab</a>.
</p>
</div>
</body>
</html>