[RFE] opensc: backport "uri:" output in pkcs11-tool

      AC1) A URI field with a valid URI is printed from pkcs11-tool -L and pkcs11-tool -O
      Feature, enhancement (describe the feature or enhancement from the user’s point of view): Add a new field showing object URI to pkcs11-tool output when listing slot or object information.
      Reason (why has the feature or enhancement been implemented): In order to provide a new feature for PKCS#11 unlocking in Clevis and handle different devices through pkcs11-tool.
      Result (what is the current user experience): The users can see and use the URI of an object or token.

      In order to provide a new feature for PKCS#11 unlocking in Clevis and handle different devices through pkcs11-tool, it would be nice to backport the "uri:" field for it.

      In the current version, pkcs11-tool -L and pkcs11-tool -O show output similar to this:

      $ pkcs11-tool -L
      Available slots:
      Slot 0 (0x0): Yubico YubiKey OTP+CCID 00 00
        token label        : clevis
        token manufacturer : piv_II
        token model        : PKCS#15 emulated
        token flags        : login required, rng, token initialized, PIN initialized
        hardware version   : 0.0
        firmware version   : 0.0
        serial num         : 42facd1f749ece7f
        pin min/max        : 4/8
      
      $ pkcs11-tool --module /usr/lib64/libykcs11.so --type pubkey -O
      Using slot 0 with a present token (0x0)
      Public Key Object; RSA 2048 bits
        label:      Public key for Key Management
        ID:         03
        Usage:      encrypt, verify
        Access:     local

      Meanwhile, in the master branch of OpenSC, the output is as follows:

      $ pkcs11-tool -L
      Available slots:
      Slot 0 (0x0): Yubico YubiKey OTP+CCID 00 00
        token label        : clevis
        token manufacturer : piv_II
        token model        : PKCS#15 emulated
        token flags        : login required, rng, token initialized, PIN initialized
        hardware version   : 0.0
        firmware version   : 0.0
        serial num         : 42facd1f749ece7f
        pin min/max        : 4/8
        uri                : pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=42facd1f749ece7f;token=clevis
      
      $ pkcs11-tool --module /usr/lib64/libykcs11.so --type pubkey -O
      Using slot 0 with a present token (0x0)
      Public Key Object; RSA 2048 bits
        label:      Public key for Key Management
        ID:         03
        Usage:      encrypt, verify
        Access:     local
        uri:        pkcs11:model=YubiKey%20YK5;manufacturer=Yubico%20%28www.yubico.com%29;serial=28083311;token=YubiKey%20PIV%20%2328083311;id=%03;object=Public%20key%20for%20Key%20Management;type=public
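As an added example (not part of this ticket and not OpenSC's own code), the following Python shows how the `uri:` value above relates to the token and object attributes: it builds a PKCS#11 URI (RFC 7512) from the attributes pkcs11-tool prints, parses it back, and applies the RFC 7512 matching rule (every attribute named in the URI must equal the token's; unnamed attributes are wildcards) that a consumer such as Clevis would use to pick a token among several devices. The encoder percent-encodes everything outside the RFC 3986 unreserved set, which is stricter than RFC 7512 requires but reproduces the output shown. The sample attributes are constructed from the output above; the function names are assumptions of this example.

```python
"""Build, parse and match PKCS#11 URIs (RFC 7512) from pkcs11-tool attributes."""
from urllib.parse import quote, unquote_to_bytes

# Attributes are emitted in the order pkcs11-tool prints them in the output
# above: token attributes first, then the object-specific ones.
_TOKEN_KEYS = ("model", "manufacturer", "serial", "token")
_OBJECT_KEYS = ("id", "object", "type")


def _pct(value):
    """Percent-encode one path-attribute value.

    Only RFC 3986 unreserved characters (ALPHA / DIGIT / "-" / "." / "_" / "~")
    are left bare; this is stricter than RFC 7512 requires but matches the
    output above ('#' -> %23, ' ' -> %20, '(' -> %28). Accepts str or bytes,
    so a binary CKA_ID such as b"\\x03" becomes "%03".
    """
    return quote(value, safe="")


def build_uri(attrs):
    """Return 'pkcs11:key=value;key=value' for the attributes present in attrs."""
    parts = [f"{key}={_pct(attrs[key])}"
             for key in _TOKEN_KEYS + _OBJECT_KEYS if key in attrs]
    return "pkcs11:" + ";".join(parts)


def parse_uri(uri):
    """Parse the path component of a PKCS#11 URI into a dict.

    'id' is returned as bytes because CKA_ID is binary; all other values are
    decoded to str. A query component ('?pin-source=...') is ignored here.
    """
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a PKCS#11 URI")
    path = uri[len("pkcs11:"):].split("?", 1)[0]
    attrs = {}
    for part in filter(None, path.split(";")):
        key, sep, raw = part.partition("=")
        if not sep:
            raise ValueError(f"malformed attribute: {part!r}")
        value = unquote_to_bytes(raw)
        attrs[key] = value if key == "id" else value.decode("utf-8")
    return attrs


def uri_matches(uri, actual):
    """RFC 7512 matching: each attribute in the URI must equal the actual one.

    Attributes the URI does not mention act as wildcards, so a short URI such
    as 'pkcs11:token=clevis' selects any token with that label.
    """
    return all(actual.get(key) == value for key, value in parse_uri(uri).items())


# Constructed sample input: the attributes shown in the pkcs11-tool output above.
TOKEN_ATTRS = {
    "model": "PKCS#15 emulated",
    "manufacturer": "piv_II",
    "serial": "42facd1f749ece7f",
    "token": "clevis",
}
OBJECT_ATTRS = {
    "model": "YubiKey YK5",
    "manufacturer": "Yubico (www.yubico.com)",
    "serial": "28083311",
    "token": "YubiKey PIV #28083311",
    "id": b"\x03",
    "object": "Public key for Key Management",
    "type": "public",
}

if __name__ == "__main__":
    print(build_uri(TOKEN_ATTRS))
    print(build_uri(OBJECT_ATTRS))
    print(parse_uri(build_uri(OBJECT_ATTRS)))
    print(uri_matches("pkcs11:token=clevis", TOKEN_ATTRS))
    print(uri_matches("pkcs11:token=clevis;serial=0000000000000000", TOKEN_ATTRS))
```

Round-tripping `build_uri` through `parse_uri` returns the original attributes, including the binary `id`; the two `uri_matches` calls show why the `serial` attribute is what distinguishes two tokens that carry the same label.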

      It would be nice to backport this functionality to RHEL 9.6, by backporting these upstream changes:
      https://github.com/OpenSC/OpenSC/pull/3125
      https://github.com/OpenSC/OpenSC/pull/3130

      This functionality has not been released upstream. It will be included in a release after OpenSC 0.25.1, possibly OpenSC_0.25.2 or OpenSC_0.26.0. In case the developer considers it necessary, a rebase to this latest version is also an alternative.

      Thanks

              vhanulik@redhat.com Veronika Hanulikova
              sarroutb@redhat.com Sergio Arroutbi
              Veronika Hanulikova
              George Pantelakis George Pantelakis