pkcs11-provider can't handle NULL bytes in token URL model parameter #296
Comments
Null bytes are illegal per PKCS11 spec.
This is a bug in tpm2-pkcs11, please report it to them. All of the strings returned in CK_INFO, CK_SLOT_INFO, CK_TOKEN_INFO structure MUST NOT be NULL terminated and must be blank (space) padded to their length.
or potentially p11tool ...
The broken code starts here: They use the correct padding helpers but the code is wrong because it always passes 16 bytes as the source len, regardless of what's in the vendor structure.
Thank you for tracking this down. I have opened tpm2-software/tpm2-pkcs11#846
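As an added illustration of the maintainer's point (example code written for this page, not from pkcs11-provider or tpm2-pkcs11): the first function fills a fixed-width CK_TOKEN_INFO field the way the spec requires (space padded, no NUL), the second converts such a field back into a C string and flags NUL padding like the model string in this issue. The function names are assumptions; MODEL_LEN mirrors the 16-byte model field of CK_TOKEN_INFO.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* CK_TOKEN_INFO.model is a 16-byte CK_UTF8CHAR array, space padded, never NUL terminated. */
#define MODEL_LEN 16

/* Fill a fixed-width PKCS#11 field: copy at most `len` bytes of `src`, then pad
 * the rest with spaces. Overlong input is truncated; no NUL is ever written. */
void pkcs11_pad_field(unsigned char *dst, size_t len, const char *src)
{
    size_t n = 0;
    while (n < len && src[n] != '\0')
        n++;
    memcpy(dst, src, n);
    memset(dst + n, ' ', len - n);
}

/* Convert a fixed-width field to a C string. Stops at the first NUL (a spec
 * violation, reported via *had_nul) and strips trailing spaces. Returns the
 * number of characters kept. This is what turns "SLB9672" + 9 NUL bytes into a
 * clean model name instead of the %00 run seen in the token URL. */
size_t pkcs11_field_to_str(const unsigned char *field, size_t len,
                           char *out, size_t outlen, int *had_nul)
{
    size_t end = len;
    *had_nul = 0;
    for (size_t i = 0; i < len; i++) {
        if (field[i] == '\0') { *had_nul = 1; end = i; break; }
    }
    while (end > 0 && field[end - 1] == ' ')
        end--;
    if (end >= outlen)
        end = outlen - 1;
    memcpy(out, field, end);
    out[end] = '\0';
    return end;
}

int main(void)
{
    unsigned char good[MODEL_LEN];                /* constructed: conforming token */
    pkcs11_pad_field(good, MODEL_LEN, "SLB9672");
    unsigned char bad[MODEL_LEN] = "SLB9672";     /* constructed: NUL padded, as in the issue */
    char s[MODEL_LEN + 1];
    int nul;
    pkcs11_field_to_str(good, MODEL_LEN, s, sizeof s, &nul);
    printf("model='%s' nul_padded=%d\n", s, nul);
    pkcs11_field_to_str(bad, MODEL_LEN, s, sizeof s, &nul);
    printf("model='%s' nul_padded=%d\n", s, nul);
    return 0;
}
```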
Describe the bug
My computer contains a TPM2 chip "SLB9672" from Infineon. I get its token URL from
p11tool --list-token-urls
and it returns
This breaks pkcs11-provider, because it can't handle null bytes:
To Reproduce
Steps to reproduce the behavior:
p11tool --login --list-all-privkeys
=>
pkcs11:model=SLB9672%00%00%00%00%00%00%00%00%00;manufacturer=Infineon;serial=0000000000000000;token=mytoken
openssl req -new -provider pkcs11 -key "${URL};pin-value=${PIN};so-pin-value=${PUK}" -subj "/CN=${CN}/"
Expected behavior
A CSR should be returned on stdout. Instead, the error from above is printed. Repeating these steps and stripping %00 from the URL makes it work.
Operating environment (please complete the following information):
Token and application used (please complete the following information):
tpm2-pkcs11-1.9.0-1.fc38.x86_64
(is this the right information?)
Additional context
This used to work in pkcs11-provider v0.1. I think this commit may be relevant: 24d72cc