#52623: p11-kit @0.23.2_1: fails to properly complete operation and disconnect on Sierra
----------------------+----------------------
  Reporter:  uri@…    |      Owner:  devans@…
      Type:  defect   |     Status:  new
  Priority:  Normal   |  Milestone:
 Component:  ports    |    Version:  2.3.4
Resolution:           |   Keywords:
      Port:  p11-kit  |
----------------------+----------------------

Comment (by uri@…):

The only two modules I (explicitly) enabled are OpenSC PKCS#11 and Yubico YKCS11 (subset of PKCS#11 with extensions for YubiKey devices):
{{{
$ ll ~/.config/pkcs11/modules/
total 16
drwxr-xr-x  4 uri  staff  136 Oct  3 10:19 ./
drwxr-xr-x  3 uri  staff  102 Oct  2 12:42 ../
-rw-r--r--  1 uri  staff   48 Oct  2 12:44 pkcs11.module
-rw-r--r--  1 uri  staff   39 Oct  2 12:44 ykcs11.module
$
}}}

Here's what happens if I remove ykcs11.module:
{{{
$ export PKCS11_MODULE_PATH=/opt/local/lib/p11-kit-proxy.dylib
$ mv ~/.config/pkcs11/modules/ykcs11.module /tmp/
$ openssl dgst -engine pkcs11 -keyform engine -sign "pkcs11:manufacturer=piv_II;object=SIGN%20key;type=private" -sha384 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 -out t256.dat.sig t256.dat
engine "pkcs11" set.
PKCS#11 token PIN: ^C
$
}}}

With PKCS11SPY:
{{{
PKCS11_MODULE_PATH=/Library/OpenSC/lib/pkcs11-spy.dylib openssl dgst -engine pkcs11 -keyform engine -sign "pkcs11:manufacturer=piv_II;object=SIGN%20key;type=private" -sha384 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 -out t256.dat.sig t256.dat

*************** OpenSC PKCS#11 spy *****************
Loaded: "/opt/local/lib/p11-kit-proxy.dylib"

0: C_GetFunctionList
2016-10-16 11:43:40.125
Returned: 0 CKR_OK

1: C_Initialize
2016-10-16 11:43:40.126
[in] pInitArgs = 0x7fff5a42b5f0
      flags: 2
        CKF_OS_LOCKING_OK
Returned: 0 CKR_OK

2: C_GetInfo
2016-10-16 11:43:40.866
[out] pInfo:
      cryptokiVersion: 2.20
      manufacturerID: 'PKCS#11 Kit '
      flags: 0
      libraryDescription: 'PKCS#11 Kit Proxy Module '
      libraryVersion: 1.1
Returned: 0 CKR_OK

3: C_GetSlotList
2016-10-16 11:43:40.866
[in] tokenPresent = 0x0
[out] pSlotList:
Count is 6
[out] *pulCount = 0x6
Returned: 0 CKR_OK

4: C_GetSlotList
2016-10-16 11:43:40.866
[in] tokenPresent = 0x0
[out] pSlotList:
Slot 16
Slot 17
Slot 18
Slot 19
Slot 20
Slot 21
[out] *pulCount = 0x6
Returned: 0 CKR_OK

5: C_GetSlotInfo
2016-10-16 11:43:40.866
[in] slotID = 0x10
[out] pInfo:
      slotDescription: '/opt/local/share/curl/curl-ca-bu'
                       'ndle.crt '
      manufacturerID: 'PKCS#11 Kit '
      hardwareVersion: 0.23
      firmwareVersion: 0.0
      flags: 1
        CKF_TOKEN_PRESENT
Returned: 0 CKR_OK

6: C_GetTokenInfo
2016-10-16 11:43:40.866
[in] slotID = 0x10
[out] pInfo:
      label: 'Default Trust '
      manufacturerID: 'PKCS#11 Kit '
      model: 'p11-kit-trust '
      serialNumber: '1 '
      ulMaxSessionCount: 0
      ulSessionCount: -1
      ulMaxRwSessionCount: 0
      ulRwSessionCount: -1
      ulMaxPinLen: 0
      ulMinPinLen: 0
      ulTotalPublicMemory: -1
      ulFreePublicMemory: -1
      ulTotalPrivateMemory: -1
      ulFreePrivateMemory: -1
      hardwareVersion: 0.23
      firmwareVersion: 0.0
      time: ' '
      flags: 402
        CKF_WRITE_PROTECTED
        CKF_TOKEN_INITIALIZED
Returned: 0 CKR_OK

7: C_GetSlotInfo
2016-10-16 11:43:40.866
[in] slotID = 0x11
[out] pInfo:
      slotDescription: '/opt/local/etc/openssl '
                       ' '
      manufacturerID: 'PKCS#11 Kit '
      hardwareVersion: 0.23
      firmwareVersion: 0.0
      flags: 1
        CKF_TOKEN_PRESENT
Returned: 0 CKR_OK

8: C_GetTokenInfo
2016-10-16 11:43:40.866
[in] slotID = 0x11
[out] pInfo:
      label: 'System Trust '
      manufacturerID: 'PKCS#11 Kit '
      model: 'p11-kit-trust '
      serialNumber: '1 '
      ulMaxSessionCount: 0
      ulSessionCount: -1
      ulMaxRwSessionCount: 0
      ulRwSessionCount: -1
      ulMaxPinLen: 0
      ulMinPinLen: 0
      ulTotalPublicMemory: -1
      ulFreePublicMemory: -1
      ulTotalPrivateMemory: -1
      ulFreePrivateMemory: -1
      hardwareVersion: 0.23
      firmwareVersion: 0.0
      time: ' '
      flags: 402
        CKF_WRITE_PROTECTED
        CKF_TOKEN_INITIALIZED
Returned: 0 CKR_OK

9: C_GetSlotInfo
2016-10-16 11:43:40.867
[in] slotID = 0x12
[out] pInfo:
      slotDescription: 'Yubico Yubikey NEO OTP+U2F+CCID '
                       ' '
      manufacturerID: 'Yubico '
      hardwareVersion: 3.70
      firmwareVersion: 0.0
      flags: 7
        CKF_TOKEN_PRESENT
        CKF_REMOVABLE_DEVICE
        CKF_HW_SLOT
Returned: 0 CKR_OK

10: C_GetTokenInfo
2016-10-16 11:43:40.868
[in] slotID = 0x12
[out] pInfo:
      label: 'PIV Card Holder pin (PIV_II) '
      manufacturerID: 'piv_II '
      model: 'PKCS#15 emulated'
      serialNumber: 'a0fxxxxxxxxxxxxx'
      ulMaxSessionCount: 0
      ulSessionCount: 0
      ulMaxRwSessionCount: 0
      ulRwSessionCount: 0
      ulMaxPinLen: 8
      ulMinPinLen: 4
      ulTotalPublicMemory: -1
      ulFreePublicMemory: -1
      ulTotalPrivateMemory: -1
      ulFreePrivateMemory: -1
      hardwareVersion: 0.0
      firmwareVersion: 0.0
      time: ' '
      flags: 40d
        CKF_RNG
        CKF_LOGIN_REQUIRED
        CKF_USER_PIN_INITIALIZED
        CKF_TOKEN_INITIALIZED
Returned: 0 CKR_OK

11: C_GetSlotInfo
2016-10-16 11:43:40.891
[in] slotID = 0x13
[out] pInfo:
      slotDescription: 'SoftHSM slot ID 0x21bc4979 '
                       ' '
      manufacturerID: 'SoftHSM project '
      hardwareVersion: 2.1
      firmwareVersion: 2.1
      flags: 1
        CKF_TOKEN_PRESENT
Returned: 0 CKR_OK

12: C_GetTokenInfo
2016-10-16 11:43:40.891
[in] slotID = 0x13
[out] pInfo:
      label: 'Botan PKCS#11 tests '
      manufacturerID: 'SoftHSM project '
      model: 'SoftHSM v2 '
      serialNumber: 'b15xxxxxxxxxxxxx'
      ulMaxSessionCount: 0
      ulSessionCount: -1
      ulMaxRwSessionCount: 0
      ulRwSessionCount: -1
      ulMaxPinLen: 255
      ulMinPinLen: 4
      ulTotalPublicMemory: -1
      ulFreePublicMemory: -1
      ulTotalPrivateMemory: -1
      ulFreePrivateMemory: -1
      hardwareVersion: 2.1
      firmwareVersion: 2.1
      time: '2016101615434000'
      flags: 42d
        CKF_RNG
        CKF_LOGIN_REQUIRED
        CKF_USER_PIN_INITIALIZED
        CKF_RESTORE_KEY_NOT_NEEDED
        CKF_TOKEN_INITIALIZED
Returned: 0 CKR_OK

13: C_GetSlotInfo
2016-10-16 11:43:40.891
[in] slotID = 0x14
[out] pInfo:
      slotDescription: 'SoftHSM slot ID 0x2879828e '
                       ' '
      manufacturerID: 'SoftHSM project '
      hardwareVersion: 2.1
      firmwareVersion: 2.1
      flags: 1
        CKF_TOKEN_PRESENT
Returned: 0 CKR_OK

14: C_GetTokenInfo
2016-10-16 11:43:40.891
[in] slotID = 0x14
[out] pInfo:
      label: 'test '
      manufacturerID: 'SoftHSM project '
      model: 'SoftHSM v2 '
      serialNumber: '02bxxxxxxxxxxxxx'
      ulMaxSessionCount: 0
      ulSessionCount: -1
      ulMaxRwSessionCount: 0
      ulRwSessionCount: -1
      ulMaxPinLen: 255
      ulMinPinLen: 4
      ulTotalPublicMemory: -1
      ulFreePublicMemory: -1
      ulTotalPrivateMemory: -1
      ulFreePrivateMemory: -1
      hardwareVersion: 2.1
      firmwareVersion: 2.1
      time: '2016101615434000'
      flags: 42d
        CKF_RNG
        CKF_LOGIN_REQUIRED
        CKF_USER_PIN_INITIALIZED
        CKF_RESTORE_KEY_NOT_NEEDED
        CKF_TOKEN_INITIALIZED
Returned: 0 CKR_OK

15: C_GetSlotInfo
2016-10-16 11:43:40.892
[in] slotID = 0x15
[out] pInfo:
      slotDescription: 'SoftHSM slot ID 0x2 '
                       ' '
      manufacturerID: 'SoftHSM project '
      hardwareVersion: 2.1
      firmwareVersion: 2.1
      flags: 1
        CKF_TOKEN_PRESENT
Returned: 0 CKR_OK

16: C_GetTokenInfo
2016-10-16 11:43:40.892
[in] slotID = 0x15
[out] pInfo:
      label: ' '
      manufacturerID: 'SoftHSM project '
      model: 'SoftHSM v2 '
      serialNumber: ' '
      ulMaxSessionCount: 0
      ulSessionCount: -1
      ulMaxRwSessionCount: 0
      ulRwSessionCount: -1
      ulMaxPinLen: 255
      ulMinPinLen: 4
      ulTotalPublicMemory: -1
      ulFreePublicMemory: -1
      ulTotalPrivateMemory: -1
      ulFreePrivateMemory: -1
      hardwareVersion: 2.1
      firmwareVersion: 2.1
      time: '2016101615434000'
      flags: c00025
        CKF_RNG
        CKF_LOGIN_REQUIRED
        CKF_RESTORE_KEY_NOT_NEEDED
        CKF_SO_PIN_LOCKED
        CKF_SO_PIN_TO_BE_CHANGED
Returned: 0 CKR_OK
engine "pkcs11" set.

17: C_OpenSession
2016-10-16 11:43:40.892
[in] slotID = 0x12
[in] flags = 0x4
pApplication=0x0
Notify=0x0
[out] *phSession = 0x11
Returned: 0 CKR_OK

18: C_FindObjectsInit
2016-10-16 11:43:40.892
[in] hSession = 0x11
[in] pTemplate[1]:
    CKA_CLASS CKO_CERTIFICATE
Returned: 0 CKR_OK

19: C_FindObjects
2016-10-16 11:43:40.892
[in] hSession = 0x11
[in] ulMaxObjectCount = 0x1
[out] ulObjectCount = 0x1
Object 0x7fd27ad28c80 matches
Returned: 0 CKR_OK

20: C_GetAttributeValue
2016-10-16 11:43:40.892
[in] hSession = 0x11
[in] hObject = 0x7fd27ad28c80
[in] pTemplate[1]:
    CKA_CERTIFICATE_TYPE 00007fff5a42b498 / 8
[out] pTemplate[1]:
    CKA_CERTIFICATE_TYPE CKC_X_509
Returned: 0 CKR_OK

21: C_GetAttributeValue
2016-10-16 11:43:40.892
[in] hSession = 0x11
[in] hObject = 0x7fd27ad28c80
[in] pTemplate[1]:
    CKA_LABEL 0000000000000000 / 0
[out] pTemplate[1]:
    CKA_LABEL 0000000000000000 / 34
Returned: 0 CKR_OK

22: C_GetAttributeValue
2016-10-16 11:43:40.892
[in] hSession = 0x11
[in] hObject = 0x7fd27ad28c80
[in] pTemplate[1]:
    CKA_LABEL 00007fd27af144f0 / 34
[out] pTemplate[1]:
    CKA_LABEL 00007fd27af144f0 / 34
    43657274 69666963 61746520 666F7220 50495620 41757468 656E7469 63617469
     C e r t  i f i c  a t e .  f o r .  P I V .  A u t h  e n t i  c a t i
    6F6E
     o n
Returned: 0 CKR_OK

23: C_GetAttributeValue
2016-10-16 11:43:40.892
[in] hSession = 0x11
[in] hObject = 0x7fd27ad28c80
[in] pTemplate[1]:
. . . . .

95: C_SignInit
2016-10-16 11:43:43.504
[in] hSession = 0x11
pMechanism->type=CKM_RSA_X_509
[in] hKey = 0x7fd27af138f0
Returned: 0 CKR_OK

96: C_Sign
2016-10-16 11:43:43.504
[in] hSession = 0x11
[in] pData[ulDataLen] 00007fd27af14c10 / 256
    00000000  5A 6B BB 1E 19 2F 6F D9 52 B7 40 E9 9D DA 21 EA  Zk.../o.R.@...!.
    00000010  2C 6C 59 CD B6 69 B6 4A 5C 85 4F DE CD C1 72 0E  ,lY..i.J\.O...r.
    . . . . .
    000000F0  AC DB FE 80 DE 31 13 F1 9F 85 D1 BD 1E B8 9E BC  .....1..........
[out] pSignature[*pulSignatureLen] 00007fd27b801000 / 256
    00000000  0E FA 39 F3 DD 9C B9 EB D1 F9 2F E6 28 4E E3 56  ..9......./.(N.V
    00000010  53 DC 7F 90 3E 72 23 48 91 D2 E8 E8 E4 1C 59 D0  S..>r#H......Y.
    . . . . .
    000000F0  59 1A 90 C8 D1 E0 B0 87 3C 5F 73 99 A2 73 F3 CB  Y.......<_s..s..
Returned: 0 CKR_OK

97: C_CloseAllSessions
2016-10-16 11:43:44.174
[in] slotID = 0x10
Returned: 0 CKR_OK

98: C_CloseAllSessions
2016-10-16 11:43:44.174
[in] slotID = 0x11
Returned: 0 CKR_OK

99: C_CloseAllSessions
2016-10-16 11:43:44.174
[in] slotID = 0x12
Returned: 0 CKR_OK

100: C_CloseAllSessions
2016-10-16 11:43:44.175
[in] slotID = 0x13
Returned: 0 CKR_OK

101: C_CloseAllSessions
2016-10-16 11:43:44.175
[in] slotID = 0x14
Returned: 0 CKR_OK

102: C_CloseAllSessions
2016-10-16 11:43:44.175
[in] slotID = 0x15
Returned: 0 CKR_OK

103: C_Finalize
2016-10-16 11:43:44.175
^C
$
}}}

I see SoftHSMv2 module(s), which I did NOT enable, at least explicitly. Nor do I have any idea what that "/opt/local/etc/openssl" is doing there.

I'd appreciate some guidance how to perform the test you need.

--
Ticket URL: <https://trac.macports.org/ticket/52623#comment:5>
MacPorts <https://www.macports.org/>
Ports system for the Mac operating system
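
A triage helper for a pkcs11-spy trace like the one in the comment above, as an added example that is not part of the ticket or of p11-kit/OpenSC code: it lists calls that never logged a `Returned:` line (the stall at `C_Finalize`) and slots whose `manufacturerID` falls outside an expected set. The sample trace is constructed, and the function names and the expected-manufacturer set are assumptions.

```python
import re

# Constructed sample in pkcs11-spy's layout, modelled on the trace above.
SAMPLE = """\
9: C_GetSlotInfo
2016-10-16 11:43:40.867
[in] slotID = 0x12
[out] pInfo:
      manufacturerID: 'Yubico '
Returned: 0 CKR_OK
11: C_GetSlotInfo
2016-10-16 11:43:40.891
[in] slotID = 0x13
[out] pInfo:
      manufacturerID: 'SoftHSM project '
Returned: 0 CKR_OK
103: C_Finalize
2016-10-16 11:43:44.175
"""

CALL = re.compile(r"^(\d+): (C_\w+)\s*$")          # "103: C_Finalize"
RET = re.compile(r"^Returned:\s+\d+\s+(CKR_\w+)")   # "Returned: 0 CKR_OK"
SLOT = re.compile(r"^\[in\] slotID = (0x[0-9a-fA-F]+)")
MANUF = re.compile(r"^\s*manufacturerID:\s*'([^']*)'")

def parse_calls(text):
    """Return one dict per PKCS#11 call: seq, name, rv, slot, manufacturer."""
    calls = []
    for line in text.splitlines():
        m = CALL.match(line)
        if m:
            calls.append({"seq": int(m[1]), "name": m[2], "rv": None,
                          "slot": None, "manufacturer": None})
        elif calls:
            for key, rx in (("rv", RET), ("slot", SLOT), ("manufacturer", MANUF)):
                m = rx.match(line)
                if m and calls[-1][key] is None:
                    calls[-1][key] = m[1].strip()
    return calls

def pending_calls(calls):
    """Calls that were entered but never logged a 'Returned:' line."""
    return [(c["seq"], c["name"]) for c in calls if c["rv"] is None]

def unexpected_slots(calls, expected_manufacturers):
    """Slots whose manufacturerID is not one the user meant to load."""
    return {c["slot"]: c["manufacturer"] for c in calls
            if c["name"] == "C_GetSlotInfo"
            and c["manufacturer"] not in expected_manufacturers}
```

Feed `parse_calls()` the text captured from a pkcs11-spy run, then pass the result to `pending_calls()` and `unexpected_slots()`.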