SafeSign IC 3.8.0.0 PKCS#11 module and GnuTLS incompatible

Hello, this is http://bugs.debian.org/1125519 reported by Claudio Ferreira Filho. Attaching verbatim since I really have no opinion whether this is a clear-cut hardware bug or not.

Dear Maintainer,

I've discovered an incompatibility between GnuTLS 3.8.11 and SafeSign IC 3.8.0.0 PKCS#11 module that prevents the use of SafeSign tokens with applications like OpenConnect VPN.

Problem Description

When GnuTLS attempts to initialize the SafeSign PKCS#11 module, it fails with "Thread locking error" because SafeSign returns CKR_NEED_TO_CREATE_THREADS (0x09) when it receives the CKF_LIBRARY_CANT_CREATE_OS_THREADS flag.

This is contradictory behavior: the module is saying "I need to create threads" when explicitly told "you cannot create threads". However, SafeSign works correctly when initialized with flags=0.

Steps to Reproduce

  1. Install SafeSign IC 3.8.0.0 driver (libaetpkss.so)
  2. Insert a SafeSign token (e.g., G&D StarSign CUT S)
  3. Try to use the token with OpenConnect or any GnuTLS-based application
  4. Observe "Cannot initialize PKCS #11 (closed) module" error

Testing

Direct testing shows the issue:

CK_C_INITIALIZE_ARGS args = {NULL, NULL, NULL, NULL, 
                              CKF_OS_LOCKING_OK | CKF_LIBRARY_CANT_CREATE_OS_THREADS, 
                              NULL};
rv = C_Initialize(&args);
// SafeSign returns: 0x00000009 (CKR_NEED_TO_CREATE_THREADS)

args.flags = 0;
rv = C_Initialize(&args);
// SafeSign returns: 0x00000000 (CKR_OK)

Proposed Solution

Add a fallback for CKR_NEED_TO_CREATE_THREADS similar to the existing CKR_CANT_LOCK fallback. When a module returns CKR_NEED_TO_CREATE_THREADS, retry initialization with flags=0.

I've attached a patch that implements this solution. The patch:

  • Maintains compatibility with conforming PKCS#11 modules
  • Enables support for SafeSign and potentially other non-conforming modules
  • Follows the same pattern as the existing CKR_CANT_LOCK fallback
  • Has been tested successfully with SafeSign tokens

Impact

This issue affects users of:

  • SafeSign tokens (common in Brazilian government/corporate environments)
  • OpenConnect VPN with certificate authentication
  • Any GnuTLS-based application using PKCS#11

Environment

  • Debian: Sid/Forky
  • GnuTLS: 3.8.11-3
  • SafeSign: IC Standard Linux 3.8.0.0
  • Token: Giesecke & Devrient StarSign CUT S
  • Certificate: ICP-Brasil (Brazilian PKI)

Additional Information

The issue does NOT occur with:

  • pkcs11-tool (OpenSC) - works correctly
  • GnuTLS 3.7.x (Debian Trixie) - works correctly

This suggests the issue was introduced in GnuTLS 3.8.x or that 3.7.x had more lenient initialization logic.

Documentation

Complete investigation and testing documentation available at: https://github.com/dataprev/vpn-safesign-gnutls (if published)

The investigation took approximately 8 hours and included:

  • Analysis of GnuTLS source code
  • Testing with multiple PKCS#11 modules
  • Comparison between GnuTLS 3.7.x and 3.8.x
  • Validation with real-world VPN usage

Patch

Please find attached the patch file: 0001-pkcs11-Add-fallback-for-CKR_NEED_TO_CREATE_THREADS.patch

The patch is minimal (7 lines) and follows GnuTLS coding standards.

sugggested.patch
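
The retry described under "Proposed Solution", as an added sketch that is not the attached patch and not GnuTLS code. The PKCS#11 types are declared inline with the mutex callbacks simplified to `void *`, and `init_with_fallback` and both mock modules are hypothetical names constructed for the example.

```c
#include <stddef.h>

/* Minimal PKCS#11 definitions (constant values per the PKCS#11 spec),
 * declared inline so this builds without pkcs11.h. */
typedef unsigned long CK_RV, CK_FLAGS;
#define CKR_OK                             0x00UL
#define CKR_NEED_TO_CREATE_THREADS         0x09UL
#define CKF_LIBRARY_CANT_CREATE_OS_THREADS 0x01UL
#define CKF_OS_LOCKING_OK                  0x02UL
typedef struct {
    void *CreateMutex, *DestroyMutex, *LockMutex, *UnlockMutex;
    CK_FLAGS flags;
    void *pReserved;
} CK_C_INITIALIZE_ARGS;
typedef CK_RV (*init_fn)(void *);

/* Constructed stand-in for a module that behaves as the report describes. */
static CK_RV mock_threads_needed_init(void *p)
{
    const CK_C_INITIALIZE_ARGS *a = p;
    if (a && (a->flags & CKF_LIBRARY_CANT_CREATE_OS_THREADS))
        return CKR_NEED_TO_CREATE_THREADS;
    return CKR_OK;
}

/* Constructed stand-in for a module that accepts the requested flags. */
static CK_RV mock_conforming_init(void *p) { (void)p; return CKR_OK; }

/* Hypothetical helper: try the strict flags first and retry once with
 * flags=0 only on CKR_NEED_TO_CREATE_THREADS. Other errors are returned. */
static CK_RV init_with_fallback(init_fn c_initialize, CK_FLAGS *used_flags)
{
    CK_C_INITIALIZE_ARGS args = { NULL, NULL, NULL, NULL,
        CKF_OS_LOCKING_OK | CKF_LIBRARY_CANT_CREATE_OS_THREADS, NULL };
    CK_RV rv = c_initialize(&args);

    if (rv == CKR_NEED_TO_CREATE_THREADS) {
        /* flags=0 with NULL mutex callbacks tells the module the caller is
         * single-threaded, so the caller must serialize calls into it. */
        args.flags = 0;
        rv = c_initialize(&args);
    }
    *used_flags = args.flags; /* lets the caller see that locking was dropped */
    return rv;
}

int main(void)
{
    CK_FLAGS f;
    return init_with_fallback(mock_threads_needed_init, &f) == CKR_OK &&
           init_with_fallback(mock_conforming_init, &f) == CKR_OK ? 0 : 1;
}
```

Reporting the flags that were finally accepted lets the caller log the downgrade and keep access to that module on a single thread.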