p11tool uses an R/O session when logging in as SO
Description of problem:
p11tool tries to use an R/O session when the user requests SO login. This is not allowed by the PKCS#11 specification. The SO can only log in using R/W sessions.
This was originally reported in: https://bugzilla.redhat.com/show_bug.cgi?id=1685434
See also the discussion in: https://github.com/opendnssec/SoftHSMv2/issues/451
Version of gnutls used:
The following versions were used in the original report:
- gnutls-utils-3.6.5-2.fc29.x86_64
- softhsm-2.5.0-2.fc29.x86_64
I reproduced the issue using the current master (c7c01872).
Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL):
Fedora 29
How reproducible:
always
Steps to Reproduce:
- Initialize a new token using SoftHSM:
$ softhsm2-util --init-token --label softhsm --free --pin 1234 --so-pin 1234
- Generate a key pair (to have an object to be listed):
$ p11tool --generate-privkey=RSA --bits=2048 --label=pkey --login --set-pin=1234 pkcs11:token=softhsm
- Try to list the objects using SO login:
$ p11tool --list-all --so-login --set-so-pin=1234 pkcs11:token=softhsm
Actual results:
$ p11tool -d9 --list-all --so-login --set-so-pin=1234 pkcs11:token=softhsm
Setting log level to 9
|<2>| p11: Initializing module: p11-kit-trust
|<2>| p11: Initializing module: opensc
|<2>| p11: Initializing module: softhsm2
|<3>| ASSERT: pkcs11.c[compat_load]:894
|<2>| p11: No login requested.
|<2>| p11: Login result = A read-only session exists (183)
|<3>| ASSERT: pkcs11.c[_pkcs11_traverse_tokens]:1620
|<3>| ASSERT: pkcs11.c[gnutls_pkcs11_obj_list_import_url4]:3510
Error in crt_list_import (1): PKCS #11 error in session
Expected results:
Objects listed (only public).
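To make the failure above concrete, here is an added example (not GnuTLS or SoftHSM code) in C that models the PKCS#11 session and login rules involved. The CK* constant values are the ones from the standard pkcs11.h (CKR_SESSION_READ_ONLY_EXISTS is 0xB7, i.e. the 183 printed in the log above); the token structure, the function names and the single-token state are assumptions of this model, not how p11tool or SoftHSM are implemented. It reproduces the reported sequence (R/O session, then C_Login with CKU_SO), the fix (request CKF_RW_SESSION before an SO login), and the caveat that a R/W session is not enough if any other R/O session is still open on the same token.

```c
/* Added example: a minimal model of the PKCS#11 rules behind error 183.
 * Constant values match pkcs11.h; the token model itself is an assumption. */
#include <stdio.h>

typedef unsigned long CK_RV;
typedef unsigned long CK_FLAGS;
typedef unsigned long CK_USER_TYPE;
typedef unsigned long CK_SESSION_HANDLE;

#define CKF_RW_SESSION                   0x00000002UL
#define CKF_SERIAL_SESSION               0x00000004UL
#define CKU_SO                           0UL
#define CKU_USER                         1UL
#define CKR_OK                           0x00UL
#define CKR_SESSION_COUNT                0xB1UL
#define CKR_SESSION_HANDLE_INVALID       0xB3UL
#define CKR_SESSION_PARALLEL_NOT_SUPPORTED 0xB4UL
#define CKR_SESSION_READ_ONLY_EXISTS     0xB7UL   /* 183 decimal, as in the log */
#define CKR_SESSION_READ_WRITE_SO_EXISTS 0xB8UL
#define CKR_USER_ALREADY_LOGGED_IN       0x100UL
#define CKR_USER_TYPE_INVALID            0x103UL

#define MAX_SESSIONS 8

struct session { int open; CK_FLAGS flags; };

/* Hypothetical single-token state: open sessions plus who is logged in. */
struct token {
    struct session s[MAX_SESSIONS];
    int so_logged_in;
    int user_logged_in;
};

/* C_OpenSession model: serial sessions only; no new R/O session while the SO is in. */
static CK_RV open_session(struct token *t, CK_FLAGS flags, CK_SESSION_HANDLE *h) {
    if (!(flags & CKF_SERIAL_SESSION)) return CKR_SESSION_PARALLEL_NOT_SUPPORTED;
    if (t->so_logged_in && !(flags & CKF_RW_SESSION)) return CKR_SESSION_READ_WRITE_SO_EXISTS;
    for (int i = 0; i < MAX_SESSIONS; i++) {
        if (!t->s[i].open) {
            t->s[i].open = 1; t->s[i].flags = flags; *h = (CK_SESSION_HANDLE)i + 1;
            return CKR_OK;
        }
    }
    return CKR_SESSION_COUNT;
}

static int ro_session_exists(const struct token *t) {
    for (int i = 0; i < MAX_SESSIONS; i++)
        if (t->s[i].open && !(t->s[i].flags & CKF_RW_SESSION)) return 1;
    return 0;
}

/* C_Login model: the SO may only log in when no R/O session is open on the token. */
static CK_RV login(struct token *t, CK_SESSION_HANDLE h, CK_USER_TYPE user) {
    if (h < 1 || h > MAX_SESSIONS || !t->s[h - 1].open) return CKR_SESSION_HANDLE_INVALID;
    if (t->so_logged_in || t->user_logged_in) return CKR_USER_ALREADY_LOGGED_IN;
    if (user == CKU_SO) {
        if (ro_session_exists(t)) return CKR_SESSION_READ_ONLY_EXISTS;
        t->so_logged_in = 1;
        return CKR_OK;
    }
    if (user == CKU_USER) { t->user_logged_in = 1; return CKR_OK; }
    return CKR_USER_TYPE_INVALID;
}

/* What p11tool did: R/O session, then SO login -> CKR_SESSION_READ_ONLY_EXISTS (183). */
CK_RV buggy_so_login(void) {
    struct token t = {0}; CK_SESSION_HANDLE h = 0;
    if (open_session(&t, CKF_SERIAL_SESSION, &h) != CKR_OK) return CKR_SESSION_COUNT;
    return login(&t, h, CKU_SO);
}

/* The fix: request a R/W session whenever an SO login is going to follow -> CKR_OK. */
CK_RV fixed_so_login(void) {
    struct token t = {0}; CK_SESSION_HANDLE h = 0;
    if (open_session(&t, CKF_SERIAL_SESSION | CKF_RW_SESSION, &h) != CKR_OK) return CKR_SESSION_COUNT;
    return login(&t, h, CKU_SO);
}

/* Caveat: a leftover R/O session on the same token still blocks the SO, even via a R/W one. */
CK_RV so_login_with_stale_ro_session(void) {
    struct token t = {0}; CK_SESSION_HANDLE ro = 0, rw = 0;
    open_session(&t, CKF_SERIAL_SESSION, &ro);
    open_session(&t, CKF_SERIAL_SESSION | CKF_RW_SESSION, &rw);
    return login(&t, rw, CKU_SO);
}

/* Contrast: the normal user (what --login does) is allowed in over an R/O session. */
CK_RV user_login_ro(void) {
    struct token t = {0}; CK_SESSION_HANDLE h = 0;
    open_session(&t, CKF_SERIAL_SESSION, &h);
    return login(&t, h, CKU_USER);
}

int main(void) {
    printf("R/O session + SO login : 0x%lX\n", buggy_so_login());
    printf("R/W session + SO login : 0x%lX\n", fixed_so_login());
    printf("stale R/O + SO login   : 0x%lX\n", so_login_with_stale_ro_session());
    printf("R/O session + user     : 0x%lX\n", user_login_ro());
    return 0;
}
```

The practical check this suggests for the fix in p11tool: whenever `--so-login` is requested, the session must be opened with `CKF_RW_SESSION` set, and if the tool keeps any earlier R/O session to the same token open (e.g. from token enumeration) that session has to be closed first, or the SO login still fails with the same 183.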