Bug#1077060: Regression in switch to gnutls: pkcs11 no longer available
Sam Hartman
2024-07-25 16:50:01 UTC
package: curl
version: 8.8.0-2
severity: important

We have been heavily using curl to make API requests using smartcard
authentication. We have a private key and certificate on a Yubikey, and
we use curl to perform a pkcs11-authenticated login to get an API token.

Unfortunately, according to the curl man page, pkcs11 support is only
available if curl is built against openssl.
Wouter Verhelst
2024-08-27 09:50:01 UTC
Package: curl
Version: 8.9.1-2
Followup-For: Bug #1077060
Control: retitle -1 Regression in switch to gnutls: pkcs11 and pkcs12 no longer available

I have a similar problem, but with PKCS#12 files rather than PKCS#11
libraries. GnuTLS tries to interpret them as PEM files, which obviously
goes very wrong.

-- System Information:
Debian Release: trixie/sid
APT prefers testing
APT policy: (999, 'testing'), (500, 'testing-debug'), (500, 'stable'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, arm64

Kernel: Linux 6.10.4-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=nl_BE.UTF-8, LC_CTYPE=nl_BE.UTF-8 (charmap=UTF-8), LANGUAGE=nl_BE:nl
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages curl depends on:
ii libc6 2.39-7
ii libcurl3t64-gnutls 8.9.1-2
ii zlib1g 1:1.3.dfsg+really1.3.1-1

curl recommends no packages.

curl suggests no packages.

-- no debconf information
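Wouter's report is a container-detection failure: a PKCS#12 file handed to a backend that assumes PEM. As an added example (my own code, not from this thread or from curl), here is a sniffer for the first bytes of a credential file that tells PEM, PKCS#12 (PFX) and other DER structures apart and builds explicit curl --cert-type arguments so the TLS backend is never left to guess; the sample blobs are constructed prefixes, not real credentials.

```python
"""Sniff a certificate blob and choose explicit curl --cert-type arguments.
Added example for this thread; the sample blobs below are constructed."""


def classify_cert_blob(data: bytes) -> str:
    """Return 'pem', 'pkcs12', 'der' (other ASN.1 structure) or 'unknown'."""
    head = data.lstrip()[:40]
    if head.startswith(b"-----BEGIN "):
        return "pem"
    # Every DER credential format considered here opens with an ASN.1 SEQUENCE (tag 0x30)
    if len(head) < 2 or head[0] != 0x30:
        return "unknown"
    # Skip the outer SEQUENCE length: short form (< 0x80) or long form (0x8N followed by N bytes)
    i = 2 + (head[1] & 0x7F if head[1] & 0x80 else 0)
    # PKCS#12 PFX is SEQUENCE { version INTEGER 3, authSafe ContentInfo, macData OPTIONAL }
    if head[i:i + 3] == b"\x02\x01\x03":
        return "pkcs12"
    # X.509 certificates start with a nested SEQUENCE; PKCS#8/PKCS#1 keys with version INTEGER 0
    if head[i:i + 1] == b"\x30" or head[i:i + 3] == b"\x02\x01\x00":
        return "der"
    return "unknown"


# curl's --cert-type accepts PEM, DER, ENG and P12
CURL_CERT_TYPE = {"pem": "PEM", "der": "DER", "pkcs12": "P12"}


def curl_cert_args(path: str, data: bytes) -> list[str]:
    """Build ['--cert-type', T, '--cert', path] with the container type stated
    explicitly, so the TLS backend does not have to autodetect it."""
    kind = classify_cert_blob(data)
    if kind not in CURL_CERT_TYPE:
        raise ValueError(f"{path}: unrecognised certificate container")
    return ["--cert-type", CURL_CERT_TYPE[kind], "--cert", path]


# Constructed sample prefixes (not real credentials)
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n"
SAMPLE_P12 = b"\x30\x82\x0a\x3b\x02\x01\x03\x30\x82\x0a\x01\x06\x09"
SAMPLE_DER_CERT = b"\x30\x82\x03\x1e\x30\x82\x02\x06\xa0\x03\x02\x01\x02"

if __name__ == "__main__":
    for name, blob in [("pem", SAMPLE_PEM), ("p12", SAMPLE_P12), ("der", SAMPLE_DER_CERT)]:
        print(name, classify_cert_blob(blob), curl_cert_args("client." + name, blob))
```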
Samuel Henrique
2024-08-27 21:20:01 UTC
Hello Wouter and Sam,

Thanks a lot for reporting this, I'm just replying to say we're aware of the
issue (thanks to the bug report) and we're still yet to perform a proper
investigation and decide what to do next.

This seems to be the biggest threat to the GnuTLS switch so far.

In the meantime, if any of you could provide an easy reproducer, it would save
us a bit of time.

Thank you!
--
Samuel Henrique <samueloph>
Sam Hartman
2024-08-27 21:40:02 UTC
Samuel> This seems to be the biggest threat to the GnuTLS switch so
Samuel> far.

Samuel> In the meantime, if any of you could provide an easy
Samuel> reproducer, it would save us a bit of time.

So, for example with a yubikey with the PIV application configured, I
can log into vault using the following code on bookworm:
import os
import sh  # third-party 'sh' module, used to invoke the curl binary below

curl_args = []
if args.insecure:
    curl_args.append('-k')
# Point curl at the PKCS#11 URI; with the OpenSSL build the key is loaded through the engine
curl_args.extend(['-E', args.pkcs11_url, '--key-type', 'eng'])
curl_args.extend(['--request', 'POST'])
if args.renew:
    url = 'v1/auth/token/renew-self'
    curl_args.extend(['--header', f'x-vault-token: {args.renew}'])
else:
    url = 'v1/auth/cert/login'

# sh has a bug where fd 0 is never considered a tty because 0 is falsy, so we dup fd 0
result = sh.curl(*curl_args, f'{args.vault}{url}', _err=2, _in=os.dup(0))

Where args.pkcs11_url is initialized to
parser.add_argument('--pkcs11-url', '--pkcs11-uri',
                    default="pkcs11:manufacturer=piv_II")
Vasudev Kamath
2024-09-19 05:40:01 UTC
Package: curl
Followup-For: Bug #1077060

Dear Maintainer,

Not really reporting on the bug, but just wondering: now that OpenSSL supports
http3 (from 3.2?), does it even make sense to continue with GnuTLS or revert back?

I'm writing this mail assuming the switch to GnuTLS was for http3 support, as mentioned
in the NEWS file.

Reverting back should solve this bug, right?

Thanks and Regards,
Vasudev

-- System Information:
Debian Release: trixie/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 6.10.9-amd64 (SMP w/20 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages curl depends on:
ii libc6 2.40-2
ii libcurl3t64-gnutls 8.10.0-2
ii zlib1g 1:1.3.dfsg+really1.3.1-1

curl recommends no packages.

curl suggests no packages.

-- no debconf information
Carlos Henrique Lima Melara
2024-09-29 01:40:01 UTC
Hi,
Post by Sam Hartman
We have been heavily using curl to make API requests using smartcard
authentication. We have a private key and certificate on a Yubikey, and
we use curl to perform a pkcs11-authenticated login to get an API token.
Unfortunately, according to the curl man page, pkcs11 support is only
available if curl is built against openssl.
We had some feedback from the discussion in upstream's BTS and
Post by Sam Hartman
curl --cert 'pkcs11:URL' --pass <PIN> https://...
Could you check that, Sam?
Post by Sam Hartman
I have a similar problem, but with PKCS#12 files rather than PKCS#11
libraries. GnuTLS tries to interpret them as PEM files, which obviously
goes very wrong.
It was merged upstream [2] and will be available in the next release
(8.11.0)!

Cheers,
Charles

[1] https://github.com/curl/curl/issues/14925#issuecomment-2373725382
[2] https://github.com/curl/curl/commit/7307c1a289a75e164bd5cf000458f2a5a2f133f4
Samuel Henrique
2024-10-26 17:40:02 UTC
Hello Sam and Wouter,
Post by Carlos Henrique Lima Melara
We had some feedback from the discussion in upstream's BTS and
Post by Sam Hartman
curl --cert 'pkcs11:URL' --pass <PIN> https://...
Could you check that, Sam?
Sam, let us know if you can confirm there's still a problem there, please. It
was said on GitHub that they could make it work, so maybe your issue is only
when doing a specific operation and that might have been missed.
Post by Carlos Henrique Lima Melara
Post by Sam Hartman
I have a similar problem, but with PKCS#12 files rather than PKCS#11
libraries. GnuTLS tries to interpret them as PEM files, which obviously
goes very wrong.
It was merged upstream [2] and will be available in the next release
(8.11.0)!
Wouter, I've pulled the fix into 8.10.1-2, which was uploaded on the 10th of
October; can you check if that fully resolves your issue?

Cheers,
--
Samuel Henrique <samueloph>
Sam Hartman
2024-10-30 19:50:02 UTC
I try something like
curl --cert 'pkcs11:manufacturer=piv_II'
And I get an error:
curl: (3) URL rejected: Port number was not a decimal number between 0
and 65535

Yet I think that's a valid pkcs11 URL.
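The error message Sam quotes is a generic URL parser's complaint about a port, yet a PKCS#11 URI (RFC 7512) has no host or port component at all: the scheme is followed directly by ';'-separated path attributes and an optional '?' query. As an added example (my own code, not curl's or the reporter's), here is a small RFC 7512 parser that accepts the URI from the report and rejects malformed ones.

```python
"""RFC 7512 PKCS#11 URI parser. Added example, not from the bug report or from curl."""
from urllib.parse import unquote, unquote_to_bytes

# Attribute names defined by RFC 7512 (vendor-specific names are permitted as well)
PATH_ATTRS = {"token", "manufacturer", "serial", "model", "library-manufacturer",
              "library-version", "library-description", "object", "type", "id",
              "slot-manufacturer", "slot-description", "slot-id"}
QUERY_ATTRS = {"pin-source", "pin-value", "module-name", "module-path"}


def _parse_attrs(section: str, sep: str, misplaced: set) -> dict:
    """Split 'name=value' pairs. RFC 7512 forbids repeating an attribute and
    fixes which component (path or query) each standard attribute belongs in."""
    attrs = {}
    for item in (section.split(sep) if section else []):
        name, eq, value = item.partition("=")
        if not name or not eq:
            raise ValueError(f"malformed attribute {item!r}")
        if name in attrs:
            raise ValueError(f"attribute {name!r} repeated")
        if name in misplaced:
            raise ValueError(f"attribute {name!r} in the wrong URI component")
        # 'id' is the binary CKA_ID; every other value is percent-encoded UTF-8
        attrs[name] = unquote_to_bytes(value) if name == "id" else unquote(value)
    return attrs


def parse_pkcs11_uri(uri: str) -> tuple[dict, dict]:
    """Return (path_attrs, query_attrs); raise ValueError on a malformed URI.
    There is no authority (host:port) component to validate: 'pkcs11:' is
    followed directly by the path attributes and an optional '?' query."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path, _, query = uri[len("pkcs11:"):].partition("?")
    return _parse_attrs(path, ";", QUERY_ATTRS), _parse_attrs(query, "&", PATH_ATTRS)


if __name__ == "__main__":
    # The URI from the report above: one path attribute, no query, no host or port
    print(parse_pkcs11_uri("pkcs11:manufacturer=piv_II"))
```

A pin-value in the URI, like a PIN given with --pass on the command line, ends up in shell history and process listings; RFC 7512's pin-source attribute, which points at a file, keeps the PIN out of the command line.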
Samuel Henrique
2024-12-22 17:50:01 UTC
Hello Sam,
Post by Sam Hartman
I try something like
curl --cert 'pkcs11:manufacturer=piv_II'
curl: (3) URL rejected: Port number was not a decimal number between 0
and 65535
Yet I think that's a valid pkcs11 URL.
Would you mind contacting upstream about this?

This now looks like a curl issue and since you are able to reproduce and
provide details, it would be great if you could contact them directly.

They are always very helpful and eager to work with bug reporters.

Cheers,
--
Samuel Henrique <samueloph>