Max PKCS#11 id URI length of 100 characters? #531
Comments
See OpenSC/libp11#531 Bug: b/334151847 Change-Id: I5c458d8e59b760d13d99c4b70669adb530123507
Is anyone following this? I'd also like to know if this is intentional behavior or not? 😅
I reviewed the current code of both OpenSSL and libp11 for this issue, but I failed to find a cause. Was anyone able to reproduce this issue? Which versions of the libraries were tested? Has anyone tested it with a PKCS#11 module other than
Forgive me if this is silly and I'm missing something, but I think the
which results in the same:
I think this suggests that the issue happens somewhere in the parsing code, before getting to the library, right? Let me know if this is wrong. I also tried going through the underlying libp11 code without much luck, though the parsing code is fairly convoluted. Definitely interested in making sure this is not a library-side issue; the original author of our library is not on the team anymore, so who knows if I missed a weird implementation quirk.
@tdbhacks does the ID not need to be percent-encoded? As in
Not sure TBH, but IDs shorter than 100 chars work without percent-encoding so that would be interesting
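The percent-encoding question above concerns how RFC 7512 represents CKA_ID bytes in the `id` attribute of a `pkcs11:` URI. As an added example (not code from this thread, libp11 or kms-integrations), the sketch below builds and parses such URIs with the `id` encoded both ways and compares the encoded length with the 100-character mark reported in this issue; the helper names and sample IDs are constructed for illustration.

```python
from urllib.parse import quote, unquote_to_bytes

# Reserved characters RFC 7512 allows unencoded in a path attribute value
# (pk11-path-res-avail); everything else outside "unreserved" is escaped.
PATH_SAFE = ":[]@!$'()*+,=&"
REPORTED_MARK = 100  # id length at which this issue reports failures

def encode_id(cka_id: bytes, whole: bool = True) -> str:
    """Encode CKA_ID bytes for the `id` attribute (hypothetical helper)."""
    if whole:
        # RFC 7512 recommends percent-encoding the entire id value,
        # because CKA_ID may hold arbitrary binary data.
        return "".join(f"%{b:02X}" for b in cka_id)
    return quote(cka_id, safe=PATH_SAFE)  # escape only what must be escaped

def build_uri(attrs: dict, cka_id: bytes, whole: bool = True) -> str:
    parts = [f"{k}={quote(v, safe=PATH_SAFE)}" for k, v in attrs.items()]
    parts.append("id=" + encode_id(cka_id, whole))
    return "pkcs11:" + ";".join(parts)

def parse_uri(uri: str) -> dict:
    """Return the path attributes as decoded bytes; the query part is dropped."""
    scheme, _, rest = uri.partition(":")
    if scheme != "pkcs11":
        raise ValueError("not a pkcs11: URI")
    attrs = {}
    for item in filter(None, rest.split("?", 1)[0].split(";")):
        name, sep, value = item.partition("=")
        if not sep or name in attrs:
            raise ValueError(f"malformed or duplicate attribute: {item!r}")
        attrs[name] = unquote_to_bytes(value)
    return attrs

def id_lengths(cka_id: bytes) -> dict:
    """Encoded length of the id value in each form, flagged against the mark."""
    out = {}
    for label, whole in (("minimal", False), ("whole", True)):
        n = len(encode_id(cka_id, whole))
        out[label] = (n, n >= REPORTED_MARK)
    return out

if __name__ == "__main__":
    # Constructed sample IDs: the 100 "a"s mentioned in the issue, and a
    # 34-byte ID that only crosses the mark once fully percent-encoded.
    for sample in (b"a" * 100, b"a" * 34):
        uri = build_uri({"token": "my token"}, sample)
        assert parse_uri(uri)["id"] == sample
        print(len(sample), id_lengths(sample))
```

Both encodings decode to the same CKA_ID bytes, so comparing a run with each form separates a limit on the URI text from a limit on the decoded ID.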
@tdbhacks I actually got a different result when running that without
The above looks like it is failing successfully. However, when I ran
@richardkazuomiller did you use If unsetting the env var with something like Double-check me on this:
So I think the enumeration error would show up before the URI error, and just indicates an earlier failure.
@tdbhacks I have not added I think you're probably right that the
Yes but on vacation. The error may be from any level just listing the URI but not saying what actually failed. One way to see PKCS11 calls and responses is to use OpenSC SPY.
Hello,
Apologies if this has been asked already, I did a quick search online but couldn't find any references to "100 characters" or other PKCS#11 URI length limits, though I might have missed a doc somewhere.
Our PKCS#11 library (https://github.com/GoogleCloudPlatform/kms-integrations) uses relatively long key IDs, and I just ran into a surprising failure while trying to generate a self-signed certificate:
"some_id_longer_than_100_characters" has been redacted, but the same behavior can also be reproduced with something simple such as 100 "a"s.
My questions:
I opened an issue in the OpenSSL repo as well, but they rightfully pointed me here. Thank you!