Invalid object handles refreshing #494

Open
bukka opened this issue Dec 27, 2024 · 1 comment

bukka commented Dec 27, 2024

Describe the bug

Currently the pkcs11-provider is able to recreate a new session when it gets closed (implemented in p11prov_get_session and slot_login after calling the session_check). With the exception that it doesn't clear the errors, this works fine and the session gets recreated. The problem happens when some crypto operation (e.g. SignInit) is triggered on the key object that was created during the previous session. This object will use an object handle that no longer exists because the session no longer exists. So the operation fails and there is no way to recover from this state (except restarting the application), so further operations fail as well.

To Reproduce
Steps to reproduce the behavior:

  1. Start pkcs11-proxy daemon
  2. Start the application (e.g. nginx) using pkcs11-provider with a pkcs11-proxy library connection to pkcs11-daemon
  3. Trigger some crypto operation (e.g. https request to nginx)
  4. Restart pkcs11-proxy daemon (that clears all current sessions)
  5. Send another crypto operation (this fails and any further requests fail as well due to using object handles attached to deleted session)

Expected behavior

Key objects should refresh when CKR_OBJECT_HANDLE_INVALID is returned, and all errors should be cleared if the operation is successful.

Operating environment (please complete the following information):

  • OS: Ubuntu 20.04 but with custom build of OpenSSL 3.4

Token and application used (please complete the following information):

Additional context

My application uses pkcs11-provider with nginx that checks ssl errors so it is also important that all errors are cleared. The whole setup is a bit complex but I can provide more info if anyone needs to recreate it. I have actually already debugged everything and have an initial fix, so I'm going to create a PR shortly. If we agree on the approach I would look into some automated tests, so I'm not putting all the details of how to manually recreate it here yet.

bukka commented Dec 27, 2024

Draft of the fix proposed in #495
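
The failure mode and the requested behaviour from this issue, as an added sketch that is not code from pkcs11-provider or from the fix in #495. It assumes a constructed in-memory mock token (`mock_*`), a hypothetical `struct key` that keeps a stable ID next to the cached handle, and an integer standing in for the error queue; session reopening is folded into the mock.

```c
/* Return codes as defined by the PKCS#11 specification. */
#define CKR_OK                    0x00UL
#define CKR_OBJECT_HANDLE_INVALID 0x82UL

typedef unsigned long CK_RV, CK_OBJECT_HANDLE;

/* Constructed mock token behind a proxy: an object handle is only valid
 * for the daemon "generation" in which it was looked up. */
static unsigned long generation = 1;
void mock_daemon_restart(void) { generation++; }

CK_OBJECT_HANDLE mock_find_by_id(unsigned id) {
    return generation * 1000 + id;   /* handle value changes per restart */
}
CK_RV mock_sign_init(CK_OBJECT_HANDLE h) {
    return (h / 1000 == generation) ? CKR_OK : CKR_OBJECT_HANDLE_INVALID;
}

/* Hypothetical key object: the stable ID (think CKA_ID) survives a
 * restart, the cached handle does not. */
struct key { unsigned id; CK_OBJECT_HANDLE handle; };

int err_queue;   /* stand-in for the depth of the application's error queue */

void key_load(struct key *k, unsigned id) {
    k->id = id;
    k->handle = mock_find_by_id(id);
}

/* Behaviour described in the report: the stale handle is reused forever. */
CK_RV sign_init_no_refresh(struct key *k) {
    CK_RV rv = mock_sign_init(k->handle);
    if (rv != CKR_OK) err_queue++;
    return rv;
}

/* Requested behaviour: refresh the handle once on
 * CKR_OBJECT_HANDLE_INVALID and leave no error queued on success
 * (with OpenSSL: ERR_set_mark() before, ERR_pop_to_mark() after). */
CK_RV sign_init_refresh(struct key *k) {
    int mark = err_queue;
    CK_RV rv = mock_sign_init(k->handle);
    if (rv == CKR_OBJECT_HANDLE_INVALID) {
        err_queue++;                         /* failed attempt is recorded */
        k->handle = mock_find_by_id(k->id);  /* look the object up again */
        rv = mock_sign_init(k->handle);      /* retry exactly once */
    }
    if (rv == CKR_OK) err_queue = mark;      /* success: drop stale errors */
    else err_queue++;
    return rv;
}
```

The single retry matters: if the lookup itself keeps returning an unusable handle, the caller gets the error back instead of looping.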
