Describe the bug
Currently the pkcs11-provider is able to recreate a new session when it gets closed (implemented in p11prov_get_session and slog_login after calling the session_check). With the exception that it doesn't clear the errors, this works fine and the session gets recreated. The problem happens when some crypto operation (e.g. SignInit) is triggered on the key object that was created during the previous session. This object will use the object handle that no longer exists because the session is no longer existent. So the operation fails and there is no way to recover from this state (except restarting the application), so further operations fail as well.
To Reproduce
Steps to reproduce the behavior:
1. Start pkcs11-proxy daemon
2. Start application (e.g. nginx) using pkcs11-provider using pkcs11 proxy library connection to pkcs11-daemon
3. Trigger some crypto operation (e.g. https request to nginx)
4. Restart pkcs11-proxy daemon (that clears all current sessions)
5. Send another crypto operation (this fails and any further requests fail as well due to using object handles attached to deleted session)
Expected behavior
Key objects should refresh when CKR_OBJECT_HANDLE_INVALID is returned and clear all errors if operation is successful.
Operating environment (please complete the following information):
OS: Ubuntu 20.04 but with custom build of OpenSSL 3.4
Token and application used (please complete the following information):
Additional context
My application uses pkcs11-provider with nginx that checks SSL errors, so it is also important that all errors are cleared. The whole setup is a bit complex but I can provide more info if anyone needs to recreate it. I have actually already debugged everything and have an initial fix, so I'm going to create a PR shortly. If we agree on the approach I would look into some automated tests, so I am not putting all the details of how to manually recreate it here yet.
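The failure and the expected behavior described in this report, as an added example that is not code from pkcs11-provider or from the reporter's fix. It runs against a constructed mock token; `key_ref`, `sign_init_with_refresh`, the `mock_*` functions and the `pending_errors` counter are hypothetical names, and the counter only stands in for the OpenSSL error queue.

```c
#include <stdio.h>

typedef unsigned long CK_RV, CK_ULONG;
#define CKR_OK                    0x00UL
#define CKR_OBJECT_HANDLE_INVALID 0x82UL /* value from the PKCS#11 spec */

/* Mock token (constructed): a handle is valid only in the epoch that issued
 * it; restarting the daemon starts a new epoch and drops all sessions. */
static CK_ULONG epoch = 1;
static int pending_errors; /* stand-in for the OpenSSL error queue */

static void mock_daemon_restart(void) { epoch++; }
static CK_ULONG mock_open_session(void) { return epoch << 8; }
static CK_ULONG mock_find_key(CK_ULONG session) { return session | 1; }
static CK_RV mock_sign_init(CK_ULONG session, CK_ULONG key) {
    if ((key >> 8) == epoch && (session >> 8) == epoch) return CKR_OK;
    pending_errors++; /* every failed call leaves an error behind */
    return CKR_OBJECT_HANDLE_INVALID;
}

/* Hypothetical key wrapper: caches a handle issued by an earlier session. */
struct key_ref { CK_ULONG handle; int refreshes; };

/* Retry once on CKR_OBJECT_HANDLE_INVALID after looking the key up again in
 * the current session; on success drop the errors the failed try queued. */
static CK_RV sign_init_with_refresh(CK_ULONG session, struct key_ref *key) {
    int mark = pending_errors; /* like ERR_set_mark() */
    CK_RV rv = mock_sign_init(session, key->handle);
    if (rv != CKR_OBJECT_HANDLE_INVALID) return rv;
    key->handle = mock_find_key(session);
    key->refreshes++;
    rv = mock_sign_init(session, key->handle);
    if (rv == CKR_OK) pending_errors = mark; /* like ERR_pop_to_mark() */
    return rv;
}

/* Runs the reproduction steps from the report against the mock. */
static int demo(void) {
    struct key_ref key = { mock_find_key(mock_open_session()), 0 };
    mock_daemon_restart();
    CK_ULONG session = mock_open_session(); /* session re-created */
    CK_RV stale = mock_sign_init(session, key.handle); /* reported failure */
    pending_errors = 0;
    CK_RV fixed = sign_init_with_refresh(session, &key);
    return stale == CKR_OBJECT_HANDLE_INVALID && fixed == CKR_OK
        && key.refreshes == 1 && pending_errors == 0;
}
int main(void) { printf("recovered: %d\n", demo()); return 0; }
```

With a real token the re-lookup would search by a stable attribute of the key rather than reuse a cached handle, and the retry is bounded to one attempt so a key that is really gone still surfaces as an error.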