[Bug 1908827] [NEW] opensc initrd hook requires dpkg-architecture

2020-12-20 Thread Judd Tracy
Public bug reported:

When adding smartcard support for unlocking a LUKS encrypted volume in
initrd, the update of initrd fails because the hook
'/usr/share/initramfs-tools/hooks/cryptopensc' uses the command
dpkg-architecture to determine the architecture of the libraries to copy
into initrd. The package does not have a dependency (dpkg-dev) to install
the package that contains dpkg-architecture.

I would also say that there really should not be a dependency on
dpkg-dev for opensc either, since it pulls in lots of development
software that is not needed for most systems.


# update-initramfs -u
update-initramfs: Generating /boot/initrd.img-4.15.0-76-generic
/usr/share/initramfs-tools/hooks/cryptopensc: 54: /usr/share/initramfs-tools/hooks/cryptopensc: dpkg-architecture: not found
E: /usr/share/initramfs-tools/hooks/cryptopensc failed with return 1.
update-initramfs: failed for /boot/initrd.img-4.15.0-76-generic with 1.


Versions:
Ubuntu 18.04
opensc 0.17.0-3 amd64

** Affects: opensc (Ubuntu)
 Importance: Undecided
 Status: New


** Tags: bionic

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1908827

Title:
  opensc initrd hook requires dpkg-architecture

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/opensc/+bug/1908827/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1907465] Re: CRL checking of smart card causes Segmentation Fault

2020-12-09 Thread Judd Tracy
** Tags added: amd64 bionic

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1907465

Title:
  CRL checking of smart card causes Segmentation Fault

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pam-pkcs11/+bug/1907465/+subscriptions


[Bug 1907465] [NEW] CRL checking of smart card causes Segmentation Fault

2020-12-09 Thread Judd Tracy
Public bug reported:

I was following the Ubuntu white paper for setting up smart cards
(SmartCardLogin_WhitePapaer_04.03.20.pdf) and ran into an issue with CRL
checking.

Running on 18.04 server minimal install using package version
0.6.9-2build2

I performed the following steps to install and set up:
 * Installed the packages required in the white paper
 * Added my Root and Intermediate certificates to /etc/pam_pkcs11/cacerts and
   ran pkcs11_make_hash_link
 * Installed local versions of the CRLs in /etc/pam_pkcs11/crls and ran
   pkcs11_make_hash_link
 * Copied and unzipped the example config file from
   /usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz to
   /etc/pam_pkcs11/pam_pkcs11.conf
 * Modified /etc/pam_pkcs11/pam_pkcs11.conf to use the subject mapper and
   added crl_auto to the cert_policy
 * Added a subject to the /etc/pam_pkcs11/subject_mapping file

When I try to log in as the user I get a segmentation fault, and when
running pkcs11_inspect I also get the same fault.

With debugging enabled in the pam config file, it first tries to download
the CRLs of the cert and fails; it then attempts to use the local CRLs,
and that is where it fails.

# pkcs11_inspect

DEBUG:cert_vfy.c:229: looking for and dedicated local crl


If I remove crl_auto from the pam config I can authenticate with the user
just fine, but there is no CRL checking being done.

If I perform a strace of pkcs11_inspect it looks like it is trying to
load a CRL that does not exist and fails. There is a recent patch
upstream that seems to address this issue.

# strace pkcs11_inspect

stat("/etc/pam_pkcs11/cacerts/37f834c3.r0", 0x7ffecea217b0) = -1 ENOENT (No such file or directory)
stat("/etc/pam_pkcs11/crls/37f834c3.r0", {st_mode=S_IFREG|0644, st_size=1105, ...}) = 0
openat(AT_FDCWD, "/etc/pam_pkcs11/crls/37f834c3.r0", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=1105, ...}) = 0
read(4, "-BEGIN X509 CRL-\nMIIDBjC"..., 4096) = 1105
read(4, "", 4096) = 0
close(4) = 0
stat("/etc/pam_pkcs11/crls/37f834c3.r1", 0x7ffecea217b0) = -1 ENOENT (No such file or directory)
--- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=NULL} ---
+++ killed by SIGSEGV (core dumped) +++


As seen in the logs, it inspects CRL 37f834c3.r0 but then tries to
inspect 37f834c3.r1, which does not exist.


Here is an upstream bug report
https://github.com/OpenSC/pam_pkcs11/issues/43

Here is an upstream pull request
https://github.com/OpenSC/pam_pkcs11/pull/45

# lsb_release -rd
Descripton:Ubuntu 10.04.5 LTS
Release:   18.04

# apt-cache policy pkgname
libpam-pkcs11:
  Installed: 0.6.9-2build2
  Candidate: 0.6.9-2build2
  Version table:
 *** 0.6.9-2build2 500
        500 http://us.archive.ubuntu.com/ubuntu bionic/universe amd64 Packages
        100 /var/lib/dpkg/status

** Affects: pam-pkcs11 (Ubuntu)
 Importance: Undecided
 Status: New

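
The report above notes that removing crl_auto from cert_policy avoids the crash but leaves no CRL checking in place. The following added example (not from the bug report or the pam_pkcs11 project) audits which revocation setting the active module actually has. It assumes the use_pkcs11_module / pkcs11_module / cert_policy layout of the shipped example config; the function names and the sample config, including the module path, are constructed.

```shell
#!/bin/sh
# Added example: audit the revocation setting in a pam_pkcs11.conf-style file.

# Print the cert_policy of the module selected by use_pkcs11_module.
active_cert_policy() {
    awk '
        { sub(/#.*/, "") }                      # strip comments
        /^[ \t]*use_pkcs11_module[ \t]*=/ { active = value($0) }
        /^[ \t]*pkcs11_module[ \t]+[^ \t{]+[ \t]*[{]/ {
            current = $0                        # name of the block being read
            sub(/^[ \t]*pkcs11_module[ \t]+/, "", current)
            sub(/[ \t]*[{].*/, "", current)
        }
        /^[ \t]*cert_policy[ \t]*=/ { policy[current] = value($0) }
        END { if (active in policy) print policy[active] }
        # value(): text between "=" and ";"
        function value(s) { sub(/^[^=]*=[ \t]*/, "", s); sub(/[ \t]*;.*/, "", s); return s }
    ' "$1"
}

# Print crl_online, crl_offline or crl_auto if set for the active module, else "none".
revocation_mode() {
    policy=$(active_cert_policy "$1")
    mode=none
    for item in $(printf '%s' "$policy" | tr ',' ' '); do
        case $item in
            crl_online|crl_offline|crl_auto) mode=$item ;;
        esac
    done
    printf '%s\n' "$mode"
}

# Constructed sample: the workaround from the report (crl_auto removed from the
# active module); an inactive block still lists it and must not be counted.
sample=$(mktemp)
cat > "$sample" <<'EOF'
pam_pkcs11 {
  use_pkcs11_module = opensc;
  pkcs11_module opensc {
    module = /usr/lib/opensc-pkcs11.so;
    # cert_policy = ca,signature,crl_auto;
    cert_policy = ca,signature;
  }
  pkcs11_module default {
    cert_policy = ca, signature, crl_auto;
  }
}
EOF
echo "revocation checking: $(revocation_mode "$sample")"
rm -f "$sample"
```

A result of "none" on a host running with the workaround means a revoked card certificate would still be accepted until crl_auto (or another crl_* policy) is restored.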