** Description changed:
[ Impact ]
pkcs11-tool in Jammy (opensc=0.22.0-1ubuntu2) fails with `-t` while
testing digests:
```
$ sudo pkcs11-tool -l -t
Using slot 0 with a present token (0x0)
Logging in to "Users".
Please enter User PIN:
C_SeedRandom() and C_GenerateRandom():
seeding (C_SeedRandom) not supported
seems to be OK
Digests:
all 4 digest functions seem to work
MD5: OK
SHA-1: OK
error: PKCS11 function C_DigestInit failed: rv = CKR_GENERAL_ERROR (0x5)
Aborting.
```
This works in Focal and Noble. The test command provides users with a
more firm indication that their smartcard is compatible/functional with
OpenSC; it is often used while troubleshooting other issues with
smartcards.
This particular error occurs because the RIPEMD160 hash function is not
included in OpenSSL's default provider in Jammy [1][2].
OpenSC 0.22 does not contain patches that update deprecated usage of
OpenSSL 3; they were merged for 0.23 [3][4]. This bug was fixed in that
PR (discussed in [5]).
It looks to me like this bug showed up in #1972753, although that issue
was resolved with a change of OpenSSH configuration. I'm opening this
bug report to deal specifically with pkcs11-tool.
A backport of [6] is sufficient to resolve the C_DigestInit failure.
[1] https://docs.openssl.org/master/man7/EVP_MD-RIPEMD160/
[2] https://docs.openssl.org/master/man7/provider/
[3] https://github.com/OpenSC/OpenSC/issues/2308
[4] https://github.com/OpenSC/OpenSC/pull/2438
[5] https://github.com/OpenSC/OpenSC/issues/2571
[6]
https://github.com/OpenSC/OpenSC/commit/c3dcab8b237d42961c0dc12ab2105f3df9073116
[ Test Plan ]
Create CA & certificates for a virtual smart card as found at [1]. When
creating the CA certificate, include `-2` and answer yes for CA:
```
certutil -S -d sql:$PWD -s "CN=Fake Smart Card CA" -x -2 -t TC,TC,TC -n
fake-smartcard-ca
```
Export the CA cert as PEM so that it can be added to the VM later:
```
certutil -L -r -d sql:$PWD -o fake-smartcard-ca.cer -n fake-smartcard-ca
openssl x509 -in fake-smartcard-ca.cer -out fake-smartcard-ca.crt -outform pem
```
Follow the instructions at [2] to create a cloud-init config drive
`seed.img`. Add `fake-smartcard-ca.crt` to `seed.img` and use the following
user-data:
```
#cloud-config
chpasswd:
expire: false
users:
- name: ubuntu
password: password
type: text
```
Launch a qemu VM with emulated smart card:
```
sudo qemu-system-x86_64 \
-enable-kvm \
-m 1024 \
-nic user,model=virtio \
-drive file=jammy-server-cloudimg-amd64.img,media=disk,index=0,if=virtio \
-drive file=seed.img,index=1,media=cdrom \
-usb -device usb-ccid -device
ccid-card-emulated,backend=certificates,db=sql:$PWD,cert1=id-cert,cert2=signing-cert,cert3=encryption-cert
\
+ -device virtio-rng-pci
-nographic
```
- Log in, install opensc, copy the certificate and import it:
+ Log in, install opensc, copy the certificate and trust it:
```
sudo mount /dev/sr0 /mnt
sudo cp /mnt/fake-smartcard-ca.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates
```
- test the card with:
+ Test the card with:
```
sudo pkcs11-tool --test --login
```
Authenticating with the card (with `-l`) is not needed to reproduce the
failure; testing should be done with `-l` as the last hunk of this patch
is only executed when using `-l`.
+
+ I've seen intermittent failures doing this in the qemu environment; this
+ is likely an issue with `ccid-card-emulated` (pcscd logs report
+ intermittent `commands.c:1571:CCID_Receive Command not supported or not
+ allowed`). I will perform verification with both the virtual environment
+ described here and a VM with a physically passed-through Yubikey.
[1]
https://www.qemu.org/docs/master/system/devices/ccid.html#using-ccid-card-emulated-with-certificates-stored-in-files
[2] https://cloudinit.readthedocs.io/en/latest/howto/launch_qemu.html
[ Where problems could occur ]
* These changes only affect the pkcs11-tool binary, specifically only the
code
that is invoked with `-t` (see p11_test() defined on pkcs11-tool.c#6394).
Since `-t` is already broken, it's assumed that additional breakage to this
option would be low impact.
* As noted in the upstream issues, OpenSC 0.22 was not audited for
compatibility with OpenSSL 3.0, so there are possibly some remaining issues
(some fixed in [1]) that this SRU does not address.
[1] https://github.com/OpenSC/OpenSC/pull/2438
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2106434
Title:
pkcs11-tool 0.22.0 fails in C_DigestInit with CKR_GENERAL_ERROR
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/opensc/+bug/2106434/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
