** Description changed: [ Impact ] pkcs11-tool in Jammy (opensc=0.22.0-1ubuntu2) fails with `-t` while testing digests: ``` $ sudo pkcs11-tool -l -t Using slot 0 with a present token (0x0) Logging in to "Users". Please enter User PIN: C_SeedRandom() and C_GenerateRandom(): - seeding (C_SeedRandom) not supported - seems to be OK + seeding (C_SeedRandom) not supported + seems to be OK Digests: - all 4 digest functions seem to work - MD5: OK - SHA-1: OK + all 4 digest functions seem to work + MD5: OK + SHA-1: OK error: PKCS11 function C_DigestInit failed: rv = CKR_GENERAL_ERROR (0x5) Aborting. ``` This works in Focal and Noble. The test command provides users with a more firm indication that their smartcard is compatible/functional with OpenSC; it is often used while troubleshooting other issues with smartcards. This particular error occurs because the RIPEMD160 hash function is not included in OpenSSL's default provider in Jammy [1][2]. OpenSC 0.22 does not contain patches that update deprecated usage of OpenSSL 3; they were merged for 0.23 [3][4]. This bug was fixed in that PR (discussed in [5]). It looks to me like this bug showed up in #1972753, although that issue was resolved with a change of OpenSSH configuration. I'm opening this bug report to deal specifically with pkcs11-tool. A backport of [6] is sufficient to resolve the C_DigestInit failure. [1] https://docs.openssl.org/master/man7/EVP_MD-RIPEMD160/ [2] https://docs.openssl.org/master/man7/provider/ [3] https://github.com/OpenSC/OpenSC/issues/2308 [4] https://github.com/OpenSC/OpenSC/pull/2438 [5] https://github.com/OpenSC/OpenSC/issues/2571 [6] https://github.com/OpenSC/OpenSC/commit/c3dcab8b237d42961c0dc12ab2105f3df9073116 [ Test Plan ] Create CA & certificates for a virtual smart card as found at [1]. When creating the CA certificate, include `-2` and answer yes for CA: + [1] https://www.qemu.org/docs/master/system/devices/ccid.html#using-ccid-card-emulated-with-certificates-stored-in-files + ``` + sudo apt install libnss3-tools + + mkdir fake-smartcard + cd fake-smartcard + certutil -N -d sql:$PWD certutil -S -d sql:$PWD -s "CN=Fake Smart Card CA" -x -2 -t TC,TC,TC -n fake-smartcard-ca + certutil -S -d sql:$PWD -t ,, -s "CN=John Doe" -n id-cert -c fake-smartcard-ca + certutil -S -d sql:$PWD -t ,, -s "CN=John Doe (signing)" --nsCertType smime -n signing-cert -c fake-smartcard-ca + certutil -S -d sql:$PWD -t ,, -s "CN=John Doe (encryption)" --nsCertType sslClient -n encryption-cert -c fake-smartcard-ca ``` Export the CA cert as PEM so that it can be added to the VM later: ``` certutil -L -r -d sql:$PWD -o fake-smartcard-ca.cer -n fake-smartcard-ca openssl x509 -in fake-smartcard-ca.cer -out fake-smartcard-ca.crt -outform pem ``` Follow the instructions at [2] to create a cloud-init config drive `seed.img`. Add `fake-smartcard-ca.crt` to `seed.img` and use the following user-data: + [2] https://cloudinit.readthedocs.io/en/latest/howto/launch_qemu.html + ``` + touch network-config + touch meta-data + cat >user-data <<EOF #cloud-config chpasswd: - expire: false - users: - - name: ubuntu - password: password - type: text + expire: false + users: + - default + - name: ubuntu + password: password + type: text + sudo: ALL=(ALL) NOPASSWD:ALL + groups: sudo + shell: /bin/bash + EOF + genisoimage \ + -output seed.img \ + -volid cidata -rational-rock -joliet \ + user-data meta-data network-config fake-smartcard-ca.crt ``` Launch a qemu VM with emulated smart card: ``` + wget https://cloud-images.ubuntu.com/jammy/current/jammy-server-cloudimg-amd64.img sudo qemu-system-x86_64 \ - -enable-kvm \ - -m 1024 \ - -nic user,model=virtio \ - -drive file=jammy-server-cloudimg-amd64.img,media=disk,index=0,if=virtio \ - -drive file=seed.img,index=1,media=cdrom \ - -usb -device usb-ccid -device ccid-card-emulated,backend=certificates,db=sql:$PWD,cert1=id-cert,cert2=signing-cert,cert3=encryption-cert \ - -device virtio-rng-pci - -nographic + -enable-kvm \ + -m 1024 \ + -nic user,model=virtio \ + -drive file=jammy-server-cloudimg-amd64.img,media=disk,index=0,if=virtio \ + -drive file=seed.img,index=1,media=cdrom \ + -usb -device usb-ccid -device ccid-card-emulated,backend=certificates,db=sql:$PWD,cert1=id-cert,cert2=signing-cert,cert3=encryption-cert \ + -device virtio-rng-pci \ + -nographic ``` Log in, install opensc, copy the certificate and trust it: ``` sudo mount /dev/sr0 /mnt sudo cp /mnt/fake-smartcard-ca.crt /usr/local/share/ca-certificates/ sudo update-ca-certificates ``` Test the card with: ``` sudo pkcs11-tool --test --login ``` Authenticating with the card (with `-l`) is not needed to reproduce the failure; testing should be done with `-l` as the last hunk of this patch is only executed when using `-l`. I've seen intermittent failures doing this in the qemu environment; this is likely an issue with `ccid-card-emulated` (pcscd logs report intermittent `commands.c:1571:CCID_Receive Command not supported or not allowed`). I will perform verification with both the virtual environment described here and a VM with a physically passed-through Yubikey. - [1] https://www.qemu.org/docs/master/system/devices/ccid.html#using-ccid-card-emulated-with-certificates-stored-in-files - [2] https://cloudinit.readthedocs.io/en/latest/howto/launch_qemu.html + Test packages are available in the following ppa: + + https://launchpad.net/~whershberger/+archive/ubuntu/opensc-00408323 + + If you install the test packages, the output you should see is: + + <> [ Where problems could occur ] - * These changes only affect the pkcs11-tool binary, specifically only the code - that is invoked with `-t` (see p11_test() defined on pkcs11-tool.c#6394). - Since `-t` is already broken, it's assumed that additional breakage to this - option would be low impact. + * These changes only affect the pkcs11-tool binary, specifically only the code + that is invoked with `-t` (see p11_test() defined on pkcs11-tool.c#6394). + Since `-t` is already broken, it's assumed that additional breakage to this + option would be low impact. - * As noted in the upstream issues, OpenSC 0.22 was not audited for - compatibility with OpenSSL 3.0, so there are possibly some remaining issues - (some fixed in [1]) that this SRU does not address. + * As noted in the upstream issues, OpenSC 0.22 was not audited for + compatibility with OpenSSL 3.0, so there are possibly some remaining issues + (some fixed in [1]) that this SRU does not address. [1] https://github.com/OpenSC/OpenSC/pull/2438
-- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2106434 Title: pkcs11-tool 0.22.0 fails in C_DigestInit with CKR_GENERAL_ERROR To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/opensc/+bug/2106434/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
