** Description changed:

  [ Impact ]
  
  pkcs11-tool in Jammy (opensc=0.22.0-1ubuntu2) fails with `-t` while
  testing digests:
  
  ```
  $ sudo pkcs11-tool -l -t
  Using slot 0 with a present token (0x0)
  Logging in to "Users".
  Please enter User PIN:
  C_SeedRandom() and C_GenerateRandom():
    seeding (C_SeedRandom) not supported
    seems to be OK
  Digests:
    all 4 digest functions seem to work
    MD5: OK
    SHA-1: OK
  error: PKCS11 function C_DigestInit failed: rv = CKR_GENERAL_ERROR (0x5)
  Aborting.
  ```
  
  This works in Focal and Noble. The test command provides users with a
  more firm indication that their smartcard is compatible/functional with
  OpenSC; it is often used while troubleshooting other issues with
  smartcards.
  
  This particular error occurs because the RIPEMD160 hash function is not
  included in OpenSSL's default provider in Jammy [1][2].
  
  OpenSC 0.22 does not contain patches that update deprecated usage of
  OpenSSL 3; they were merged for 0.23 [3][4]. This bug was fixed in that
  PR (discussed in [5]).
  
  It looks to me like this bug showed up in #1972753, although that issue
  was resolved with a change of OpenSSH configuration. I'm opening this
  bug report to deal specifically with pkcs11-tool.
  
  A backport of [6] is sufficient to resolve the C_DigestInit failure.
  
  [1] https://docs.openssl.org/master/man7/EVP_MD-RIPEMD160/
  [2] https://docs.openssl.org/master/man7/provider/
  [3] https://github.com/OpenSC/OpenSC/issues/2308
  [4] https://github.com/OpenSC/OpenSC/pull/2438
  [5] https://github.com/OpenSC/OpenSC/issues/2571
  [6] 
https://github.com/OpenSC/OpenSC/commit/c3dcab8b237d42961c0dc12ab2105f3df9073116
  
  [ Test Plan ]
  
  Create CA & certificates for a virtual smart card as found at [1].
  
  Follow the instructions at [2] to create a cloud-init config drive `seed.img` 
with the following user-data:
  ```
  #cloud-config
  chpasswd:
    expire: false
    users:
      - name: ubuntu
        password: password
        type: text
  ```
  
  Launch a qemu VM with emulated smart card:
  ```
  sudo qemu-system-x86_64 \
    -enable-kvm \
    -m 1024 \
    -nic user,model=virtio \
-   -drive file=root.img,media=disk,index=0,if=virtio \
+   -drive file=jammy-server-cloudimg-amd64.img,media=disk,index=0,if=virtio \
    -drive file=seed.img,index=1,media=cdrom \
    -usb -device usb-ccid -device 
ccid-card-emulated,backend=certificates,db=sql:$PWD,cert1=id-cert,cert2=signing-cert,cert3=encryption-cert
 \
    -nographic
  ```
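Review bot: the changed `-drive file=jammy-server-cloudimg-amd64.img,...,if=virtio` line boots the downloaded cloud image read-write, so the opensc install and any debugging done in the VM persist into it, and a second run of this test plan no longer starts from a pristine Jammy image (the removed line's `root.img` reads like it was meant to be a working copy). Suggest either copying the image first (`cp jammy-server-cloudimg-amd64.img root.img` and keeping the old `-drive file=root.img,...` line) or appending `snapshot=on` to that `-drive` option so writes go to a temporary overlay.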
  
  Log in, install opensc and test the card with:
  ```
  sudo pkcs11-tool -t
  ```
  
- Authenticating with the card (with -l) is not needed to reproduce the
- failure.
+ Authenticating with the card (with `-l`) is not needed to reproduce the
+ failure; testing should be done with -l as the last hunk of this patch
+ is only executed when using `-l`.
+ 
+ [ Where problems could occur ]
+ 
+  * These changes only affect the pkcs11-tool binary, specifically only the 
code
+    that is invoked with `-t` (see p11_test() defined on pkcs11-tool.c#6394).
+    Since `-t` is already broken, it's assumed that additional breakage to this
+    option would be low impact.
+ 
+  * As noted in the upstream issues, OpenSC 0.22 was not audited for 
compatibility
+    with OpenSSL 3.0, so there are possibly some remaining issues (some fixed 
in [3])
+    that this SRU does not address.
  
  [1] 
https://www.qemu.org/docs/master/system/devices/ccid.html#using-ccid-card-emulated-with-certificates-stored-in-files
  [2] https://cloudinit.readthedocs.io/en/latest/howto/launch_qemu.html
+ [3] https://github.com/OpenSC/OpenSC/pull/2438
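Review bot: the added sentence "testing should be done with `-l` as the last hunk of this patch is only executed when using `-l`" contradicts the test command a few lines above, which is still `sudo pkcs11-tool -t`; change that command to `sudo pkcs11-tool -l -t` (the form used in the Impact section's reproduction) so verifiers actually exercise the logged-in path. The `[3]` appended to the reference list at the end of this section points at pull request 2438, while `[3]` in the Impact section is issue 2308, and the new `[ Where problems could occur ]` bullet cites "(some fixed in [3])" without saying which list it means; either continue the Impact numbering or name the PR inline. Also, `pkcs11-tool.c#6394` is a bare line number; tie it to the 0.22.0 source or to the backported commit so it stays meaningful once the patch shifts lines.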

** Description changed:

  [ Impact ]
  
  pkcs11-tool in Jammy (opensc=0.22.0-1ubuntu2) fails with `-t` while
  testing digests:
  
  ```
  $ sudo pkcs11-tool -l -t
  Using slot 0 with a present token (0x0)
  Logging in to "Users".
  Please enter User PIN:
  C_SeedRandom() and C_GenerateRandom():
-   seeding (C_SeedRandom) not supported
-   seems to be OK
+   seeding (C_SeedRandom) not supported
+   seems to be OK
  Digests:
-   all 4 digest functions seem to work
-   MD5: OK
-   SHA-1: OK
+   all 4 digest functions seem to work
+   MD5: OK
+   SHA-1: OK
  error: PKCS11 function C_DigestInit failed: rv = CKR_GENERAL_ERROR (0x5)
  Aborting.
  ```
  
  This works in Focal and Noble. The test command provides users with a
  more firm indication that their smartcard is compatible/functional with
  OpenSC; it is often used while troubleshooting other issues with
  smartcards.
  
  This particular error occurs because the RIPEMD160 hash function is not
  included in OpenSSL's default provider in Jammy [1][2].
  
  OpenSC 0.22 does not contain patches that update deprecated usage of
  OpenSSL 3; they were merged for 0.23 [3][4]. This bug was fixed in that
  PR (discussed in [5]).
  
  It looks to me like this bug showed up in #1972753, although that issue
  was resolved with a change of OpenSSH configuration. I'm opening this
  bug report to deal specifically with pkcs11-tool.
  
  A backport of [6] is sufficient to resolve the C_DigestInit failure.
  
  [1] https://docs.openssl.org/master/man7/EVP_MD-RIPEMD160/
  [2] https://docs.openssl.org/master/man7/provider/
  [3] https://github.com/OpenSC/OpenSC/issues/2308
  [4] https://github.com/OpenSC/OpenSC/pull/2438
  [5] https://github.com/OpenSC/OpenSC/issues/2571
  [6] 
https://github.com/OpenSC/OpenSC/commit/c3dcab8b237d42961c0dc12ab2105f3df9073116
  
  [ Test Plan ]
  
  Create CA & certificates for a virtual smart card as found at [1].
  
  Follow the instructions at [2] to create a cloud-init config drive `seed.img` 
with the following user-data:
  ```
  #cloud-config
  chpasswd:
-   expire: false
-   users:
-     - name: ubuntu
-       password: password
-       type: text
+   expire: false
+   users:
+     - name: ubuntu
+       password: password
+       type: text
  ```
  
  Launch a qemu VM with emulated smart card:
  ```
  sudo qemu-system-x86_64 \
-   -enable-kvm \
-   -m 1024 \
-   -nic user,model=virtio \
-   -drive file=jammy-server-cloudimg-amd64.img,media=disk,index=0,if=virtio \
-   -drive file=seed.img,index=1,media=cdrom \
-   -usb -device usb-ccid -device 
ccid-card-emulated,backend=certificates,db=sql:$PWD,cert1=id-cert,cert2=signing-cert,cert3=encryption-cert
 \
-   -nographic
+   -enable-kvm \
+   -m 1024 \
+   -nic user,model=virtio \
+   -drive file=jammy-server-cloudimg-amd64.img,media=disk,index=0,if=virtio \
+   -drive file=seed.img,index=1,media=cdrom \
+   -usb -device usb-ccid -device 
ccid-card-emulated,backend=certificates,db=sql:$PWD,cert1=id-cert,cert2=signing-cert,cert3=encryption-cert
 \
+   -nographic
  ```
  
  Log in, install opensc and test the card with:
  ```
  sudo pkcs11-tool -t
  ```
  
  Authenticating with the card (with `-l`) is not needed to reproduce the
- failure; testing should be done with -l as the last hunk of this patch
+ failure; testing should be done with `-l` as the last hunk of this patch
  is only executed when using `-l`.
  
  [ Where problems could occur ]
  
-  * These changes only affect the pkcs11-tool binary, specifically only the 
code
-    that is invoked with `-t` (see p11_test() defined on pkcs11-tool.c#6394).
-    Since `-t` is already broken, it's assumed that additional breakage to this
-    option would be low impact.
+  * These changes only affect the pkcs11-tool binary, specifically only the 
code
+    that is invoked with `-t` (see p11_test() defined on pkcs11-tool.c#6394).
+    Since `-t` is already broken, it's assumed that additional breakage to this
+    option would be low impact.
  
-  * As noted in the upstream issues, OpenSC 0.22 was not audited for 
compatibility
-    with OpenSSL 3.0, so there are possibly some remaining issues (some fixed 
in [3])
-    that this SRU does not address.
+  * As noted in the upstream issues, OpenSC 0.22 was not audited for 
compatibility
+    with OpenSSL 3.0, so there are possibly some remaining issues (some fixed 
in [3])
+    that this SRU does not address.
  
  [1] 
https://www.qemu.org/docs/master/system/devices/ccid.html#using-ccid-card-emulated-with-certificates-stored-in-files
  [2] https://cloudinit.readthedocs.io/en/latest/howto/launch_qemu.html
  [3] https://github.com/OpenSC/OpenSC/pull/2438
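
The Impact section above pins the C_DigestInit failure on RIPEMD160 being absent from the OpenSSL default provider in Jammy. The following probe, added here as an illustration and not taken from OpenSC or from the bug report, checks the host side of that claim: for each digest it feeds the known-answer message "abc" through `openssl dgst`, first with the default provider and then with the legacy provider loaded as well, and classifies the outcome. The expected hex values are the published test vectors for each algorithm; the `openssl` invocations, the `-provider legacy -provider default` flags and the status names are this example's own choices, and the script tolerates a host with no `openssl` at all.

```sh
#!/bin/sh
# Probe which digests this host's OpenSSL can compute, and from which provider.
# Added illustration for the failure analysed in the bug report above; it is not
# code from OpenSC or from the report. Assumes only the `openssl` CLI, and copes
# with its absence.

# Known-answer vectors for the one-block message "abc" (from the respective
# algorithm specifications); a digest counts as working only if it reproduces these.
MD5_ABC=900150983cd24fb0d6963f7d28e17f72
SHA1_ABC=a9993e364706816aba3e25717850c26c9cd0d89d
RIPEMD160_ABC=8eb208f7e05d987a9b044a8e98c6b087f15a0bfc
SHA256_ABC=ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad

# digest_hex NAME [PROVIDER OPTIONS...]: hex digest of "abc" via `openssl dgst -NAME`,
# or empty output when openssl rejects the algorithm (stderr is discarded; the
# "NAME(stdin)= <hex>" line is reduced to the hex part).
digest_hex() {
    name=$1; shift
    printf 'abc' | openssl dgst "-$name" "$@" 2>/dev/null | sed 's/.*= //'
}

# digest_status NAME EXPECTED prints one of:
#   missing      no openssl binary on PATH
#   default      computed correctly with the default provider (OpenSSL 1.1, or 3.x
#                builds whose default provider still carries the algorithm)
#   legacy       computed correctly only once the legacy provider is loaded too;
#                for RIPEMD160 this is the Jammy situation behind the C_DigestInit error
#   unavailable  no provider reproduces the expected digest
digest_status() {
    name=$1; expected=$2
    command -v openssl >/dev/null 2>&1 || { echo missing; return; }
    if [ "$(digest_hex "$name")" = "$expected" ]; then
        echo default
    elif [ "$(digest_hex "$name" -provider legacy -provider default)" = "$expected" ]; then
        echo legacy
    else
        echo unavailable
    fi
}

# Report the two digests that pass in the bug output, the one the report blames
# for the abort, and SHA-256 as a control.
report() {
    for entry in "md5 $MD5_ABC" "sha1 $SHA1_ABC" "ripemd160 $RIPEMD160_ABC" "sha256 $SHA256_ABC"; do
        set -- $entry
        printf '%-10s %s\n' "$1" "$(digest_status "$1" "$2")"
    done
}

report
```

On a Jammy host the expectation, following the Impact section rather than anything the report prints, is `default` for md5 and sha1 and `legacy` for ripemd160, which lines up with the point in the `pkcs11-tool -t` output where the run aborts; on Focal (OpenSSL 1.1) all four come out `default`. Activating the legacy provider system-wide in openssl.cnf would presumably let the host-side digest succeed (an assumption of this note, not something the report tests), but it also re-enables every weak legacy algorithm for every libcrypto consumer on the box, which is why the backported commit, not a configuration change, is the right fix.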

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2106434

Title:
  pkcs11-tool 0.22.0 fails in C_DigestInit with CKR_GENERAL_ERROR

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/opensc/+bug/2106434/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
