[Bug 2106434] Re: pkcs11-tool 0.22.0 fails in C_DigestInit with CKR_GENERAL_ERROR

2025-05-19 Thread Launchpad Bug Tracker
This bug was fixed in the package opensc - 0.22.0-1ubuntu2.1

---
opensc (0.22.0-1ubuntu2.1) jammy; urgency=medium

  * Include the openssl legacy provider in pkcs11-tool to support
RIPEMD160 in openssl 3.0 in jammy. (LP: #2106434)
- d/p/lp2106434-pkcs11-tool-load-legacy-provider-for-RIPEMD160.patch

 -- Wesley Hershberger   Mon, 07 Apr 2025 11:00:03 -0500

** Changed in: opensc (Ubuntu Jammy)
   Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2106434

Title:
  pkcs11-tool 0.22.0 fails in C_DigestInit with CKR_GENERAL_ERROR

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/opensc/+bug/2106434/+subscriptions


-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 2106434] Re: pkcs11-tool 0.22.0 fails in C_DigestInit with CKR_GENERAL_ERROR

2025-05-12 Thread Karl Grindley
I've also been able to verify with a physical PKI device - all seems to
be working!


[Bug 2106434] Re: pkcs11-tool 0.22.0 fails in C_DigestInit with CKR_GENERAL_ERROR

2025-05-06 Thread Wesley Hershberger
** Tags removed: verification-needed
** Tags added: verification-done


[Bug 2106434] Re: pkcs11-tool 0.22.0 fails in C_DigestInit with CKR_GENERAL_ERROR

2025-05-06 Thread Wesley Hershberger
I've been unable to work around the issue described above with the QEMU
ccid-card-emulated; I'm going to mark verification complete as the test
plan was completed using a Yubikey.

### Verification Done Jammy (ccid-card-emulated) ###
$ apt-cache policy opensc
opensc:
  Installed: 0.22.0-1ubuntu2.1
  Candidate: 0.22.0-1ubuntu2.1
  Version table:
 *** 0.22.0-1ubuntu2.1 500
        500 http://archive.ubuntu.com/ubuntu jammy-proposed/universe amd64 Packages
        100 /var/lib/dpkg/status
     0.22.0-1ubuntu2 500
        500 http://archive.ubuntu.com/ubuntu jammy/universe amd64 Packages
$ pkcs11-tool -t -l
Using slot 0 with a present token (0x0)
error: PKCS11 function C_Login failed: rv = CKR_GENERAL_ERROR (0x5)
Aborting.
user1@ubuntu:/etc/apt$ pkcs11-tool -t
Using slot 0 with a present token (0x0)
C_SeedRandom() and C_GenerateRandom():
  seeding (C_SeedRandom) not supported
  ERR: C_GenerateRandom failed: CKR_GENERAL_ERROR (0x5)
Digests:
  all 4 digest functions seem to work
  MD5: OK
  SHA-1: OK
  RIPEMD160: OK
Signatures (currently only for RSA)
Signatures: no private key found in this slot
Verify (currently only for RSA)
  No private key found for testing
Decryption (currently only for RSA)
1 errors
### Verification Done Jammy (ccid-card-emulated) ###

** Tags removed: verification-needed-jammy
** Tags added: verification-done-jammy


[Bug 2106434] Re: pkcs11-tool 0.22.0 fails in C_DigestInit with CKR_GENERAL_ERROR

2025-05-06 Thread Wesley Hershberger
** Description changed:

  [ Impact ]
  
  pkcs11-tool in Jammy (opensc=0.22.0-1ubuntu2) fails with `-t` while
  testing digests:
  
  ```
  $ sudo pkcs11-tool -l -t
  Using slot 0 with a present token (0x0)
  Logging in to "Users".
  Please enter User PIN:
  C_SeedRandom() and C_GenerateRandom():
    seeding (C_SeedRandom) not supported
    seems to be OK
  Digests:
    all 4 digest functions seem to work
    MD5: OK
    SHA-1: OK
  error: PKCS11 function C_DigestInit failed: rv = CKR_GENERAL_ERROR (0x5)
  Aborting.
  ```
  
  This works in Focal and Noble. The test command provides users with a
  more firm indication that their smartcard is compatible/functional with
  OpenSC; it is often used while troubleshooting other issues with
  smartcards.
  
  This particular error occurs because the RIPEMD160 hash function is not
  included in OpenSSL's default provider in Jammy [1][2].
  
  OpenSC 0.22 does not contain patches that update deprecated usage of
  OpenSSL 3; they were merged for 0.23 [3][4]. This bug was fixed in that
  PR (discussed in [5]).
  
  It looks to me like this bug showed up in #1972753, although that issue
  was resolved with a change of OpenSSH configuration. I'm opening this
  bug report to deal specifically with pkcs11-tool.
  
  A backport of [6] is sufficient to resolve the C_DigestInit failure.
  
  [1] https://docs.openssl.org/master/man7/EVP_MD-RIPEMD160/
  [2] https://docs.openssl.org/master/man7/provider/
  [3] https://github.com/OpenSC/OpenSC/issues/2308
  [4] https://github.com/OpenSC/OpenSC/pull/2438
  [5] https://github.com/OpenSC/OpenSC/issues/2571
  [6] https://github.com/OpenSC/OpenSC/commit/c3dcab8b237d42961c0dc12ab2105f3df9073116
  
  [ Test Plan ]
  
  Create CA & certificates for a virtual smart card as found at [1]. When creating the CA certificate, include `-2` and answer yes for CA:
  [1] https://www.qemu.org/docs/master/system/devices/ccid.html#using-ccid-card-emulated-with-certificates-stored-in-files
  
  ```
- sudo apt install libnss3-tools qemu-system-x86-64
+ sudo apt install libnss3-tools qemu-system-x86-64 genisoimage
  
  mkdir fake-smartcard
  cd fake-smartcard
  certutil -N -d sql:$PWD
  certutil -S -d sql:$PWD -s "CN=Fake Smart Card CA" -x -2 -t TC,TC,TC -n fake-smartcard-ca
  certutil -S -d sql:$PWD -t ,, -s "CN=John Doe" -n id-cert -c fake-smartcard-ca
  certutil -S -d sql:$PWD -t ,, -s "CN=John Doe (signing)" --nsCertType smime -n signing-cert -c fake-smartcard-ca
  certutil -S -d sql:$PWD -t ,, -s "CN=John Doe (encryption)" --nsCertType sslClient -n encryption-cert -c fake-smartcard-ca
  ```
  
  Export the CA cert as PEM so that it can be added to the VM later:
  ```
  certutil -L -r -d sql:$PWD -o fake-smartcard-ca.cer -n fake-smartcard-ca
  openssl x509 -in fake-smartcard-ca.cer -out fake-smartcard-ca.crt -outform pem
  ```
  
  Follow the instructions at [2] to create a cloud-init config drive `seed.img`. Add `fake-smartcard-ca.crt` to `seed.img` and use the following user-data:
  [2] https://cloudinit.readthedocs.io/en/latest/howto/launch_qemu.html
  
  ```
  touch network-config
  touch meta-data
  cat >user-data 

[Bug 2106434] Re: pkcs11-tool 0.22.0 fails in C_DigestInit with CKR_GENERAL_ERROR

2025-05-06 Thread Wesley Hershberger
** Description changed:

  [ Impact ]
  
  pkcs11-tool in Jammy (opensc=0.22.0-1ubuntu2) fails with `-t` while
  testing digests:
  
  ```
  $ sudo pkcs11-tool -l -t
  Using slot 0 with a present token (0x0)
  Logging in to "Users".
  Please enter User PIN:
  C_SeedRandom() and C_GenerateRandom():
    seeding (C_SeedRandom) not supported
    seems to be OK
  Digests:
    all 4 digest functions seem to work
    MD5: OK
    SHA-1: OK
  error: PKCS11 function C_DigestInit failed: rv = CKR_GENERAL_ERROR (0x5)
  Aborting.
  ```
  
  This works in Focal and Noble. The test command provides users with a
  more firm indication that their smartcard is compatible/functional with
  OpenSC; it is often used while troubleshooting other issues with
  smartcards.
  
  This particular error occurs because the RIPEMD160 hash function is not
  included in OpenSSL's default provider in Jammy [1][2].
  
  OpenSC 0.22 does not contain patches that update deprecated usage of
  OpenSSL 3; they were merged for 0.23 [3][4]. This bug was fixed in that
  PR (discussed in [5]).
  
  It looks to me like this bug showed up in #1972753, although that issue
  was resolved with a change of OpenSSH configuration. I'm opening this
  bug report to deal specifically with pkcs11-tool.
  
  A backport of [6] is sufficient to resolve the C_DigestInit failure.
  
  [1] https://docs.openssl.org/master/man7/EVP_MD-RIPEMD160/
  [2] https://docs.openssl.org/master/man7/provider/
  [3] https://github.com/OpenSC/OpenSC/issues/2308
  [4] https://github.com/OpenSC/OpenSC/pull/2438
  [5] https://github.com/OpenSC/OpenSC/issues/2571
  [6] https://github.com/OpenSC/OpenSC/commit/c3dcab8b237d42961c0dc12ab2105f3df9073116
  
  [ Test Plan ]
  
  Create CA & certificates for a virtual smart card as found at [1]. When creating the CA certificate, include `-2` and answer yes for CA:
  [1] https://www.qemu.org/docs/master/system/devices/ccid.html#using-ccid-card-emulated-with-certificates-stored-in-files
  
  ```
- sudo apt install libnss3-tools
+ sudo apt install libnss3-tools qemu-system-x86-64
  
  mkdir fake-smartcard
  cd fake-smartcard
  certutil -N -d sql:$PWD
  certutil -S -d sql:$PWD -s "CN=Fake Smart Card CA" -x -2 -t TC,TC,TC -n fake-smartcard-ca
  certutil -S -d sql:$PWD -t ,, -s "CN=John Doe" -n id-cert -c fake-smartcard-ca
  certutil -S -d sql:$PWD -t ,, -s "CN=John Doe (signing)" --nsCertType smime -n signing-cert -c fake-smartcard-ca
  certutil -S -d sql:$PWD -t ,, -s "CN=John Doe (encryption)" --nsCertType sslClient -n encryption-cert -c fake-smartcard-ca
  ```
  
  Export the CA cert as PEM so that it can be added to the VM later:
  ```
  certutil -L -r -d sql:$PWD -o fake-smartcard-ca.cer -n fake-smartcard-ca
  openssl x509 -in fake-smartcard-ca.cer -out fake-smartcard-ca.crt -outform pem
  ```
  
  Follow the instructions at [2] to create a cloud-init config drive `seed.img`. Add `fake-smartcard-ca.crt` to `seed.img` and use the following user-data:
  [2] https://cloudinit.readthedocs.io/en/latest/howto/launch_qemu.html
  
  ```
  touch network-config
  touch meta-data
  cat >user-data 

[Bug 2106434] Re: pkcs11-tool 0.22.0 fails in C_DigestInit with CKR_GENERAL_ERROR

2025-04-30 Thread Wesley Hershberger
The autopkgtests look like an infra issue rather than a test failure.

VM verification coming soon...

### Verification Done Jammy (Yubikey) ###
$ apt-cache policy opensc
opensc:
  Installed: 0.22.0-1ubuntu2.1
  Candidate: 0.22.0-1ubuntu2.1
  Version table:
 *** 0.22.0-1ubuntu2.1 500
        500 http://archive.ubuntu.com/ubuntu jammy-proposed/universe amd64 Packages
        100 /var/lib/dpkg/status
     0.22.0-1ubuntu2+test0 500
        500 https://ppa.launchpadcontent.net/whershberger/opensc-00408323/ubuntu jammy/main amd64 Packages
     0.22.0-1ubuntu2+esm1 510
        510 https://esm.ubuntu.com/apps/ubuntu jammy-apps-security/main amd64 Packages
     0.22.0-1ubuntu2 500
        500 http://archive.ubuntu.com/ubuntu jammy/universe amd64 Packages
ubuntu@jammy-desktop:~$ sudo pkcs11-tool --test --login
Using slot 0 with a present token (0x0)
Logging in to "Users".
Please enter User PIN:
C_SeedRandom() and C_GenerateRandom():
  seeding (C_SeedRandom) not supported
  seems to be OK
Digests:
  all 4 digest functions seem to work
  MD5: OK
  SHA-1: OK
  RIPEMD160: OK
Signatures (currently only for RSA)
  testing key 0 (PIV AUTH key)
  all 4 signature functions seem to work
  testing signature mechanisms:
RSA-X-509: OK
RSA-PKCS: OK
SHA1-RSA-PKCS: OK
MD5-RSA-PKCS: OK
RIPEMD160-RSA-PKCS: OK
SHA256-RSA-PKCS: OK
Verify (currently only for RSA)
  testing key 0 (PIV AUTH key)
RSA-X-509: OK
RSA-PKCS: OK
SHA1-RSA-PKCS: OK
MD5-RSA-PKCS: OK
RIPEMD160-RSA-PKCS: OK
Decryption (currently only for RSA)
  testing key 0 (PIV AUTH key)
RSA-X-509: OK
RSA-PKCS: OK
No errors
ubuntu@jammy-desktop:~$ pkcs11-tool --list-objects --login
# ...omitted
ubuntu@jammy-desktop:~$ pkcs11-tool --read-object --id 1 --type pubkey > pubkey.der
Using slot 0 with a present token (0x0)
ubuntu@jammy-desktop:~$ openssl rsa -inform der -outform pem -in pubkey.der -pubin > pubkey.pem
writing RSA key
ubuntu@jammy-desktop:~$ dd if=/dev/urandom of=data.bin count=1 bs=64
1+0 records in
1+0 records out
64 bytes copied, 0,000181666 s, 352 kB/s
ubuntu@jammy-desktop:~$ pkcs11-tool --id 1 --sign --mechanism RSA-PKCS --input-file data.bin --output-file data.sig
Using slot 0 with a present token (0x0)
Logging in to "Users".
Please enter User PIN:
Using signature algorithm RSA-PKCS
ubuntu@jammy-desktop:~$ openssl pkeyutl -verify -pubin -inkey pubkey.pem -in data.bin -sigfile data.sig
Signature Verified Successfully
### Verification Done Jammy (Yubikey) ###


[Bug 2106434] Re: pkcs11-tool 0.22.0 fails in C_DigestInit with CKR_GENERAL_ERROR

2025-04-30 Thread Andreas Hasenack
Hello Wesley, or anyone else affected,

Accepted opensc into jammy-proposed. The package will build now and be
available at
https://launchpad.net/ubuntu/+source/opensc/0.22.0-1ubuntu2.1 in a few
hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.  Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, what testing has been
performed on the package and change the tag from verification-needed-jammy
to verification-done-jammy. If it does not fix the bug for you, please add
a comment stating that, and change the tag to verification-failed-jammy.
In either case, without details of your testing we will not be able to
proceed.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance for helping!

N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.

** Changed in: opensc (Ubuntu Jammy)
   Status: In Progress => Fix Committed

** Tags added: verification-needed verification-needed-jammy


[Bug 2106434] Re: pkcs11-tool 0.22.0 fails in C_DigestInit with CKR_GENERAL_ERROR

2025-04-24 Thread Wesley Hershberger
Thanks for the review; I'll get the branch right in future :)

I've added a section with a quick sign+verify; happy to add additional
workflows if that isn't sufficient.

** Description changed:

  [ Impact ]
  
  pkcs11-tool in Jammy (opensc=0.22.0-1ubuntu2) fails with `-t` while
  testing digests:
  
  ```
  $ sudo pkcs11-tool -l -t
  Using slot 0 with a present token (0x0)
  Logging in to "Users".
  Please enter User PIN:
  C_SeedRandom() and C_GenerateRandom():
    seeding (C_SeedRandom) not supported
    seems to be OK
  Digests:
    all 4 digest functions seem to work
    MD5: OK
    SHA-1: OK
  error: PKCS11 function C_DigestInit failed: rv = CKR_GENERAL_ERROR (0x5)
  Aborting.
  ```
  
  This works in Focal and Noble. The test command provides users with a
  more firm indication that their smartcard is compatible/functional with
  OpenSC; it is often used while troubleshooting other issues with
  smartcards.
  
  This particular error occurs because the RIPEMD160 hash function is not
  included in OpenSSL's default provider in Jammy [1][2].
  
  OpenSC 0.22 does not contain patches that update deprecated usage of
  OpenSSL 3; they were merged for 0.23 [3][4]. This bug was fixed in that
  PR (discussed in [5]).
  
  It looks to me like this bug showed up in #1972753, although that issue
  was resolved with a change of OpenSSH configuration. I'm opening this
  bug report to deal specifically with pkcs11-tool.
  
  A backport of [6] is sufficient to resolve the C_DigestInit failure.
  
  [1] https://docs.openssl.org/master/man7/EVP_MD-RIPEMD160/
  [2] https://docs.openssl.org/master/man7/provider/
  [3] https://github.com/OpenSC/OpenSC/issues/2308
  [4] https://github.com/OpenSC/OpenSC/pull/2438
  [5] https://github.com/OpenSC/OpenSC/issues/2571
  [6] https://github.com/OpenSC/OpenSC/commit/c3dcab8b237d42961c0dc12ab2105f3df9073116
  
  [ Test Plan ]
  
  Create CA & certificates for a virtual smart card as found at [1]. When creating the CA certificate, include `-2` and answer yes for CA:
  [1] https://www.qemu.org/docs/master/system/devices/ccid.html#using-ccid-card-emulated-with-certificates-stored-in-files
  
  ```
  sudo apt install libnss3-tools
  
  mkdir fake-smartcard
  cd fake-smartcard
  certutil -N -d sql:$PWD
  certutil -S -d sql:$PWD -s "CN=Fake Smart Card CA" -x -2 -t TC,TC,TC -n fake-smartcard-ca
  certutil -S -d sql:$PWD -t ,, -s "CN=John Doe" -n id-cert -c fake-smartcard-ca
  certutil -S -d sql:$PWD -t ,, -s "CN=John Doe (signing)" --nsCertType smime -n signing-cert -c fake-smartcard-ca
  certutil -S -d sql:$PWD -t ,, -s "CN=John Doe (encryption)" --nsCertType sslClient -n encryption-cert -c fake-smartcard-ca
  ```
  
  Export the CA cert as PEM so that it can be added to the VM later:
  ```
  certutil -L -r -d sql:$PWD -o fake-smartcard-ca.cer -n fake-smartcard-ca
  openssl x509 -in fake-smartcard-ca.cer -out fake-smartcard-ca.crt -outform pem
  ```
  
  Follow the instructions at [2] to create a cloud-init config drive `seed.img`. Add `fake-smartcard-ca.crt` to `seed.img` and use the following user-data:
  [2] https://cloudinit.readthedocs.io/en/latest/howto/launch_qemu.html
  
  ```
  touch network-config
  touch meta-data
  cat >user-data 

[Bug 2106434] Re: pkcs11-tool 0.22.0 fails in C_DigestInit with CKR_GENERAL_ERROR

2025-04-23 Thread Nick Rosbrook
> Ah, also, we usually use debdiffs instead of merge requests to get
things into Ubuntu.

I don't think that's true as a general statement anymore. Lots of people
prefer the git-ubuntu workflow. The target of the MP should have been
ubuntu/jammy-devel though, as you point out.

Anyways, I have reviewed the upload in jammy unapproved, and I think it
looks ready to be accepted into proposed. The patch is minimal and
well-documented with appropriate dep3 headers, the SRU template looks good
including a good test plan, and the version etc. look correct.

The only small request I would make (even though looking at the patch it
seems clear this only affects the -t code path) is that the test plan is
expanded slightly to include some other common usage of pkcs11-tool,
e.g. pkcs11-tool --sign or so.


[Bug 2106434] Re: pkcs11-tool 0.22.0 fails in C_DigestInit with CKR_GENERAL_ERROR

2025-04-18 Thread Matthew Ruffell
** Changed in: opensc (Ubuntu)
 Assignee: Wesley Hershberger (whershberger) => (unassigned)


[Bug 2106434] Re: pkcs11-tool 0.22.0 fails in C_DigestInit with CKR_GENERAL_ERROR

2025-04-18 Thread Matthew Ruffell
** Description changed:

  [ Impact ]
  
  pkcs11-tool in Jammy (opensc=0.22.0-1ubuntu2) fails with `-t` while
  testing digests:
  
  ```
  $ sudo pkcs11-tool -l -t
  Using slot 0 with a present token (0x0)
  Logging in to "Users".
  Please enter User PIN:
  C_SeedRandom() and C_GenerateRandom():
    seeding (C_SeedRandom) not supported
    seems to be OK
  Digests:
    all 4 digest functions seem to work
    MD5: OK
    SHA-1: OK
  error: PKCS11 function C_DigestInit failed: rv = CKR_GENERAL_ERROR (0x5)
  Aborting.
  ```
  
  This works in Focal and Noble. The test command provides users with a
  more firm indication that their smartcard is compatible/functional with
  OpenSC; it is often used while troubleshooting other issues with
  smartcards.
  
  This particular error occurs because the RIPEMD160 hash function is not
  included in OpenSSL's default provider in Jammy [1][2].
  
  OpenSC 0.22 does not contain patches that update deprecated usage of
  OpenSSL 3; they were merged for 0.23 [3][4]. This bug was fixed in that
  PR (discussed in [5]).
  
  It looks to me like this bug showed up in #1972753, although that issue
  was resolved with a change of OpenSSH configuration. I'm opening this
  bug report to deal specifically with pkcs11-tool.
  
  A backport of [6] is sufficient to resolve the C_DigestInit failure.
  
  [1] https://docs.openssl.org/master/man7/EVP_MD-RIPEMD160/
  [2] https://docs.openssl.org/master/man7/provider/
  [3] https://github.com/OpenSC/OpenSC/issues/2308
  [4] https://github.com/OpenSC/OpenSC/pull/2438
  [5] https://github.com/OpenSC/OpenSC/issues/2571
  [6] https://github.com/OpenSC/OpenSC/commit/c3dcab8b237d42961c0dc12ab2105f3df9073116
  
  [ Test Plan ]
  
  Create CA & certificates for a virtual smart card as found at [1]. When creating the CA certificate, include `-2` and answer yes for CA:
  [1] https://www.qemu.org/docs/master/system/devices/ccid.html#using-ccid-card-emulated-with-certificates-stored-in-files
  
  ```
  sudo apt install libnss3-tools
  
  mkdir fake-smartcard
  cd fake-smartcard
  certutil -N -d sql:$PWD
  certutil -S -d sql:$PWD -s "CN=Fake Smart Card CA" -x -2 -t TC,TC,TC -n fake-smartcard-ca
  certutil -S -d sql:$PWD -t ,, -s "CN=John Doe" -n id-cert -c fake-smartcard-ca
  certutil -S -d sql:$PWD -t ,, -s "CN=John Doe (signing)" --nsCertType smime -n signing-cert -c fake-smartcard-ca
  certutil -S -d sql:$PWD -t ,, -s "CN=John Doe (encryption)" --nsCertType sslClient -n encryption-cert -c fake-smartcard-ca
  ```
  
  Export the CA cert as PEM so that it can be added to the VM later:
  ```
  certutil -L -r -d sql:$PWD -o fake-smartcard-ca.cer -n fake-smartcard-ca
  openssl x509 -in fake-smartcard-ca.cer -out fake-smartcard-ca.crt -outform pem
  ```
  
  Follow the instructions at [2] to create a cloud-init config drive `seed.img`. Add `fake-smartcard-ca.crt` to `seed.img` and use the following user-data:
  [2] https://cloudinit.readthedocs.io/en/latest/howto/launch_qemu.html
  
  ```
  touch network-config
  touch meta-data
  cat >user-data 
  
  [ Where problems could occur ]
  
   * These changes only affect the pkcs11-tool binary, specifically only the code
     that is invoked with `-t` (see p11_test() defined on pkcs11-tool.c#6394).
     Since `-t` is already broken, it's assumed that additional breakage to this
     option would be low impact.
  
   * As noted in the upstream issues, OpenSC 0.22 was not audited for
     compatibility with Op

[Bug 2106434] Re: pkcs11-tool 0.22.0 fails in C_DigestInit with CKR_GENERAL_ERROR

2025-04-18 Thread Matthew Ruffell
Hi Wesley,

This has been sponsored to jammy.

Some feedback:

This is all very good for your first SRU.

Attached is the final debdiff that I sponsored, so you can study it.

Notes:
- We want to try to keep patch file names as their original commit name was, so I renamed the patch back to lp2106434-pkcs11-tool-load-legacy-provider-for-RIPEMD160.patch
- I refreshed the patch with "quilt refresh".
- I added commit information to the patch, and added a note about your backport to the Subject tag.
- I used the shortened https://bugs.launchpad.net/bugs/2106434 for Bug-Ubuntu.
- I changed your debian/changelog entry to better describe what the change actually does, I hope you don't mind.

* Include the openssl legacy provider in pkcs11-tool to support 
  RIPEMD160 in openssl 3.0 in jammy. (LP: #2106434)
  - d/p/lp2106434-pkcs11-tool-load-legacy-provider-for-RIPEMD160.patch
  
I also moved the patch to the final line of the changelog entry.

The version was correct, all good there.

You can see I edited your SRU template a bit, namely in the testcase section.
I usually think it's better to just give all the necessary commands to test
things, since if someone decides to run through things, they can just run them
instead of digging through pages of documentation.

Your testcase was really good though. I eventually got cloud-init working with
a new user-data and could reproduce the problem, great job.

The test packages work great too.

It built successfully in -updates, -proposed with all arches enabled, and
the autopkgtests all pass.

So sponsored, well done!

** Patch added: "Final debdiff for opensc on jammy"
   
https://bugs.launchpad.net/ubuntu/+source/opensc/+bug/2106434/+attachment/5872322/+files/lp2106434_jammy.debdiff


[Bug 2106434] Re: pkcs11-tool 0.22.0 fails in C_DigestInit with CKR_GENERAL_ERROR

2025-04-16 Thread Matthew Ruffell
Ah, also, we usually use debdiffs instead of merge requests to get
things into Ubuntu.

The branch you targeted, ubuntu/devel is currently targeting plucky /
questing, and not jammy.

Instead, you can make a debdiff with:

$ debdiff opensc_0.22.0-1ubuntu2.dsc opensc_0.22.0-1ubuntu2.1.dsc > my-debdiff.debdiff

and you can upload it to the bug for sponsoring in the future.

To apply a debdiff, you can:

$ debdiff-apply opensc_0.22.0-1ubuntu2.dsc my-debdiff.debdiff

Hope that helps.


[Bug 2106434] Re: pkcs11-tool 0.22.0 fails in C_DigestInit with CKR_GENERAL_ERROR

2025-04-16 Thread Matthew Ruffell
** Description changed:

  [ Impact ]
  
  pkcs11-tool in Jammy (opensc=0.22.0-1ubuntu2) fails with `-t` while
  testing digests:
  
  ```
  $ sudo pkcs11-tool -l -t
  Using slot 0 with a present token (0x0)
  Logging in to "Users".
  Please enter User PIN:
  C_SeedRandom() and C_GenerateRandom():
    seeding (C_SeedRandom) not supported
    seems to be OK
  Digests:
    all 4 digest functions seem to work
    MD5: OK
    SHA-1: OK
  error: PKCS11 function C_DigestInit failed: rv = CKR_GENERAL_ERROR (0x5)
  Aborting.
  ```
  
  This works in Focal and Noble. The test command provides users with a
  more firm indication that their smartcard is compatible/functional with
  OpenSC; it is often used while troubleshooting other issues with
  smartcards.
  
  This particular error occurs because the RIPEMD160 hash function is not
  included in OpenSSL's default provider in Jammy [1][2].
  
  OpenSC 0.22 does not contain patches that update deprecated usage of
  OpenSSL 3; they were merged for 0.23 [3][4]. This bug was fixed in that
  PR (discussed in [5]).
  
  It looks to me like this bug showed up in #1972753, although that issue
  was resolved with a change of OpenSSH configuration. I'm opening this
  bug report to deal specifically with pkcs11-tool.
  
  A backport of [6] is sufficient to resolve the C_DigestInit failure.
  
  [1] https://docs.openssl.org/master/man7/EVP_MD-RIPEMD160/
  [2] https://docs.openssl.org/master/man7/provider/
  [3] https://github.com/OpenSC/OpenSC/issues/2308
  [4] https://github.com/OpenSC/OpenSC/pull/2438
  [5] https://github.com/OpenSC/OpenSC/issues/2571
  [6] https://github.com/OpenSC/OpenSC/commit/c3dcab8b237d42961c0dc12ab2105f3df9073116
  
  [ Test Plan ]
  
  Create CA & certificates for a virtual smart card as found at [1]. When creating the CA certificate, include `-2` and answer yes for CA:
  [1] https://www.qemu.org/docs/master/system/devices/ccid.html#using-ccid-card-emulated-with-certificates-stored-in-files
  
  ```
  sudo apt install libnss3-tools
  
  mkdir fake-smartcard
  cd fake-smartcard
  certutil -N -d sql:$PWD
  certutil -S -d sql:$PWD -s "CN=Fake Smart Card CA" -x -2 -t TC,TC,TC -n fake-smartcard-ca
  certutil -S -d sql:$PWD -t ,, -s "CN=John Doe" -n id-cert -c fake-smartcard-ca
  certutil -S -d sql:$PWD -t ,, -s "CN=John Doe (signing)" --nsCertType smime -n signing-cert -c fake-smartcard-ca
  certutil -S -d sql:$PWD -t ,, -s "CN=John Doe (encryption)" --nsCertType sslClient -n encryption-cert -c fake-smartcard-ca
  ```
  
  Export the CA cert as PEM so that it can be added to the VM later:
  ```
  certutil -L -r -d sql:$PWD -o fake-smartcard-ca.cer -n fake-smartcard-ca
  openssl x509 -in fake-smartcard-ca.cer -out fake-smartcard-ca.crt -outform pem
  ```
  
  Follow the instructions at [2] to create a cloud-init config drive `seed.img`. Add `fake-smartcard-ca.crt` to `seed.img` and use the following user-data:
  [2] https://cloudinit.readthedocs.io/en/latest/howto/launch_qemu.html
  
  ```
  touch network-config
  touch meta-data
  cat >user-data 
+ $ sudo pkcs11-tool --test 
+ Using slot 0 with a present token

[Bug 2106434] Re: pkcs11-tool 0.22.0 fails in C_DigestInit with CKR_GENERAL_ERROR

2025-04-16 Thread Matthew Ruffell
** Description changed:

  [ Impact ]
  
  pkcs11-tool in Jammy (opensc=0.22.0-1ubuntu2) fails with `-t` while
  testing digests:
  
  ```
  $ sudo pkcs11-tool -l -t
  Using slot 0 with a present token (0x0)
  Logging in to "Users".
  Please enter User PIN:
  C_SeedRandom() and C_GenerateRandom():
    seeding (C_SeedRandom) not supported
    seems to be OK
  Digests:
    all 4 digest functions seem to work
    MD5: OK
    SHA-1: OK
  error: PKCS11 function C_DigestInit failed: rv = CKR_GENERAL_ERROR (0x5)
  Aborting.
  ```
  
  This works in Focal and Noble. The test command provides users with a
  more firm indication that their smartcard is compatible/functional with
  OpenSC; it is often used while troubleshooting other issues with
  smartcards.
  
  This particular error occurs because the RIPEMD160 hash function is not
  included in OpenSSL's default provider in Jammy [1][2].
  
  OpenSC 0.22 does not contain patches that update deprecated usage of
  OpenSSL 3; they were merged for 0.23 [3][4]. This bug was fixed in that
  PR (discussed in [5]).
  
  It looks to me like this bug showed up in #1972753, although that issue
  was resolved with a change of OpenSSH configuration. I'm opening this
  bug report to deal specifically with pkcs11-tool.
  
  A backport of [6] is sufficient to resolve the C_DigestInit failure.
  
  [1] https://docs.openssl.org/master/man7/EVP_MD-RIPEMD160/
  [2] https://docs.openssl.org/master/man7/provider/
  [3] https://github.com/OpenSC/OpenSC/issues/2308
  [4] https://github.com/OpenSC/OpenSC/pull/2438
  [5] https://github.com/OpenSC/OpenSC/issues/2571
  [6] 
https://github.com/OpenSC/OpenSC/commit/c3dcab8b237d42961c0dc12ab2105f3df9073116
  
  [ Test Plan ]
  
  Create CA & certificates for a virtual smart card as found at [1]. When 
creating the CA certificate, include `-2` and answer yes for CA:
  [1] 
https://www.qemu.org/docs/master/system/devices/ccid.html#using-ccid-card-emulated-with-certificates-stored-in-files
  
  ```
  sudo apt install libnss3-tools
  
  mkdir fake-smartcard
  cd fake-smartcard
  certutil -N -d sql:$PWD
  certutil -S -d sql:$PWD -s "CN=Fake Smart Card CA" -x -2 -t TC,TC,TC -n 
fake-smartcard-ca
  certutil -S -d sql:$PWD -t ,, -s "CN=John Doe" -n id-cert -c fake-smartcard-ca
  certutil -S -d sql:$PWD -t ,, -s "CN=John Doe (signing)" --nsCertType smime 
-n signing-cert -c fake-smartcard-ca
  certutil -S -d sql:$PWD -t ,, -s "CN=John Doe (encryption)" --nsCertType 
sslClient -n encryption-cert -c fake-smartcard-ca
  ```
  
  Export the CA cert as PEM so that it can be added to the VM later:
  ```
  certutil -L -r -d sql:$PWD -o fake-smartcard-ca.cer -n fake-smartcard-ca
  openssl x509 -in fake-smartcard-ca.cer -out fake-smartcard-ca.crt -outform pem
  ```
  
  Follow the instructions at [2] to create a cloud-init config drive 
`seed.img`. Add `fake-smartcard-ca.crt` to `seed.img` and use the following 
user-data:
  [2] https://cloudinit.readthedocs.io/en/latest/howto/launch_qemu.html
  
  ```
  touch network-config
  touch meta-data
  cat >user-data 
  
  [ Where problems could occur ]
  
   * These changes only affect the pkcs11-tool binary, specifically only the 
code
     that is invoked with `-t` (see p11_test() defined on pkcs11-tool.c#6394).
     Since `-t` is already broken, it's assumed that additional breakage to this
     option would be low impact.
  
   * As noted in the upstream issues, OpenSC 0.22 was not audited for
     compatibility with OpenSSL 3.0, so there are poss

[Bug 2106434] Re: pkcs11-tool 0.22.0 fails in C_DigestInit with CKR_GENERAL_ERROR

2025-04-16 Thread Matthew Ruffell
** Description changed:

  [ Impact ]
  
  pkcs11-tool in Jammy (opensc=0.22.0-1ubuntu2) fails with `-t` while
  testing digests:
  
  ```
  $ sudo pkcs11-tool -l -t
  Using slot 0 with a present token (0x0)
  Logging in to "Users".
  Please enter User PIN:
  C_SeedRandom() and C_GenerateRandom():
-   seeding (C_SeedRandom) not supported
-   seems to be OK
+   seeding (C_SeedRandom) not supported
+   seems to be OK
  Digests:
-   all 4 digest functions seem to work
-   MD5: OK
-   SHA-1: OK
+   all 4 digest functions seem to work
+   MD5: OK
+   SHA-1: OK
  error: PKCS11 function C_DigestInit failed: rv = CKR_GENERAL_ERROR (0x5)
  Aborting.
  ```
  
  This works in Focal and Noble. The test command provides users with a
  more firm indication that their smartcard is compatible/functional with
  OpenSC; it is often used while troubleshooting other issues with
  smartcards.
  
  This particular error occurs because the RIPEMD160 hash function is not
  included in OpenSSL's default provider in Jammy [1][2].
  
  OpenSC 0.22 does not contain patches that update deprecated usage of
  OpenSSL 3; they were merged for 0.23 [3][4]. This bug was fixed in that
  PR (discussed in [5]).
  
  It looks to me like this bug showed up in #1972753, although that issue
  was resolved with a change of OpenSSH configuration. I'm opening this
  bug report to deal specifically with pkcs11-tool.
  
  A backport of [6] is sufficient to resolve the C_DigestInit failure.
  
  [1] https://docs.openssl.org/master/man7/EVP_MD-RIPEMD160/
  [2] https://docs.openssl.org/master/man7/provider/
  [3] https://github.com/OpenSC/OpenSC/issues/2308
  [4] https://github.com/OpenSC/OpenSC/pull/2438
  [5] https://github.com/OpenSC/OpenSC/issues/2571
  [6] 
https://github.com/OpenSC/OpenSC/commit/c3dcab8b237d42961c0dc12ab2105f3df9073116
  
  [ Test Plan ]
  
  Create CA & certificates for a virtual smart card as found at [1]. When 
creating the CA certificate, include `-2` and answer yes for CA:
+ [1] 
https://www.qemu.org/docs/master/system/devices/ccid.html#using-ccid-card-emulated-with-certificates-stored-in-files
+ 
  ```
+ sudo apt install libnss3-tools
+ 
+ mkdir fake-smartcard
+ cd fake-smartcard
+ certutil -N -d sql:$PWD
  certutil -S -d sql:$PWD -s "CN=Fake Smart Card CA" -x -2 -t TC,TC,TC -n 
fake-smartcard-ca
+ certutil -S -d sql:$PWD -t ,, -s "CN=John Doe" -n id-cert -c fake-smartcard-ca
+ certutil -S -d sql:$PWD -t ,, -s "CN=John Doe (signing)" --nsCertType smime 
-n signing-cert -c fake-smartcard-ca
+ certutil -S -d sql:$PWD -t ,, -s "CN=John Doe (encryption)" --nsCertType 
sslClient -n encryption-cert -c fake-smartcard-ca
  ```
  
  Export the CA cert as PEM so that it can be added to the VM later:
  ```
  certutil -L -r -d sql:$PWD -o fake-smartcard-ca.cer -n fake-smartcard-ca
  openssl x509 -in fake-smartcard-ca.cer -out fake-smartcard-ca.crt -outform pem
  ```
  
  Follow the instructions at [2] to create a cloud-init config drive 
`seed.img`. Add `fake-smartcard-ca.crt` to `seed.img` and use the following 
user-data:
+ [2] https://cloudinit.readthedocs.io/en/latest/howto/launch_qemu.html
+ 
  ```
+ touch network-config
+ touch meta-data
+ cat >user-data 

[Bug 2106434] Re: pkcs11-tool 0.22.0 fails in C_DigestInit with CKR_GENERAL_ERROR

2025-04-16 Thread Matthew Ruffell
** Changed in: opensc (Ubuntu Jammy)
   Importance: Undecided => Medium

** Changed in: opensc (Ubuntu)
   Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2106434

Title:
  pkcs11-tool 0.22.0 fails in C_DigestInit with CKR_GENERAL_ERROR

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/opensc/+bug/2106434/+subscriptions


-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 2106434] Re: pkcs11-tool 0.22.0 fails in C_DigestInit with CKR_GENERAL_ERROR

2025-04-09 Thread Wesley Hershberger
** Merge proposal linked:
   
https://code.launchpad.net/~whershberger/ubuntu/+source/opensc/+git/opensc/+merge/484178


[Bug 2106434] Re: pkcs11-tool 0.22.0 fails in C_DigestInit with CKR_GENERAL_ERROR

2025-04-09 Thread Wesley Hershberger
** Description changed:

  [ Impact ]
  
  pkcs11-tool in Jammy (opensc=0.22.0-1ubuntu2) fails with `-t` while
  testing digests:
  
  ```
  $ sudo pkcs11-tool -l -t
  Using slot 0 with a present token (0x0)
  Logging in to "Users".
  Please enter User PIN:
  C_SeedRandom() and C_GenerateRandom():
seeding (C_SeedRandom) not supported
seems to be OK
  Digests:
all 4 digest functions seem to work
MD5: OK
SHA-1: OK
  error: PKCS11 function C_DigestInit failed: rv = CKR_GENERAL_ERROR (0x5)
  Aborting.
  ```
  
  This works in Focal and Noble. The test command provides users with a
  more firm indication that their smartcard is compatible/functional with
  OpenSC; it is often used while troubleshooting other issues with
  smartcards.
  
  This particular error occurs because the RIPEMD160 hash function is not
  included in OpenSSL's default provider in Jammy [1][2].
  
  OpenSC 0.22 does not contain patches that update deprecated usage of
  OpenSSL 3; they were merged for 0.23 [3][4]. This bug was fixed in that
  PR (discussed in [5]).
  
  It looks to me like this bug showed up in #1972753, although that issue
  was resolved with a change of OpenSSH configuration. I'm opening this
  bug report to deal specifically with pkcs11-tool.
  
  A backport of [6] is sufficient to resolve the C_DigestInit failure.
  
  [1] https://docs.openssl.org/master/man7/EVP_MD-RIPEMD160/
  [2] https://docs.openssl.org/master/man7/provider/
  [3] https://github.com/OpenSC/OpenSC/issues/2308
  [4] https://github.com/OpenSC/OpenSC/pull/2438
  [5] https://github.com/OpenSC/OpenSC/issues/2571
  [6] 
https://github.com/OpenSC/OpenSC/commit/c3dcab8b237d42961c0dc12ab2105f3df9073116
  
  [ Test Plan ]
  
  Create CA & certificates for a virtual smart card as found at [1]. When 
creating the CA certificate, include `-2` and answer yes for CA:
  ```
  certutil -S -d sql:$PWD -s "CN=Fake Smart Card CA" -x -2 -t TC,TC,TC -n 
fake-smartcard-ca
  ```
  
  Export the CA cert as PEM so that it can be added to the VM later:
  ```
  certutil -L -r -d sql:$PWD -o fake-smartcard-ca.cer -n fake-smartcard-ca
  openssl x509 -in fake-smartcard-ca.cer -out fake-smartcard-ca.crt -outform pem
  ```
  
  Follow the instructions at [2] to create a cloud-init config drive 
`seed.img`. Add `fake-smartcard-ca.crt` to `seed.img` and use the following 
user-data:
  ```
  #cloud-config
  chpasswd:
expire: false
users:
  - name: ubuntu
password: password
type: text
  ```
  
  Launch a qemu VM with emulated smart card:
  ```
  sudo qemu-system-x86_64 \
-enable-kvm \
-m 1024 \
-nic user,model=virtio \
-drive file=jammy-server-cloudimg-amd64.img,media=disk,index=0,if=virtio \
-drive file=seed.img,index=1,media=cdrom \
-usb -device usb-ccid -device 
ccid-card-emulated,backend=certificates,db=sql:$PWD,cert1=id-cert,cert2=signing-cert,cert3=encryption-cert
 \
+   -device virtio-rng-pci
-nographic
  ```
  
- Log in, install opensc, copy the certificate and import it:
+ Log in, install opensc, copy the certificate and trust it:
  ```
  sudo mount /dev/sr0 /mnt
  sudo cp /mnt/fake-smartcard-ca.crt /usr/local/share/ca-certificates/
  sudo update-ca-certificates
  ```
  
- test the card with:
+ Test the card with:
  ```
  sudo pkcs11-tool --test --login
  ```
  
  Authenticating with the card (with `-l`) is not needed to reproduce the
  failure; testing should be done with `-l` as the last hunk of this patch
  is only executed when using `-l`.
+ 
+ I've seen intermittent failures doing this in the qemu environment; this
+ is likely an issue with `ccid-card-emulated` (pcscd logs report
+ intermittent `commands.c:1571:CCID_Receive Command not supported or not
+ allowed`). I will perform verification with both the virtual environment
+ described here and a VM with a physically passed-through Yubikey.
  
  [1] 
https://www.qemu.org/docs/master/system/devices/ccid.html#using-ccid-card-emulated-with-certificates-stored-in-files
  [2] https://cloudinit.readthedocs.io/en/latest/howto/launch_qemu.html
  
  [ Where problems could occur ]
  
   * These changes only affect the pkcs11-tool binary, specifically only the 
code
 that is invoked with `-t` (see p11_test() defined on pkcs11-tool.c#6394).
 Since `-t` is already broken, it's assumed that additional breakage to this
 option would be low impact.
  
   * As noted in the upstream issues, OpenSC 0.22 was not audited for
 compatibility with OpenSSL 3.0, so there are possibly some remaining issues
 (some fixed in [1]) that this SRU does not address.
  
  [1] https://github.com/OpenSC/OpenSC/pull/2438

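Added example, not part of the bug report or of OpenSC: a POSIX shell check that reproduces the root cause described in the Impact section outside pkcs11-tool, using only the openssl CLI. It hashes a fixed string with RIPEMD160 first through whatever providers OpenSSL loads by default, then with the legacy provider loaded explicitly, and classifies the outcome. On an OpenSSL 3.0 build where RIPEMD160 is only in the legacy provider (the Jammy situation described above), the verdict is `legacy-needed`, which is exactly the condition under which an application that asks for the digest without loading that provider gets a failure to initialise it. The function names and the three verdict labels are my own; the expected digest is the standard RIPEMD160("abc") test vector.

```shell
#!/bin/sh
# Classify RIPEMD160 availability in the OpenSSL CLI found on PATH.
# Prints one of: default-ok | legacy-needed | unavailable
# (labels are this example's own, not OpenSSL or OpenSC terminology).

# Standard test vector: RIPEMD160("abc")
RIPEMD160_ABC=8eb208f7e05d987a9b044a8e98c6b087f15a0bfc

# Digest the string "abc" with RIPEMD160, passing any extra arguments
# (for example provider selection) straight to `openssl dgst`.
# Prints only the hex digest; prints nothing if openssl rejects the digest.
ripemd160_abc() {
    printf 'abc' | openssl dgst -ripemd160 "$@" 2>/dev/null | awk '{print $NF}'
}

# Decide whether RIPEMD160 works as-is, only with the legacy provider
# loaded alongside the default one, or not at all.
classify_ripemd160() {
    command -v openssl >/dev/null 2>&1 || { echo unavailable; return 0; }

    # 1) No provider options: OpenSSL 1.1 and OpenSSL 3 builds whose default
    #    provider includes RIPEMD160 succeed here.
    if [ "$(ripemd160_abc)" = "$RIPEMD160_ABC" ]; then
        echo default-ok
        return 0
    fi

    # 2) OpenSSL 3 with RIPEMD160 only in the legacy provider: loading
    #    `legacy` (and re-adding `default`, since an explicit -provider
    #    replaces the implicit default) makes the digest usable again.
    if [ "$(ripemd160_abc -provider legacy -provider default)" = "$RIPEMD160_ABC" ]; then
        echo legacy-needed
        return 0
    fi

    # 3) Neither worked (no legacy module installed, or some other build).
    echo unavailable
}

# Print the verdict when run as a script.
classify_ripemd160
```

A verdict of `legacy-needed` means any program that requests RIPEMD160 from OpenSSL 3 without loading the legacy provider itself (for example via OSSL_PROVIDER_load()) or having it activated in openssl.cnf will fail at digest initialisation; this is the same class of failure pkcs11-tool reports as CKR_GENERAL_ERROR from C_DigestInit. The explicit `-provider default` is deliberate: naming any provider on the command line disables the implicit default provider, so passing only `-provider legacy` would break every non-legacy algorithm.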

[Bug 2106434] Re: pkcs11-tool 0.22.0 fails in C_DigestInit with CKR_GENERAL_ERROR

2025-04-09 Thread Wesley Hershberger
** Description changed:

  [ Impact ]
  
  pkcs11-tool in Jammy (opensc=0.22.0-1ubuntu2) fails with `-t` while
  testing digests:
  
  ```
  $ sudo pkcs11-tool -l -t
  Using slot 0 with a present token (0x0)
  Logging in to "Users".
  Please enter User PIN:
  C_SeedRandom() and C_GenerateRandom():
-   seeding (C_SeedRandom) not supported
-   seems to be OK
+   seeding (C_SeedRandom) not supported
+   seems to be OK
  Digests:
-   all 4 digest functions seem to work
-   MD5: OK
-   SHA-1: OK
+   all 4 digest functions seem to work
+   MD5: OK
+   SHA-1: OK
  error: PKCS11 function C_DigestInit failed: rv = CKR_GENERAL_ERROR (0x5)
  Aborting.
  ```
  
  This works in Focal and Noble. The test command provides users with a
  more firm indication that their smartcard is compatible/functional with
  OpenSC; it is often used while troubleshooting other issues with
  smartcards.
  
  This particular error occurs because the RIPEMD160 hash function is not
  included in OpenSSL's default provider in Jammy [1][2].
  
  OpenSC 0.22 does not contain patches that update deprecated usage of
  OpenSSL 3; they were merged for 0.23 [3][4]. This bug was fixed in that
  PR (discussed in [5]).
  
  It looks to me like this bug showed up in #1972753, although that issue
  was resolved with a change of OpenSSH configuration. I'm opening this
  bug report to deal specifically with pkcs11-tool.
  
  A backport of [6] is sufficient to resolve the C_DigestInit failure.
  
  [1] https://docs.openssl.org/master/man7/EVP_MD-RIPEMD160/
  [2] https://docs.openssl.org/master/man7/provider/
  [3] https://github.com/OpenSC/OpenSC/issues/2308
  [4] https://github.com/OpenSC/OpenSC/pull/2438
  [5] https://github.com/OpenSC/OpenSC/issues/2571
  [6] 
https://github.com/OpenSC/OpenSC/commit/c3dcab8b237d42961c0dc12ab2105f3df9073116
  
  [ Test Plan ]
  
- Create CA & certificates for a virtual smart card as found at [1].
+ Create CA & certificates for a virtual smart card as found at [1]. When 
creating the CA certificate, include `-2` and answer yes for CA:
+ ```
+ certutil -S -d sql:$PWD -s "CN=Fake Smart Card CA" -x -2 -t TC,TC,TC -n 
fake-smartcard-ca
+ ```
  
- Follow the instructions at [2] to create a cloud-init config drive `seed.img` 
with the following user-data:
+ Export the CA cert as PEM so that it can be added to the VM later:
+ ```
+ certutil -L -r -d sql:$PWD -o fake-smartcard-ca.cer -n fake-smartcard-ca
+ openssl x509 -in fake-smartcard-ca.cer -out fake-smartcard-ca.crt -outform pem
+ ```
+ 
+ Follow the instructions at [2] to create a cloud-init config drive 
`seed.img`. Add `fake-smartcard-ca.crt` to `seed.img` and use the following 
user-data:
  ```
  #cloud-config
  chpasswd:
-   expire: false
-   users:
- - name: ubuntu
-   password: password
-   type: text
+   expire: false
+   users:
+ - name: ubuntu
+   password: password
+   type: text
  ```
  
  Launch a qemu VM with emulated smart card:
  ```
  sudo qemu-system-x86_64 \
-   -enable-kvm \
-   -m 1024 \
-   -nic user,model=virtio \
-   -drive file=jammy-server-cloudimg-amd64.img,media=disk,index=0,if=virtio \
-   -drive file=seed.img,index=1,media=cdrom \
-   -usb -device usb-ccid -device 
ccid-card-emulated,backend=certificates,db=sql:$PWD,cert1=id-cert,cert2=signing-cert,cert3=encryption-cert
 \
-   -nographic
+   -enable-kvm \
+   -m 1024 \
+   -nic user,model=virtio \
+   -drive file=jammy-server-cloudimg-amd64.img,media=disk,index=0,if=virtio \
+   -drive file=seed.img,index=1,media=cdrom \
+   -usb -device usb-ccid -device 
ccid-card-emulated,backend=certificates,db=sql:$PWD,cert1=id-cert,cert2=signing-cert,cert3=encryption-cert
 \
+   -nographic
  ```
  
- Log in, install opensc and test the card with:
+ Log in, install opensc, copy the certificate and import it:
  ```
- sudo pkcs11-tool -t
+ sudo mount /dev/sr0 /mnt
+ sudo cp /mnt/fake-smartcard-ca.crt /usr/local/share/ca-certificates/
+ sudo update-ca-certificates
+ ```
+ 
+ test the card with:
+ ```
+ sudo pkcs11-tool --test --login
  ```
  
  Authenticating with the card (with `-l`) is not needed to reproduce the
  failure; testing should be done with `-l` as the last hunk of this patch
  is only executed when using `-l`.
  
+ [1] 
https://www.qemu.org/docs/master/system/devices/ccid.html#using-ccid-card-emulated-with-certificates-stored-in-files
+ [2] https://cloudinit.readthedocs.io/en/latest/howto/launch_qemu.html
+ 
  [ Where problems could occur ]
  
-  * These changes only affect the pkcs11-tool binary, specifically only the 
code
-    that is invoked with `-t` (see p11_test() defined on pkcs11-tool.c#6394).
-    Since `-t` is already broken, it's assumed that additional breakage to this
-    option would be low impact.
+  * These changes only affect the pkcs11-tool binary, specifically only the 
code
+that is invoked with `-t` (see p11_test() defined on pkcs11-tool.c#6394).
+Since `-t` is already broken, it's assumed that additional breakage to this
+option would be 

[Bug 2106434] Re: pkcs11-tool 0.22.0 fails in C_DigestInit with CKR_GENERAL_ERROR

2025-04-08 Thread Wesley Hershberger
** Description changed:

  [ Impact ]
  
  pkcs11-tool in Jammy (opensc=0.22.0-1ubuntu2) fails with `-t` while
  testing digests:
  
  ```
  $ sudo pkcs11-tool -l -t
  Using slot 0 with a present token (0x0)
  Logging in to "Users".
  Please enter User PIN:
  C_SeedRandom() and C_GenerateRandom():
seeding (C_SeedRandom) not supported
seems to be OK
  Digests:
all 4 digest functions seem to work
MD5: OK
SHA-1: OK
  error: PKCS11 function C_DigestInit failed: rv = CKR_GENERAL_ERROR (0x5)
  Aborting.
  ```
  
  This works in Focal and Noble. The test command provides users with a
  more firm indication that their smartcard is compatible/functional with
  OpenSC; it is often used while troubleshooting other issues with
  smartcards.
  
  This particular error occurs because the RIPEMD160 hash function is not
  included in OpenSSL's default provider in Jammy [1][2].
  
  OpenSC 0.22 does not contain patches that update deprecated usage of
  OpenSSL 3; they were merged for 0.23 [3][4]. This bug was fixed in that
  PR (discussed in [5]).
  
  It looks to me like this bug showed up in #1972753, although that issue
  was resolved with a change of OpenSSH configuration. I'm opening this
  bug report to deal specifically with pkcs11-tool.
  
  A backport of [6] is sufficient to resolve the C_DigestInit failure.
  
  [1] https://docs.openssl.org/master/man7/EVP_MD-RIPEMD160/
  [2] https://docs.openssl.org/master/man7/provider/
  [3] https://github.com/OpenSC/OpenSC/issues/2308
  [4] https://github.com/OpenSC/OpenSC/pull/2438
  [5] https://github.com/OpenSC/OpenSC/issues/2571
  [6] 
https://github.com/OpenSC/OpenSC/commit/c3dcab8b237d42961c0dc12ab2105f3df9073116
  
  [ Test Plan ]
  
  Create CA & certificates for a virtual smart card as found at [1].
  
  Follow the instructions at [2] to create a cloud-init config drive `seed.img` 
with the following user-data:
  ```
  #cloud-config
  chpasswd:
expire: false
users:
  - name: ubuntu
password: password
type: text
  ```
  
  Launch a qemu VM with emulated smart card:
  ```
  sudo qemu-system-x86_64 \
-enable-kvm \
-m 1024 \
-nic user,model=virtio \
-   -drive file=root.img,media=disk,index=0,if=virtio \
+   -drive file=jammy-server-cloudimg-amd64.img,media=disk,index=0,if=virtio \
-drive file=seed.img,index=1,media=cdrom \
-usb -device usb-ccid -device 
ccid-card-emulated,backend=certificates,db=sql:$PWD,cert1=id-cert,cert2=signing-cert,cert3=encryption-cert
 \
-nographic
  ```
  
  Log in, install opensc and test the card with:
  ```
  sudo pkcs11-tool -t
  ```
  
- Authenticating with the card (with -l) is not needed to reproduce the
- failure.
+ Authenticating with the card (with `-l`) is not needed to reproduce the
+ failure; testing should be done with -l as the last hunk of this patch
+ is only executed when using `-l`.
+ 
+ [ Where problems could occur ]
+ 
+  * These changes only affect the pkcs11-tool binary, specifically only the 
code
+that is invoked with `-t` (see p11_test() defined on pkcs11-tool.c#6394).
+Since `-t` is already broken, it's assumed that additional breakage to this
+option would be low impact.
+ 
+  * As noted in the upstream issues, OpenSC 0.22 was not audited for 
compatibility
+with OpenSSL 3.0, so there are possibly some remaining issues (some fixed 
in [3])
+that this SRU does not address.
  
  [1] 
https://www.qemu.org/docs/master/system/devices/ccid.html#using-ccid-card-emulated-with-certificates-stored-in-files
  [2] https://cloudinit.readthedocs.io/en/latest/howto/launch_qemu.html
+ [3] https://github.com/OpenSC/OpenSC/pull/2438

** Description changed:

  [ Impact ]
  
  pkcs11-tool in Jammy (opensc=0.22.0-1ubuntu2) fails with `-t` while
  testing digests:
  
  ```
  $ sudo pkcs11-tool -l -t
  Using slot 0 with a present token (0x0)
  Logging in to "Users".
  Please enter User PIN:
  C_SeedRandom() and C_GenerateRandom():
-   seeding (C_SeedRandom) not supported
-   seems to be OK
+   seeding (C_SeedRandom) not supported
+   seems to be OK
  Digests:
-   all 4 digest functions seem to work
-   MD5: OK
-   SHA-1: OK
+   all 4 digest functions seem to work
+   MD5: OK
+   SHA-1: OK
  error: PKCS11 function C_DigestInit failed: rv = CKR_GENERAL_ERROR (0x5)
  Aborting.
  ```
  
  This works in Focal and Noble. The test command provides users with a
  more firm indication that their smartcard is compatible/functional with
  OpenSC; it is often used while troubleshooting other issues with
  smartcards.
  
  This particular error occurs because the RIPEMD160 hash function is not
  included in OpenSSL's default provider in Jammy [1][2].
  
  OpenSC 0.22 does not contain patches that update deprecated usage of
  OpenSSL 3; they were merged for 0.23 [3][4]. This bug was fixed in that
  PR (discussed in [5]).
  
  It looks to me like this bug showed up in #1972753, although that issue
  was resolved with a change of OpenSSH configuration. I'm opening