Public bug reported:

[ Impact ]

pkcs11-tool in Jammy (opensc=0.22.0-1ubuntu2) fails with `-t` while testing digests:

```
$ sudo pkcs11-tool -l -t
Using slot 0 with a present token (0x0)
Logging in to "Users".
Please enter User PIN:
C_SeedRandom() and C_GenerateRandom():
  seeding (C_SeedRandom) not supported
  seems to be OK
Digests:
  all 4 digest functions seem to work
  MD5: OK
  SHA-1: OK
error: PKCS11 function C_DigestInit failed: rv = CKR_GENERAL_ERROR (0x5)
Aborting.
```

This works in Focal and Noble.

The test command provides users with a more firm indication that their smartcard is compatible/functional with OpenSC; it is often used while troubleshooting other issues with smartcards.

This particular error occurs because the RIPEMD160 hash function is not included in OpenSSL's default provider in Jammy [1][2].

OpenSC 0.22 does not contain patches that update deprecated usage of OpenSSL 3; they were merged for 0.23 [3][4]. This bug was fixed in that PR (discussed in [5]).

It looks to me like this bug showed up in #1972753, although that issue was resolved with a change of OpenSSH configuration. I'm opening this bug report to deal specifically with pkcs11-tool.

A backport of [6] is sufficient to resolve the C_DigestInit failure.

[1] https://docs.openssl.org/master/man7/EVP_MD-RIPEMD160/
[2] https://docs.openssl.org/master/man7/provider/
[3] https://github.com/OpenSC/OpenSC/issues/2308
[4] https://github.com/OpenSC/OpenSC/pull/2438
[5] https://github.com/OpenSC/OpenSC/issues/2571
[6] https://github.com/OpenSC/OpenSC/commit/c3dcab8b237d42961c0dc12ab2105f3df9073116

[ Test Plan ]

Create CA & certificates for a virtual smart card as found at [1].

Follow the instructions at [2] to create a cloud-init config drive `seed.img` with the following user-data:

```
#cloud-config
chpasswd:
  expire: false
  users:
    - name: ubuntu
      password: password
      type: text
```

Launch a qemu VM with emulated smart card:

```
sudo qemu-system-x86_64 \
  -enable-kvm \
  -m 1024 \
  -nic user,model=virtio \
  -drive file=root.img,media=disk,index=0,if=virtio \
  -drive file=seed.img,index=1,media=cdrom \
  -usb -device usb-ccid -device ccid-card-emulated,backend=certificates,db=sql:$PWD,cert1=id-cert,cert2=signing-cert,cert3=encryption-cert \
  -nographic
```

Log in, install opensc and test the card with:

```
sudo pkcs11-tool -t
```

Authenticating with the card (with -l) is not needed to reproduce the failure.

[1] https://www.qemu.org/docs/master/system/devices/ccid.html#using-ccid-card-emulated-with-certificates-stored-in-files
[2] https://cloudinit.readthedocs.io/en/latest/howto/launch_qemu.html

** Affects: opensc (Ubuntu)
     Importance: Undecided
     Assignee: Wesley Hershberger (whershberger)
         Status: In Progress

** Affects: opensc (Ubuntu Jammy)
     Importance: Undecided
     Assignee: Wesley Hershberger (whershberger)
         Status: In Progress

** Tags: sts

** Tags added: sts

** Also affects: opensc (Ubuntu Jammy)
   Importance: Undecided
       Status: New

** Changed in: opensc (Ubuntu Jammy)
       Status: New => In Progress

** Changed in: opensc (Ubuntu Jammy)
     Assignee: (unassigned) => Wesley Hershberger (whershberger)

https://bugs.launchpad.net/bugs/2106434

Title:
  pkcs11-tool 0.22.0 fails in C_DigestInit with CKR_GENERAL_ERROR
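Added example, not part of the bug report or of OpenSC: a Python triage helper for a `pkcs11-tool -t` transcript like the one above. It works out which digest C_DigestInit failed on and checks whether the host's OpenSSL offers that digest, which separates a host-side provider gap from a card fault. The digest test order, the function names, and the premise that Python's hashlib uses the same OpenSSL as pkcs11-tool are assumptions; the sample transcript is constructed from the output quoted in the report.

```python
import hashlib
import re

# Constructed sample: digest section of the failing transcript quoted in the report.
SAMPLE = """\
Digests:
  all 4 digest functions seem to work
  MD5: OK
  SHA-1: OK
error: PKCS11 function C_DigestInit failed: rv = CKR_GENERAL_ERROR (0x5)
Aborting.
"""

# Assumption: pkcs11-tool tests digests in this order, so the digest after the
# last "OK" line is the one whose C_DigestInit failed. Values are hashlib names.
DIGEST_ORDER = [("MD5", "md5"), ("SHA-1", "sha1"), ("RIPEMD160", "ripemd160")]


def parse_digest_test(output):
    """Return (digests reported OK, failing PKCS#11 function, return value name)."""
    passed = re.findall(r"^\s*([A-Z0-9-]+): OK\s*$", output, re.M)
    err = re.search(r"PKCS11 function (\w+) failed: rv = (\w+)", output)
    return passed, (err.group(1) if err else None), (err.group(2) if err else None)


def host_has_digest(name):
    """True if hashlib can build the digest. Python ships no built-in RIPEMD160,
    so for that name the result reflects the OpenSSL providers that are loaded."""
    try:
        hashlib.new(name)
        return True
    except ValueError:  # unsupported hash type
        return False


def triage(output, has_digest=host_has_digest):
    """Classify a C_DigestInit failure as host-side (OpenSSL) or card-side."""
    passed, func, rv = parse_digest_test(output)
    if func != "C_DigestInit":
        return "no C_DigestInit failure in this output"
    remaining = [(label, name) for label, name in DIGEST_ORDER if label not in passed]
    if not remaining:
        return f"{rv} after all known digests passed; cannot attribute"
    label, name = remaining[0]
    if has_digest(name):
        return f"{label} failed but host OpenSSL provides it; look at the token/driver"
    return f"{label} is missing from the host's OpenSSL providers; not a card fault"

if __name__ == "__main__":
    print(triage(SAMPLE))
```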
