Thanks for the review; I'll get the branch right in future :) I've added a section with a quick sign+verify; happy to add additional workflows if that isn't sufficient.
** Description changed:

[ Impact ]

pkcs11-tool in Jammy (opensc=0.22.0-1ubuntu2) fails with `-t` while testing digests:

```
$ sudo pkcs11-tool -l -t
Using slot 0 with a present token (0x0)
Logging in to "Users".
Please enter User PIN:
C_SeedRandom() and C_GenerateRandom():
  seeding (C_SeedRandom) not supported
  seems to be OK
Digests:
  all 4 digest functions seem to work
  MD5: OK
  SHA-1: OK
error: PKCS11 function C_DigestInit failed: rv = CKR_GENERAL_ERROR (0x5)
Aborting.
```

This works in Focal and Noble. The test command provides users with a more firm indication that their smartcard is compatible/functional with OpenSC; it is often used while troubleshooting other issues with smartcards.

This particular error occurs because the RIPEMD160 hash function is not included in OpenSSL's default provider in Jammy [1][2]. OpenSC 0.22 does not contain patches that update deprecated usage of OpenSSL 3; they were merged for 0.23 [3][4]. This bug was fixed in that PR (discussed in [5]).

It looks to me like this bug showed up in #1972753, although that issue was resolved with a change of OpenSSH configuration. I'm opening this bug report to deal specifically with pkcs11-tool.

A backport of [6] is sufficient to resolve the C_DigestInit failure.

[1] https://docs.openssl.org/master/man7/EVP_MD-RIPEMD160/
[2] https://docs.openssl.org/master/man7/provider/
[3] https://github.com/OpenSC/OpenSC/issues/2308
[4] https://github.com/OpenSC/OpenSC/pull/2438
[5] https://github.com/OpenSC/OpenSC/issues/2571
[6] https://github.com/OpenSC/OpenSC/commit/c3dcab8b237d42961c0dc12ab2105f3df9073116

[ Test Plan ]

Create CA & certificates for a virtual smart card as found at [1].
When creating the CA certificate, include `-2` and answer yes for CA:

[1] https://www.qemu.org/docs/master/system/devices/ccid.html#using-ccid-card-emulated-with-certificates-stored-in-files

```
sudo apt install libnss3-tools
mkdir fake-smartcard
cd fake-smartcard
certutil -N -d sql:$PWD
certutil -S -d sql:$PWD -s "CN=Fake Smart Card CA" -x -2 -t TC,TC,TC -n fake-smartcard-ca
certutil -S -d sql:$PWD -t ,, -s "CN=John Doe" -n id-cert -c fake-smartcard-ca
certutil -S -d sql:$PWD -t ,, -s "CN=John Doe (signing)" --nsCertType smime -n signing-cert -c fake-smartcard-ca
certutil -S -d sql:$PWD -t ,, -s "CN=John Doe (encryption)" --nsCertType sslClient -n encryption-cert -c fake-smartcard-ca
```

Export the CA cert as PEM so that it can be added to the VM later:

```
certutil -L -r -d sql:$PWD -o fake-smartcard-ca.cer -n fake-smartcard-ca
openssl x509 -in fake-smartcard-ca.cer -out fake-smartcard-ca.crt -outform pem
```

Follow the instructions at [2] to create a cloud-init config drive `seed.img`.
Add `fake-smartcard-ca.crt` to `seed.img` and use the following user-data:

[2] https://cloudinit.readthedocs.io/en/latest/howto/launch_qemu.html

```
touch network-config
touch meta-data
cat >user-data <<EOF
#cloud-config
users:
  - default
  - name: user1
    plain_text_passwd: password
    shell: /bin/bash
    lock_passwd: false
    ssh_pwauth: True
    chpasswd: { expire: False }
    sudo: ALL=(ALL) NOPASSWD:ALL
    groups: users, admin
EOF
genisoimage \
  -output seed.img \
  -volid cidata -rational-rock -joliet \
  user-data meta-data network-config fake-smartcard-ca.crt
```

Launch a qemu VM with emulated smart card:

```
wget https://cloud-images.ubuntu.com/jammy/current/jammy-server-cloudimg-amd64.img
qemu-system-x86_64 \
  -enable-kvm \
  -m 1024 \
  -nic user,model=virtio \
  -drive file=jammy-server-cloudimg-amd64.img,media=disk,index=0,if=virtio \
  -drive file=seed.img,index=1,media=cdrom \
  -usb -device usb-ccid -device ccid-card-emulated,backend=certificates,db=sql:$PWD,cert1=id-cert,cert2=signing-cert,cert3=encryption-cert \
  -device virtio-rng-pci \
  -nographic
```

Log in, install opensc, copy the certificate and trust it:

```
sudo mount /dev/sr0 /mnt
sudo cp /mnt/fake-smartcard-ca.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates
```

Test the card with:

```
sudo pkcs11-tool --test --login
```

Authenticating with the card (with `-l`) is not needed to reproduce the failure; testing should be done with `-l`, as the last hunk of this patch is only executed when using `-l`.

I've seen intermittent failures doing this in the qemu environment; this is likely an issue with `ccid-card-emulated` (pcscd logs report intermittent `commands.c:1571:CCID_Receive Command not supported or not allowed`). I will perform verification with both the virtual environment described here and a VM with a physically passed-through Yubikey.
- $ sudo pkcs11-tool --test + $ sudo pkcs11-tool --test Using slot 0 with a present token (0x0) C_SeedRandom() and C_GenerateRandom(): - seeding (C_SeedRandom) not supported - ERR: C_GenerateRandom failed: CKR_GENERAL_ERROR (0x5) + seeding (C_SeedRandom) not supported + ERR: C_GenerateRandom failed: CKR_GENERAL_ERROR (0x5) Digests: - all 4 digest functions seem to work - MD5: OK - SHA-1: OK + all 4 digest functions seem to work + MD5: OK + SHA-1: OK error: PKCS11 function C_DigestInit failed: rv = CKR_GENERAL_ERROR (0x5) Aborting. Test packages are available in the following ppa: https://launchpad.net/~whershberger/+archive/ubuntu/opensc-00408323 If you install the test packages, the output you should see is: - $ sudo pkcs11-tool --test + $ sudo pkcs11-tool --test Using slot 0 with a present token (0x0) C_SeedRandom() and C_GenerateRandom(): - seeding (C_SeedRandom) not supported - ERR: C_GenerateRandom failed: CKR_GENERAL_ERROR (0x5) + seeding (C_SeedRandom) not supported + ERR: C_GenerateRandom failed: CKR_GENERAL_ERROR (0x5) Digests: - all 4 digest functions seem to work - MD5: OK - SHA-1: OK - RIPEMD160: OK + all 4 digest functions seem to work + MD5: OK + SHA-1: OK + RIPEMD160: OK Signatures (currently only for RSA) Signatures: no private key found in this slot Verify (currently only for RSA) - No private key found for testing + No private key found for testing Decryption (currently only for RSA) 1 errors + + As an additional test, sign some data on the card & verify: + ``` + pkcs11-tool --list-objects --login + pkcs11-tool --read-object --id 1 --type pubkey > pubkey.der + openssl rsa -inform der -outform pem -in pubkey.der -pubin > pubkey.pem + dd if=/dev/urandom of=data.bin count=1 bs=64 + pkcs11-tool --id 1 --sign --mechanism RSA-PKCS --input-file data.bin --output-file data.sig + openssl pkeyutl -verify -pubin -inkey pubkey.pem -in data.bin -sigfile data.sig + ``` + + The expected result from openssl is: + ``` + Signature Verified Successfully + ``` [ 
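Review bot: the `pkcs11-tool --id 1 --sign --mechanism RSA-PKCS --input-file data.bin --output-file data.sig` line in the added sign+verify block is missing `--login`; the `--test` output shown just above it, taken without `-l`, reports `Signatures: no private key found in this slot`, so the sign step will not see the private key either unless it logs in. Suggest `pkcs11-tool --login --id 1 --sign --mechanism RSA-PKCS --input-file data.bin --output-file data.sig`, plus a sentence saying that the `--id` value is read off the preceding `--list-objects --login` output rather than assumed to be 1. It is also worth stating that `RSA-PKCS` signs the raw 64 bytes with PKCS#1 v1.5 padding and no digest, which is why the matching check is `openssl pkeyutl -verify` on `data.bin` and not `openssl dgst -verify`; a later switch to a hashing mechanism would silently change the expected result.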
Where problems could occur ]

* These changes only affect the pkcs11-tool binary, specifically only the code that is invoked with `-t` (see p11_test() defined on pkcs11-tool.c#6394). Since `-t` is already broken, it's assumed that additional breakage to this option would be low impact.

* As noted in the upstream issues, OpenSC 0.22 was not audited for compatibility with OpenSSL 3.0, so there are possibly some remaining issues (some fixed in [1]) that this SRU does not address.

[1] https://github.com/OpenSC/OpenSC/pull/2438

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2106434

Title:
  pkcs11-tool 0.22.0 fails in C_DigestInit with CKR_GENERAL_ERROR

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/opensc/+bug/2106434/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
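As an added example (not part of the bug report, the SRU, or OpenSC), the following POSIX shell script performs two host-side checks related to the description above without any smart card: which OpenSSL provider set can actually serve RIPEMD160 (the digest whose absence from Jammy's default provider is the cause of the `C_DigestInit` failure), and a software-only model of the sign+verify workflow in the test plan, showing that a raw `RSA-PKCS` signature is confirmed by `openssl pkeyutl -verify` over the raw input and rejected by a digest-based verify of the same bytes. It assumes an `openssl` binary on PATH (OpenSSL 3 for the provider check; older releases report `none` because they have no `-provider` option); the function names and the throwaway RSA key are my own.

```shell
#!/bin/sh
# Added example, not from the bug report or OpenSC.  Assumes `openssl` on PATH
# (OpenSSL 3 for the provider check); no smart card is involved.

# RIPEMD160("abc"): the known-answer value from the RIPEMD-160 specification.
RIPEMD160_ABC=8eb208f7e05d987a9b044a8e98c6b087f15a0bfc

# Digest the string "abc" with RIPEMD160 after explicitly loading the named
# providers (e.g. `default` or `default legacy`).  Prints the hex digest, or
# nothing if the algorithm could not be fetched from that provider set.
# Explicit -provider loading disables OpenSSL 3's implicit default provider,
# which is why `default` is always passed alongside `legacy` below.
ripemd160_with() {
  provider_args=""
  for p in "$@"; do
    provider_args="$provider_args -provider $p"
  done
  # provider_args is intentionally word-split into separate options.
  printf 'abc' | openssl dgst $provider_args -ripemd160 2>/dev/null | awk '{ print $NF }'
}

# Report which provider set serves RIPEMD160 on this host:
#   default - RIPEMD160 is in the default provider (upstream moved it there in
#             3.0.7), so the C_DigestInit failure cannot reproduce here;
#   legacy  - only the legacy provider has it, which is Jammy's situation and
#             what an un-patched OpenSC 0.22 trips over;
#   none    - neither worked (no legacy module, or not OpenSSL 3).
which_provider_serves_ripemd160() {
  if [ "$(ripemd160_with default)" = "$RIPEMD160_ABC" ]; then
    echo default
  elif [ "$(ripemd160_with default legacy)" = "$RIPEMD160_ABC" ]; then
    echo legacy
  else
    echo none
  fi
}

# Software-only model of the test plan's sign+verify step.  A raw RSA-PKCS
# signature (PKCS#1 v1.5 padding over the 64 input bytes, no DigestInfo, which
# is what `pkcs11-tool --mechanism RSA-PKCS` produces) is verified with
# `openssl pkeyutl -verify` on the same raw bytes.  Returns 0 only when that
# raw verify succeeds AND a SHA-256-with-RSA verify of the same signature is
# rejected, i.e. the two checks are not interchangeable.
raw_rsa_pkcs_sign_verify_roundtrip() {
  workdir=$(mktemp -d) || return 1
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$workdir/key.pem" 2>/dev/null || { rm -rf "$workdir"; return 1; }
  openssl pkey -in "$workdir/key.pem" -pubout -out "$workdir/pubkey.pem" \
    2>/dev/null || { rm -rf "$workdir"; return 1; }
  # 64 random bytes, as in the test plan's `dd` line.
  dd if=/dev/urandom of="$workdir/data.bin" bs=64 count=1 2>/dev/null \
    || { rm -rf "$workdir"; return 1; }
  # Raw PKCS#1 v1.5 signature over data.bin (the software stand-in for the card).
  openssl pkeyutl -sign -inkey "$workdir/key.pem" \
    -in "$workdir/data.bin" -out "$workdir/data.sig" 2>/dev/null \
    || { rm -rf "$workdir"; return 1; }
  # Matching check: exactly the verify line from the test plan.
  if openssl pkeyutl -verify -pubin -inkey "$workdir/pubkey.pem" \
       -in "$workdir/data.bin" -sigfile "$workdir/data.sig" >/dev/null 2>&1; then
    raw_ok=0
  else
    raw_ok=1
  fi
  # Mismatched check: treating the same signature as SHA-256-with-RSA must fail.
  if openssl dgst -sha256 -verify "$workdir/pubkey.pem" \
       -signature "$workdir/data.sig" "$workdir/data.bin" >/dev/null 2>&1; then
    digest_ok=0
  else
    digest_ok=1
  fi
  rm -rf "$workdir"
  [ "$raw_ok" -eq 0 ] && [ "$digest_ok" -ne 0 ]
}

# Run directly: summarise both checks for this host.
echo "RIPEMD160 served by provider set: $(which_provider_serves_ripemd160)"
if raw_rsa_pkcs_sign_verify_roundtrip; then
  echo "raw RSA-PKCS sign + pkeyutl verify round-trip: OK"
else
  echo "raw RSA-PKCS sign + pkeyutl verify round-trip: FAILED"
fi
```

On a Jammy host the first line is expected to read `legacy`, which is the condition under which an OpenSC 0.22 without the backported commit fails in `C_DigestInit`; on a release whose OpenSSL already carries RIPEMD160 in the default provider it reads `default` and the bug will not reproduce there regardless of the OpenSC version.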