** Description changed:

- [ Impact ]
+ [Impact]

  TLDR; users cannot authenticate properly.

  p11_child handles (pre-)authentication in two steps.
- In the first step, it locates a PKCS#11 token that could contain certificates for authentication.
+ In the first step, it locates a card with a PKCS#11 token that could contain certificates for authentication.
  In the second step, it checks if there are actually valid, usable certificate(s) on it.
- During both steps, filtering is performed based on arguments given to
- p11_child. If a mismatch occurs during the first step, it simply skips
- the module/slot/token and goes onto the next one. However if a mismatch
+ If a mismatch occurs during the first step, it simply skips the
+ module/slot/token and goes onto the next one. However if a mismatch
  occurs in the second step, this is considered a failure; it does not
- return to the first step to see if a different token contains the right
+ return to the first step to see if a different card contains the right
  certificates (or to wait for it, if --wait_for_card is given).

  To address this, the code needs to be refactored so that the certificate search happens inside the loop that searches/waits for tokens.
- [ Test Plan ]
+ [Test Plan]

- Follow instructions from beginning from here
- https://canonical-se-wiki.readthedocs-hosted.com/en/latest/content/whershberger/virtual-smartcard/
- (until launch vm)
+ Install some dependencies first:

- add cert to host nssdb
- certutil -A -d sql:$HOME/.pki/nssdb -i fake-smartcard-noble-ca.cer -t TC,TC,TC -n fake-smartcard-noble-ca
+ sudo apt install -y libnss3-tools qemu-system-x86 genisoimage

- # launch qemu
- sudo qemu-system-x86_64 -enable-kvm -m 1024 -nic user,model=virtio -chardev socket,server=on,host=0.0.0.0,port=2001,id=ccid,wait=off -drive file=root.img,media=disk,index=0,if=virtio -drive file=seed.img,index=1,media=cdrom -usb -device usb-ccid -device ccid-card-emulated,backend=certificates,db=sql:$HOME/.pki/nssdb,cert1=fake-smartcard-ca,cert2=fake-smartcard-ca,cert3=fake-smartcard-ca -usb -device virtio-rng-pci -nographic
+ Create an NSS certificate database and create a CA cert:

- apt-get update && apt-get upgrade
- sudo apt-get install pcscd pcsc-tools libnss3-tools opensc realmd sssd gnutls-bin
+ mkdir fake-smartcard
+ cd fake-smartcard
+ # Will ask for a password
+ certutil -N -d sql:$PWD
+ # Will ask for the password entered in the previous step
+ # Answer yes to both questions and leave path length as default
+ certutil -S -d sql:$PWD -s "CN=Fake Smart Card CA" -x -2 -t TC,TC,TC -n fake-smartcard-ca

- # initialize new certificate nss database in vm
- mkdir -p $HOME/.pki/nssdb
- certutil -d $HOME/.pki/nssdb -N
+ Export the CA cert as PEM so that it can be added to the VM later:

- certutil -A -d sql:$HOME/.pki/nssdb -i fake-smartcard-noble-ca.cer -t TC,TC,TC -n fake-smartcard-noble-ca
+ certutil -L -r -d sql:$PWD -o fake-smartcard-ca.cer -n fake-smartcard-ca
+ openssl x509 -in fake-smartcard-ca.cer -out fake-smartcard-ca.crt -outform pem

- # check db if you see certs
- certutil -d sql:$HOME/.pki/nssdb -L
+ Create user-data file

- sudo pcsc_scan
- PC/SC device scanner
- V 1.7.1 (c) 2001-2022, Ludovic Rousseau <[email protected]>
- Using reader plug'n play mechanism
- Scanning present readers...
- 0: Gemalto Gemplus USB SmartCard Reader 433-Swap [CCID Interface] (1-0000:00:01.2-1) 00 00
+ cat <<EOF > user-data
+ #cloud-config
+ users:
+   - default
+   - name: user1
+     plain_text_passwd: password
+     shell: /bin/bash
+     lock_passwd: false
+     ssh_pwauth: True
+     chpasswd: { expire: False }
+     sudo: ALL=(ALL) NOPASSWD:ALL
+     groups: users, admin
+ EOF

- Tue Jul 15 20:47:59 2025
- Reader 0: Gemalto Gemplus USB SmartCard Reader 433-Swap [CCID Interface] (1-0000:00:01.2-1) 00 00
- Event number: 0
- Card state: Card inserted,
- ATR: 3B 7A 18 00 00 73 66 74 65 20 63 64 31 34 34
- ...
+ Create a cloud-init config drive for the VM to store user-data and the
+ CA cert:

- Possibly identified card (using /usr/share/pcsc/smartcard_list.txt):
- 3B 7A 18 00 00 73 66 74 65 20 63 64 31 34 34
- Republic Slovenia e-Gov, Ministry of Public Administration
- SIGOV-CA, Slovenian Governmental Certification Authority
- Giesecke & Devrient (PIV Endpoint) G&D Sm@rtCafe Expert v3.2
+ touch network-config
+ touch meta-data
+ genisoimage \
+   -output seed.img \
+   -volid cidata -rational-rock -joliet \
+   user-data meta-data network-config fake-smartcard-ca.crt

- scp cac-card cert to vm
- and save to vm's nssdb.
+ Download a cloud image for the required Ubuntu version:

- sudo su
- mkdir /etc/sssd/pki
- cd pki
- touch cat fake-smartcard-ca.crt >> /etc/sssd/pki/sssd_auth_ca_db.pem
- cat fake-smartcard-ca.crt >> /etc/sssd/pki/sssd_auth_ca_db.pem
+ version=resolute|questing|plucky|noble
+ wget https://cloud-images.ubuntu.com/${version}/current/${version}-server-cloudimg-amd64.img

- # call out to p11_child directly
- sudo /usr/libexec/sssd/p11_child --pre -d 10 --debug-fd=2 --ca_db=/etc/sssd/pki/sssd_auth_ca_db.pem
+ Create and expand a separate file for the root device (useful for
+ retesting without having to download the cloud image again)

- [p11_child[4329]] [main] (0x0400): p11_child started.
- [p11_child[4329]] [main] (0x2000): Running in [pre-auth] mode.
- [p11_child[4329]] [do_card] (0x4000): Login NOT required.
- [p11_child[4329]] [read_certs] (0x4000): found cert[CAC ID Certificate][/CN=Fake Smart Card Noble CA]
- [p11_child[4329]] [do_verification] (0x0040): X509_verify_cert failed [0].
- [p11_child[4329]] [do_verification] (0x0040): X509_verify_cert failed [18][self-signed certificate].
- [p11_child[4329]] [read_certs] (0x0040): Certificate [CAC ID Certificate][/CN=Fake Smart Card Noble CA] not valid, skipping.
- [p11_child[4329]] [read_certs] (0x4000): found cert[CAC Email Signature Certificate][/CN=Fake Smart Card Noble CA]
- [p11_child[4329]] [do_verification] (0x0040): X509_verify_cert failed [0].
- [p11_child[4329]] [do_verification] (0x0040): X509_verify_cert failed [18][self-signed certificate].
- [p11_child[4329]] [read_certs] (0x0040): Certificate [CAC Email Signature Certificate][/CN=Fake Smart Card Noble CA] not valid, skipping.
- [p11_child[4329]] [read_certs] (0x4000): found cert[CAC Email Encryption Certificate][/CN=Fake Smart Card Noble CA]
- [p11_child[4329]] [do_verification] (0x0040): X509_verify_cert failed [0].
- [p11_child[4329]] [do_verification] (0x0040): X509_verify_cert failed [18][self-signed certificate].
- [p11_child[4329]] [read_certs] (0x0040): Certificate [CAC Email Encryption Certificate][/CN=Fake Smart Card Noble CA] not valid, skipping.
- [p11_child[4329]] [do_card] (0x4000): No certificate found.
+ cp ${version}-server-cloudimg-amd64.img root.img
+ qemu-img resize root.img +10G

- # shutdown vm, make empty cert and relaunch
- sudo shutdown now
+ Launch VM:

- # make an empty cert and add it to nssdb
- certutil -S -s "CN=''" -n CACert -x -t "CT,C,C" -v 120 -m 1234 -d sql:$PWD
- certutil -R -s "CN='\?', O=Canonical , L=COS, ST=CO, C=US" -o mycert.req -d sql:$PWD
- certutil -d sql:$PWD -L
- certutil -C -m 2345 -i mycert.req -o invalid.crt -c CACert -d sql:$PWD
- openssl x509 -in invalid.crt -noout -text
+ sudo qemu-system-x86_64 -enable-kvm -m 1024 -nic user,model=virtio \
+   -chardev socket,server=on,host=0.0.0.0,port=2001,id=ccid,wait=off \
+   -drive file=root.img,media=disk,index=0,if=virtio \
+   -drive file=seed.img,index=1,media=cdrom -usb -device usb-ccid \
+   -device ccid-card-emulated,backend=certificates,db=sql:$PWD,cert1=fake-smartcard-ca,cert2=fake-smartcard-ca,cert3=fake-smartcard-ca -usb \
+   -device virtio-rng-pci -nographic

- certutil -A -d sql:$PWD -i invalid.crt -t TC,TC,TC -n invalid-fake-smartcard-ca
+ Login with user1/password and run:

- sudo qemu-system-x86_64 -enable-kvm -m 1024 -nic user,model=virtio -chardev socket,server=on,host=0.0.0.0,port=2001,id=ccid,wait=off -drive file=root.img,media=disk,index=0,if=virtio -drive file=seed.img,index=1,media=cdrom -usb -device usb-ccid -device ccid-card-emulated,backend=certificates,db=sql:$PWD,cert1=fake-invalid-smartcard-ca,cert2=fake-invalid-smartcard-ca,cert3=fake-invalid-smartcard-ca -usb -device virtio-rng-pci -nographic
+ sudo apt update
+ sudo apt install -y pcscd pcsc-tools libnss3-tools opensc realmd sssd gnutls-bin softhsm2
+ sudo mount /dev/sr0 /mnt

- sudo /usr/libexec/sssd/p11_child --pre -d 10 --debug-fd=2 --ca_db=/etc/sssd/pki/sssd_auth_ca_db.pem
+ Finally run this command:

- # installing coolkey gives access to cac-card
- sudo apt-get install opensc coolkey
+ sudo /usr/libexec/sssd/p11_child --pre -d 10 --debug-fd=2 --ca_db /mnt/fake-smartcard-ca.crt --token_name nothere

- whereis opensc-pkcs11.so
- /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
+ This will look for a non-existing token. Without the patch it will only
+ look at the opensc-pkcs11 module and stop.

- ~$: sudo modutil -dbdir sql:$HOME/.pki/nssdb/ -add "CAC Module" -libfile /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
+ [p11_child[3916]] [do_card] (0x4000): (null) /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so CACard Fake Smart Card CA (null) - no label given- 0003.
+ [p11_child[3916]] [do_card] (0x4000): (null) /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so CACard Fake Smart Card CA (null) - no label given- 0002.
+ [p11_child[3916]] [do_card] (0x4000): (null) /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so CACard Fake Smart Card CA (null) - no label given- 0001.
+ [p11_child[3916]] [do_card] (0x4000): No certificate found.
+ 0

- WARNING: Performing this operation while the browser is running could cause
- corruption of your security databases. If the browser is currently running,
- you should exit browser before continuing this operation. Type
- 'q <enter>' to abort, or <enter> to continue:
+ Apply the patch and rerun the previous command. The output should finish
+ like this:

- Module "CAC Module" added to database.
+ [p11_child[4696]] [do_slot] (0x4000): (null) /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so nothere Fake Smart Card CA (null) - no label given- 0003.
+ [p11_child[4696]] [do_slot] (0x4000): (null) /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so nothere Fake Smart Card CA (null) - no label given- 0002.
+ [p11_child[4696]] [do_slot] (0x4000): (null) /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so nothere Fake Smart Card CA (null) - no label given- 0001.
+ [p11_child[4696]] [do_slot] (0x4000): No certificate found.
+ [p11_child[4696]] [do_card] (0x4000): common name: [softhsm2].
+ [p11_child[4696]] [do_card] (0x4000): dll name: [/usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so].
+ [p11_child[4696]] [do_card] (0x4000): Description [SoftHSM slot ID 0x0] Manufacturer [SoftHSM project] flags [1] removable [false] token present [true].

- sudo /usr/libexec/sssd/p11_child --wait_for_card --pre -d 10 --debug-fd=2 \
-   --ca_db=/etc/sssd/pki/sssd_auth_ca_db.pem --module_name 'Fake Smart Card CA' \
-   --token_name CACard --key_id 0001 --pin 1234
+ Now it will also check the softhsm2 module:

- # we'll create the empty cert, add to db and run p11_child
- sudo /usr/libexec/sssd/p11_child --wait_for_card --pre -d 10 --debug-fd=2 --ca_db=/etc/sssd/pki/sssd_auth_ca_db.pem --module_name 'Fake Smart Card CA' --token_name CACard --key_id 0001 --pin 1234
- [p11_child[2183]] [main] (0x0400): p11_child started.
- [p11_child[2183]] [main] (0x2000): Running in [pre-auth] mode.
- [p11_child[2183]] [main] (0x2000): Running with effective IDs: [0][0].
- [p11_child[2183]] [main] (0x2000): Running with real IDs [0][0].
- [p11_child[2183]] [do_card] (0x4000): Module List:
- [p11_child[2183]] [do_card] (0x4000): common name: [opensc-pkcs11].
- [p11_child[2183]] [do_card] (0x4000): dll name: [/usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so].
- [p11_child[2183]] [do_card] (0x4000): Description [Gemalto Gemplus USB SmartCard Reader 433-Swap [CCID Interface...] Manufacturer [QEMU] flags [7] removable [true] token present [true].
- [p11_child[2183]] [do_card] (0x4000): Token label [Fake Smart Card CA].
- [p11_child[2183]] [do_card] (0x4000): Found [Fake Smart Card CA] in slot [Gemalto Gemplus USB SmartCard Reader 433-Swap [CCID Interface...][0] of module [0][/usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so].
- [p11_child[2183]] [do_card] (0x4000): Login NOT required.
- [p11_child[2183]] [read_certs] (0x4000): found cert[CAC ID Certificate][/CN=Fake Smart Card CA]
- [p11_child[2183]] [do_ocsp] (0x0020): No OCSP URL in certificate and no default responder defined, skipping OCSP check.
- [p11_child[2183]] [read_certs] (0x4000): found cert[CAC Email Signature Certificate][/CN=Fake Smart Card CA]
- [p11_child[2183]] [do_ocsp] (0x0020): No OCSP URL in certificate and no default responder defined, skipping OCSP check.
- [p11_child[2183]] [read_certs] (0x4000): found cert[CAC Email Encryption Certificate][/CN=Fake Smart Card CA]
- [p11_child[2183]] [do_ocsp] (0x0020): No OCSP URL in certificate and no default responder defined, skipping OCSP check.
- [p11_child[2183]] [do_card] (0x4000): Fake Smart Card CA /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so CACard Fake Smart Card CA 0001 - no label given- 0003.
- [p11_child[2183]] [do_card] (0x4000): Fake Smart Card CA /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so CACard Fake Smart Card CA 0001 - no label given- 0002.
- [p11_child[2183]] [do_card] (0x4000): Fake Smart Card CA /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so CACard Fake Smart Card CA 0001 - no label given- 0001.
- [p11_child[2183]] [do_card] (0x4000): No certificate found.
- 0
- * Previous code stops here

- #Then after upgrade we have a cert.
- sudo apt-get install --only-upgrade sssd
+ [Where Problems Could Occur]

- apt-cache policy sssd
- sssd:
-   Installed: 2.10.1-2ubuntu5.1testpkg1
-   Candidate: 2.10.1-2ubuntu5.1testpkg1
-   Version table:
-  *** 2.10.1-2ubuntu5.1testpkg1 500
+ The worst case scenario would be that a working system fails to
+ authenticate. I don't think that is likely as we are just reworking the
+ failure path. What will happen is that non-working setups will start
+ working now if a second valid authentication token is found.

- user1@ubuntu:~$ sudo /usr/libexec/sssd/p11_child --wait_for_card --pre -d 10 --debug-fd=2 --ca_db=/etc/sssd/pki/sssd_auth_ca_db.pem --module_name 'Fake Smart Card CA' --token_name CACard --key_id 0001 --pin 1234
- [p11_child[2800]] [main] (0x0400): p11_child started.
- [p11_child[2800]] [main] (0x2000): Running in [pre-auth] mode.
- [p11_child[2800]] [main] (0x2000): Running with effective IDs: [0][0].
- [p11_child[2800]] [main] (0x2000): Running with real IDs [0][0].
- [p11_child[2800]] [do_card] (0x4000): Module List:
- [p11_child[2800]] [do_card] (0x4000): common name: [opensc-pkcs11].
- [p11_child[2800]] [do_card] (0x4000): dll name: [/usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so].
- [p11_child[2800]] [do_card] (0x4000): Description [Gemalto Gemplus USB SmartCard Reader 433-Swap [CCID Interface...] Manufacturer [QEMU] flags [7] removable [true] token present [true].
- [p11_child[2800]] [do_card] (0x4000): Token label [Fake Smart Card CA].
- [p11_child[2800]] [do_slot] (0x4000): Found [Fake Smart Card CA] in slot [Gemalto Gemplus USB SmartCard Reader 433-Swap [CCID Interface...][0] of module [0][/usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so].
- [p11_child[2800]] [do_slot] (0x4000): Login NOT required.
- [p11_child[2800]] [read_certs] (0x4000): found cert[CAC ID Certificate][/CN=Fake Smart Card CA]
- [p11_child[2800]] [do_ocsp] (0x0020): No OCSP URL in certificate and no default responder defined, skipping OCSP check.
- [p11_child[2800]] [read_certs] (0x4000): found cert[CAC Email Signature Certificate][/CN=Fake Smart Card CA]
- [p11_child[2800]] [do_ocsp] (0x0020): No OCSP URL in certificate and no default responder defined, skipping OCSP check.
- [p11_child[2800]] [read_certs] (0x4000): found cert[CAC Email Encryption Certificate][/CN=Fake Smart Card CA]
- [p11_child[2800]] [do_ocsp] (0x0020): No OCSP URL in certificate and no default responder defined, skipping OCSP check.
- [p11_child[2800]] [do_slot] (0x4000): Fake Smart Card CA /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so CACard Fake Smart Card CA 0001 - no label given- 0003.
- [p11_child[2800]] [do_slot] (0x4000): Fake Smart Card CA /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so CACard Fake Smart Card CA 0001 - no label given- 0002.
- [p11_child[2800]] [do_slot] (0x4000): Fake Smart Card CA /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so CACard Fake Smart Card CA 0001 - no label given- 0001.
- [p11_child[2800]] [do_slot] (0x4000): No certificate found.
- [p11_child[2800]] [do_card] (0x4000): common name: [softhsm2].
- [p11_child[2800]] [do_card] (0x4000): dll name: [/usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so].
- [p11_child[2800]] [do_card] (0x4000): Description [SoftHSM slot ID 0x0] Manufacturer [SoftHSM project] flags [1] removable [false] token present [true].
- 0
- # We continue the search for certs even if we didn't find a valid certificate.
+ [Other Info]

- [ Where Problems Could Occur]
+ Backported from a couple of upstream patches

- Most problems would occur during the authentication phase of when sssd
- talks to certificates to get tokens on the smart cards.
+ https://github.com/SSSD/sssd/commit/1b3d5d829c0201aa03621ff80f077787557508b4
+ https://github.com/SSSD/sssd/commit/782a6dd54967e7c2dd3013f7e68134ee8751ab88

- A regression would likely look like denying a valid user authentication
- to Active Directory when using smart cards to authenticate a user.
+ From this issue:

- Working around this regression calling out to p11_child directly and get better logging as to the error occurring.
- sudo /usr/libexec/sssd/p11_child --pre -d 10 --debug-fd=2 --ca_db=/etc/sssd/pki/sssd_auth_ca_db.pem
- Try with a vm passing in a fake created certificate like shown here
- https://canonical-se-wiki.readthedocs-hosted.com/en/latest/content/whershberger/virtual-smartcard/ where we emulate the smart card via qemu passed in on the command line.
-
- Another regression would be if parsing of the tokens failed during
- certificate look up.
-
- A regression would look like a failure to properly parse the
- certificate.
-
- I do not know of a valid work around if parsing in the code from sssd is
- failing. My suggestion would be to first file a new launchpad bug and
- seek help from previous related posts.
-
- Someone has already identified an issue upstream.
- https://github.com/SSSD/sssd/issues/7912
-
- The fundamental problem stems from opensc pkcs11 not from sssd itself,
- but a 3rd party library.
-
- https://issues.redhat.com/browse/RHEL-47261
- https://github.com/OpenSC/OpenSC/issues/3241
-
- [ Other Info ]
-
- Backport from upstream.
- Continue searching other PKCS#11 tokens if certificates are not found
  https://github.com/SSSD/sssd/issues/5905
- https://github.com/SSSD/sssd/commit/782a6dd54967e7c2dd3013f7e68134ee8751ab88
-
- Testing sssd repository
- https://launchpad.net/~hypothetical-lemon/+archive/ubuntu/lp2110521-sssd-port/
+ The first patch might appear to be too large but mostly is just
+ transposing code from inside a function to an external function.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2110521

Title:
  Continue searching other PKCS#11 tokens if certificates are not found

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/2110521/+subscriptions

--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
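The verification step in the test plan above (run p11_child with a token label that does not exist and see whether the search goes on to the softhsm2 module after opensc-pkcs11 reports "No certificate found.") is easy to misread when eyeballing -d 10 output. The following POSIX sh script is an added example, not part of the bug report or of sssd: it extracts the PKCS#11 modules p11_child loaded (the "common name: [...]" lines) and reports PASS only if another module was loaded after a "No certificate found." line. The two sample logs are constructed, abridged from the debug output quoted in the bug; the live_check function assumes the VM from the test plan (CA cert mounted at /mnt, softhsm2 installed) and reuses the test plan's p11_child options.

```shell
#!/bin/sh
# Added example (not part of the bug report): grade p11_child debug output for
# the behaviour this bug is about, i.e. whether the certificate search moved
# on to the next PKCS#11 module after the first one yielded no certificate.
#
# Constructed sample logs, abridged from the -d 10 output quoted in the bug.
UNPATCHED_LOG='[p11_child[3916]] [do_card] (0x4000): Module List:
[p11_child[3916]] [do_card] (0x4000): common name: [opensc-pkcs11].
[p11_child[3916]] [do_card] (0x4000): dll name: [/usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so].
[p11_child[3916]] [do_card] (0x4000): Token label [Fake Smart Card CA].
[p11_child[3916]] [do_card] (0x4000): No certificate found.'

PATCHED_LOG='[p11_child[4696]] [do_card] (0x4000): Module List:
[p11_child[4696]] [do_card] (0x4000): common name: [opensc-pkcs11].
[p11_child[4696]] [do_card] (0x4000): dll name: [/usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so].
[p11_child[4696]] [do_card] (0x4000): Token label [Fake Smart Card CA].
[p11_child[4696]] [do_slot] (0x4000): No certificate found.
[p11_child[4696]] [do_card] (0x4000): common name: [softhsm2].
[p11_child[4696]] [do_card] (0x4000): dll name: [/usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so].
[p11_child[4696]] [do_card] (0x4000): Description [SoftHSM slot ID 0x0] Manufacturer [SoftHSM project] flags [1] removable [false] token present [true].'

# modules_probed LOG
# Print the PKCS#11 modules p11_child loaded, in order, space separated.
modules_probed() {
    printf '%s\n' "$1" \
        | sed -n 's/.*common name: \[\([^]]*\)].*/\1/p' \
        | tr '\n' ' ' | sed 's/ *$//'
}

# search_continued LOG
# Exit 0 if a further module was loaded after a "No certificate found."
# line (the fixed behaviour), 1 if the search stopped at the first module.
search_continued() {
    printf '%s\n' "$1" | awk '
        /No certificate found\./         { nocert = 1 }
        /common name: \[/ && nocert == 1 { found = 1 }
        END                              { exit(found ? 0 : 1) }'
}

# verdict LOG
# Print PASS when the search continued past the first module, FAIL otherwise.
verdict() {
    if search_continued "$1"; then echo PASS; else echo FAIL; fi
}

# live_check
# Run the test plan's command against a token label that does not exist and
# grade the real output. Assumes the VM from the test plan (CA cert mounted
# at /mnt, softhsm2 installed); only runs when invoked with --live.
live_check() {
    log=$(sudo /usr/libexec/sssd/p11_child --pre -d 10 --debug-fd=2 \
              --ca_db /mnt/fake-smartcard-ca.crt --token_name nothere 2>&1)
    printf 'modules probed: %s\n' "$(modules_probed "$log")"
    verdict "$log"
}

if [ "${1:-}" = "--live" ]; then
    live_check
else
    printf 'unpatched sample: %s -> %s\n' \
        "$(modules_probed "$UNPATCHED_LOG")" "$(verdict "$UNPATCHED_LOG")"
    printf 'patched sample:   %s -> %s\n' \
        "$(modules_probed "$PATCHED_LOG")" "$(verdict "$PATCHED_LOG")"
fi
```

Run without arguments it grades the two embedded samples (the unpatched one reports FAIL, the patched one PASS); run with --live inside the test VM it grades a real p11_child run. The check keys on the module-load lines rather than on do_card versus do_slot function names, so it does not depend on the function split introduced by the backported patches.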
