[UBUNTU 22.04] opencryptoki 3.17.0 is missing the strength.conf config file
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Ubuntu on IBM z Systems |
Fix Released
|
Medium
|
Skipper Bug Screeners | ||
| opencryptoki (Ubuntu) |
Fix Released
|
Medium
|
Unassigned | ||
| Jammy |
Fix Released
|
Medium
|
Unassigned | ||
| Kinetic |
Fix Released
|
Medium
|
Unassigned | ||
| Lunar |
Fix Released
|
Medium
|
Unassigned | ||
| Mantic |
Fix Released
|
Medium
|
Unassigned | ||
Bug Description
SRU Justification:
==================
[Impact ]
* Opencryptoki added policy support (after 3.17) with 3.18,
which requires to have a strength.conf file in place.
* Without the strength.conf file such newer opencryptoki version will not work.
* And an error like this is shown, in case pkcsconf is going to be used:
# pkcsconf -t
Error initializing the PKCS11 library: 0x5 (CKR_GENERAL_ERROR)
[ Test Plan ]
* A end to end scenario, that covers the following stack:
Java program using crypto
/ \
ICA-token soft-token ...
|
s390x_
can be based on a Java application that does
AES encryption in ECB mode with a randomly generated key (DRBG-SHA-512)
and exploiting JCA / IBMPKCS11Impl
with opencryptoki managing clear keys,
either with a soft-token or an ICA token.
* The pkcsconf tool is here used to manage (initialize and re-label)
the tokens before used by the Java application.
* For the detailed steps and the Java application itself,
please see https:/
[ Where problems could occur ]
* The strength.conf file might have wrong content
* or is at a wrong file-system location
* or strength.conf might have wrong file permissions,
which is checked inside of the tool's code.
* In all these cases pkcsconf will still not work even if the file is in place.
[ Other Info ]
* The strength.conf file allows users to configure openCryptoki
cryptographic key strength determination based on key attributes.
And this file is required by openCryptoki.
The strength configuration file has to be owned by 'root:@pkcs_group',
have mode 0640, and be parsable. Otherwise, openCryptoki will return
'CKR_
to syslog detailing the reason why the strength configuration could
not be used. (more see 'strength.conf' in man5)
* To simplify the packaging d/opencryptoki.
entire content of the etc/opencryptoki build folder,
especially to catch all conf files.
This eventually also makes the arch-specific file
d/opencrypto
* Package opencryptoki has reverse dependencies:
$ reverse-depends -a source src:opencryptoki
Reverse-
* simple-tpm-pk11 (for libopencryptoki
* tpm-tools (for libopencryptoki
These were rebuild for test purposes, in addition to opencryptoki itself,
and are available at PPA:
https:/
__________
---Problem Description---
Summary
=======
IBM z16 system LPAR
OS: "Ubuntu 22.04.1 LTS (Jammy Jellyfish)" on 5.15.0-69-generic kernel
providing
opencryptoki 3.17.0+
The opencryptoki package is missing the strength.conf file
Details
=======
When attempting to build up no opencryptoki token is displayed.
Further investigations revealed the problem is related to a missing configuration file which is not shipped/included by the opencryptoki package.
Run : dpkg -L opencryptoki and check the list of files for the /etc directory.
Furhter, enabled the opencryptoki debug messages to display why the tokens are not built up by 'export OPENCRYPTOKI_
Terminal output
===============
# cat /var/log/
04/27/2023 14:01:34 15928 [usr/lib/
04/27/2023 14:01:34 15928 [usr/lib/
04/27/2023 14:01:34 15928 [usr/lib/
04/27/2023 14:01:34 15928 [usr/lib/
04/27/2023 14:01:34 15928 [usr/lib/
04/27/2023 14:01:34 15928 [usr/lib/
Contact Information = <email address hidden>
---uname output---
Linux sytem 5.15.0-69-generic #76-Ubuntu SMP Fri Mar 17 17:22:11 UTC 2023 s390x s390x s390x GNU/Linux
Machine Type = IBM Type: 3931 Model: 704 A01
---Debugger---
A debugger is not configured
---Steps to Reproduce---
1.) Install Ubuntu 22.04.1 onto your LPAR, VM guest or KVM guest
2.) Install opencryptoki via apt-get install -y opencryptoki
3.) run: pkcsconf -t
and watch the problem to occur
# pkcsconf -t
Error initializing the PKCS11 library: 0x5 (CKR_GENERAL_ERROR)
4.) export OPENCRYPTOKI_
5.) Run step 4 again
6.) ls -l /var/log/
The debug file contains the hit to the missing .conf file
Userspace tool common name: pkcsconf
The userspace tool has the following bit modes: 64bit
Userspace rpm: opencryptoki
Userspace tool obtained from project website: na
*Additional Instructions for <email address hidden>:
-Attach ltrace and strace of userspace application.
== Comment: <email address hidden> - 2023-04-28 03:52:34 ==
That is somewhat strange. Opencryptoki 3.17 does NOT yet contain support for policies, at least not the upstream version. Policy support came only with 3.18.
So I would not have expected that 3.17 has policy support at all.
However, I don't know if the policy support was backported for/by Ubuntu to Ubuntu's opencryptoki 3.17?
If that's the case, then I would assume that only policy support, but not support for statistics was backported (you can check if 'pkcsstats' is available with Ubuntu's 3.17).
With just policy support (but not statistics), the 2 config files required for enabling policies (strength.cong and policy.conf) are intentionally not shipped and installed in /etc/opencryptoki, but it is the user's responsibility to provide both of them when enabling policies. Examples for both of these config files are provided in the documentation directory of the package: strength-
With 3.18, statistics support was added, and with that, the strength.conf file was changed to be shipped and installed in /etc/opencryptoki, because the statistics support needs to know the strength definitions as well, independent of policies being enabled or not. So starting with 3.18, a user would only have to supply a policy.conf file to enable policies, if the provided strength configuration matches its need.
Please keep in mind, the provided strength.
# Do not require any specific strength.
# You probably do not want this!
strength = 0
So this is something that the user must adjust in any case. Having a policy that requires a key strength of 0 bits simply means that all keys of all strength are allowed.
Please also see 'man policy.conf' and 'man strength.conf' for details.
Given above, I would tent to consider this BZ as 'works as designed', unless it turns out that the backport misses important things.
== Comment: <email address hidden> - 2023-04-28 03:59:08 ==
It only fails if the user has supplied a policy.conf file, but no strength.conf file.
== Comment: <email address hidden> - 2023-05-08 05:10:09 ==
Apparently the policy as well as statistics support shall be integrated into the opencryptoki library release shipped with Ubuntu 22.04 (jammy jellyfish). Please integrate a default strength.conf file.
Thanks.
Refer also to the comment in LaunchPad LP1959419 :
"Please note that with the patches on top of 3.17 a new strength.conf file is being installed into /etc/opencryptoki when doing 'make install'. Make sure that you include this new file into your package so that it gets installed at the user systems. Without the strength.conf file opencryptoki won't work."
== Comment: <email address hidden> - 2023-05-08 06:14:46 ==
Note that strength.conf must be owned by root:pkcs11 and MUST (!) have a mode of 0640.
| tags: | added: architecture-s39064 bugnameltc-202380 severity-medium targetmilestone-inin--- |
| Changed in ubuntu: | |
| assignee: | nobody → Skipper Bug Screeners (skipper-screen-team) |
| affects: | ubuntu → linux (Ubuntu) |
| affects: | linux (Ubuntu) → opencryptoki (Ubuntu) |
| Changed in ubuntu-z-systems: | |
| assignee: | nobody → Skipper Bug Screeners (skipper-screen-team) |
| Changed in opencryptoki (Ubuntu): | |
| importance: | Undecided → Medium |
| Changed in ubuntu-z-systems: | |
| importance: | Undecided → Medium |
| Frank Heimes (fheimes) wrote | #1 |
| Changed in opencryptoki (Ubuntu Lunar): | |
| importance: | Undecided → Medium |
| Changed in opencryptoki (Ubuntu Kinetic): | |
| importance: | Undecided → Medium |
| Changed in opencryptoki (Ubuntu Jammy): | |
| importance: | Undecided → Medium |
| Changed in opencryptoki (Ubuntu Mantic): | |
| status: | New → In Progress |
| Changed in ubuntu-z-systems: | |
| status: | New → In Progress |
| description: | updated |
| Launchpad Janitor (janitor) wrote | #2 |
| Changed in opencryptoki (Ubuntu Mantic): | |
| status: | In Progress → Fix Released |
| description: | updated |
| Changed in opencryptoki (Ubuntu Lunar): | |
| status: | New → In Progress |
| description: | updated |
| description: | updated |
| description: | updated |
| description: | updated |
| description: | updated |
| Steve Langasek (vorlon) wrote Please test proposed package | #3 |
| Changed in opencryptoki (Ubuntu Lunar): | |
| status: | In Progress → Fix Committed |
| tags: | added: verification-needed verification-needed-lunar |
| Frank Heimes (fheimes) wrote | #4 |
| tags: |
added: verification-done-lunar removed: verification-needed-lunar |
| Andreas Hasenack (ahasenack) wrote | #5 |
| Launchpad Janitor (janitor) wrote | #6 |
| Changed in opencryptoki (Ubuntu Lunar): | |
| status: | Fix Committed → Fix Released |
| Andreas Hasenack (ahasenack) wrote Update Released | #7 |
| Changed in opencryptoki (Ubuntu Jammy): | |
| status: | New → In Progress |
| Changed in opencryptoki (Ubuntu Kinetic): | |
| status: | New → In Progress |
| Steve Langasek (vorlon) wrote Please test proposed package | #8 |
| Changed in opencryptoki (Ubuntu Kinetic): | |
| status: | In Progress → Fix Committed |
| tags: | added: verification-needed-kinetic |
| tags: |
added: targetmilestone-inin2204 removed: targetmilestone-inin--- |
| Frank Heimes (fheimes) wrote | #9 |
| tags: |
added: verification-done-kinetic removed: verification-needed-kinetic |
| Steve Langasek (vorlon) wrote Proposed package upload rejected | #10 |
| Launchpad Janitor (janitor) wrote | #11 |
| Changed in opencryptoki (Ubuntu Kinetic): | |
| status: | Fix Committed → Fix Released |
| Steve Langasek (vorlon) wrote Please test proposed package | #12 |
| Changed in opencryptoki (Ubuntu Jammy): | |
| status: | In Progress → Fix Committed |
| tags: | added: verification-needed-jammy |
| Frank Heimes (fheimes) wrote | #13 |
| tags: |
added: verification-done verification-done-jammy removed: verification-needed verification-needed-jammy |
| Changed in ubuntu-z-systems: | |
| status: | In Progress → Fix Committed |
| Launchpad Janitor (janitor) wrote | #14 |
| Changed in opencryptoki (Ubuntu Jammy): | |
| status: | Fix Committed → Fix Released |
| Changed in ubuntu-z-systems: | |
| status: | Fix Committed → Fix Released |
| Changed in opencryptoki (Ubuntu Mantic): | |
| assignee: | Skipper Bug Screeners (skipper-screen-team) → nobody |
| bugproxy (bugproxy) wrote Comment bridged from LTC Bugzilla | #15 |
The release-cycles of Ubuntu 22.04/jammy and opencryptoki weren't very well aligned (during jammy development), and it was decided to take a snapshot of opencryptoki 3.17 "+ commits up to b40982e" as of date 20220202 (which is encoded in the DEB package version as '3.17.0+
This can be a bit confusing (since I believe this package is closer to 3.18 than to 3.17) - and we usually avoid creating such snapshot packages, but in this case we wanted to have several new features incl. for 22.04/LTS.
I checked that the strength.conf is not part of the package (but the -example is).
But we can included it and thus ensure that the file permissions are 640.
I'm going to incl. everything that is generated under /etc/opencryptoki to the package and explicitly set strength.conf to 640 for all opencryptoki packages for jammy (which is 3.17+) and newer (up to mantic).