opencryptoki: p11sak fails to find pkcs11 lib 'libopencryptoki.so'

I've created some test build of fixed packages here:
https://launchpad.net/~fheimes/+archive/ubuntu/lp2022088

This bug was fixed in the package opencryptoki - 3.20.0+dfsg-0ubuntu2

---------------
opencryptoki (3.20.0+dfsg-0ubuntu2) mantic; urgency=medium

  * d/rules, d/triggers, d/libopencryptoki0.install: keep tmp/etc/ld.so.conf.d
    content, add opencryptoki conf file to /etc/ld.so.conf.d/
    and add trigger for ldconfig to allow tools like
    p11sak to find libopencryptoki shared object file. (LP: #2022088)
  * d/control, d/compat: Bump dh compat level to 13 to remove dh-exec
    dependency and remove executable flags from d/*.install*, d/*.links*.
  * d/rules: remove the explicit dh_missing call, and rely instead on dh
    to call it and erroring out on missing files.
  * d/opencryptoki.install: install entire content of etc/opencryptoki build
    folder to esp. catch all existing conf files and on top make the arch-
    specific file 'opencryptoki.install.s390x' obsolete. (LP: #2018911)
  * d/opencryptoki.postinst: change strength.conf file permissions to 640
    which is checked/forced by the code. (LP: #2018908)

 -- Frank Heimes <email address hidden> Wed, 31 May 2023 21:28:48 +0200

I am not happy with this implementation and will not approve it for an SRU.

- ld.so.conf is for configuring shared library paths. But Debian policy says shared libraries in packages should be in one of /lib, /usr/lib, /lib/$(multiarch), or /usr/lib/$(multiarch). If these objects should be on the shared library path, then they should be shipped in these directories with no need for changing the global shared library path.

- and the path is global, so now every library lookup has two other directories it's looking in. The speed impact on program start is negligible, but it also can result in unexpected behavior due to hidden conflicts between files in the two directories. If the shared libraries are shipped in the expected /usr/lib/$arch path, then the package manager would detect conflicts between two packages trying to ship the same library name, instead of letting the user install the same library name in two directories and giving unexpected behavior at runtime.

- but p11sak isn't using libopencryptoki.so as a shared library *anyway*, it's using it as a plugin. Plugins shouldn't be on the system library path. I don't know why a tool that comes from the opencryptoki source package allows overriding loading of the library shipping from the same source package, but anyway you can get the same net result, without polluting the global library path, by setting default_pkcs11lib to libopencryptoki.so.0 instead of libopencryptoki.so. This should be reasonably stable and not result in maintenance burden, because the libopencryptoki ABI is defined by PKCS11 itself so an ABI change resulting in an SONAME change is highly unlikely!

marking incomplete for the moment.

Thx @vorlon for taking the time and having a look at this and for sharing your concerns, but also your recommendations.
When I started to have a look at this, I also wondered why p11sak is pointing to .so (instead of .so.x, which would just have solved it) and that ldd showed that it's not directly used as shared library (like you also pointed out).
But I am usually a bit reluctant (maybe here too reluctant) to change the upstream code (for maintainability reasons) and noticed the idea about 'ld.so.conf.d/opencryptoki-${DEB_HOST_GNU_CPU}.conf' in make and followed this.
While I've cross-read the Debian Policy (ch. 8) for several reasons, I must have obviously missed your bullet #1, and I was not really aware about the potential conflict you mentioned in #2, so thanks for raising this.
As I understand now it's in this case (and according to the Debian Policy) the right way to directly touch p11sak.c and adjust default_pkcs11lib instead.
I'll rework this SRU accordingly and create an appropriate quilt patch.

Attaching an updated change for SRU-ing to lunar, like discussed in comment #4 / #5 - and minimized changes to reduce any potential regression risk.

And I've started to build test packages at:
https://launchpad.net/~fheimes/+archive/ubuntu/lp2022088
(lunar first, others will follow in case the lunar changes are acceptable)

Just an aside, and this will not block the SRU process, but enforcing strength.conf to not be world-readable looks unnecessarily brittle. AFAICS one does not configure cryptographic secrets in this file.

Hello Frank, or anyone else affected,

Accepted opencryptoki into lunar-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/opencryptoki/3.20.0+dfsg-0ubuntu1.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-lunar to verification-done-lunar. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-lunar. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

The updated opencryptoki package for lunar (currently in -proposed) was successfully verified - see:
https://launchpadlibrarian.net/674272012/SRU_validation_23.04.txt
Hence I'm adjusting the tag accordingly.

This bug was fixed in the package opencryptoki - 3.20.0+dfsg-0ubuntu1.1

---------------
opencryptoki (3.20.0+dfsg-0ubuntu1.1) lunar; urgency=medium

  * Add d/p/lp-2022088-fix-p11sak-failure-to-find-libopencryptoki.so.patch
    to fix the failure that p11sak is not able to find libopencryptoki as
    plugin, by adjusting 'default_pkcs11lib'. (LP: #2022088)
  * d/opencryptoki.install: install full set of etc/opencryptoki build
    folder to esp. catch all generated conf files and on top make the arch-
    specific file 'opencryptoki.install.s390x' obsolete. (LP: #2018911)
  * d/opencryptoki.postinst: change strength.conf file permissions to 640
    which is checked/forced by the opencryptoki code. (LP: #2018908)

 -- Frank Heimes <email address hidden> Mon, 12 Jun 2023 12:28:36 +0200

The verification of the Stable Release Update for opencryptoki has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Removing focal as affected series, since p11sak does not exist in v3.13 that we have in focal.
(On top all references to libopencryptoki in the code already point to libopencryptoki.so.0:
usr/sbin/pkcsep11_migrate/pkcsep11_migrate.c: char *evar_default = "libopencryptoki.so.0";
usr/sbin/pkcsep11_session/pkcsep11_session.c: char *evar_default = "libopencryptoki.so.0";
usr/sbin/pkcsconf/pkcsconf.c: dllPtr = dlopen("libopencryptoki.so.0", RTLD_NOW);
usr/sbin/pkcscca/pkcscca.c: char *loc2_lib = "libopencryptoki.so.0"; )

(I'm removing focal rather than setting it to invalid, since focal was not explicitly mentioned by the bug reporter.)

Hello Frank, or anyone else affected,

Accepted opencryptoki into kinetic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/opencryptoki/3.18.0+dfsg-0ubuntu2.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-kinetic to verification-done-kinetic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-kinetic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

The upload in the queue for jammy has some surprising changes:

--- opencryptoki-3.17.0+dfsg+20220202.b40982e/debian/libopencryptoki0.links 2022-02-15 08:02:48.000000000 +0000
+++ opencryptoki-3.17.0+dfsg+20220202.b40982e/debian/libopencryptoki0.links 2022-02-15 08:02:48.000000000 +0000
@@ -1,4 +1,7 @@
 #! /usr/bin/dh-exec
-usr/lib/${DEB_HOST_MULTIARCH}/libpkcs11_sw.so.0 usr/lib/${DEB_HOST_MULTIARCH}/libpkcs11_sw.so
+/usr/lib/${DEB_HOST_MULTIARCH}/libpkcs11_sw.so.0 usr/lib/${DEB_HOST_MULTIARCH}/libpkcs11_sw.so
 usr/lib/${DEB_HOST_MULTIARCH}/libpkcs11_tpm.so.0 usr/lib/${DEB_HOST_MULTIARCH}/libpkcs11_tpm.so
 usr/lib/${DEB_HOST_MULTIARCH}/libpkcs11_cca.so.0 usr/lib/${DEB_HOST_MULTIARCH}/libpkcs11_cca.so
+usr/lib/${DEB_HOST_MULTIARCH}/libpkcs11_ep11.so.0 usr/lib/${DEB_HOST_MULTIARCH}/libpkcs11_ep11.so
+usr/lib/${DEB_HOST_MULTIARCH}/libpkcs11_ica.so.0 usr/lib/${DEB_HOST_MULTIARCH}/libpkcs11_ica.so
+usr/lib/${DEB_HOST_MULTIARCH}/libpkcs11_icsf.so.0 usr/lib/${DEB_HOST_MULTIARCH}/libpkcs11_icsf.so

Why would you have a leading / for some of the link targets and not others?

Probably the first line of this diff should be reverted. It does match what was in the .s390x file before which is probably where this came from. But since the leading / is optional in dh_link syntax, I think it's better to leave the line as it was and consistent with the rest of the file.

opencryptoki/3.18.0+dfsg-0ubuntu2.1 from kinetic-proposed was successfully verified, see
https://bugs.launchpad.net/ubuntu/+source/opencryptoki/+bug/2018908/comments/17

updating the tags accordingly...

@vorlon, a new upload should have been there and the one that you had a look at should be in 'reject' (I asked for that in IRC).
So the libopencryptoki0.links modification is mentioned in this upload (still in unapproved):
https://launchpad.net/ubuntu/jammy/+queue?queue_state=1&queue_text=opencryptoki
since I was not happy with the changelog myself and updated it quite a bit to:
"
   * Add d/p/lp-2022088-fix-p11sak-failure-to-find-libopencryptoki.so.patch
     to fix the failure that p11sak is not able to find libopencryptoki as
     plugin, by adjusting 'default_pkcs11lib'. (LP: #2022088)
   * d/opencryptoki.install: install full set of etc/opencryptoki build
     folder to esp. catch all generated conf files and on top make the arch-
     specific file 'opencryptoki.install.s390x' obsolete. (LP: #2018911)
   * d/libopencryptoki0.links{.s390x} Merge files, since the content of the
     s390x version of this file applies in all cases.
   * Assign pkcs11 group to p11sak_defined_attrs.conf and strength.conf
     in debian/opencryptoki.postinst rather than in Makefile.am and add
     d/p/lp-1982842-move-pkcs11-group-assigment-from-makefile-to-postinst.patch
     to solve "invalid group ‘pkcs11’" issues during build.
   * d/opencryptoki.postinst: change strength.conf file permissions to 640
     which is checked/forced by the opencryptoki code. (LP: #2018908)
"

And yes I've noticed that one of the lines in the links file starts with an obsolete slash,
but it was already in (in the s390x version - I haven't checked when it came in though, guess it was a typo or c&p issue).
I indeed copied the universally valid libopencryptoki0.links.s390x over to libopencryptoki0.links, hence it stayed.
(Having it all consistent and w/o slashes would be indeed nicer.)

If we want it consistent, please reject an I will re-upload with this little change ...

Sorry for the slow turnaround here. But yes, please reupload leaving debian/libopencryptoki0.links consistent.

An upload of opencryptoki to jammy-proposed has been rejected from the upload queue for the following reason: "to be reuploaded with fixed debian/libopencryptoki0.links file".

No problem at all @vorlon, I also would like to see packages in the best shape possible (sometimes still learning here and there regarding packaging).

I just re-uploaded - and with that, changed the status from Incomplete to In Progress again.

This bug was fixed in the package opencryptoki - 3.18.0+dfsg-0ubuntu2.1

---------------
opencryptoki (3.18.0+dfsg-0ubuntu2.1) kinetic; urgency=medium

  * Add d/p/lp-2022088-fix-p11sak-failure-to-find-libopencryptoki.so.patch
    to fix the failure that p11sak is not able to find libopencryptoki as
    plugin, by adjusting 'default_pkcs11lib'. (LP: #2022088)
  * d/opencryptoki.install: install full set of etc/opencryptoki build
    folder to esp. catch all generated conf files and on top make the arch-
    specific file 'opencryptoki.install.s390x' obsolete. (LP: #2018911)
  * d/opencryptoki.postinst: change strength.conf file permissions to 640
    which is checked/forced by the opencryptoki code. (LP: #2018908)

 -- Frank Heimes <email address hidden> Thu, 29 Jun 2023 09:39:27 +0200

Hello Frank, or anyone else affected,

Accepted opencryptoki into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/opencryptoki/3.17.0+dfsg+20220202.b40982e-0ubuntu1.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

The opencryptoki/3.17.0+dfsg+20220202.b40982e-0ubuntu1.2 package from jammy-proposed was successfully verified, please see:
https://bugs.launchpad.net/ubuntu/+source/opencryptoki/+bug/2018908/comments/21
Updating the tags accordingly...

This bug was fixed in the package opencryptoki - 3.17.0+dfsg+20220202.b40982e-0ubuntu1.2

---------------
opencryptoki (3.17.0+dfsg+20220202.b40982e-0ubuntu1.2) jammy; urgency=medium

  * Add d/p/lp-2022088-fix-p11sak-failure-to-find-libopencryptoki.so.patch
    to fix the failure that p11sak is not able to find libopencryptoki as
    plugin, by adjusting 'default_pkcs11lib'. (LP: #2022088)
  * d/opencryptoki.install: install full set of etc/opencryptoki build
    folder to esp. catch all generated conf files and on top make the arch-
    specific file 'opencryptoki.install.s390x' obsolete. (LP: #2018911)
  * d/libopencryptoki0.links{.s390x} Merge files, since the content of the
    s390x version of this file applies in all cases,
    and remove leading slash in path for consistency reasons.
  * Assign pkcs11 group to p11sak_defined_attrs.conf and strength.conf
    in debian/opencryptoki.postinst rather than in Makefile.am and add
    d/p/lp-1982842-move-pkcs11-group-assigment-from-makefile-to-postinst.patch
    to solve "invalid group ‘pkcs11’" issues during build.
  * d/opencryptoki.postinst: change strength.conf file permissions to 640
    which is checked/forced by the opencryptoki code. (LP: #2018908)

 -- Frank Heimes <email address hidden> Fri, 30 Jun 2023 10:11:32 +0200