PKCS#11 signing does not work
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
opensc (Ubuntu) | Fix Released | High | Steve Langasek |
Karmic | Fix Released | High | Steve Langasek |
Lucid | Fix Released | High | Steve Langasek |
Bug Description
Binary package hint: opensc
Hello,
we are using OpenSC to authenticate our users and allow access to our intranet. On Jaunty this worked fine, but under Karmic it is, e.g., not possible to sign data using our smartcards.
Here is the output of my test script under Karmic:
--8<---8<---
# dpkg -l opensc libopensc2 libccid pcscd libpcsclite1 linux-image-generic
# dpkg -l opensc libopensc2 libccid pcscd libpcsclite1 linux-image-generic
Gewünscht=
| Status=
Halb installiert/Trigger erWartet/Trigger anhängig
|/ Fehler?
||/ Name Version Beschreibung
+++-===
ii libccid 1.3.10-1 PC/SC driver for USB CCID smart card readers
ii libopensc2 0.11.8-1ubuntu1 SmartCard library with support for PKCS#15 compatibl
ii libpcsclite1 1.5.3-1ubuntu1 Middleware to access a smart card using PC/SC (libra
ii linux-image-generi 2.6.31.16.29 Generic Linux kernel image
ii opensc 0.11.8-1ubuntu1 SmartCard utilities with support for PKCS#15 compati
ii pcscd 1.5.3-1ubuntu1 Middleware to access a smart card using PC/SC (daemo
# opensc-tool -l
Readers known about:
Nr. Driver Name
0 pcsc SCM SCR 335 (21120738300434) 00 00
# pkcs11-tool -l -t
Please enter User PIN:
C_SeedRandom() and C_GenerateRandom():
seeding (C_SeedRandom) not supported
seems to be OK
Digests:
all 4 digest functions seem to work
MD5: OK
SHA-1: OK
RIPEMD160: OK
Signatures (currently only RSA signatures)
testing key 0 (Private Key)
error: PKCS11 function C_SignFinal failed: rv = CKR_GENERAL_ERROR (0x5)
Aborting.
----8<----8<-----
The same script under Jaunty runs without errors:
----8<----8<-----
# ./smartcard-test.sh
# dpkg -l opensc libopensc2 libccid pcscd libpcsclite1 linux-image-generic
Gewünscht=
| Status=
Halb installiert/Trigger erWartet/Trigger anhängig
|/ Fehler?
||/ Name Version Beschreibung
+++-===
ii libccid 1.3.8-1 PC/SC driver for USB CCID smart card readers
ii libopensc2 0.11.4-5ubuntu1 SmartCard library with support for PKCS#15 compatibl
ii libpcsclite1 1.4.102-1ubuntu2 Middleware to access a smart card using PC/SC (libra
ii linux-image-generi 2.6.28.17.22 Generic Linux kernel image
ii opensc 0.11.4-5ubuntu1 SmartCard utilities with support for PKCS#15 compati
ii pcscd 1.4.102-1ubuntu2 Middleware to access a smart card using PC/SC (daemo
# opensc-tool -l
Readers known about:
Nr. Driver Name
0 pcsc SCM SCR 335 00 00
# pkcs11-tool -l -t
Please enter User PIN:
C_SeedRandom() and C_GenerateRandom():
not implemented
Digests:
all 4 digest functions seem to work
MD5: OK
SHA-1: OK
RIPEMD160: OK
Signatures (currently only RSA signatures)
testing key 0 (Private Key)
all 4 signature functions seem to work
testing signature mechanisms:
RSA-PKCS: OK
SHA1-RSA-PKCS: OK
MD5-RSA-PKCS: OK
RIPEMD160-
Verify (currently only for RSA):
testing key 0 (Private Key)
RSA-PKCS: OK
SHA1-RSA-PKCS: OK
MD5-RSA-PKCS: OK
RIPEMD160-
Key unwrap (RSA)
testing key 0 (Private Key)
DES-CBC: OK
DES-EDE3-CBC: OK
BF-CBC: OK
CAST5-CFB: OK
Decryption (RSA)
testing key 0 (Private Key)
RSA-PKCS: OK
Testing card detection
Please press return to continue, x to exit: x
Testing card detection using C_WaitForSlotEvent
Please press return to continue, x to exit: x
No errors
----8<----8<-----
The debug output from opensc (debug-level 99) is attached.
Kind regards,
Dominik Fischer
SRU JUSTIFICATION: breaks backwards-
TEST CASE:
must be verified by someone in possession of the starcos hardware.
1. initialize a starcos smartcard with opensc in jaunty.
2. verify that 'sudo pkcs11-tool -l -t' works.
2. upgrade to karmic. verify that 'sudo pkcs11-tool -l -t' now fails.
3. install libopensc2 and opensc from karmic-proposed.
4. verify that 'sudo pkcs11-tool -l -t' again works.
5. downgrade to the karmic version of libopensc2 and opensc, and initialize a (new?) card.
6. verify that 'sudo pkcs11-tool -l -t' works.
7. install libopensc2 and opensc from karmic-proposed.
8. verify that 'sudo pkcs11-tool -l -t' still works.
REGRESSION POTENTIAL:
Although we can confirm that cards initialized with opensc << 0.11.5 aren't usable with karmic and therefore have zero chance of regression, it's OTOH possible (though unlikely) that this change will inadvertently break compatibility with starcos cards that users have already initialized with karmic and are using successfully. It does not seem likely that we will have other starcos smartcard users who can test this possibility for us, so we are dependent on Dominik to test against this potential regression for us if he's willing.
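Each "verify" step of the test case above comes down to reading one `pkcs11-tool -l -t` run. The shell function below is an added example, not part of the bug report or of OpenSC: it reduces such a run to a one-line verdict, keyed on the `error: PKCS11 function ...` and `No errors` lines seen in the two transcripts above. The function names and the verdict format are hypothetical, and the two samples are abridged from those transcripts.

```shell
#!/bin/sh
# Added example: classify `pkcs11-tool -l -t` output as PASS, FAIL or INCOMPLETE.
# Function names and verdict format are hypothetical, not OpenSC's.

pkcs11_test_verdict() {
    awk '
        BEGIN { section = "-"; key = "-" }
        { sub(/^[ \t]+/, "") }    # tolerate indented sub-items
        /^(C_SeedRandom|Digests|Signatures|Verify|Key unwrap|Decryption)/ {
            section = $0; sub(/ *[(:].*$/, "", section); key = "-"
        }
        /^testing key / { key = $3 }
        /^error: PKCS11 function / && fn == "" { fn = $4; rv = $8 }
        /^No errors/ { clean = 1 }
        END {
            if (fn != "") {
                printf "FAIL %s %s section=%s key=%s\n", fn, rv, section, key
                exit 1
            }
            if (clean) { print "PASS"; exit 0 }
            print "INCOMPLETE"; exit 2    # run ended without a final status line
        }'
}

# Abridged from the Karmic transcript in this report.
karmic_sample() {
    cat <<'EOF'
Digests:
all 4 digest functions seem to work
Signatures (currently only RSA signatures)
testing key 0 (Private Key)
error: PKCS11 function C_SignFinal failed: rv = CKR_GENERAL_ERROR (0x5)
Aborting.
EOF
}

# Abridged from the Jaunty transcript in this report.
jaunty_sample() {
    cat <<'EOF'
Signatures (currently only RSA signatures)
testing key 0 (Private Key)
all 4 signature functions seem to work
Decryption (RSA)
testing key 0 (Private Key)
RSA-PKCS: OK
No errors
EOF
}

for s in karmic_sample jaunty_sample; do
    printf '%s: %s\n' "$s" "$($s | pkcs11_test_verdict)"
done
```

On a machine with the card inserted, the same function can read a live run with `sudo pkcs11-tool -l -t 2>&1 | pkcs11_test_verdict`; its exit status is 0 for PASS, 1 for FAIL and 2 for INCOMPLETE.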
Changed in opensc (Ubuntu): | |
status: | New → Confirmed |
importance: | Undecided → High |
Changed in opensc (Ubuntu Lucid): | |
importance: | High → Medium |
Changed in opensc (Ubuntu Karmic): | |
importance: | Undecided → High |
status: | New → Confirmed |
Changed in opensc (Ubuntu Lucid): | |
status: | Confirmed → New |
tags: | added: regression-potential |
Changed in opensc (Ubuntu Karmic): | |
milestone: | none → karmic-updates |
Changed in opensc (Ubuntu Karmic): | |
assignee: | nobody → Canonical Foundations Team (canonical-foundations) |
tags: | added: regression-release removed: regression-potential |
Changed in opensc (Ubuntu Lucid): | |
status: | New → Confirmed |
assignee: | nobody → Canonical Foundations Team (canonical-foundations) |
importance: | Medium → High |
Changed in opensc (Ubuntu Lucid): | |
assignee: | Canonical Foundations Team (canonical-foundations) → Steve Langasek (vorlon) |
Changed in opensc (Ubuntu Karmic): | |
assignee: | Canonical Foundations Team (canonical-foundations) → Steve Langasek (vorlon) |
description: | updated |
Changed in opensc (Ubuntu Karmic): | |
status: | Confirmed → In Progress |
Changed in opensc (Ubuntu Lucid): | |
status: | Confirmed → In Progress |
tags: | added: verification-done removed: verification-needed |
To exclude the kernel as the possible cause, I've installed a kernel package (2.6.31-14) from Karmic on a Jaunty system. The test runs without error.
So: the kernel doesn't cause this problem.
Regards,
Dominik