Activity log for bug #2018911

Date Who What changed Old value New value Message
2023-05-08 16:59:45 bugproxy bug added bug
2023-05-08 16:59:47 bugproxy tags architecture-s39064 bugnameltc-202380 severity-medium targetmilestone-inin---
2023-05-08 16:59:48 bugproxy ubuntu: assignee Skipper Bug Screeners (skipper-screen-team)
2023-05-08 16:59:56 bugproxy affects ubuntu linux (Ubuntu)
2023-06-02 11:45:14 Frank Heimes affects linux (Ubuntu) opencryptoki (Ubuntu)
2023-06-02 11:45:44 Frank Heimes bug task added ubuntu-z-systems
2023-06-02 11:46:01 Frank Heimes ubuntu-z-systems: assignee Skipper Bug Screeners (skipper-screen-team)
2023-06-02 11:49:54 Frank Heimes opencryptoki (Ubuntu): importance Undecided Medium
2023-06-02 11:49:56 Frank Heimes ubuntu-z-systems: importance Undecided Medium
2023-06-04 21:35:56 Frank Heimes nominated for series Ubuntu Mantic
2023-06-04 21:35:56 Frank Heimes bug task added opencryptoki (Ubuntu Mantic)
2023-06-04 21:35:56 Frank Heimes nominated for series Ubuntu Lunar
2023-06-04 21:35:56 Frank Heimes bug task added opencryptoki (Ubuntu Lunar)
2023-06-04 21:35:56 Frank Heimes nominated for series Ubuntu Kinetic
2023-06-04 21:35:56 Frank Heimes bug task added opencryptoki (Ubuntu Kinetic)
2023-06-04 21:35:56 Frank Heimes nominated for series Ubuntu Jammy
2023-06-04 21:35:56 Frank Heimes bug task added opencryptoki (Ubuntu Jammy)
2023-06-04 21:36:03 Frank Heimes opencryptoki (Ubuntu Lunar): importance Undecided Medium
2023-06-04 21:36:05 Frank Heimes opencryptoki (Ubuntu Kinetic): importance Undecided Medium
2023-06-04 21:36:08 Frank Heimes opencryptoki (Ubuntu Jammy): importance Undecided Medium
2023-06-04 21:36:20 Frank Heimes opencryptoki (Ubuntu Mantic): status New In Progress
2023-06-04 21:36:26 Frank Heimes ubuntu-z-systems: status New In Progress
2023-06-04 22:01:35 Frank Heimes description
---Problem Description---
Summary
=======
IBM z16 system LPAR
OS: "Ubuntu 22.04.1 LTS (Jammy Jellyfish)" on 5.15.0-69-generic kernel
    providing
    opencryptoki 3.17.0+dfsg+20220202.b40982e-0ubuntu1.1 s390x

The opencryptoki package is missing the strength.conf file

Details
=======
When attempting to build up no opencryptoki token is displayed.
Further investigations revealed the problem is related to a missing configuration file which is not shipped/included by the opencryptoki package.
Run : dpkg -L opencryptoki
and check the list of files for the /etc directory.

Further, enabled the opencryptoki debug messages to display why the tokens are not built up by 'export OPENCRYPTOKI_TRACE_LEVEL=4', then running pkcsconf -t. A log file is written to the /var/log/opencryptoki directory. Mind to unset the trace var again.

Terminal output
===============
# cat /var/log/opencryptoki/trace.15928
04/27/2023 14:01:34 15928 [usr/lib/common/trace.c:210 api] INFO: **** OCK Trace level 4 activated for OCK version 3.17.0 ****
04/27/2023 14:01:34 15928 [usr/lib/api/api_interface.c:2875 api] INFO: C_Initialize
04/27/2023 14:01:34 15928 [usr/lib/api/policy.c:1666 api] ERROR: Failed to open /etc/opencryptoki/strength.conf: No such file or directory
04/27/2023 14:01:34 15928 [usr/lib/api/api_interface.c:3092 api] ERROR: Policy loading failed! rc=0x5
04/27/2023 14:01:34 15928 [usr/lib/api/api_interface.c:1656 api] INFO: C_Finalize
04/27/2023 14:01:34 15928 [usr/lib/api/api_interface.c:1658 api] ERROR: API not initialized

Contact Information = christian.rund@de.ibm.com

---uname output---
Linux sytem 5.15.0-69-generic #76-Ubuntu SMP Fri Mar 17 17:22:11 UTC 2023 s390x s390x s390x GNU/Linux

Machine Type = IBM Type: 3931 Model: 704 A01

---Debugger---
A debugger is not configured

---Steps to Reproduce---
1.) Install Ubuntu 22.04.1 onto your LPAR, VM guest or KVM guest
2.) Install opencryptoki via apt-get install -y opencryptoki
3.) run: pkcsconf -t
    and watch the problem to occur
    # pkcsconf -t
    Error initializing the PKCS11 library: 0x5 (CKR_GENERAL_ERROR)
4.) export OPENCRYPTOKI_TRACE_LEVEL=4
5.) Run step 4 again
6.) ls -l /var/log/opencryptoki
    The debug file contains the hit to the missing .conf file

Userspace tool common name: pkcsconf
The userspace tool has the following bit modes: 64bit
Userspace rpm: opencryptoki
Userspace tool obtained from project website: na

*Additional Instructions for christian.rund@de.ibm.com:
-Attach ltrace and strace of userspace application.

== Comment: <ifranzki@de.ibm.com> - 2023-04-28 03:52:34 ==
That is somewhat strange. Opencryptoki 3.17 does NOT yet contain support for policies, at least not the upstream version. Policy support came only with 3.18. So I would not have expected that 3.17 has policy support at all.

However, I don't know if the policy support was backported for/by Ubuntu to Ubuntu's opencryptoki 3.17? If that's the case, then I would assume that only policy support, but not support for statistics was backported (you can check if 'pkcsstats' is available with Ubuntu's 3.17).

With just policy support (but not statistics), the 2 config files required for enabling policies (strength.conf and policy.conf) are intentionally not shipped and installed in /etc/opencryptoki, but it is the user's responsibility to provide both of them when enabling policies. Examples for both of these config files are provided in the documentation directory of the package: strength-example.conf and policy-example.conf.

With 3.18, statistics support was added, and with that, the strength.conf file was changed to be shipped and installed in /etc/opencryptoki, because the statistics support needs to know the strength definitions as well, independent of policies being enabled or not. So starting with 3.18, a user would only have to supply a policy.conf file to enable policies, if the provided strength configuration matches its need.

Please keep in mind, the provided strength.conf/strength-example.conf and policy-example.conf file are intentionally just examples! A user must adjust them to what its requirements on key strength and policy settings are.
For example, the provided policy example config file 'policy-example.conf' contains the following:
  # Do not require any specific strength.
  # You probably do not want this!
  strength = 0
So this is something that the user must adjust in any case. Having a policy that requires a key strength of 0 bits simply means that all keys of all strength are allowed.

Please also see 'man policy.conf' and 'man strength.conf' for details.

Given above, I would tend to consider this BZ as 'works as designed', unless it turns out that the backport misses important things.

== Comment: <ifranzki@de.ibm.com> - 2023-04-28 03:59:08 ==
It only fails if the user has supplied a policy.conf file, but no strength.conf file.

== Comment: <Christian.Rund@de.ibm.com> - 2023-05-08 05:10:09 ==
Apparently the policy as well as statistics support shall be integrated into the opencryptoki library release shipped with Ubuntu 22.04 (jammy jellyfish). Please integrate a default strength.conf file. Thanks.

Refer also to the comment in LaunchPad LP1959419 :
"Please note that with the patches on top of 3.17 a new strength.conf file is being installed into /etc/opencryptoki when doing 'make install'. Make sure that you include this new file into your package so that it gets installed at the user systems. Without the strength.conf file opencryptoki won't work."

== Comment: <ifranzki@de.ibm.com> - 2023-05-08 06:14:46 ==
Note that strength.conf must be owned by root:pkcs11 and MUST (!) have a mode of 0640.

SRU Justification:
==================

[Impact ]

 * Opencryptoki added policy support (after 3.17) with 3.18,
   which requires to have a strength.conf file in place.

 * Without the strength.conf file such newer opencryptoki version will not work.

 * And an error like this is shown, in case pkcsconf is going to be used:
   # pkcsconf -t
   Error initializing the PKCS11 library: 0x5 (CKR_GENERAL_ERROR)

[ Test Plan ]

 * Install affected Ubuntu Server release onto your LPAR, VM guest or KVM guest

 * Install opencryptoki via:
   sudo apt install -y opencryptoki

 * run: pkcsconf -t
   and watch the problem to occur
   # pkcsconf -t
   Error initializing the PKCS11 library: 0x5 (CKR_GENERAL_ERROR)

 * Optional:
   export OPENCRYPTOKI_TRACE_LEVEL=4
   run step 4 again
   ls -l /var/log/opencryptoki
   The debug file contains the hit to the missing .conf file

[ Where problems could occur ]

 * The strength.conf file might have wrong content.

 * or strength.conf might have wrong file permissions,
   which is checked inside of the tool's code.

 * In both cases pkcsconf will still not work even if the file is in place.

[ Other Info ]

 * To simplify the packaging d/opencryptoki.install now installs the
   entire content of the etc/opencryptoki build folder,
   especially to catch all conf files.
   This eventually also makes the arch-specific file
   d/opencryptoki.install.s390x obsolete.
2023-06-05 00:13:25 Launchpad Janitor opencryptoki (Ubuntu Mantic): status In Progress Fix Released
2023-06-05 08:32:43 Frank Heimes description
SRU Justification:
==================

[Impact ]

 * Opencryptoki added policy support (after 3.17) with 3.18,
   which requires to have a strength.conf file in place.

 * Without the strength.conf file such newer opencryptoki version will not work.

 * And an error like this is shown, in case pkcsconf is going to be used:
   # pkcsconf -t
   Error initializing the PKCS11 library: 0x5 (CKR_GENERAL_ERROR)

[ Test Plan ]

 * Install affected Ubuntu Server release onto your LPAR, VM guest or KVM guest

 * Install opencryptoki via:
   sudo apt install -y opencryptoki

 * run: pkcsconf -t
   and watch the problem to occur
   # pkcsconf -t
   Error initializing the PKCS11 library: 0x5 (CKR_GENERAL_ERROR)

 * Optional:
   export OPENCRYPTOKI_TRACE_LEVEL=4
   run step 4 again
   ls -l /var/log/opencryptoki
   The debug file contains the hit to the missing .conf file

[ Where problems could occur ]

 * The strength.conf file might have wrong content.

 * or strength.conf might have wrong file permissions,
   which is checked inside of the tool's code.

 * In both cases pkcsconf will still not work even if the file is in place.

[ Other Info ]

 * To simplify the packaging d/opencryptoki.install now installs the
   entire content of the etc/opencryptoki build folder,
   especially to catch all conf files.
   This eventually also makes the arch-specific file
   d/opencryptoki.install.s390x obsolete.

 * Package opencryptoki has reverse dependencies:
   $ reverse-depends -a source src:opencryptoki
   Reverse-Build-Depends
   * simple-tpm-pk11 (for libopencryptoki-dev)
   * tpm-tools (for libopencryptoki-dev)
   These were rebuilt for test purposes, in addition to opencryptoki itself,
   and are available at PPA:
   https://launchpad.net/~fheimes/+archive/ubuntu/lp2018911
2023-06-05 15:20:06 Frank Heimes opencryptoki (Ubuntu Lunar): status New In Progress
2023-06-07 03:46:19 Ubuntu Archive Robot bug added subscriber Frank Heimes
2023-06-07 17:02:21 Frank Heimes description SRU Justification: ================== [Impact ]  * Opencryptoki added policy support (after 3.17) with 3.18,    which requires to have a strength.conf file in place.  * Without the strength.conf file such newer opencryptoki version will not work.  * And an error like this is shown, in case pkcsconf is going to be used:    # pkcsconf -t    Error initializing the PKCS11 library: 0x5 (CKR_GENERAL_ERROR) [ Test Plan ]  * Install affected Ubuntu Server release onto your LPAR, VM guest or KVM guest  * Install opencryptoki via:    sudo apt install -y opencryptoki  * run: pkcsconf -t    and watch the problem to occur    # pkcsconf -t    Error initializing the PKCS11 library: 0x5 (CKR_GENERAL_ERROR)  * Optional:    export OPENCRYPTOKI_TRACE_LEVEL=4    run step 4 again    ls -l /var/log/opencryptoki    The debug file contains the hit to the missing .conf file [ Where problems could occur ]  * The strength.conf file might have wrong content.  * or strength.conf might have wrong file permissions,    which is checked inside of the tool's code.  * In both cases pkcsconf will still not work even if the file is in place. [ Other Info ]  * To simplify the packaging d/opencryptoki.install now installs the    entire content of the etc/opencryptoki build folder,    especially to catch all conf files.    This eventually also makes the arch-specific file    d/opencryptoki.install.s390x obsolete. 
* Package opencryptoki has reverse dependencies: $ reverse-depends -a source src:opencryptoki Reverse-Build-Depends * simple-tpm-pk11 (for libopencryptoki-dev) * tpm-tools (for libopencryptoki-dev) These were rebuilt for test purposes, in addition to opencryptoki itself, and are available at PPA: https://launchpad.net/~fheimes/+archive/ubuntu/lp2018911 __________ ---Problem Description--- Summary ======= IBM z16 system LPAR OS: "Ubuntu 22.04.1 LTS (Jammy Jellyfish)" on 5.15.0-69-generic kernel     providing     opencryptoki 3.17.0+dfsg+20220202.b40982e-0ubuntu1.1 s390x The opencryptoki package is missing the strength.conf file Details ======= When attempting to build up no opencryptoki token is displayed. Further investigations revealed the problem is related to a missing configuration file which is not shipped/included by the opencryptoki package. Run: dpkg -L opencryptoki and check the list of files for the /etc directory. Further, enabled the opencryptoki debug messages to display why the tokens are not built up by 'export OPENCRYPTOKI_TRACE_LEVEL=4', then running pkcsconf -t. A log file is written to the /var/log/opencryptoki directory. Mind to unset the trace var again. Terminal output =============== # cat /var/log/opencryptoki/trace.15928 04/27/2023 14:01:34 15928 [usr/lib/common/trace.c:210 api] INFO: **** OCK Trace level 4 activated for OCK version 3.17.0 **** 04/27/2023 14:01:34 15928 [usr/lib/api/api_interface.c:2875 api] INFO: C_Initialize 04/27/2023 14:01:34 15928 [usr/lib/api/policy.c:1666 api] ERROR: Failed to open /etc/opencryptoki/strength.conf: No such file or directory 04/27/2023 14:01:34 15928 [usr/lib/api/api_interface.c:3092 api] ERROR: Policy loading failed! 
rc=0x5 04/27/2023 14:01:34 15928 [usr/lib/api/api_interface.c:1656 api] INFO: C_Finalize 04/27/2023 14:01:34 15928 [usr/lib/api/api_interface.c:1658 api] ERROR: API not initialized Contact Information = christian.rund@de.ibm.com ---uname output--- Linux sytem 5.15.0-69-generic #76-Ubuntu SMP Fri Mar 17 17:22:11 UTC 2023 s390x s390x s390x GNU/Linux Machine Type = IBM Type: 3931 Model: 704 A01 ---Debugger--- A debugger is not configured ---Steps to Reproduce---  1.) Install Ubuntu 22.04.1 onto your LPAR, VM guest or KVM guest 2.) Install opencryptoki via apt-get install -y opencryptoki 3.) run: pkcsconf -t     and watch the problem to occur   # pkcsconf -t   Error initializing the PKCS11 library: 0x5 (CKR_GENERAL_ERROR) 4.) export OPENCRYPTOKI_TRACE_LEVEL=4 5.) Run step 4 again 6.) ls -l /var/log/opencryptoki     The debug file contains the hit to the missing .conf file Userspace tool common name: pkcsconf The userspace tool has the following bit modes: 64bit Userspace rpm: opencryptoki Userspace tool obtained from project website: na *Additional Instructions for christian.rund@de.ibm.com: -Attach ltrace and strace of userspace application. == Comment: <ifranzki@de.ibm.com> - 2023-04-28 03:52:34 == That is somewhat strange. Opencryptoki 3.17 does NOT yet contain support for policies, at least not the upstream version. Policy support came only with 3.18. So I would not have expected that 3.17 has policy support at all. However, I don't know if the policy support was backported for/by Ubuntu to Ubuntu's opencryptoki 3.17? If that's the case, then I would assume that only policy support, but not support for statistics was backported (you can check if 'pkcsstats' is available with Ubuntu's 3.17). With just policy support (but not statistics), the 2 config files required for enabling policies (strength.conf and policy.conf) are intentionally not shipped and installed in /etc/opencryptoki, but it is the user's responsibility to provide both of them when enabling policies. 
Examples for both of these config files are provided in the documentation directory of the package: strength-example.conf and policy-example.conf. With 3.18, statistics support was added, and with that, the strength.conf file was changed to be shipped and installed in /etc/opencryptoki, because the statistics support needs to know the strength definitions as well, independent of policies being enabled or not. So starting with 3.18, a user would only have to supply a policy.conf file to enable policies, if the provided strength configuration matches its need. Please keep in mind, the provided strength.conf/strength-example.conf and policy-example.conf file are intentionally just examples! A user must adjust them to what its requirements on key strength and policy settings are. For example, the provided policy example config file 'policy-example.conf' contains the following:   # Do not require any specific strength.   # You probably do not want this!   strength = 0 So this is something that the user must adjust in any case. Having a policy that requires a key strength of 0 bits simply means that all keys of all strength are allowed. Please also see 'man policy.conf' and 'man strength.conf' for details. Given above, I would tend to consider this BZ as 'works as designed', unless it turns out that the backport misses important things. == Comment: <ifranzki@de.ibm.com> - 2023-04-28 03:59:08 == It only fails if the user has supplied a policy.conf file, but no strength.conf file. == Comment: <Christian.Rund@de.ibm.com> - 2023-05-08 05:10:09 == Apparently the policy as well as statistics support shall be integrated into the opencryptoki library release shipped with Ubuntu 22.04 (jammy jellyfish). Please integrate a default strength.conf file. Thanks. Refer also to the comment in LaunchPad LP1959419 : "Please note that with the patches on top of 3.17 a new strength.conf file is being installed into /etc/opencryptoki when doing 'make install'. 
Make sure that you include this new file into your package so that it gets installed at the user systems. Without the strength.conf file opencryptoki won't work." == Comment: <ifranzki@de.ibm.com> - 2023-05-08 06:14:46 == Note that strength.conf must be owned by root:pkcs11 and MUST (!) have a mode of 0640. SRU Justification: ================== [Impact ] * OpenCryptoki implements the PKCS#11 standard (a public-key crypto standard), as released by RSA Labs. It provides an interface to an/the underlying crypto token infrastructure, and that infrastructure can be an implementation in sw or in hw or mixed. Crypto tokens are special tokens where the secret is a crypto key. * The OpenCryptoki package contains several tools and daemons to work with such crypto tokens, like pkcsslotd, pkcsconf or p11sak (all with their own man pages). * Now the pkcsconf utility allows to display and configure the state of the pkcsslotd daemon and the tokens managed by it. * A simple way to use the pkcsconf tool is to call it with '-t' for displaying the token info.  * Opencryptoki added policy support (after 3.17) with 3.18,    which requires to have not only the policy.conf file in place but also the strength.conf file. * In fact it makes sense to have all conf files packaged that are generated in the /etc/opencryptoki/ build folder even if some are optional. (https://github.com/opencryptoki/opencryptoki/blob/master/doc/system_resources)  * Now without the strength.conf file in place, newer opencryptoki version will no longer work.  
* And an error like this is shown, in case pkcsconf is going to be used:    # pkcsconf -t    Error initializing the PKCS11 library: 0x5 (CKR_GENERAL_ERROR) (this error message here is a generic one, in combination with the logs it showed that a missing strength.conf was the root cause - see Test plan below) [ Test Plan ]  * Install affected Ubuntu Server release onto your LPAR, VM guest or KVM guest  * Install opencryptoki via:    sudo apt install -y opencryptoki  * run: pkcsconf -t    and watch the problem to occur    # pkcsconf -t    Error initializing the PKCS11 library: 0x5 (CKR_GENERAL_ERROR)  * Optional:    export OPENCRYPTOKI_TRACE_LEVEL=4    run step 4 again    ls -l /var/log/opencryptoki    The debug file contains the hit to the missing .conf file * Optional: Have a policy in place, and provoke Policy messages. (see https://www.ibm.com/docs/en/linuxonibm/pdf/l317oc01.pdf page 126) [ Where problems could occur ]  * The strength.conf file might have wrong content or is misconfigured (this is shown in the log).  * or strength.conf might have wrong file permissions,    which is checked inside of the tool's code. (see also LP#2018908)  * In both cases pkcsconf will still not work, even if the file is in place. [ Other Info ]  * To simplify the packaging d/opencryptoki.install now installs the    entire content of the etc/opencryptoki build folder,    especially to catch all conf files.    This eventually also makes the arch-specific file    d/opencryptoki.install.s390x obsolete.  
* Package opencryptoki has reverse dependencies:    $ reverse-depends -a source src:opencryptoki    Reverse-Build-Depends    * simple-tpm-pk11 (for libopencryptoki-dev)    * tpm-tools (for libopencryptoki-dev)    These were rebuilt for test purposes, in addition to opencryptoki itself,    and are available at PPA:    https://launchpad.net/~fheimes/+archive/ubuntu/lp2018911 __________ ---Problem Description--- Summary ======= IBM z16 system LPAR OS: "Ubuntu 22.04.1 LTS (Jammy Jellyfish)" on 5.15.0-69-generic kernel     providing     opencryptoki 3.17.0+dfsg+20220202.b40982e-0ubuntu1.1 s390x The opencryptoki package is missing the strength.conf file Details ======= When attempting to build up no opencryptoki token is displayed. Further investigations revealed the problem is related to a missing configuration file which is not shipped/included by the opencryptoki package. Run: dpkg -L opencryptoki and check the list of files for the /etc directory. Further, enabled the opencryptoki debug messages to display why the tokens are not built up by 'export OPENCRYPTOKI_TRACE_LEVEL=4', then running pkcsconf -t. A log file is written to the /var/log/opencryptoki directory. Mind to unset the trace var again. Terminal output =============== # cat /var/log/opencryptoki/trace.15928 04/27/2023 14:01:34 15928 [usr/lib/common/trace.c:210 api] INFO: **** OCK Trace level 4 activated for OCK version 3.17.0 **** 04/27/2023 14:01:34 15928 [usr/lib/api/api_interface.c:2875 api] INFO: C_Initialize 04/27/2023 14:01:34 15928 [usr/lib/api/policy.c:1666 api] ERROR: Failed to open /etc/opencryptoki/strength.conf: No such file or directory 04/27/2023 14:01:34 15928 [usr/lib/api/api_interface.c:3092 api] ERROR: Policy loading failed! 
rc=0x5 04/27/2023 14:01:34 15928 [usr/lib/api/api_interface.c:1656 api] INFO: C_Finalize 04/27/2023 14:01:34 15928 [usr/lib/api/api_interface.c:1658 api] ERROR: API not initialized Contact Information = christian.rund@de.ibm.com ---uname output--- Linux sytem 5.15.0-69-generic #76-Ubuntu SMP Fri Mar 17 17:22:11 UTC 2023 s390x s390x s390x GNU/Linux Machine Type = IBM Type: 3931 Model: 704 A01 ---Debugger--- A debugger is not configured ---Steps to Reproduce---  1.) Install Ubuntu 22.04.1 onto your LPAR, VM guest or KVM guest 2.) Install opencryptoki via apt-get install -y opencryptoki 3.) run: pkcsconf -t     and watch the problem to occur   # pkcsconf -t   Error initializing the PKCS11 library: 0x5 (CKR_GENERAL_ERROR) 4.) export OPENCRYPTOKI_TRACE_LEVEL=4 5.) Run step 4 again 6.) ls -l /var/log/opencryptoki     The debug file contains the hit to the missing .conf file Userspace tool common name: pkcsconf The userspace tool has the following bit modes: 64bit Userspace rpm: opencryptoki Userspace tool obtained from project website: na *Additional Instructions for christian.rund@de.ibm.com: -Attach ltrace and strace of userspace application. == Comment: <ifranzki@de.ibm.com> - 2023-04-28 03:52:34 == That is somewhat strange. Opencryptoki 3.17 does NOT yet contain support for policies, at least not the upstream version. Policy support came only with 3.18. So I would not have expected that 3.17 has policy support at all. However, I don't know if the policy support was backported for/by Ubuntu to Ubuntu's opencryptoki 3.17? If that's the case, then I would assume that only policy support, but not support for statistics was backported (you can check if 'pkcsstats' is available with Ubuntu's 3.17). With just policy support (but not statistics), the 2 config files required for enabling policies (strength.conf and policy.conf) are intentionally not shipped and installed in /etc/opencryptoki, but it is the user's responsibility to provide both of them when enabling policies. 
Examples for both of these config files are provided in the documentation directory of the package: strength-example.conf and policy-example.conf. With 3.18, statistics support was added, and with that, the strength.conf file was changed to be shipped and installed in /etc/opencryptoki, because the statistics support needs to know the strength definitions as well, independent of policies being enabled or not. So starting with 3.18, a user would only have to supply a policy.conf file to enable policies, if the provided strength configuration matches its need. Please keep in mind, the provided strength.conf/strength-example.conf and policy-example.conf file are intentionally just examples! A user must adjust them to what its requirements on key strength and policy settings are. For example, the provided policy example config file 'policy-example.conf' contains the following:   # Do not require any specific strength.   # You probably do not want this!   strength = 0 So this is something that the user must adjust in any case. Having a policy that requires a key strength of 0 bits simply means that all keys of all strength are allowed. Please also see 'man policy.conf' and 'man strength.conf' for details. Given above, I would tend to consider this BZ as 'works as designed', unless it turns out that the backport misses important things. == Comment: <ifranzki@de.ibm.com> - 2023-04-28 03:59:08 == It only fails if the user has supplied a policy.conf file, but no strength.conf file. == Comment: <Christian.Rund@de.ibm.com> - 2023-05-08 05:10:09 == Apparently the policy as well as statistics support shall be integrated into the opencryptoki library release shipped with Ubuntu 22.04 (jammy jellyfish). Please integrate a default strength.conf file. Thanks. Refer also to the comment in LaunchPad LP1959419 : "Please note that with the patches on top of 3.17 a new strength.conf file is being installed into /etc/opencryptoki when doing 'make install'. 
Make sure that you include this new file into your package so that it gets installed at the user systems. Without the strength.conf file opencryptoki won't work." == Comment: <ifranzki@de.ibm.com> - 2023-05-08 06:14:46 == Note that strength.conf must be owned by root:pkcs11 and MUST (!) have a mode of 0640.
2023-06-12 14:30:53 Frank Heimes description SRU Justification: ================== [Impact ] * OpenCryptoki implements the PKCS#11 standard (a public-key crypto standard), as released by RSA Labs. It provides an interface to an/the underlying crypto token infrastructure, and that infrastructure can be an implementation in sw or in hw or mixed. Crypto tokens are special tokens where the secret is a crypto key. * The OpenCryptoki package contains several tools and daemons to work with such crypto tokens, like pkcsslotd, pkcsconf or p11sak (all with their own man pages). * Now the pkcsconf utility allows to display and configure the state of the pkcsslotd daemon and the tokens managed by it. * A simple way to use the pkcsconf tool is to call it with '-t' for displaying the token info.  * Opencryptoki added policy support (after 3.17) with 3.18,    which requires to have not only the policy.conf file in place but also the strength.conf file. * In fact it makes sense to have all conf files packaged that are generated in the /etc/opencryptoki/ build folder even if some are optional. (https://github.com/opencryptoki/opencryptoki/blob/master/doc/system_resources)  * Now without the strength.conf file in place, newer opencryptoki version will no longer work.  
* And an error like this is shown, in case pkcsconf is going to be used:    # pkcsconf -t    Error initializing the PKCS11 library: 0x5 (CKR_GENERAL_ERROR) (this error message here is a generic one, in combination with the logs it showed that a missing strength.conf was the root cause - see Test plan below) [ Test Plan ]  * Install affected Ubuntu Server release onto your LPAR, VM guest or KVM guest  * Install opencryptoki via:    sudo apt install -y opencryptoki  * run: pkcsconf -t    and watch the problem to occur    # pkcsconf -t    Error initializing the PKCS11 library: 0x5 (CKR_GENERAL_ERROR)  * Optional:    export OPENCRYPTOKI_TRACE_LEVEL=4    run step 4 again    ls -l /var/log/opencryptoki    The debug file contains the hit to the missing .conf file * Optional: Have a policy in place, and provoke Policy messages. (see https://www.ibm.com/docs/en/linuxonibm/pdf/l317oc01.pdf page 126) [ Where problems could occur ]  * The strength.conf file might have wrong content or is misconfigured (this is shown in the log).  * or strength.conf might have wrong file permissions,    which is checked inside of the tool's code. (see also LP#2018908)  * In both cases pkcsconf will still not work, even if the file is in place. [ Other Info ]  * To simplify the packaging d/opencryptoki.install now installs the    entire content of the etc/opencryptoki build folder,    especially to catch all conf files.    This eventually also makes the arch-specific file    d/opencryptoki.install.s390x obsolete.  
* Package opencryptoki has reverse dependencies:    $ reverse-depends -a source src:opencryptoki    Reverse-Build-Depends    * simple-tpm-pk11 (for libopencryptoki-dev)    * tpm-tools (for libopencryptoki-dev)    These were rebuilt for test purposes, in addition to opencryptoki itself,    and are available at PPA:    https://launchpad.net/~fheimes/+archive/ubuntu/lp2018911 __________ ---Problem Description--- Summary ======= IBM z16 system LPAR OS: "Ubuntu 22.04.1 LTS (Jammy Jellyfish)" on 5.15.0-69-generic kernel     providing     opencryptoki 3.17.0+dfsg+20220202.b40982e-0ubuntu1.1 s390x The opencryptoki package is missing the strength.conf file Details ======= When attempting to build up no opencryptoki token is displayed. Further investigations revealed the problem is related to a missing configuration file which is not shipped/included by the opencryptoki package. Run: dpkg -L opencryptoki and check the list of files for the /etc directory. Further, enabled the opencryptoki debug messages to display why the tokens are not built up by 'export OPENCRYPTOKI_TRACE_LEVEL=4', then running pkcsconf -t. A log file is written to the /var/log/opencryptoki directory. Mind to unset the trace var again. Terminal output =============== # cat /var/log/opencryptoki/trace.15928 04/27/2023 14:01:34 15928 [usr/lib/common/trace.c:210 api] INFO: **** OCK Trace level 4 activated for OCK version 3.17.0 **** 04/27/2023 14:01:34 15928 [usr/lib/api/api_interface.c:2875 api] INFO: C_Initialize 04/27/2023 14:01:34 15928 [usr/lib/api/policy.c:1666 api] ERROR: Failed to open /etc/opencryptoki/strength.conf: No such file or directory 04/27/2023 14:01:34 15928 [usr/lib/api/api_interface.c:3092 api] ERROR: Policy loading failed! 
rc=0x5 04/27/2023 14:01:34 15928 [usr/lib/api/api_interface.c:1656 api] INFO: C_Finalize 04/27/2023 14:01:34 15928 [usr/lib/api/api_interface.c:1658 api] ERROR: API not initialized Contact Information = christian.rund@de.ibm.com ---uname output--- Linux sytem 5.15.0-69-generic #76-Ubuntu SMP Fri Mar 17 17:22:11 UTC 2023 s390x s390x s390x GNU/Linux Machine Type = IBM Type: 3931 Model: 704 A01 ---Debugger--- A debugger is not configured ---Steps to Reproduce---  1.) Install Ubuntu 22.04.1 onto your LPAR, VM guest or KVM guest 2.) Install opencryptoki via apt-get install -y opencryptoki 3.) run: pkcsconf -t     and watch the problem to occur   # pkcsconf -t   Error initializing the PKCS11 library: 0x5 (CKR_GENERAL_ERROR) 4.) export OPENCRYPTOKI_TRACE_LEVEL=4 5.) Run step 4 again 6.) ls -l /var/log/opencryptoki     The debug file contains the hit to the missing .conf file Userspace tool common name: pkcsconf The userspace tool has the following bit modes: 64bit Userspace rpm: opencryptoki Userspace tool obtained from project website: na *Additional Instructions for christian.rund@de.ibm.com: -Attach ltrace and strace of userspace application. == Comment: <ifranzki@de.ibm.com> - 2023-04-28 03:52:34 == That is somewhat strange. Opencryptoki 3.17 does NOT yet contain support for policies, at least not the upstream version. Policy support came only with 3.18. So I would not have expected that 3.17 has policy support at all. However, I don't know if the policy support was backported for/by Ubuntu to Ubuntu's opencryptoki 3.17? If that's the case, then I would assume that only policy support, but not support for statistics was backported (you can check if 'pkcsstats' is available with Ubuntu's 3.17). With just policy support (but not statistics), the 2 config files required for enabling policies (strength.conf and policy.conf) are intentionally not shipped and installed in /etc/opencryptoki, but it is the user's responsibility to provide both of them when enabling policies. 
Examples for both of these config files are provided in the documentation directory of the package: strength-example.conf and policy-example.conf. With 3.18, statistics support was added, and with that, the strength.conf file was changed to be shipped and installed in /etc/opencryptoki, because the statistics support needs to know the strength definitions as well, independent of policies being enabled or not. So starting with 3.18, a user would only have to supply a policy.conf file to enable policies, if the provided strength configuration matches its need. Please keep in mind, the provided strength.conf/strength-example.conf and policy-example.conf file are intentionally just examples! A user must adjust them to what its requirements on key strength and policy settings are. For example, the provided policy example config file 'policy-example.conf' contains the following:   # Do not require any specific strength.   # You probably do not want this!   strength = 0 So this is something that the user must adjust in any case. Having a policy that requires a key strength of 0 bits simply means that all keys of all strength are allowed. Please also see 'man policy.conf' and 'man strength.conf' for details. Given above, I would tend to consider this BZ as 'works as designed', unless it turns out that the backport misses important things. == Comment: <ifranzki@de.ibm.com> - 2023-04-28 03:59:08 == It only fails if the user has supplied a policy.conf file, but no strength.conf file. == Comment: <Christian.Rund@de.ibm.com> - 2023-05-08 05:10:09 == Apparently the policy as well as statistics support shall be integrated into the opencryptoki library release shipped with Ubuntu 22.04 (jammy jellyfish). Please integrate a default strength.conf file. Thanks. Refer also to the comment in LaunchPad LP1959419 : "Please note that with the patches on top of 3.17 a new strength.conf file is being installed into /etc/opencryptoki when doing 'make install'. 
Make sure that you include this new file into your package so that it gets installed at the user systems. Without the strength.conf file opencryptoki won't work." == Comment: <ifranzki@de.ibm.com> - 2023-05-08 06:14:46 == Note that strength.conf must be owned by root:pkcs11 and MUST (!) have a mode of 0640. SRU Justification: ================== [Impact ]  * Opencryptoki added policy support (after 3.17) with 3.18,    which requires to have a strength.conf file in place.  * Without the strength.conf file such newer opencryptoki version will not work.  * And an error like this is shown, in case pkcsconf is going to be used:    # pkcsconf -t    Error initializing the PKCS11 library: 0x5 (CKR_GENERAL_ERROR) [ Test Plan ]  * Install affected Ubuntu Server release onto your LPAR, VM guest or KVM guest  * Install opencryptoki via:    sudo apt install -y opencryptoki  * run: pkcsconf -t    and watch the problem to occur    # pkcsconf -t    Error initializing the PKCS11 library: 0x5 (CKR_GENERAL_ERROR)  * Optional:    export OPENCRYPTOKI_TRACE_LEVEL=4    run step 4 again    ls -l /var/log/opencryptoki    The debug file contains the hit to the missing .conf file [ Where problems could occur ]  * The strength.conf file might have wrong content * or is at a wrong file-system location  * or strength.conf might have wrong file permissions,    which is checked inside of the tool's code.  * In all these cases pkcsconf will still not work even if the file is in place. [ Other Info ]  * To simplify the packaging d/opencryptoki.install now installs the    entire content of the etc/opencryptoki build folder,    especially to catch all conf files.    This eventually also makes the arch-specific file    d/opencryptoki.install.s390x obsolete.  
* Package opencryptoki has reverse dependencies:    $ reverse-depends -a source src:opencryptoki    Reverse-Build-Depends    * simple-tpm-pk11 (for libopencryptoki-dev)    * tpm-tools (for libopencryptoki-dev)    These were rebuilt for test purposes, in addition to opencryptoki itself,    and are available at PPA:    https://launchpad.net/~fheimes/+archive/ubuntu/lp2018911 __________ ---Problem Description--- Summary ======= IBM z16 system LPAR OS: "Ubuntu 22.04.1 LTS (Jammy Jellyfish)" on 5.15.0-69-generic kernel     providing     opencryptoki 3.17.0+dfsg+20220202.b40982e-0ubuntu1.1 s390x The opencryptoki package is missing the strength.conf file Details ======= When attempting to build up no opencryptoki token is displayed. Further investigations revealed the problem is related to a missing configuration file which is not shipped/included by the opencryptoki package. Run: dpkg -L opencryptoki and check the list of files for the /etc directory. Further, enabled the opencryptoki debug messages to display why the tokens are not built up by 'export OPENCRYPTOKI_TRACE_LEVEL=4', then running pkcsconf -t. A log file is written to the /var/log/opencryptoki directory. Mind to unset the trace var again. Terminal output =============== # cat /var/log/opencryptoki/trace.15928 04/27/2023 14:01:34 15928 [usr/lib/common/trace.c:210 api] INFO: **** OCK Trace level 4 activated for OCK version 3.17.0 **** 04/27/2023 14:01:34 15928 [usr/lib/api/api_interface.c:2875 api] INFO: C_Initialize 04/27/2023 14:01:34 15928 [usr/lib/api/policy.c:1666 api] ERROR: Failed to open /etc/opencryptoki/strength.conf: No such file or directory 04/27/2023 14:01:34 15928 [usr/lib/api/api_interface.c:3092 api] ERROR: Policy loading failed! 
rc=0x5 04/27/2023 14:01:34 15928 [usr/lib/api/api_interface.c:1656 api] INFO: C_Finalize 04/27/2023 14:01:34 15928 [usr/lib/api/api_interface.c:1658 api] ERROR: API not initialized Contact Information = christian.rund@de.ibm.com ---uname output--- Linux sytem 5.15.0-69-generic #76-Ubuntu SMP Fri Mar 17 17:22:11 UTC 2023 s390x s390x s390x GNU/Linux Machine Type = IBM Type: 3931 Model: 704 A01 ---Debugger--- A debugger is not configured ---Steps to Reproduce---  1.) Install Ubuntu 22.04.1 onto your LPAR, VM guest or KVM guest 2.) Install opencryptoki via apt-get install -y opencryptoki 3.) run: pkcsconf -t     and watch the problem to occur   # pkcsconf -t   Error initializing the PKCS11 library: 0x5 (CKR_GENERAL_ERROR) 4.) export OPENCRYPTOKI_TRACE_LEVEL=4 5.) Run step 4 again 6.) ls -l /var/log/opencryptoki     The debug file contains the hit to the missing .conf file Userspace tool common name: pkcsconf The userspace tool has the following bit modes: 64bit Userspace rpm: opencryptoki Userspace tool obtained from project website: na *Additional Instructions for christian.rund@de.ibm.com: -Attach ltrace and strace of userspace application. == Comment: <ifranzki@de.ibm.com> - 2023-04-28 03:52:34 == That is somewhat strange. Opencryptoki 3.17 does NOT yet contain support for policies, at least not the upstream version. Policy support came only with 3.18. So I would not have expected that 3.17 has policy support at all. However, I don't know if the policy support was backported for/by Ubuntu to Ubuntu's opencryptoki 3.17? If that's the case, then I would assume that only policy support, but not support for statistics was backported (you can check if 'pkcsstats' is available with Ubuntu's 3.17). With just policy support (but not statistics), the 2 config files required for enabling policies (strength.conf and policy.conf) are intentionally not shipped and installed in /etc/opencryptoki, but it is the user's responsibility to provide both of them when enabling policies. 
Examples for both of these config files are provided in the documentation directory of the package: strength-example.conf and policy-example.conf. With 3.18, statistics support was added, and with that, the strength.conf file was changed to be shipped and installed in /etc/opencryptoki, because the statistics support needs to know the strength definitions as well, independent of policies being enabled or not. So starting with 3.18, a user would only have to supply a policy.conf file to enable policies, if the provided strength configuration matches its need. Please keep in mind, the provided strength.conf/strength-example.conf and policy-example.conf file are intentionally just examples! A user must adjust them to what its requirements on key strength and policy settings are. For example, the provided policy example config file 'policy-example.conf' contains the following:   # Do not require any specific strength.   # You probably do not want this!   strength = 0 So this is something that the user must adjust in any case. Having a policy that requires a key strength of 0 bits simply means that all keys of all strength are allowed. Please also see 'man policy.conf' and 'man strength.conf' for details. Given above, I would tend to consider this BZ as 'works as designed', unless it turns out that the backport misses important things. == Comment: <ifranzki@de.ibm.com> - 2023-04-28 03:59:08 == It only fails if the user has supplied a policy.conf file, but no strength.conf file. == Comment: <Christian.Rund@de.ibm.com> - 2023-05-08 05:10:09 == Apparently the policy as well as statistics support shall be integrated into the opencryptoki library release shipped with Ubuntu 22.04 (jammy jellyfish). Please integrate a default strength.conf file. Thanks. Refer also to the comment in LaunchPad LP1959419 : "Please note that with the patches on top of 3.17 a new strength.conf file is being installed into /etc/opencryptoki when doing 'make install'. 
Make sure that you include this new file into your package so that it gets installed at the user systems. Without the strength.conf file opencryptoki won't work." == Comment: <ifranzki@de.ibm.com> - 2023-05-08 06:14:46 == Note that strength.conf must be owned by root:pkcs11 and MUST (!) have a mode of 0640.
2023-06-12 15:37:09 Frank Heimes description SRU Justification: ================== [Impact ]  * Opencryptoki added policy support (after 3.17) with 3.18,    which requires to have a strength.conf file in place.  * Without the strength.conf file such newer opencryptoki version will not work.  * And an error like this is shown, in case pkcsconf is going to be used:    # pkcsconf -t    Error initializing the PKCS11 library: 0x5 (CKR_GENERAL_ERROR) [ Test Plan ]  * Install affected Ubuntu Server release onto your LPAR, VM guest or KVM guest  * Install opencryptoki via:    sudo apt install -y opencryptoki  * run: pkcsconf -t    and watch the problem to occur    # pkcsconf -t    Error initializing the PKCS11 library: 0x5 (CKR_GENERAL_ERROR)  * Optional:    export OPENCRYPTOKI_TRACE_LEVEL=4    run step 4 again    ls -l /var/log/opencryptoki    The debug file contains the hit to the missing .conf file [ Where problems could occur ]  * The strength.conf file might have wrong content * or is at a wrong file-system location  * or strength.conf might have wrong file permissions,    which is checked inside of the tool's code.  * In all these cases pkcsconf will still not work even if the file is in place. [ Other Info ]  * To simplify the packaging d/opencryptoki.install now installs the    entire content of the etc/opencryptoki build folder,    especially to catch all conf files.    This eventually also makes the arch-specific file    d/opencryptoki.install.s390x obsolete.  
* Package opencryptoki has reverse dependencies:    $ reverse-depends -a source src:opencryptoki    Reverse-Build-Depends    * simple-tpm-pk11 (for libopencryptoki-dev)    * tpm-tools (for libopencryptoki-dev)    These were rebuild for test purposes, in addition to opencryptoki itself,    and are available at PPA:    https://launchpad.net/~fheimes/+archive/ubuntu/lp2018911 __________ ---Problem Description--- Summary ======= IBM z16 system LPAR OS: "Ubuntu 22.04.1 LTS (Jammy Jellyfish)" on 5.15.0-69-generic kernel     providing     opencryptoki 3.17.0+dfsg+20220202.b40982e-0ubuntu1.1 s390x The opencryptoki package is missing the strength.conf file Details ======= When attempting to build up no opencryptoki token is displayed. Further investigations revealed the problem is related to a missing configuration file which is not shipped/included by the opencryptoki package. Run : dpkg -L opencryptoki and check the list of files for the /etc directory. Furhter, enabled the opencryptoki debug messages to display why the tokens are not built up by 'export OPENCRYPTOKI_TRACE_LEVEL=4', then running pkcsconf -t. A log file is written to the /var/log/opencryptoki directory. Mind to unset the trace var again. Terminal output =============== # cat /var/log/opencryptoki/trace.15928 04/27/2023 14:01:34 15928 [usr/lib/common/trace.c:210 api] INFO: **** OCK Trace level 4 activated for OCK version 3.17.0 **** 04/27/2023 14:01:34 15928 [usr/lib/api/api_interface.c:2875 api] INFO: C_Initialize 04/27/2023 14:01:34 15928 [usr/lib/api/policy.c:1666 api] ERROR: Failed to open /etc/opencryptoki/strength.conf: No such file or directory 04/27/2023 14:01:34 15928 [usr/lib/api/api_interface.c:3092 api] ERROR: Policy loading failed! 
rc=0x5 04/27/2023 14:01:34 15928 [usr/lib/api/api_interface.c:1656 api] INFO: C_Finalize 04/27/2023 14:01:34 15928 [usr/lib/api/api_interface.c:1658 api] ERROR: API not initialized Contact Information = christian.rund@de.ibm.com ---uname output--- Linux sytem 5.15.0-69-generic #76-Ubuntu SMP Fri Mar 17 17:22:11 UTC 2023 s390x s390x s390x GNU/Linux Machine Type = IBM Type: 3931 Model: 704 A01 ---Debugger--- A debugger is not configured ---Steps to Reproduce---  1.) Install Ubuntu 22.04.1 onto your LPAR, VM guest or KVM guest 2.) Install opencryptoki via apt-get install -y opencryptoki 3.) run: pkcsconf -t     and watch the problem to occur   # pkcsconf -t   Error initializing the PKCS11 library: 0x5 (CKR_GENERAL_ERROR) 4.) export OPENCRYPTOKI_TRACE_LEVEL=4 5.) Run step 4 again 6.) ls -l /var/log/opencryptoki     The debug file contains the hit to the missing .conf file Userspace tool common name: pkcsconf The userspace tool has the following bit modes: 64bit Userspace rpm: opencryptoki Userspace tool obtained from project website: na *Additional Instructions for christian.rund@de.ibm.com: -Attach ltrace and strace of userspace application. == Comment: <ifranzki@de.ibm.com> - 2023-04-28 03:52:34 == That is somewhat strange. Opencryptoki 3.17 does NOT yet contain support for policies, at least not the upstream version. Policy support came only with 3.18. So I would not have expected that 3.17 has policy support at all. However, I don't know if the policy support was backported for/by Ubuntu to Ubuntu's opencryptoki 3.17? If that's the case, then I would assume that only policy support, but not support for statistics was backported (you can check if 'pkcsstats' is available with Ubuntu's 3.17). With just policy support (but not statistics), the 2 config files required for enabling policies (strength.conf and policy.conf) are intentionally not shipped and installed in /etc/opencryptoki, but it is the user's responsibility to provide both of them when enabling policies. 
Examples for both of these config files are provided in the documentation directory of the package: strength-example.conf and policy-example.conf. With 3.18, statistics support was added, and with that, the strength.conf file was changed to be shipped and installed in /etc/opencryptoki, because the statistics support needs to know the strength definitions as well, independent of policies being enabled or not. So starting with 3.18, a user would only have to supply a policy.conf file to enable policies, if the provided strength configuration matches its need. Please keep in mind, the provided strength.conf/strength-example.conf and policy-example.conf files are intentionally just examples! A user must adjust them to what its requirements on key strength and policy settings are. For example, the provided policy example config file 'policy-example.conf' contains the following:   # Do not require any specific strength.   # You probably do not want this!   strength = 0 So this is something that the user must adjust in any case. Having a policy that requires a key strength of 0 bits simply means that all keys of all strength are allowed. Please also see 'man policy.conf' and 'man strength.conf' for details. Given above, I would tend to consider this BZ as 'works as designed', unless it turns out that the backport misses important things. == Comment: <ifranzki@de.ibm.com> - 2023-04-28 03:59:08 == It only fails if the user has supplied a policy.conf file, but no strength.conf file. == Comment: <Christian.Rund@de.ibm.com> - 2023-05-08 05:10:09 == Apparently the policy as well as statistics support shall be integrated into the opencryptoki library release shipped with Ubuntu 22.04 (jammy jellyfish). Please integrate a default strength.conf file. Thanks. Refer also to the comment in LaunchPad LP1959419 : "Please note that with the patches on top of 3.17 a new strength.conf file is being installed into /etc/opencryptoki when doing 'make install'. 
Make sure that you include this new file into your package so that it gets installed at the user systems. Without the strength.conf file opencryptoki won't work." == Comment: <ifranzki@de.ibm.com> - 2023-05-08 06:14:46 == Note that strength.conf must be owned by root:pkcs11 and MUST (!) have a mode of 0640. SRU Justification: ================== [Impact ]  * Opencryptoki added policy support (after 3.17) with 3.18,    which requires to have a strength.conf file in place.  * Without the strength.conf file such newer opencryptoki version will not work.  * And an error like this is shown, in case pkcsconf is going to be used:    # pkcsconf -t    Error initializing the PKCS11 library: 0x5 (CKR_GENERAL_ERROR) [ Test Plan ]  * Install affected Ubuntu Server release onto your LPAR, VM guest or KVM guest  * Install opencryptoki via:    sudo apt install -y opencryptoki  * run: pkcsconf -t    and watch the problem to occur    # pkcsconf -t    Error initializing the PKCS11 library: 0x5 (CKR_GENERAL_ERROR)  * Optional:    export OPENCRYPTOKI_TRACE_LEVEL=4    run step 4 again    ls -l /var/log/opencryptoki    The debug file contains the hit to the missing .conf file [ Where problems could occur ]  * The strength.conf file might have wrong content  * or is at a wrong file-system location  * or strength.conf might have wrong file permissions,    which is checked inside of the tool's code.  * In all these cases pkcsconf will still not work even if the file is in place. [ Other Info ] * The strength.conf file allows users to configure openCryptoki cryptographic key strength determination based on key attributes. And this file is required by openCryptoki. The strength configuration file has to be owned by 'root:@pkcs_group', have mode 0640, and be parsable. Otherwise, openCryptoki will return 'CKR_FUNCTION_FAILED' on 'C_Initialize' and log a corresponding message to syslog detailing the reason why the strength configuration could not be used. 
(more see 'strength.conf' in man5)  * To simplify the packaging d/opencryptoki.install now installs the    entire content of the etc/opencryptoki build folder,    especially to catch all conf files.    This eventually also makes the arch-specific file    d/opencryptoki.install.s390x obsolete.  * Package opencryptoki has reverse dependencies:    $ reverse-depends -a source src:opencryptoki    Reverse-Build-Depends    * simple-tpm-pk11 (for libopencryptoki-dev)    * tpm-tools (for libopencryptoki-dev)    These were rebuilt for test purposes, in addition to opencryptoki itself,    and are available at PPA:    https://launchpad.net/~fheimes/+archive/ubuntu/lp2018911 __________ ---Problem Description--- Summary ======= IBM z16 system LPAR OS: "Ubuntu 22.04.1 LTS (Jammy Jellyfish)" on 5.15.0-69-generic kernel     providing     opencryptoki 3.17.0+dfsg+20220202.b40982e-0ubuntu1.1 s390x The opencryptoki package is missing the strength.conf file Details ======= When attempting to build up no opencryptoki token is displayed. Further investigations revealed the problem is related to a missing configuration file which is not shipped/included by the opencryptoki package. Run : dpkg -L opencryptoki and check the list of files for the /etc directory. Further, enabled the opencryptoki debug messages to display why the tokens are not built up by 'export OPENCRYPTOKI_TRACE_LEVEL=4', then running pkcsconf -t. A log file is written to the /var/log/opencryptoki directory. Mind to unset the trace var again. 
Terminal output =============== # cat /var/log/opencryptoki/trace.15928 04/27/2023 14:01:34 15928 [usr/lib/common/trace.c:210 api] INFO: **** OCK Trace level 4 activated for OCK version 3.17.0 **** 04/27/2023 14:01:34 15928 [usr/lib/api/api_interface.c:2875 api] INFO: C_Initialize 04/27/2023 14:01:34 15928 [usr/lib/api/policy.c:1666 api] ERROR: Failed to open /etc/opencryptoki/strength.conf: No such file or directory 04/27/2023 14:01:34 15928 [usr/lib/api/api_interface.c:3092 api] ERROR: Policy loading failed! rc=0x5 04/27/2023 14:01:34 15928 [usr/lib/api/api_interface.c:1656 api] INFO: C_Finalize 04/27/2023 14:01:34 15928 [usr/lib/api/api_interface.c:1658 api] ERROR: API not initialized Contact Information = christian.rund@de.ibm.com ---uname output--- Linux sytem 5.15.0-69-generic #76-Ubuntu SMP Fri Mar 17 17:22:11 UTC 2023 s390x s390x s390x GNU/Linux Machine Type = IBM Type: 3931 Model: 704 A01 ---Debugger--- A debugger is not configured ---Steps to Reproduce---  1.) Install Ubuntu 22.04.1 onto your LPAR, VM guest or KVM guest 2.) Install opencryptoki via apt-get install -y opencryptoki 3.) run: pkcsconf -t     and watch the problem to occur   # pkcsconf -t   Error initializing the PKCS11 library: 0x5 (CKR_GENERAL_ERROR) 4.) export OPENCRYPTOKI_TRACE_LEVEL=4 5.) Run step 4 again 6.) ls -l /var/log/opencryptoki     The debug file contains the hit to the missing .conf file Userspace tool common name: pkcsconf The userspace tool has the following bit modes: 64bit Userspace rpm: opencryptoki Userspace tool obtained from project website: na *Additional Instructions for christian.rund@de.ibm.com: -Attach ltrace and strace of userspace application. == Comment: <ifranzki@de.ibm.com> - 2023-04-28 03:52:34 == That is somewhat strange. Opencryptoki 3.17 does NOT yet contain support for policies, at least not the upstream version. Policy support came only with 3.18. So I would not have expected that 3.17 has policy support at all. 
However, I don't know if the policy support was backported for/by Ubuntu to Ubuntu's opencryptoki 3.17? If that's the case, then I would assume that only policy support, but not support for statistics was backported (you can check if 'pkcsstats' is available with Ubuntu's 3.17). With just policy support (but not statistics), the 2 config files required for enabling policies (strength.conf and policy.conf) are intentionally not shipped and installed in /etc/opencryptoki, but it is the user's responsibility to provide both of them when enabling policies. Examples for both of these config files are provided in the documentation directory of the package: strength-example.conf and policy-example.conf. With 3.18, statistics support was added, and with that, the strength.conf file was changed to be shipped and installed in /etc/opencryptoki, because the statistics support needs to know the strength definitions as well, independent of policies being enabled or not. So starting with 3.18, a user would only have to supply a policy.conf file to enable policies, if the provided strength configuration matches its need. Please keep in mind, the provided strength.conf/strength-example.conf and policy-example.conf files are intentionally just examples! A user must adjust them to what its requirements on key strength and policy settings are. For example, the provided policy example config file 'policy-example.conf' contains the following:   # Do not require any specific strength.   # You probably do not want this!   strength = 0 So this is something that the user must adjust in any case. Having a policy that requires a key strength of 0 bits simply means that all keys of all strength are allowed. Please also see 'man policy.conf' and 'man strength.conf' for details. Given above, I would tend to consider this BZ as 'works as designed', unless it turns out that the backport misses important things. 
== Comment: <ifranzki@de.ibm.com> - 2023-04-28 03:59:08 == It only fails if the user has supplied a policy.conf file, but no strength.conf file. == Comment: <Christian.Rund@de.ibm.com> - 2023-05-08 05:10:09 == Apparently the policy as well as statistics support shall be integrated into the opencryptoki library release shipped with Ubuntu 22.04 (jammy jellyfish). Please integrate a default strength.conf file. Thanks. Refer also to the comment in LaunchPad LP1959419 : "Please note that with the patches on top of 3.17 a new strength.conf file is being installed into /etc/opencryptoki when doing 'make install'. Make sure that you include this new file into your package so that it gets installed at the user systems. Without the strength.conf file opencryptoki won't work." == Comment: <ifranzki@de.ibm.com> - 2023-05-08 06:14:46 == Note that strength.conf must be owned by root:pkcs11 and MUST (!) have a mode of 0640.
2023-06-16 20:40:17 Steve Langasek description SRU Justification: ================== [Impact ]  * Opencryptoki added policy support (after 3.17) with 3.18,    which requires to have a strength.conf file in place.  * Without the strength.conf file such newer opencryptoki version will not work.  * And an error like this is shown, in case pkcsconf is going to be used:    # pkcsconf -t    Error initializing the PKCS11 library: 0x5 (CKR_GENERAL_ERROR) [ Test Plan ]  * Install affected Ubuntu Server release onto your LPAR, VM guest or KVM guest  * Install opencryptoki via:    sudo apt install -y opencryptoki  * run: pkcsconf -t    and watch the problem to occur    # pkcsconf -t    Error initializing the PKCS11 library: 0x5 (CKR_GENERAL_ERROR)  * Optional:    export OPENCRYPTOKI_TRACE_LEVEL=4    run step 4 again    ls -l /var/log/opencryptoki    The debug file contains the hit to the missing .conf file [ Where problems could occur ]  * The strength.conf file might have wrong content  * or is at a wrong file-system location  * or strength.conf might have wrong file permissions,    which is checked inside of the tool's code.  * In all these cases pkcsconf will still not work even if the file is in place. [ Other Info ] * The strength.conf file allows users to configure openCryptoki cryptographic key strength determination based on key attributes. And this file is required by openCryptoki. The strength configuration file has to be owned by 'root:@pkcs_group', have mode 0640, and be parsable. Otherwise, openCryptoki will return 'CKR_FUNCTION_FAILED' on 'C_Initialize' and log a corresponding message to syslog detailing the reason why the strength configuration could not be used. (more see 'strength.conf' in man5)  * To simplify the packaging d/opencryptoki.install now installs the    entire content of the etc/opencryptoki build folder,    especially to catch all conf files.    This eventually also makes the arch-specific file    d/opencryptoki.install.s390x obsolete.  
* Package opencryptoki has reverse dependencies:    $ reverse-depends -a source src:opencryptoki    Reverse-Build-Depends    * simple-tpm-pk11 (for libopencryptoki-dev)    * tpm-tools (for libopencryptoki-dev)    These were rebuilt for test purposes, in addition to opencryptoki itself,    and are available at PPA:    https://launchpad.net/~fheimes/+archive/ubuntu/lp2018911 __________ ---Problem Description--- Summary ======= IBM z16 system LPAR OS: "Ubuntu 22.04.1 LTS (Jammy Jellyfish)" on 5.15.0-69-generic kernel     providing     opencryptoki 3.17.0+dfsg+20220202.b40982e-0ubuntu1.1 s390x The opencryptoki package is missing the strength.conf file Details ======= When attempting to build up no opencryptoki token is displayed. Further investigations revealed the problem is related to a missing configuration file which is not shipped/included by the opencryptoki package. Run : dpkg -L opencryptoki and check the list of files for the /etc directory. Further, enabled the opencryptoki debug messages to display why the tokens are not built up by 'export OPENCRYPTOKI_TRACE_LEVEL=4', then running pkcsconf -t. A log file is written to the /var/log/opencryptoki directory. Mind to unset the trace var again. Terminal output =============== # cat /var/log/opencryptoki/trace.15928 04/27/2023 14:01:34 15928 [usr/lib/common/trace.c:210 api] INFO: **** OCK Trace level 4 activated for OCK version 3.17.0 **** 04/27/2023 14:01:34 15928 [usr/lib/api/api_interface.c:2875 api] INFO: C_Initialize 04/27/2023 14:01:34 15928 [usr/lib/api/policy.c:1666 api] ERROR: Failed to open /etc/opencryptoki/strength.conf: No such file or directory 04/27/2023 14:01:34 15928 [usr/lib/api/api_interface.c:3092 api] ERROR: Policy loading failed! 
rc=0x5 04/27/2023 14:01:34 15928 [usr/lib/api/api_interface.c:1656 api] INFO: C_Finalize 04/27/2023 14:01:34 15928 [usr/lib/api/api_interface.c:1658 api] ERROR: API not initialized Contact Information = christian.rund@de.ibm.com ---uname output--- Linux sytem 5.15.0-69-generic #76-Ubuntu SMP Fri Mar 17 17:22:11 UTC 2023 s390x s390x s390x GNU/Linux Machine Type = IBM Type: 3931 Model: 704 A01 ---Debugger--- A debugger is not configured ---Steps to Reproduce---  1.) Install Ubuntu 22.04.1 onto your LPAR, VM guest or KVM guest 2.) Install opencryptoki via apt-get install -y opencryptoki 3.) run: pkcsconf -t     and watch the problem to occur   # pkcsconf -t   Error initializing the PKCS11 library: 0x5 (CKR_GENERAL_ERROR) 4.) export OPENCRYPTOKI_TRACE_LEVEL=4 5.) Run step 4 again 6.) ls -l /var/log/opencryptoki     The debug file contains the hit to the missing .conf file Userspace tool common name: pkcsconf The userspace tool has the following bit modes: 64bit Userspace rpm: opencryptoki Userspace tool obtained from project website: na *Additional Instructions for christian.rund@de.ibm.com: -Attach ltrace and strace of userspace application. == Comment: <ifranzki@de.ibm.com> - 2023-04-28 03:52:34 == That is somewhat strange. Opencryptoki 3.17 does NOT yet contain support for policies, at least not the upstream version. Policy support came only with 3.18. So I would not have expected that 3.17 has policy support at all. However, I don't know if the policy support was backported for/by Ubuntu to Ubuntu's opencryptoki 3.17? If that's the case, then I would assume that only policy support, but not support for statistics was backported (you can check if 'pkcsstats' is available with Ubuntu's 3.17). With just policy support (but not statistics), the 2 config files required for enabling policies (strength.conf and policy.conf) are intentionally not shipped and installed in /etc/opencryptoki, but it is the user's responsibility to provide both of them when enabling policies. 
Examples for both of these config files are provided in the documentation directory of the package: strength-example.conf and policy-example.conf. With 3.18, statistics support was added, and with that, the strength.conf file was changed to be shipped and installed in /etc/opencryptoki, because the statistics support needs to know the strength definitions as well, independent of policies being enabled or not. So starting with 3.18, a user would only have to supply a policy.conf file to enable policies, if the provided strength configuration matches its need. Please keep in mind, the provided strength.conf/strength-example.conf and policy-example.conf files are intentionally just examples! A user must adjust them to what its requirements on key strength and policy settings are. For example, the provided policy example config file 'policy-example.conf' contains the following:   # Do not require any specific strength.   # You probably do not want this!   strength = 0 So this is something that the user must adjust in any case. Having a policy that requires a key strength of 0 bits simply means that all keys of all strength are allowed. Please also see 'man policy.conf' and 'man strength.conf' for details. Given above, I would tend to consider this BZ as 'works as designed', unless it turns out that the backport misses important things. == Comment: <ifranzki@de.ibm.com> - 2023-04-28 03:59:08 == It only fails if the user has supplied a policy.conf file, but no strength.conf file. == Comment: <Christian.Rund@de.ibm.com> - 2023-05-08 05:10:09 == Apparently the policy as well as statistics support shall be integrated into the opencryptoki library release shipped with Ubuntu 22.04 (jammy jellyfish). Please integrate a default strength.conf file. Thanks. Refer also to the comment in LaunchPad LP1959419 : "Please note that with the patches on top of 3.17 a new strength.conf file is being installed into /etc/opencryptoki when doing 'make install'. 
Make sure that you include this new file into your package so that it gets installed at the user systems. Without the strength.conf file opencryptoki won't work." == Comment: <ifranzki@de.ibm.com> - 2023-05-08 06:14:46 == Note that strength.conf must be owned by root:pkcs11 and MUST (!) have a mode of 0640. SRU Justification: ================== [Impact ]  * Opencryptoki added policy support (after 3.17) with 3.18,    which requires to have a strength.conf file in place.  * Without the strength.conf file such newer opencryptoki version will not work.  * And an error like this is shown, in case pkcsconf is going to be used:    # pkcsconf -t    Error initializing the PKCS11 library: 0x5 (CKR_GENERAL_ERROR) [ Test Plan ]  * Install affected Ubuntu Server release onto your s390x LPAR, VM guest or KVM guest  * Install opencryptoki via:    sudo apt install -y opencryptoki  * run: pkcsconf -t    and watch the problem to occur    # pkcsconf -t    Error initializing the PKCS11 library: 0x5 (CKR_GENERAL_ERROR)  * Optional:    export OPENCRYPTOKI_TRACE_LEVEL=4    run step 4 again    ls -l /var/log/opencryptoki    The debug file contains the hit to the missing .conf file [ Where problems could occur ]  * The strength.conf file might have wrong content  * or is at a wrong file-system location  * or strength.conf might have wrong file permissions,    which is checked inside of the tool's code.  * In all these cases pkcsconf will still not work even if the file is in place. [ Other Info ]  * The strength.conf file allows users to configure openCryptoki    cryptographic key strength determination based on key attributes.    And this file is required by openCryptoki.    The strength configuration file has to be owned by 'root:@pkcs_group',    have mode 0640, and be parsable. Otherwise, openCryptoki will return    'CKR_FUNCTION_FAILED' on 'C_Initialize' and log a corresponding message    to syslog detailing the reason why the strength configuration could    not be used. 
(more see 'strength.conf' in man5)  * To simplify the packaging d/opencryptoki.install now installs the    entire content of the etc/opencryptoki build folder,    especially to catch all conf files.    This eventually also makes the arch-specific file    d/opencryptoki.install.s390x obsolete.  * Package opencryptoki has reverse dependencies:    $ reverse-depends -a source src:opencryptoki    Reverse-Build-Depends    * simple-tpm-pk11 (for libopencryptoki-dev)    * tpm-tools (for libopencryptoki-dev)    These were rebuilt for test purposes, in addition to opencryptoki itself,    and are available at PPA:    https://launchpad.net/~fheimes/+archive/ubuntu/lp2018911 __________ ---Problem Description--- Summary ======= IBM z16 system LPAR OS: "Ubuntu 22.04.1 LTS (Jammy Jellyfish)" on 5.15.0-69-generic kernel     providing     opencryptoki 3.17.0+dfsg+20220202.b40982e-0ubuntu1.1 s390x The opencryptoki package is missing the strength.conf file Details ======= When attempting to build up no opencryptoki token is displayed. Further investigations revealed the problem is related to a missing configuration file which is not shipped/included by the opencryptoki package. Run : dpkg -L opencryptoki and check the list of files for the /etc directory. Further, enabled the opencryptoki debug messages to display why the tokens are not built up by 'export OPENCRYPTOKI_TRACE_LEVEL=4', then running pkcsconf -t. A log file is written to the /var/log/opencryptoki directory. Mind to unset the trace var again. 
Terminal output =============== # cat /var/log/opencryptoki/trace.15928 04/27/2023 14:01:34 15928 [usr/lib/common/trace.c:210 api] INFO: **** OCK Trace level 4 activated for OCK version 3.17.0 **** 04/27/2023 14:01:34 15928 [usr/lib/api/api_interface.c:2875 api] INFO: C_Initialize 04/27/2023 14:01:34 15928 [usr/lib/api/policy.c:1666 api] ERROR: Failed to open /etc/opencryptoki/strength.conf: No such file or directory 04/27/2023 14:01:34 15928 [usr/lib/api/api_interface.c:3092 api] ERROR: Policy loading failed! rc=0x5 04/27/2023 14:01:34 15928 [usr/lib/api/api_interface.c:1656 api] INFO: C_Finalize 04/27/2023 14:01:34 15928 [usr/lib/api/api_interface.c:1658 api] ERROR: API not initialized Contact Information = christian.rund@de.ibm.com ---uname output--- Linux sytem 5.15.0-69-generic #76-Ubuntu SMP Fri Mar 17 17:22:11 UTC 2023 s390x s390x s390x GNU/Linux Machine Type = IBM Type: 3931 Model: 704 A01 ---Debugger--- A debugger is not configured ---Steps to Reproduce---  1.) Install Ubuntu 22.04.1 onto your LPAR, VM guest or KVM guest 2.) Install opencryptoki via apt-get install -y opencryptoki 3.) run: pkcsconf -t     and watch the problem to occur   # pkcsconf -t   Error initializing the PKCS11 library: 0x5 (CKR_GENERAL_ERROR) 4.) export OPENCRYPTOKI_TRACE_LEVEL=4 5.) Run step 4 again 6.) ls -l /var/log/opencryptoki     The debug file contains the hit to the missing .conf file Userspace tool common name: pkcsconf The userspace tool has the following bit modes: 64bit Userspace rpm: opencryptoki Userspace tool obtained from project website: na *Additional Instructions for christian.rund@de.ibm.com: -Attach ltrace and strace of userspace application. == Comment: <ifranzki@de.ibm.com> - 2023-04-28 03:52:34 == That is somewhat strange. Opencryptoki 3.17 does NOT yet contain support for policies, at least not the upstream version. Policy support came only with 3.18. So I would not have expected that 3.17 has policy support at all. 
However, I don't know if the policy support was backported for/by Ubuntu to Ubuntu's opencryptoki 3.17? If that's the case, then I would assume that only policy support, but not support for statistics was backported (you can check if 'pkcsstats' is available with Ubuntu's 3.17). With just policy support (but not statistics), the 2 config files required for enabling policies (strength.conf and policy.conf) are intentionally not shipped and installed in /etc/opencryptoki, but it is the user's responsibility to provide both of them when enabling policies. Examples for both of these config files are provided in the documentation directory of the package: strength-example.conf and policy-example.conf. With 3.18, statistics support was added, and with that, the strength.conf file was changed to be shipped and installed in /etc/opencryptoki, because the statistics support needs to know the strength definitions as well, independent of policies being enabled or not. So starting with 3.18, a user would only have to supply a policy.conf file to enable policies, if the provided strength configuration matches its need. Please keep in mind, the provided strength.conf/strength-example.conf and policy-example.conf files are intentionally just examples! A user must adjust them to what its requirements on key strength and policy settings are. For example, the provided policy example config file 'policy-example.conf' contains the following:   # Do not require any specific strength.   # You probably do not want this!   strength = 0 So this is something that the user must adjust in any case. Having a policy that requires a key strength of 0 bits simply means that all keys of all strength are allowed. Please also see 'man policy.conf' and 'man strength.conf' for details. Given above, I would tend to consider this BZ as 'works as designed', unless it turns out that the backport misses important things. 
== Comment: <ifranzki@de.ibm.com> - 2023-04-28 03:59:08 == It only fails if the user has supplied a policy.conf file, but no strength.conf file. == Comment: <Christian.Rund@de.ibm.com> - 2023-05-08 05:10:09 == Apparently the policy as well as statistics support shall be integrated into the opencryptoki library release shipped with Ubuntu 22.04 (jammy jellyfish). Please integrate a default strength.conf file. Thanks. Refer also to the comment in LaunchPad LP1959419 : "Please note that with the patches on top of 3.17 a new strength.conf file is being installed into /etc/opencryptoki when doing 'make install'. Make sure that you include this new file into your package so that it gets installed at the user systems. Without the strength.conf file opencryptoki won't work." == Comment: <ifranzki@de.ibm.com> - 2023-05-08 06:14:46 == Note that strength.conf must be owned by root:pkcs11 and MUST (!) have a mode of 0640.
2023-06-21 14:11:22 Frank Heimes description SRU Justification: ================== [Impact ]  * Opencryptoki added policy support (after 3.17) with 3.18,    which requires to have a strength.conf file in place.  * Without the strength.conf file such newer opencryptoki version will not work.  * And an error like this is shown, in case pkcsconf is going to be used:    # pkcsconf -t    Error initializing the PKCS11 library: 0x5 (CKR_GENERAL_ERROR) [ Test Plan ]  * Install affected Ubuntu Server release onto your s390x LPAR, VM guest or KVM guest  * Install opencryptoki via:    sudo apt install -y opencryptoki  * run: pkcsconf -t    and watch the problem to occur    # pkcsconf -t    Error initializing the PKCS11 library: 0x5 (CKR_GENERAL_ERROR)  * Optional:    export OPENCRYPTOKI_TRACE_LEVEL=4    run step 4 again    ls -l /var/log/opencryptoki    The debug file contains the hit to the missing .conf file [ Where problems could occur ]  * The strength.conf file might have wrong content  * or is at a wrong file-system location  * or strength.conf might have wrong file permissions,    which is checked inside of the tool's code.  * In all these cases pkcsconf will still not work even if the file is in place. [ Other Info ]  * The strength.conf file allows users to configure openCryptoki    cryptographic key strength determination based on key attributes.    And this file is required by openCryptoki.    The strength configuration file has to be owned by 'root:@pkcs_group',    have mode 0640, and be parsable. Otherwise, openCryptoki will return    'CKR_FUNCTION_FAILED' on 'C_Initialize' and log a corresponding message    to syslog detailing the reason why the strength configuration could    not be used. (more see 'strength.conf' in man5)  * To simplify the packaging d/opencryptoki.install now installs the    entire content of the etc/opencryptoki build folder,    especially to catch all conf files.    
This eventually also makes the arch-specific file    d/opencryptoki.install.s390x obsolete.  * Package opencryptoki has reverse dependencies:    $ reverse-depends -a source src:opencryptoki    Reverse-Build-Depends    * simple-tpm-pk11 (for libopencryptoki-dev)    * tpm-tools (for libopencryptoki-dev)    These were rebuilt for test purposes, in addition to opencryptoki itself,    and are available at PPA:    https://launchpad.net/~fheimes/+archive/ubuntu/lp2018911 __________ ---Problem Description--- Summary ======= IBM z16 system LPAR OS: "Ubuntu 22.04.1 LTS (Jammy Jellyfish)" on 5.15.0-69-generic kernel     providing     opencryptoki 3.17.0+dfsg+20220202.b40982e-0ubuntu1.1 s390x The opencryptoki package is missing the strength.conf file Details ======= When attempting to build up no opencryptoki token is displayed. Further investigations revealed the problem is related to a missing configuration file which is not shipped/included by the opencryptoki package. Run : dpkg -L opencryptoki and check the list of files for the /etc directory. Further, enabled the opencryptoki debug messages to display why the tokens are not built up by 'export OPENCRYPTOKI_TRACE_LEVEL=4', then running pkcsconf -t. A log file is written to the /var/log/opencryptoki directory. Mind to unset the trace var again. Terminal output =============== # cat /var/log/opencryptoki/trace.15928 04/27/2023 14:01:34 15928 [usr/lib/common/trace.c:210 api] INFO: **** OCK Trace level 4 activated for OCK version 3.17.0 **** 04/27/2023 14:01:34 15928 [usr/lib/api/api_interface.c:2875 api] INFO: C_Initialize 04/27/2023 14:01:34 15928 [usr/lib/api/policy.c:1666 api] ERROR: Failed to open /etc/opencryptoki/strength.conf: No such file or directory 04/27/2023 14:01:34 15928 [usr/lib/api/api_interface.c:3092 api] ERROR: Policy loading failed! 
rc=0x5 04/27/2023 14:01:34 15928 [usr/lib/api/api_interface.c:1656 api] INFO: C_Finalize 04/27/2023 14:01:34 15928 [usr/lib/api/api_interface.c:1658 api] ERROR: API not initialized Contact Information = christian.rund@de.ibm.com ---uname output--- Linux sytem 5.15.0-69-generic #76-Ubuntu SMP Fri Mar 17 17:22:11 UTC 2023 s390x s390x s390x GNU/Linux Machine Type = IBM Type: 3931 Model: 704 A01 ---Debugger--- A debugger is not configured ---Steps to Reproduce---  1.) Install Ubuntu 22.04.1 onto your LPAR, VM guest or KVM guest 2.) Install opencryptoki via apt-get install -y opencryptoki 3.) run: pkcsconf -t     and watch the problem to occur   # pkcsconf -t   Error initializing the PKCS11 library: 0x5 (CKR_GENERAL_ERROR) 4.) export OPENCRYPTOKI_TRACE_LEVEL=4 5.) Run step 4 again 6.) ls -l /var/log/opencryptoki     The debug file contains the hit to the missing .conf file Userspace tool common name: pkcsconf The userspace tool has the following bit modes: 64bit Userspace rpm: opencryptoki Userspace tool obtained from project website: na *Additional Instructions for christian.rund@de.ibm.com: -Attach ltrace and strace of userspace application. == Comment: <ifranzki@de.ibm.com> - 2023-04-28 03:52:34 == That is somewhat strange. Opencryptoki 3.17 does NOT yet contain support for policies, at least not the upstream version. Policy support came only with 3.18. So I would not have expected that 3.17 has policy support at all. However, I don't know if the policy support was backported for/by Ubuntu to Ubuntu's opencryptoki 3.17? If that's the case, then I would assume that only policy support, but not support for statistics was backported (you can check if 'pkcsstats' is available with Ubuntu's 3.17). With just policy support (but not statistics), the 2 config files required for enabling policies (strength.conf and policy.conf) are intentionally not shipped and installed in /etc/opencryptoki, but it is the user's responsibility to provide both of them when enabling policies. 
Examples for both of these config files are provided in the documentation directory of the package: strength-example.conf and policy-example.conf.
With 3.18, statistics support was added, and with that, the strength.conf file was changed to be shipped and installed in /etc/opencryptoki, because the statistics support needs to know the strength definitions as well, independent of policies being enabled or not. So starting with 3.18, a user would only have to supply a policy.conf file to enable policies, if the provided strength configuration matches its need.
Please keep in mind, the provided strength.conf/strength-example.conf and policy-example.conf files are intentionally just examples! A user must adjust them to what its requirements on key strength and policy settings are. For example, the provided policy example config file 'policy-example.conf' contains the following:
  # Do not require any specific strength.
  # You probably do not want this!
  strength = 0
So this is something that the user must adjust in any case. Having a policy that requires a key strength of 0 bits simply means that all keys of all strength are allowed.
Please also see 'man policy.conf' and 'man strength.conf' for details.
Given above, I would tend to consider this BZ as 'works as designed', unless it turns out that the backport misses important things.

== Comment: <ifranzki@de.ibm.com> - 2023-04-28 03:59:08 ==
It only fails if the user has supplied a policy.conf file, but no strength.conf file.

== Comment: <Christian.Rund@de.ibm.com> - 2023-05-08 05:10:09 ==
Apparently the policy as well as statistics support shall be integrated into the opencryptoki library release shipped with Ubuntu 22.04 (jammy jellyfish). Please integrate a default strength.conf file. Thanks.
Refer also to the comment in LaunchPad LP1959419 : "Please note that with the patches on top of 3.17 a new strength.conf file is being installed into /etc/opencryptoki when doing 'make install'.
Make sure that you include this new file into your package so that it gets installed at the user systems. Without the strength.conf file opencryptoki won't work."

== Comment: <ifranzki@de.ibm.com> - 2023-05-08 06:14:46 ==
Note that strength.conf must be owned by root:pkcs11 and MUST (!) have a mode of 0640.

SRU Justification:
==================

[ Impact ]

 * Opencryptoki added policy support (after 3.17) with 3.18,
   which requires to have a strength.conf file in place.
 * Without the strength.conf file such newer opencryptoki version will not work.
 * And an error like this is shown, in case pkcsconf is going to be used:
   # pkcsconf -t
   Error initializing the PKCS11 library: 0x5 (CKR_GENERAL_ERROR)

[ Test Plan ]

 * An end-to-end scenario, that covers the following stack:

      Java program using crypto
                 |
        JCA (with IBM Java 8)
                 |
           IBMPKCS11Impl
                 |
            OpenCryptoki
              /      \
      ICA-token   soft-token ...
          |
   s390x_clear-key_crypto-hw

   can be based on a Java application that does
   AES encryption in ECB mode with a randomly generated key (DRBG-SHA-512)
   and exploiting JCA / IBMPKCS11Impl
   with opencryptoki managing clear keys,
   either with a soft-token or an ICA token.
 * The pkcsconf tool is here used to manage (initialize and re-label)
   the tokens before used by the Java application.
 * For the detailed steps and the Java application itself,
   please see https://launchpadlibrarian.net/673367325/example.txt

[ Where problems could occur ]

 * The strength.conf file might have wrong content
 * or is at a wrong file-system location
 * or strength.conf might have wrong file permissions,
   which is checked inside of the tool's code.
 * In all these cases pkcsconf will still not work even if the file is in place.

[ Other Info ]

 * The strength.conf file allows users to configure openCryptoki
   cryptographic key strength determination based on key attributes.
   And this file is required by openCryptoki.
   The strength configuration file has to be owned by 'root:@pkcs_group',
   have mode 0640, and be parsable. Otherwise, openCryptoki will return
   'CKR_FUNCTION_FAILED' on 'C_Initialize' and log a corresponding message
   to syslog detailing the reason why the strength configuration could
   not be used. (more see 'strength.conf' in man5)
 * To simplify the packaging d/opencryptoki.install now installs the
   entire content of the etc/opencryptoki build folder,
   especially to catch all conf files.
   This eventually also makes the arch-specific file
   d/opencryptoki.install.s390x obsolete.
 * Package opencryptoki has reverse dependencies:
   $ reverse-depends -a source src:opencryptoki
   Reverse-Build-Depends
   * simple-tpm-pk11 (for libopencryptoki-dev)
   * tpm-tools (for libopencryptoki-dev)
   These were rebuilt for test purposes, in addition to opencryptoki itself,
   and are available at PPA:
   https://launchpad.net/~fheimes/+archive/ubuntu/lp2018911
__________

---Problem Description---

Summary
=======
IBM z16 system LPAR
OS: "Ubuntu 22.04.1 LTS (Jammy Jellyfish)" on 5.15.0-69-generic kernel
    providing
    opencryptoki 3.17.0+dfsg+20220202.b40982e-0ubuntu1.1 s390x
The opencryptoki package is missing the strength.conf file

Details
=======
When attempting to build up no opencryptoki token is displayed. Further investigations revealed the problem is related to a missing configuration file which is not shipped/included by the opencryptoki package.
Run : dpkg -L opencryptoki and check the list of files for the /etc directory.
Further, enabled the opencryptoki debug messages to display why the tokens are not built up by 'export OPENCRYPTOKI_TRACE_LEVEL=4', then running pkcsconf -t. A log file is written to the /var/log/opencryptoki directory.
Mind to unset the trace var again.

Terminal output
===============
# cat /var/log/opencryptoki/trace.15928
04/27/2023 14:01:34 15928 [usr/lib/common/trace.c:210 api] INFO: **** OCK Trace level 4 activated for OCK version 3.17.0 ****
04/27/2023 14:01:34 15928 [usr/lib/api/api_interface.c:2875 api] INFO: C_Initialize
04/27/2023 14:01:34 15928 [usr/lib/api/policy.c:1666 api] ERROR: Failed to open /etc/opencryptoki/strength.conf: No such file or directory
04/27/2023 14:01:34 15928 [usr/lib/api/api_interface.c:3092 api] ERROR: Policy loading failed! rc=0x5
04/27/2023 14:01:34 15928 [usr/lib/api/api_interface.c:1656 api] INFO: C_Finalize
04/27/2023 14:01:34 15928 [usr/lib/api/api_interface.c:1658 api] ERROR: API not initialized

Contact Information = christian.rund@de.ibm.com

---uname output---
Linux sytem 5.15.0-69-generic #76-Ubuntu SMP Fri Mar 17 17:22:11 UTC 2023 s390x s390x s390x GNU/Linux

Machine Type = IBM Type: 3931 Model: 704 A01

---Debugger---
A debugger is not configured

---Steps to Reproduce---
1.) Install Ubuntu 22.04.1 onto your LPAR, VM guest or KVM guest
2.) Install opencryptoki via apt-get install -y opencryptoki
3.) run: pkcsconf -t
    and watch the problem to occur
    # pkcsconf -t
    Error initializing the PKCS11 library: 0x5 (CKR_GENERAL_ERROR)
4.) export OPENCRYPTOKI_TRACE_LEVEL=4
5.) Run step 4 again
6.) ls -l /var/log/opencryptoki
    The debug file contains the hit to the missing .conf file

Userspace tool common name: pkcsconf
The userspace tool has the following bit modes: 64bit
Userspace rpm: opencryptoki
Userspace tool obtained from project website: na

*Additional Instructions for christian.rund@de.ibm.com:
-Attach ltrace and strace of userspace application.

== Comment: <ifranzki@de.ibm.com> - 2023-04-28 03:52:34 ==
That is somewhat strange. Opencryptoki 3.17 does NOT yet contain support for policies, at least not the upstream version. Policy support came only with 3.18. So I would not have expected that 3.17 has policy support at all.
However, I don't know if the policy support was backported for/by Ubuntu to Ubuntu's opencryptoki 3.17? If that's the case, then I would assume that only policy support, but not support for statistics was backported (you can check if 'pkcsstats' is available with Ubuntu's 3.17).
With just policy support (but not statistics), the 2 config files required for enabling policies (strength.conf and policy.conf) are intentionally not shipped and installed in /etc/opencryptoki, but it is the user's responsibility to provide both of them when enabling policies. Examples for both of these config files are provided in the documentation directory of the package: strength-example.conf and policy-example.conf.
With 3.18, statistics support was added, and with that, the strength.conf file was changed to be shipped and installed in /etc/opencryptoki, because the statistics support needs to know the strength definitions as well, independent of policies being enabled or not. So starting with 3.18, a user would only have to supply a policy.conf file to enable policies, if the provided strength configuration matches its need.
Please keep in mind, the provided strength.conf/strength-example.conf and policy-example.conf files are intentionally just examples! A user must adjust them to what its requirements on key strength and policy settings are. For example, the provided policy example config file 'policy-example.conf' contains the following:
  # Do not require any specific strength.
  # You probably do not want this!
  strength = 0
So this is something that the user must adjust in any case. Having a policy that requires a key strength of 0 bits simply means that all keys of all strength are allowed.
Please also see 'man policy.conf' and 'man strength.conf' for details.
Given above, I would tend to consider this BZ as 'works as designed', unless it turns out that the backport misses important things.

== Comment: <ifranzki@de.ibm.com> - 2023-04-28 03:59:08 ==
It only fails if the user has supplied a policy.conf file, but no strength.conf file.

== Comment: <Christian.Rund@de.ibm.com> - 2023-05-08 05:10:09 ==
Apparently the policy as well as statistics support shall be integrated into the opencryptoki library release shipped with Ubuntu 22.04 (jammy jellyfish). Please integrate a default strength.conf file. Thanks.
Refer also to the comment in LaunchPad LP1959419 : "Please note that with the patches on top of 3.17 a new strength.conf file is being installed into /etc/opencryptoki when doing 'make install'. Make sure that you include this new file into your package so that it gets installed at the user systems. Without the strength.conf file opencryptoki won't work."

== Comment: <ifranzki@de.ibm.com> - 2023-05-08 06:14:46 ==
Note that strength.conf must be owned by root:pkcs11 and MUST (!) have a mode of 0640.
2023-06-23 22:25:41 Steve Langasek opencryptoki (Ubuntu Lunar): status In Progress Fix Committed
2023-06-23 22:25:42 Steve Langasek bug added subscriber Ubuntu Stable Release Updates Team
2023-06-23 22:25:50 Steve Langasek bug added subscriber SRU Verification
2023-06-23 22:25:53 Steve Langasek tags architecture-s39064 bugnameltc-202380 severity-medium targetmilestone-inin--- architecture-s39064 bugnameltc-202380 severity-medium targetmilestone-inin--- verification-needed verification-needed-lunar
2023-06-27 12:58:15 Frank Heimes tags architecture-s39064 bugnameltc-202380 severity-medium targetmilestone-inin--- verification-needed verification-needed-lunar architecture-s39064 bugnameltc-202380 severity-medium targetmilestone-inin--- verification-done-lunar verification-needed
2023-07-06 16:55:47 Launchpad Janitor opencryptoki (Ubuntu Lunar): status Fix Committed Fix Released
2023-07-06 16:55:55 Andreas Hasenack removed subscriber Ubuntu Stable Release Updates Team
2023-07-07 09:53:45 Frank Heimes opencryptoki (Ubuntu Jammy): status New In Progress
2023-07-07 09:53:48 Frank Heimes opencryptoki (Ubuntu Kinetic): status New In Progress
2023-07-07 20:02:33 Steve Langasek opencryptoki (Ubuntu Kinetic): status In Progress Fix Committed
2023-07-07 20:02:35 Steve Langasek bug added subscriber Ubuntu Stable Release Updates Team
2023-07-07 20:02:40 Steve Langasek tags architecture-s39064 bugnameltc-202380 severity-medium targetmilestone-inin--- verification-done-lunar verification-needed architecture-s39064 bugnameltc-202380 severity-medium targetmilestone-inin--- verification-done-lunar verification-needed verification-needed-kinetic
2023-07-10 09:10:35 bugproxy tags architecture-s39064 bugnameltc-202380 severity-medium targetmilestone-inin--- verification-done-lunar verification-needed verification-needed-kinetic architecture-s39064 bugnameltc-202380 severity-medium targetmilestone-inin2204 verification-done-lunar verification-needed verification-needed-kinetic
2023-07-10 13:16:29 Frank Heimes tags architecture-s39064 bugnameltc-202380 severity-medium targetmilestone-inin2204 verification-done-lunar verification-needed verification-needed-kinetic architecture-s39064 bugnameltc-202380 severity-medium targetmilestone-inin2204 verification-done-kinetic verification-done-lunar verification-needed
2023-07-20 11:42:16 Launchpad Janitor opencryptoki (Ubuntu Kinetic): status Fix Committed Fix Released
2023-07-21 20:04:13 Steve Langasek opencryptoki (Ubuntu Jammy): status In Progress Fix Committed
2023-07-21 20:04:18 Steve Langasek tags architecture-s39064 bugnameltc-202380 severity-medium targetmilestone-inin2204 verification-done-kinetic verification-done-lunar verification-needed architecture-s39064 bugnameltc-202380 severity-medium targetmilestone-inin2204 verification-done-kinetic verification-done-lunar verification-needed verification-needed-jammy
2023-07-24 12:26:16 Frank Heimes tags architecture-s39064 bugnameltc-202380 severity-medium targetmilestone-inin2204 verification-done-kinetic verification-done-lunar verification-needed verification-needed-jammy architecture-s39064 bugnameltc-202380 severity-medium targetmilestone-inin2204 verification-done verification-done-jammy verification-done-kinetic verification-done-lunar
2023-07-24 12:26:22 Frank Heimes ubuntu-z-systems: status In Progress Fix Committed
2023-08-03 09:53:10 Launchpad Janitor opencryptoki (Ubuntu Jammy): status Fix Committed Fix Released
2023-08-03 10:20:25 Frank Heimes ubuntu-z-systems: status Fix Committed Fix Released
2023-08-03 10:20:48 Frank Heimes opencryptoki (Ubuntu Mantic): assignee Skipper Bug Screeners (skipper-screen-team)