---Problem Description---
Summary
=======
IBM z16 system LPAR
OS: "Ubuntu 22.04.1 LTS (Jammy Jellyfish)" on 5.15.0-69-generic kernel
providing
opencryptoki 3.17.0+dfsg+20220202.b40982e-0ubuntu1.1 s390x
The opencryptoki package is missing the strength.conf file
Details
=======
When attempting to build up no opencryptoki token is displayed.
Further investigations revealed the problem is related to a missing configuration file which is not shipped/included by the opencryptoki package.
Run : dpkg -L opencryptoki and check the list of files for the /etc directory.
Furhter, enabled the opencryptoki debug messages to display why the tokens are not built up by 'export OPENCRYPTOKI_TRACE_LEVEL=4', then running pkcsconf -t. A log file is written to the /var/log/opencryptoki directory. Mind to unset the trace var again.
Terminal output
===============
# cat /var/log/opencryptoki/trace.15928
04/27/2023 14:01:34 15928 [usr/lib/common/trace.c:210 api] INFO: **** OCK Trace level 4 activated for OCK version 3.17.0 ****
04/27/2023 14:01:34 15928 [usr/lib/api/api_interface.c:2875 api] INFO: C_Initialize
04/27/2023 14:01:34 15928 [usr/lib/api/policy.c:1666 api] ERROR: Failed to open /etc/opencryptoki/strength.conf: No such file or directory
04/27/2023 14:01:34 15928 [usr/lib/api/api_interface.c:3092 api] ERROR: Policy loading failed! rc=0x5
04/27/2023 14:01:34 15928 [usr/lib/api/api_interface.c:1656 api] INFO: C_Finalize
04/27/2023 14:01:34 15928 [usr/lib/api/api_interface.c:1658 api] ERROR: API not initialized
Contact Information = <email address hidden>
---uname output---
Linux sytem 5.15.0-69-generic #76-Ubuntu SMP Fri Mar 17 17:22:11 UTC 2023 s390x s390x s390x GNU/Linux
Machine Type = IBM Type: 3931 Model: 704 A01
---Debugger---
A debugger is not configured
---Steps to Reproduce---
1.) Install Ubuntu 22.04.1 onto your LPAR, VM guest or KVM guest
2.) Install opencryptoki via apt-get install -y opencryptoki
3.) run: pkcsconf -t
and watch the problem to occur
# pkcsconf -t
Error initializing the PKCS11 library: 0x5 (CKR_GENERAL_ERROR)
4.) export OPENCRYPTOKI_TRACE_LEVEL=4
5.) Run step 4 again
6.) ls -l /var/log/opencryptoki
The debug file contains the hit to the missing .conf file
Userspace tool common name: pkcsconf
The userspace tool has the following bit modes: 64bit
Userspace rpm: opencryptoki
Userspace tool obtained from project website: na
*Additional Instructions for <email address hidden>:
-Attach ltrace and strace of userspace application.
== Comment: <email address hidden> - 2023-04-28 03:52:34 ==
That is somewhat strange. Opencryptoki 3.17 does NOT yet contain support for policies, at least not the upstream version. Policy support came only with 3.18.
So I would not have expected that 3.17 has policy support at all.
However, I don't know if the policy support was backported for/by Ubuntu to Ubuntu's opencryptoki 3.17?
If that's the case, then I would assume that only policy support, but not support for statistics was backported (you can check if 'pkcsstats' is available with Ubuntu's 3.17).
With just policy support (but not statistics), the 2 config files required for enabling policies (strength.cong and policy.conf) are intentionally not shipped and installed in /etc/opencryptoki, but it is the user's responsibility to provide both of them when enabling policies. Examples for both of these config files are provided in the documentation directory of the package: strength-example.conf and policy-example.conf.
With 3.18, statistics support was added, and with that, the strength.conf file was changed to be shipped and installed in /etc/opencryptoki, because the statistics support needs to know the strength definitions as well, independent of policies being enabled or not. So starting with 3.18, a user would only have to supply a policy.conf file to enable policies, if the provided strength configuration matches its need.
Please keep in mind, the provided strength.conf/strength-example.conf and policy-example.conf file are intentionally just examples! A user must adjust them to what its requirements on key strength and policy settings are. For example, the provided policy example config file 'policy-example.conf' contains the following:
# Do not require any specific strength.
# You probably do not want this!
strength = 0
So this is something that the user must adjust in any case. Having a policy that requires a key strength of 0 bits simply means that all keys of all strength are allowed.
Please also see 'man policy.conf' and 'man strength.conf' for details.
Given above, I would tent to consider this BZ as 'works as designed', unless it turns out that the backport misses important things.
== Comment: <email address hidden> - 2023-04-28 03:59:08 ==
It only fails if the user has supplied a policy.conf file, but no strength.conf file.
== Comment: <email address hidden> - 2023-05-08 05:10:09 ==
Apparently the policy as well as statistics support shall be integrated into the opencryptoki library release shipped with Ubuntu 22.04 (jammy jellyfish). Please integrate a default strength.conf file.
Thanks.
Refer also to the comment in LaunchPad LP1959419 :
"Please note that with the patches on top of 3.17 a new strength.conf file is being installed into /etc/opencryptoki when doing 'make install'. Make sure that you include this new file into your package so that it gets installed at the user systems. Without the strength.conf file opencryptoki won't work."
== Comment: <email address hidden> - 2023-05-08 06:14:46 ==
Note that strength.conf must be owned by root:pkcs11 and MUST (!) have a mode of 0640.
---Problem Description--- dfsg+20220202. b40982e- 0ubuntu1. 1 s390x
Summary
=======
IBM z16 system LPAR
OS: "Ubuntu 22.04.1 LTS (Jammy Jellyfish)" on 5.15.0-69-generic kernel
providing
opencryptoki 3.17.0+
The opencryptoki package is missing the strength.conf file
Details
=======
When attempting to build up no opencryptoki token is displayed.
Further investigations revealed the problem is related to a missing configuration file which is not shipped/included by the opencryptoki package.
Run : dpkg -L opencryptoki and check the list of files for the /etc directory.
Furhter, enabled the opencryptoki debug messages to display why the tokens are not built up by 'export OPENCRYPTOKI_ TRACE_LEVEL= 4', then running pkcsconf -t. A log file is written to the /var/log/ opencryptoki directory. Mind to unset the trace var again.
Terminal output opencryptoki/ trace.15928 common/ trace.c: 210 api] INFO: **** OCK Trace level 4 activated for OCK version 3.17.0 **** api/api_ interface. c:2875 api] INFO: C_Initialize api/policy. c:1666 api] ERROR: Failed to open /etc/opencrypto ki/strength. conf: No such file or directory api/api_ interface. c:3092 api] ERROR: Policy loading failed! rc=0x5 api/api_ interface. c:1656 api] INFO: C_Finalize api/api_ interface. c:1658 api] ERROR: API not initialized
===============
# cat /var/log/
04/27/2023 14:01:34 15928 [usr/lib/
04/27/2023 14:01:34 15928 [usr/lib/
04/27/2023 14:01:34 15928 [usr/lib/
04/27/2023 14:01:34 15928 [usr/lib/
04/27/2023 14:01:34 15928 [usr/lib/
04/27/2023 14:01:34 15928 [usr/lib/
Contact Information = <email address hidden>
---uname output---
Linux sytem 5.15.0-69-generic #76-Ubuntu SMP Fri Mar 17 17:22:11 UTC 2023 s390x s390x s390x GNU/Linux
Machine Type = IBM Type: 3931 Model: 704 A01
---Debugger---
A debugger is not configured
---Steps to Reproduce--- TRACE_LEVEL= 4 opencryptoki
1.) Install Ubuntu 22.04.1 onto your LPAR, VM guest or KVM guest
2.) Install opencryptoki via apt-get install -y opencryptoki
3.) run: pkcsconf -t
and watch the problem to occur
# pkcsconf -t
Error initializing the PKCS11 library: 0x5 (CKR_GENERAL_ERROR)
4.) export OPENCRYPTOKI_
5.) Run step 4 again
6.) ls -l /var/log/
The debug file contains the hit to the missing .conf file
Userspace tool common name: pkcsconf
The userspace tool has the following bit modes: 64bit
Userspace rpm: opencryptoki
Userspace tool obtained from project website: na
*Additional Instructions for <email address hidden>:
-Attach ltrace and strace of userspace application.
== Comment: <email address hidden> - 2023-04-28 03:52:34 ==
That is somewhat strange. Opencryptoki 3.17 does NOT yet contain support for policies, at least not the upstream version. Policy support came only with 3.18.
So I would not have expected that 3.17 has policy support at all.
However, I don't know if the policy support was backported for/by Ubuntu to Ubuntu's opencryptoki 3.17?
If that's the case, then I would assume that only policy support, but not support for statistics was backported (you can check if 'pkcsstats' is available with Ubuntu's 3.17).
With just policy support (but not statistics), the 2 config files required for enabling policies (strength.cong and policy.conf) are intentionally not shipped and installed in /etc/opencryptoki, but it is the user's responsibility to provide both of them when enabling policies. Examples for both of these config files are provided in the documentation directory of the package: strength- example. conf and policy- example. conf.
With 3.18, statistics support was added, and with that, the strength.conf file was changed to be shipped and installed in /etc/opencryptoki, because the statistics support needs to know the strength definitions as well, independent of policies being enabled or not. So starting with 3.18, a user would only have to supply a policy.conf file to enable policies, if the provided strength configuration matches its need.
Please keep in mind, the provided strength. conf/strength- example. conf and policy-example.conf file are intentionally just examples! A user must adjust them to what its requirements on key strength and policy settings are. For example, the provided policy example config file 'policy- example. conf' contains the following:
# Do not require any specific strength.
# You probably do not want this!
strength = 0
So this is something that the user must adjust in any case. Having a policy that requires a key strength of 0 bits simply means that all keys of all strength are allowed.
Please also see 'man policy.conf' and 'man strength.conf' for details.
Given above, I would tent to consider this BZ as 'works as designed', unless it turns out that the backport misses important things.
== Comment: <email address hidden> - 2023-04-28 03:59:08 ==
It only fails if the user has supplied a policy.conf file, but no strength.conf file.
== Comment: <email address hidden> - 2023-05-08 05:10:09 ==
Apparently the policy as well as statistics support shall be integrated into the opencryptoki library release shipped with Ubuntu 22.04 (jammy jellyfish). Please integrate a default strength.conf file.
Thanks.
Refer also to the comment in LaunchPad LP1959419 :
"Please note that with the patches on top of 3.17 a new strength.conf file is being installed into /etc/opencryptoki when doing 'make install'. Make sure that you include this new file into your package so that it gets installed at the user systems. Without the strength.conf file opencryptoki won't work."
== Comment: <email address hidden> - 2023-05-08 06:14:46 ==
Note that strength.conf must be owned by root:pkcs11 and MUST (!) have a mode of 0640.