2023-06-01 17:04:49 |
Frank Heimes |
bug |
|
|
added bug |
2023-06-01 17:05:05 |
Frank Heimes |
bug task added |
|
ubuntu-z-systems |
|
2023-06-01 17:05:10 |
Frank Heimes |
ubuntu-z-systems: importance |
Undecided |
High |
|
2023-06-01 17:23:41 |
Frank Heimes |
ubuntu-z-systems: assignee |
|
Skipper Bug Screeners (skipper-screen-team) |
|
2023-06-02 09:07:05 |
Frank Heimes |
opencryptoki (Ubuntu): status |
New |
In Progress |
|
2023-06-02 09:07:07 |
Frank Heimes |
ubuntu-z-systems: status |
New |
In Progress |
|
2023-06-02 09:38:05 |
Frank Heimes |
description |
After having the opencryptoki and libopencryptoki0 installed
dlopen with libopencryptoki.so is not able to find 'libopencryptoki.so':
# p11sak list-key all --slot 1 --pin <pin>
Error: failed to open pkcs11 lib 'libopencryptoki.so'
The 'opencryptoki-$(target_cpu).conf' file needs to be placed in '/etc/ld.so.conf.d/',
hat is generated by make, but was up to now explicitly removed before installing (in d/rules).
'opencryptoki-$(target_cpu).conf' contains lines like this:
/usr/lib/s390x-linux-gnu/opencryptoki
/usr/lib/s390x-linux-gnu/opencryptoki/stdll
'opencryptoki-$(target_cpu).conf' needs to be properly placed into '/etc/ld.so.conf.d/',
and ldconfig called (via d/triggers). |
SRU Justification:
==================
[ Impact ]
* Certain tools incl. in the opencryptoki package, like for example p11sak
are not able to find all needed shared objects.
* Hence they end up with an error like this:
p11sak list-key all --slot 1
Error: failed to open pkcs11 lib 'libopencryptoki.so'
* It is (and was) possible to point to the right shared objects
with the help of the PKCSLIB environment variable.
* This is however a bit inconvenient, and the upstream package
comes with a conf file for the dynamic linker
that should be placed into /etc/ld.so.conf.d
but wasn't as of today.
[ Test Plan ]
* Pretty straight forward test - install the packages
'opencryptoki' and 'libopencryptoki0' (the latter is pulled in automatically),
but do not install 'libopencryptoki-dev'.
* Without any further action try to execute pkcs11, like
p11sak list-key all --slot 1
* Without the fix one will face this error:
$ p11sak list-key all --slot 1
Error: failed to open pkcs11 lib 'libopencryptoki.so'
* With the updated package one will notice that p11sak will ask for the pin:
$ p11sak list-key all --slot 1
Please enter user PIN:
[ Where problems could occur ]
* There are no internal code changes, only modifications in the packaging.
* An issue could occur if the former way that worked is now broken
(means using the PKCSLIB environment variable), but this still works.
* Also the format of the conf file could be wrong or broken, so that
the dynamic linker is not able to read it and execute accordingly,
but this was checked during testing (incl. potential log msgs).
* Due to the modifications some files might need to be generated now
but are not properly packaged - but the build process would show this
('list-missing').
* Successful test builds were done for all Ubuntu releases down to focal
and are available here:
https://launchpad.net/~fheimes/+archive/ubuntu/lp2022088
* The test packages were not only tested by me (bug owner),
but also by IBM (https://bugs.launchpad.net/ubuntu/+source/opencryptoki/+bug/2003669/comments/12)
[ Other Info ]
* In addition the package was lifted to compat level 13,
since it makes several things easier and avoid having install and link
files executable.
This was not done for focal, since by default (means w/o backport packages)
only compat 12 is supported.
__________
After having the opencryptoki and libopencryptoki0 installed
dlopen with libopencryptoki.so is not able to find 'libopencryptoki.so':
# p11sak list-key all --slot 1 --pin <pin>
Error: failed to open pkcs11 lib 'libopencryptoki.so'
The 'opencryptoki-$(target_cpu).conf' file needs to be placed in '/etc/ld.so.conf.d/',
hat is generated by make, but was up to now explicitly removed before installing (in d/rules).
'opencryptoki-$(target_cpu).conf' contains lines like this:
/usr/lib/s390x-linux-gnu/opencryptoki
/usr/lib/s390x-linux-gnu/opencryptoki/stdll
'opencryptoki-$(target_cpu).conf' needs to be properly placed into '/etc/ld.so.conf.d/',
and ldconfig called (via d/triggers). |
|
2023-06-02 09:40:59 |
Frank Heimes |
description |
SRU Justification:
==================
[ Impact ]
* Certain tools incl. in the opencryptoki package, like for example p11sak
are not able to find all needed shared objects.
* Hence they end up with an error like this:
p11sak list-key all --slot 1
Error: failed to open pkcs11 lib 'libopencryptoki.so'
* It is (and was) possible to point to the right shared objects
with the help of the PKCSLIB environment variable.
* This is however a bit inconvenient, and the upstream package
comes with a conf file for the dynamic linker
that should be placed into /etc/ld.so.conf.d
but wasn't as of today.
[ Test Plan ]
* Pretty straight forward test - install the packages
'opencryptoki' and 'libopencryptoki0' (the latter is pulled in automatically),
but do not install 'libopencryptoki-dev'.
* Without any further action try to execute pkcs11, like
p11sak list-key all --slot 1
* Without the fix one will face this error:
$ p11sak list-key all --slot 1
Error: failed to open pkcs11 lib 'libopencryptoki.so'
* With the updated package one will notice that p11sak will ask for the pin:
$ p11sak list-key all --slot 1
Please enter user PIN:
[ Where problems could occur ]
* There are no internal code changes, only modifications in the packaging.
* An issue could occur if the former way that worked is now broken
(means using the PKCSLIB environment variable), but this still works.
* Also the format of the conf file could be wrong or broken, so that
the dynamic linker is not able to read it and execute accordingly,
but this was checked during testing (incl. potential log msgs).
* Due to the modifications some files might need to be generated now
but are not properly packaged - but the build process would show this
('list-missing').
* Successful test builds were done for all Ubuntu releases down to focal
and are available here:
https://launchpad.net/~fheimes/+archive/ubuntu/lp2022088
* The test packages were not only tested by me (bug owner),
but also by IBM (https://bugs.launchpad.net/ubuntu/+source/opencryptoki/+bug/2003669/comments/12)
[ Other Info ]
* In addition the package was lifted to compat level 13,
since it makes several things easier and avoid having install and link
files executable.
This was not done for focal, since by default (means w/o backport packages)
only compat 12 is supported.
__________
After having the opencryptoki and libopencryptoki0 installed
dlopen with libopencryptoki.so is not able to find 'libopencryptoki.so':
# p11sak list-key all --slot 1 --pin <pin>
Error: failed to open pkcs11 lib 'libopencryptoki.so'
The 'opencryptoki-$(target_cpu).conf' file needs to be placed in '/etc/ld.so.conf.d/',
hat is generated by make, but was up to now explicitly removed before installing (in d/rules).
'opencryptoki-$(target_cpu).conf' contains lines like this:
/usr/lib/s390x-linux-gnu/opencryptoki
/usr/lib/s390x-linux-gnu/opencryptoki/stdll
'opencryptoki-$(target_cpu).conf' needs to be properly placed into '/etc/ld.so.conf.d/',
and ldconfig called (via d/triggers). |
SRU Justification:
==================
[ Impact ]
* Certain tools incl. in the opencryptoki package, like for example p11sak
are not able to find all needed shared objects.
* Hence they end up with an error like this:
p11sak list-key all --slot 1
Error: failed to open pkcs11 lib 'libopencryptoki.so'
* It is (and was) possible to point to the right shared objects
with the help of the PKCSLIB environment variable.
* This is however a bit inconvenient, and the upstream package
comes with a conf file for the dynamic linker
that should be placed into /etc/ld.so.conf.d
but wasn't as of today.
[ Test Plan ]
* Pretty straight forward test - install the packages
'opencryptoki' and 'libopencryptoki0' (the latter is pulled in automatically),
but do not install 'libopencryptoki-dev'.
* Without any further action try to execute pkcs11, like
p11sak list-key all --slot 1
* Without the fix one will face this error:
$ p11sak list-key all --slot 1
Error: failed to open pkcs11 lib 'libopencryptoki.so'
* With the updated package one will notice that p11sak will ask for the pin:
$ p11sak list-key all --slot 1
Please enter user PIN:
[ Where problems could occur ]
* There are no internal code changes, only modifications in the packaging.
* An issue could occur if the former way that worked is now broken
(means using the PKCSLIB environment variable), but this still works.
* Also the format of the conf file could be wrong or broken, so that
the dynamic linker is not able to read it and execute accordingly,
but this was checked during testing (incl. potential log msgs).
* Due to the modifications some files might need to be generated now
but are not properly packaged - but the build process would show this
('list-missing').
* Successful test builds were done for all Ubuntu releases down to focal
and are available here:
https://launchpad.net/~fheimes/+archive/ubuntu/lp2022088
* The test packages were not only tested by me (bug owner) (https://bugs.launchpad.net/ubuntu/+source/opencryptoki/+bug/2003669/comments/8)
but also by IBM (https://bugs.launchpad.net/ubuntu/+source/opencryptoki/+bug/2003669/comments/12)
* The testing is listed at LP#2003669, since the discussion about this
issue started based on the LP#2003669 validation.
[ Other Info ]
* In addition the package was lifted to compat level 13,
since it makes several things easier and avoid having install and link
files executable.
This was not done for focal, since by default (means w/o backport packages)
only compat 12 is supported.
__________
After having the opencryptoki and libopencryptoki0 installed
dlopen with libopencryptoki.so is not able to find 'libopencryptoki.so':
# p11sak list-key all --slot 1 --pin <pin>
Error: failed to open pkcs11 lib 'libopencryptoki.so'
The 'opencryptoki-$(target_cpu).conf' file needs to be placed in '/etc/ld.so.conf.d/',
hat is generated by make, but was up to now explicitly removed before installing (in d/rules).
'opencryptoki-$(target_cpu).conf' contains lines like this:
/usr/lib/s390x-linux-gnu/opencryptoki
/usr/lib/s390x-linux-gnu/opencryptoki/stdll
'opencryptoki-$(target_cpu).conf' needs to be properly placed into '/etc/ld.so.conf.d/',
and ldconfig called (via d/triggers). |
|
2023-06-02 09:44:20 |
Frank Heimes |
nominated for series |
|
Ubuntu Kinetic |
|
2023-06-02 09:44:20 |
Frank Heimes |
bug task added |
|
opencryptoki (Ubuntu Kinetic) |
|
2023-06-02 09:44:20 |
Frank Heimes |
nominated for series |
|
Ubuntu Focal |
|
2023-06-02 09:44:20 |
Frank Heimes |
bug task added |
|
opencryptoki (Ubuntu Focal) |
|
2023-06-02 09:44:20 |
Frank Heimes |
nominated for series |
|
Ubuntu Mantic |
|
2023-06-02 09:44:20 |
Frank Heimes |
bug task added |
|
opencryptoki (Ubuntu Mantic) |
|
2023-06-02 09:44:20 |
Frank Heimes |
nominated for series |
|
Ubuntu Jammy |
|
2023-06-02 09:44:20 |
Frank Heimes |
bug task added |
|
opencryptoki (Ubuntu Jammy) |
|
2023-06-02 09:44:20 |
Frank Heimes |
nominated for series |
|
Ubuntu Lunar |
|
2023-06-02 09:44:20 |
Frank Heimes |
bug task added |
|
opencryptoki (Ubuntu Lunar) |
|
2023-06-05 00:13:25 |
Launchpad Janitor |
opencryptoki (Ubuntu Mantic): status |
In Progress |
Fix Released |
|
2023-06-05 08:32:29 |
Frank Heimes |
description |
SRU Justification:
==================
[ Impact ]
* Certain tools incl. in the opencryptoki package, like for example p11sak
are not able to find all needed shared objects.
* Hence they end up with an error like this:
p11sak list-key all --slot 1
Error: failed to open pkcs11 lib 'libopencryptoki.so'
* It is (and was) possible to point to the right shared objects
with the help of the PKCSLIB environment variable.
* This is however a bit inconvenient, and the upstream package
comes with a conf file for the dynamic linker
that should be placed into /etc/ld.so.conf.d
but wasn't as of today.
[ Test Plan ]
* Pretty straight forward test - install the packages
'opencryptoki' and 'libopencryptoki0' (the latter is pulled in automatically),
but do not install 'libopencryptoki-dev'.
* Without any further action try to execute pkcs11, like
p11sak list-key all --slot 1
* Without the fix one will face this error:
$ p11sak list-key all --slot 1
Error: failed to open pkcs11 lib 'libopencryptoki.so'
* With the updated package one will notice that p11sak will ask for the pin:
$ p11sak list-key all --slot 1
Please enter user PIN:
[ Where problems could occur ]
* There are no internal code changes, only modifications in the packaging.
* An issue could occur if the former way that worked is now broken
(means using the PKCSLIB environment variable), but this still works.
* Also the format of the conf file could be wrong or broken, so that
the dynamic linker is not able to read it and execute accordingly,
but this was checked during testing (incl. potential log msgs).
* Due to the modifications some files might need to be generated now
but are not properly packaged - but the build process would show this
('list-missing').
* Successful test builds were done for all Ubuntu releases down to focal
and are available here:
https://launchpad.net/~fheimes/+archive/ubuntu/lp2022088
* The test packages were not only tested by me (bug owner) (https://bugs.launchpad.net/ubuntu/+source/opencryptoki/+bug/2003669/comments/8)
but also by IBM (https://bugs.launchpad.net/ubuntu/+source/opencryptoki/+bug/2003669/comments/12)
* The testing is listed at LP#2003669, since the discussion about this
issue started based on the LP#2003669 validation.
[ Other Info ]
* In addition the package was lifted to compat level 13,
since it makes several things easier and avoid having install and link
files executable.
This was not done for focal, since by default (means w/o backport packages)
only compat 12 is supported.
__________
After having the opencryptoki and libopencryptoki0 installed
dlopen with libopencryptoki.so is not able to find 'libopencryptoki.so':
# p11sak list-key all --slot 1 --pin <pin>
Error: failed to open pkcs11 lib 'libopencryptoki.so'
The 'opencryptoki-$(target_cpu).conf' file needs to be placed in '/etc/ld.so.conf.d/',
hat is generated by make, but was up to now explicitly removed before installing (in d/rules).
'opencryptoki-$(target_cpu).conf' contains lines like this:
/usr/lib/s390x-linux-gnu/opencryptoki
/usr/lib/s390x-linux-gnu/opencryptoki/stdll
'opencryptoki-$(target_cpu).conf' needs to be properly placed into '/etc/ld.so.conf.d/',
and ldconfig called (via d/triggers). |
SRU Justification:
==================
[ Impact ]
* Certain tools incl. in the opencryptoki package, like for example p11sak
are not able to find all needed shared objects.
* Hence they end up with an error like this:
p11sak list-key all --slot 1
Error: failed to open pkcs11 lib 'libopencryptoki.so'
* It is (and was) possible to point to the right shared objects
with the help of the PKCSLIB environment variable.
* This is however a bit inconvenient, and the upstream package
comes with a conf file for the dynamic linker
that should be placed into /etc/ld.so.conf.d
but wasn't as of today.
[ Test Plan ]
* Pretty straight forward test - install the packages
'opencryptoki' and 'libopencryptoki0' (the latter is pulled in automatically),
but do not install 'libopencryptoki-dev'.
* Without any further action try to execute pkcs11, like
p11sak list-key all --slot 1
* Without the fix one will face this error:
$ p11sak list-key all --slot 1
Error: failed to open pkcs11 lib 'libopencryptoki.so'
* With the updated package one will notice that p11sak will ask for the pin:
$ p11sak list-key all --slot 1
Please enter user PIN:
[ Where problems could occur ]
* There are no internal code changes, only modifications in the packaging.
* An issue could occur if the former way that worked is now broken
(means using the PKCSLIB environment variable), but this still works.
* Also the format of the conf file could be wrong or broken, so that
the dynamic linker is not able to read it and execute accordingly,
but this was checked during testing (incl. potential log msgs).
* Due to the modifications some files might need to be generated now
but are not properly packaged - but the build process would show this
('list-missing').
* Successful test builds were done for all Ubuntu releases down to focal
and are available here:
https://launchpad.net/~fheimes/+archive/ubuntu/lp2022088
* The test packages were not only tested by me (bug owner) (https://bugs.launchpad.net/ubuntu/+source/opencryptoki/+bug/2003669/comments/8)
but also by IBM (https://bugs.launchpad.net/ubuntu/+source/opencryptoki/+bug/2003669/comments/12)
* The testing is listed at LP#2003669, since the discussion about this
issue started based on the LP#2003669 validation.
[ Other Info ]
* In addition the package was lifted to compat level 13,
since it makes several things easier and avoid having install and link
files executable.
This was not done for focal, since by default (means w/o backport packages)
only compat 12 is supported.
* Package opencryptoki has reverse dependencies:
$ reverse-depends -a source src:opencryptoki
Reverse-Build-Depends
* simple-tpm-pk11 (for libopencryptoki-dev)
* tpm-tools (for libopencryptoki-dev)
These were rebuild for test purposes, in addition to opencryptoki itself,
and are available at PPA:
https://launchpad.net/~fheimes/+archive/ubuntu/lp2018911
__________
After having the opencryptoki and libopencryptoki0 installed
dlopen with libopencryptoki.so is not able to find 'libopencryptoki.so':
# p11sak list-key all --slot 1 --pin <pin>
Error: failed to open pkcs11 lib 'libopencryptoki.so'
The 'opencryptoki-$(target_cpu).conf' file needs to be placed in '/etc/ld.so.conf.d/',
hat is generated by make, but was up to now explicitly removed before installing (in d/rules).
'opencryptoki-$(target_cpu).conf' contains lines like this:
/usr/lib/s390x-linux-gnu/opencryptoki
/usr/lib/s390x-linux-gnu/opencryptoki/stdll
'opencryptoki-$(target_cpu).conf' needs to be properly placed into '/etc/ld.so.conf.d/',
and ldconfig called (via d/triggers). |
|
2023-06-05 15:20:12 |
Frank Heimes |
opencryptoki (Ubuntu Lunar): status |
New |
In Progress |
|
2023-06-07 16:36:16 |
Frank Heimes |
description |
SRU Justification:
==================
[ Impact ]
* Certain tools incl. in the opencryptoki package, like for example p11sak
are not able to find all needed shared objects.
* Hence they end up with an error like this:
p11sak list-key all --slot 1
Error: failed to open pkcs11 lib 'libopencryptoki.so'
* It is (and was) possible to point to the right shared objects
with the help of the PKCSLIB environment variable.
* This is however a bit inconvenient, and the upstream package
comes with a conf file for the dynamic linker
that should be placed into /etc/ld.so.conf.d
but wasn't as of today.
[ Test Plan ]
* Pretty straight forward test - install the packages
'opencryptoki' and 'libopencryptoki0' (the latter is pulled in automatically),
but do not install 'libopencryptoki-dev'.
* Without any further action try to execute pkcs11, like
p11sak list-key all --slot 1
* Without the fix one will face this error:
$ p11sak list-key all --slot 1
Error: failed to open pkcs11 lib 'libopencryptoki.so'
* With the updated package one will notice that p11sak will ask for the pin:
$ p11sak list-key all --slot 1
Please enter user PIN:
[ Where problems could occur ]
* There are no internal code changes, only modifications in the packaging.
* An issue could occur if the former way that worked is now broken
(means using the PKCSLIB environment variable), but this still works.
* Also the format of the conf file could be wrong or broken, so that
the dynamic linker is not able to read it and execute accordingly,
but this was checked during testing (incl. potential log msgs).
* Due to the modifications some files might need to be generated now
but are not properly packaged - but the build process would show this
('list-missing').
* Successful test builds were done for all Ubuntu releases down to focal
and are available here:
https://launchpad.net/~fheimes/+archive/ubuntu/lp2022088
* The test packages were not only tested by me (bug owner) (https://bugs.launchpad.net/ubuntu/+source/opencryptoki/+bug/2003669/comments/8)
but also by IBM (https://bugs.launchpad.net/ubuntu/+source/opencryptoki/+bug/2003669/comments/12)
* The testing is listed at LP#2003669, since the discussion about this
issue started based on the LP#2003669 validation.
[ Other Info ]
* In addition the package was lifted to compat level 13,
since it makes several things easier and avoid having install and link
files executable.
This was not done for focal, since by default (means w/o backport packages)
only compat 12 is supported.
* Package opencryptoki has reverse dependencies:
$ reverse-depends -a source src:opencryptoki
Reverse-Build-Depends
* simple-tpm-pk11 (for libopencryptoki-dev)
* tpm-tools (for libopencryptoki-dev)
These were rebuild for test purposes, in addition to opencryptoki itself,
and are available at PPA:
https://launchpad.net/~fheimes/+archive/ubuntu/lp2018911
__________
After having the opencryptoki and libopencryptoki0 installed
dlopen with libopencryptoki.so is not able to find 'libopencryptoki.so':
# p11sak list-key all --slot 1 --pin <pin>
Error: failed to open pkcs11 lib 'libopencryptoki.so'
The 'opencryptoki-$(target_cpu).conf' file needs to be placed in '/etc/ld.so.conf.d/',
hat is generated by make, but was up to now explicitly removed before installing (in d/rules).
'opencryptoki-$(target_cpu).conf' contains lines like this:
/usr/lib/s390x-linux-gnu/opencryptoki
/usr/lib/s390x-linux-gnu/opencryptoki/stdll
'opencryptoki-$(target_cpu).conf' needs to be properly placed into '/etc/ld.so.conf.d/',
and ldconfig called (via d/triggers). |
SRU Justification:
==================
[ Impact ]
* OpenCryptoki implements the PKCS#11 standard (a public-key crypto standard),
as released by RSA Labs.
It provides an interface to an/the underlying crypto token infrastructure,
and that infrastructure can be an implementation in sw or in hw or mixed.
Crypto tokens are special tokens where the secret is a crypto key.
* The OpenCryptoki package contains several tools and daemons to work
with such crypto tokens, like pkcsslotd, pkcsconf or p11sak
(all with their own man pages).
* Now p11sak is a tools that allows to manipulate tokens
(and their keys) in a token repository
Tt can generate, list and remove them.
* The simplest way to use p11sak is to list (token) keys,
but even this fails here, because p11sak is not able to find
all needed shared objects, esp. 'libopencryptoki.so'.
* Hence an error like this happens:
p11sak list-key all --slot 1
Error: failed to open pkcs11 lib 'libopencryptoki.so'
* It is (and was) possible to point to the right shared objects
with the help of the PKCSLIB environment variable.
* This is however a bit inconvenient, and the upstream package
comes with a conf file for the dynamic linker
that should be placed into /etc/ld.so.conf.d
but wasn't as of today.
[ Test Plan ]
* Have an Ubuntu (server) system setup.
* Install packages 'opencryptoki' and 'libopencryptoki0'
(the latter is pulled in automatically),
but do not install 'libopencryptoki-dev'.
* For an initial test, one can just call p11sak right a way,
with it's list-key argument for slot 1, like:
p11sak list-key all --slot 1
to verify if the shard object can be found or not.
* Without the fix one will face this error:
$ p11sak list-key all --slot 1
Error: failed to open pkcs11 lib 'libopencryptoki.so'
* With the updated package one will notice that p11sak will ask for the pin:
$ p11sak list-key all --slot 1
Please enter user PIN:
* Further test could also incl. the generation and removal of a key.
[ Where problems could occur ]
* There are no internal code changes, only modifications in the packaging.
* An issue could occur if the former way that worked is now broken
(means using the PKCSLIB environment variable), but this still works.
* Also the format of the conf file could be wrong or broken, so that
the dynamic linker is not able to read it and execute accordingly,
but this was checked during testing (incl. potential log msgs).
* Due to the modifications some files might need to be generated now
but are not properly packaged - but the build process would show this
('list-missing').
* Successful test builds were done for all Ubuntu releases down to focal
and are available here:
https://launchpad.net/~fheimes/+archive/ubuntu/lp2022088
* The test packages were not only tested by me (bug owner) (https://bugs.launchpad.net/ubuntu/+source/opencryptoki/+bug/2003669/comments/8)
but also by IBM (https://bugs.launchpad.net/ubuntu/+source/opencryptoki/+bug/2003669/comments/12)
* The testing is listed at LP#2003669, since the discussion about this
issue started based on the LP#2003669 validation.
[ Other Info ]
* In addition the package was lifted to compat level 13,
since it makes several things easier and avoid having install and link
files executable.
This was not done for focal, since by default (means w/o backport packages)
only compat 12 is supported.
* Package opencryptoki has reverse dependencies:
$ reverse-depends -a source src:opencryptoki
Reverse-Build-Depends
* simple-tpm-pk11 (for libopencryptoki-dev)
* tpm-tools (for libopencryptoki-dev)
These were rebuild for test purposes, in addition to opencryptoki itself,
and are available at PPA:
https://launchpad.net/~fheimes/+archive/ubuntu/lp2018911
__________
After having the opencryptoki and libopencryptoki0 installed
dlopen with libopencryptoki.so is not able to find 'libopencryptoki.so':
# p11sak list-key all --slot 1 --pin <pin>
Error: failed to open pkcs11 lib 'libopencryptoki.so'
The 'opencryptoki-$(target_cpu).conf' file needs to be placed in '/etc/ld.so.conf.d/',
hat is generated by make, but was up to now explicitly removed before installing (in d/rules).
'opencryptoki-$(target_cpu).conf' contains lines like this:
/usr/lib/s390x-linux-gnu/opencryptoki
/usr/lib/s390x-linux-gnu/opencryptoki/stdll
'opencryptoki-$(target_cpu).conf' needs to be properly placed into '/etc/ld.so.conf.d/',
and ldconfig called (via d/triggers). |
|
2023-06-09 18:58:26 |
Steve Langasek |
opencryptoki (Ubuntu Lunar): status |
In Progress |
Incomplete |
|
2023-06-12 12:35:44 |
Frank Heimes |
attachment added |
|
debdiff_opencryptoki_3.20.0+dfsg-0ubuntu1_to_3.20.0+dfsg-0ubuntu1.1.diff https://bugs.launchpad.net/ubuntu/+source/opencryptoki/+bug/2022088/+attachment/5679320/+files/debdiff_opencryptoki_3.20.0+dfsg-0ubuntu1_to_3.20.0+dfsg-0ubuntu1.1.diff |
|
2023-06-12 12:40:26 |
Frank Heimes |
description |
SRU Justification:
==================
[ Impact ]
* OpenCryptoki implements the PKCS#11 standard (a public-key crypto standard),
as released by RSA Labs.
It provides an interface to an/the underlying crypto token infrastructure,
and that infrastructure can be an implementation in sw or in hw or mixed.
Crypto tokens are special tokens where the secret is a crypto key.
* The OpenCryptoki package contains several tools and daemons to work
with such crypto tokens, like pkcsslotd, pkcsconf or p11sak
(all with their own man pages).
* Now p11sak is a tools that allows to manipulate tokens
(and their keys) in a token repository
Tt can generate, list and remove them.
* The simplest way to use p11sak is to list (token) keys,
but even this fails here, because p11sak is not able to find
all needed shared objects, esp. 'libopencryptoki.so'.
* Hence an error like this happens:
p11sak list-key all --slot 1
Error: failed to open pkcs11 lib 'libopencryptoki.so'
* It is (and was) possible to point to the right shared objects
with the help of the PKCSLIB environment variable.
* This is however a bit inconvenient, and the upstream package
comes with a conf file for the dynamic linker
that should be placed into /etc/ld.so.conf.d
but wasn't as of today.
[ Test Plan ]
* Have an Ubuntu (server) system setup.
* Install packages 'opencryptoki' and 'libopencryptoki0'
(the latter is pulled in automatically),
but do not install 'libopencryptoki-dev'.
* For an initial test, one can just call p11sak right a way,
with it's list-key argument for slot 1, like:
p11sak list-key all --slot 1
to verify if the shard object can be found or not.
* Without the fix one will face this error:
$ p11sak list-key all --slot 1
Error: failed to open pkcs11 lib 'libopencryptoki.so'
* With the updated package one will notice that p11sak will ask for the pin:
$ p11sak list-key all --slot 1
Please enter user PIN:
* Further test could also incl. the generation and removal of a key.
[ Where problems could occur ]
* There are no internal code changes, only modifications in the packaging.
* An issue could occur if the former way that worked is now broken
(means using the PKCSLIB environment variable), but this still works.
* Also the format of the conf file could be wrong or broken, so that
the dynamic linker is not able to read it and execute accordingly,
but this was checked during testing (incl. potential log msgs).
* Due to the modifications some files might need to be generated now
but are not properly packaged - but the build process would show this
('list-missing').
* Successful test builds were done for all Ubuntu releases down to focal
and are available here:
https://launchpad.net/~fheimes/+archive/ubuntu/lp2022088
* The test packages were not only tested by me (bug owner) (https://bugs.launchpad.net/ubuntu/+source/opencryptoki/+bug/2003669/comments/8)
but also by IBM (https://bugs.launchpad.net/ubuntu/+source/opencryptoki/+bug/2003669/comments/12)
* The testing is listed at LP#2003669, since the discussion about this
issue started based on the LP#2003669 validation.
[ Other Info ]
* In addition the package was lifted to compat level 13,
since it makes several things easier and avoid having install and link
files executable.
This was not done for focal, since by default (means w/o backport packages)
only compat 12 is supported.
* Package opencryptoki has reverse dependencies:
$ reverse-depends -a source src:opencryptoki
Reverse-Build-Depends
* simple-tpm-pk11 (for libopencryptoki-dev)
* tpm-tools (for libopencryptoki-dev)
These were rebuild for test purposes, in addition to opencryptoki itself,
and are available at PPA:
https://launchpad.net/~fheimes/+archive/ubuntu/lp2018911
__________
After having the opencryptoki and libopencryptoki0 installed
dlopen with libopencryptoki.so is not able to find 'libopencryptoki.so':
# p11sak list-key all --slot 1 --pin <pin>
Error: failed to open pkcs11 lib 'libopencryptoki.so'
The 'opencryptoki-$(target_cpu).conf' file needs to be placed in '/etc/ld.so.conf.d/',
hat is generated by make, but was up to now explicitly removed before installing (in d/rules).
'opencryptoki-$(target_cpu).conf' contains lines like this:
/usr/lib/s390x-linux-gnu/opencryptoki
/usr/lib/s390x-linux-gnu/opencryptoki/stdll
'opencryptoki-$(target_cpu).conf' needs to be properly placed into '/etc/ld.so.conf.d/',
and ldconfig called (via d/triggers). |
SRU Justification:
==================
[ Impact ]
* OpenCryptoki implements the PKCS#11 standard (a public-key crypto standard),
as released by RSA Labs.
It provides an interface to an/the underlying crypto token infrastructure,
and that infrastructure can be an implementation in sw or in hw or mixed.
Crypto tokens are special tokens where the secret is a crypto key.
* The OpenCryptoki package contains several tools and daemons to work
with such crypto tokens, like pkcsslotd, pkcsconf or p11sak
(all with their own man pages).
* Now p11sak is a tools that allows to manipulate tokens
(and their keys) in a token repository
Tt can generate, list and remove them.
* The simplest way to use p11sak is to list (token) keys,
but even this fails here, because p11sak is not able to find
all needed shared objects, esp. 'libopencryptoki.so'.
* Hence an error like this happens:
p11sak list-key all --slot 1
Error: failed to open pkcs11 lib 'libopencryptoki.so'
* It is (and was) possible to point to the right shared objects
with the help of the PKCSLIB environment variable.
* This is however a bit inconvenient, and the upstream package
comes with a conf file for the dynamic linker, but this
is not the right way to do so in a Debian-based environment,
instead 'default_pkcs11lib' (in the p11sak code)
should be directly adjusted (see comments #4 to #7 below).
[ Test Plan ]
* Have an Ubuntu (server) system setup.
* Install packages 'opencryptoki' and 'libopencryptoki0'
(the latter is pulled in automatically),
but do not install 'libopencryptoki-dev'.
* For an initial test, one can just call p11sak right a way,
with it's list-key argument for slot 1, like:
p11sak list-key all --slot 1
to verify if the shard object can be found or not.
* Without the fix one will face this error:
$ p11sak list-key all --slot 1
Error: failed to open pkcs11 lib 'libopencryptoki.so'
* With the updated package one will notice that p11sak will ask for the pin:
$ p11sak list-key all --slot 1
Please enter user PIN:
* Further test could also incl. the generation and removal of a key.
[ Where problems could occur ]
* There are no internal code changes, only modifications in the packaging.
* An issue could occur if the former way that worked is now broken
(means using the PKCSLIB environment variable), but this still works.
* Successful test build are created at:
https://launchpad.net/~fheimes/+archive/ubuntu/lp2022088
[ Other Info ]
* Package opencryptoki has reverse dependencies:
$ reverse-depends -a source src:opencryptoki
Reverse-Build-Depends
* simple-tpm-pk11 (for libopencryptoki-dev)
* tpm-tools (for libopencryptoki-dev)
These were rebuild for test purposes, in addition to opencryptoki itself,
and are available at PPA:
https://launchpad.net/~fheimes/+archive/ubuntu/lp2018911
__________
After having the opencryptoki and libopencryptoki0 installed
dlopen with libopencryptoki.so is not able to find 'libopencryptoki.so':
# p11sak list-key all --slot 1 --pin <pin>
Error: failed to open pkcs11 lib 'libopencryptoki.so'
The 'opencryptoki-$(target_cpu).conf' file needs to be placed in '/etc/ld.so.conf.d/',
hat is generated by make, but was up to now explicitly removed before installing (in d/rules).
'opencryptoki-$(target_cpu).conf' contains lines like this:
/usr/lib/s390x-linux-gnu/opencryptoki
/usr/lib/s390x-linux-gnu/opencryptoki/stdll
'opencryptoki-$(target_cpu).conf' needs to be properly placed into '/etc/ld.so.conf.d/',
and ldconfig called (via d/triggers). |
|
2023-06-12 15:29:30 |
Frank Heimes |
opencryptoki (Ubuntu Lunar): status |
Incomplete |
In Progress |
|
2023-06-21 14:39:29 |
Frank Heimes |
description |
SRU Justification:
==================
[ Impact ]
* OpenCryptoki implements the PKCS#11 standard (a public-key crypto standard),
as released by RSA Labs.
It provides an interface to an/the underlying crypto token infrastructure,
and that infrastructure can be an implementation in sw or in hw or mixed.
Crypto tokens are special tokens where the secret is a crypto key.
* The OpenCryptoki package contains several tools and daemons to work
with such crypto tokens, like pkcsslotd, pkcsconf or p11sak
(all with their own man pages).
* Now p11sak is a tools that allows to manipulate tokens
(and their keys) in a token repository
Tt can generate, list and remove them.
* The simplest way to use p11sak is to list (token) keys,
but even this fails here, because p11sak is not able to find
all needed shared objects, esp. 'libopencryptoki.so'.
* Hence an error like this happens:
p11sak list-key all --slot 1
Error: failed to open pkcs11 lib 'libopencryptoki.so'
* It is (and was) possible to point to the right shared objects
with the help of the PKCSLIB environment variable.
* This is however a bit inconvenient, and the upstream package
comes with a conf file for the dynamic linker, but this
is not the right way to do so in a Debian-based environment,
instead 'default_pkcs11lib' (in the p11sak code)
should be directly adjusted (see comments #4 to #7 below).
[ Test Plan ]
* Have an Ubuntu (server) system setup.
* Install packages 'opencryptoki' and 'libopencryptoki0'
(the latter is pulled in automatically),
but do not install 'libopencryptoki-dev'.
* For an initial test, one can just call p11sak right a way,
with it's list-key argument for slot 1, like:
p11sak list-key all --slot 1
to verify if the shard object can be found or not.
* Without the fix one will face this error:
$ p11sak list-key all --slot 1
Error: failed to open pkcs11 lib 'libopencryptoki.so'
* With the updated package one will notice that p11sak will ask for the pin:
$ p11sak list-key all --slot 1
Please enter user PIN:
* Further test could also incl. the generation and removal of a key.
[ Where problems could occur ]
* There are no internal code changes, only modifications in the packaging.
* An issue could occur if the former way that worked is now broken
(means using the PKCSLIB environment variable), but this still works.
* Successful test build are created at:
https://launchpad.net/~fheimes/+archive/ubuntu/lp2022088
[ Other Info ]
* Package opencryptoki has reverse dependencies:
$ reverse-depends -a source src:opencryptoki
Reverse-Build-Depends
* simple-tpm-pk11 (for libopencryptoki-dev)
* tpm-tools (for libopencryptoki-dev)
These were rebuild for test purposes, in addition to opencryptoki itself,
and are available at PPA:
https://launchpad.net/~fheimes/+archive/ubuntu/lp2018911
__________
After having the opencryptoki and libopencryptoki0 installed
dlopen with libopencryptoki.so is not able to find 'libopencryptoki.so':
# p11sak list-key all --slot 1 --pin <pin>
Error: failed to open pkcs11 lib 'libopencryptoki.so'
The 'opencryptoki-$(target_cpu).conf' file needs to be placed in '/etc/ld.so.conf.d/',
hat is generated by make, but was up to now explicitly removed before installing (in d/rules).
'opencryptoki-$(target_cpu).conf' contains lines like this:
/usr/lib/s390x-linux-gnu/opencryptoki
/usr/lib/s390x-linux-gnu/opencryptoki/stdll
'opencryptoki-$(target_cpu).conf' needs to be properly placed into '/etc/ld.so.conf.d/',
and ldconfig called (via d/triggers). |
SRU Justification:
==================
[ Impact ]
* OpenCryptoki implements the PKCS#11 standard (a public-key crypto standard),
as released by RSA Labs.
It provides an interface to an/the underlying crypto token infrastructure,
and that infrastructure can be an implementation in sw or in hw or mixed.
Crypto tokens are special tokens where the secret is a crypto key.
* The OpenCryptoki package contains several tools and daemons to work
with such crypto tokens, like pkcsslotd, pkcsconf or p11sak
(all with their own man pages).
* Now p11sak is a tools that allows to manipulate tokens
(and their keys) in a token repository
Tt can generate, list and remove them.
* The simplest way to use p11sak is to list (token) keys,
but even this fails here, because p11sak is not able to find
all needed shared objects, esp. 'libopencryptoki.so'.
* Hence an error like this happens:
p11sak list-key all --slot 1
Error: failed to open pkcs11 lib 'libopencryptoki.so'
* It is (and was) possible to point to the right shared objects
with the help of the PKCSLIB environment variable.
* This is however a bit inconvenient, and the upstream package
comes with a conf file for the dynamic linker, but this
is not the right way to do so in a Debian-based environment,
instead 'default_pkcs11lib' (in the p11sak code)
should be directly adjusted (see comments #4 to #7 below).
[ Test Plan ]
* Have an Ubuntu (server) system setup.
* Install packages 'opencryptoki' and 'libopencryptoki0'
(the latter is pulled in automatically),
but do not install 'libopencryptoki-dev'.
* For an initial test, one can just call p11sak right a way,
with it's list-key argument for slot 1, like:
p11sak list-key all --slot 1
to verify if the shard object can be found or not.
* Without the fix one will face this error:
$ p11sak list-key all --slot 1
Error: failed to open pkcs11 lib 'libopencryptoki.so'
* With the updated package one will notice that p11sak will ask for the pin:
$ p11sak list-key all --slot 1
Please enter user PIN:
* For a more extended (end to end) use case, one could reuse:
https://launchpadlibrarian.net/673367325/example.txt
(from LP#2018908 and LP#2018911)
and could add after line(s):
ubuntu@zbox:~$ pkcsconf -I -c 1
Enter the SO PIN:
Enter a unique token label: mysofttok
ubuntu@zbox:~$
the setting of a user PIN, like:
ubuntu@zbox:~$ pkcsconf -u -c 1
Enter the SO PIN:
Enter the new user PIN:
Re-enter the new user PIN:
ubuntu@zbox:~$
which would then allow to list and generate keys, like:
ubuntu@zbox:~$ sudo p11sak list-key all --slot 1
Please enter user PIN:
| P M R L S E D G V W U X A N * | KEY TYPE | LABEL
|---------------------------------------------+-------------+-------------
ubuntu@zbox:~$ p11sak gen-key aes 256 --slot 1 --pin 11111111 --label myicatok --attr X
Generate symmetric key AES with keylen=256 and label="myicatok"
Symmetric key generation successful!
ubuntu@zbox:~$ sudo p11sak list-key all --slot 1
Please enter user PIN:
| P M R L S E D G V W U X A N * | KEY TYPE | LABEL
|---------------------------------------------+-------------+-------------
| 0 1 0 1 0 1 1 1 1 1 1 1 0 0 0 | AES 256 | "myicatok"
ubuntu@zbox:~$
* Note: It's not mandatory to extend the sample (in example.txt)
for entering the User PIN for the ICA Token,
since logins are there only required when using token specific objects.
In that scenario, the program can run without a user PIN.
[ Where problems could occur ]
* There are no internal code changes, only modifications in the packaging.
* An issue could occur if the former way that worked is now broken
(means using the PKCSLIB environment variable), but this still works.
* Successful test build are created at:
https://launchpad.net/~fheimes/+archive/ubuntu/lp2022088
[ Other Info ]
* Package opencryptoki has reverse dependencies:
$ reverse-depends -a source src:opencryptoki
Reverse-Build-Depends
* simple-tpm-pk11 (for libopencryptoki-dev)
* tpm-tools (for libopencryptoki-dev)
These were rebuild for test purposes, in addition to opencryptoki itself,
and are available at PPA:
https://launchpad.net/~fheimes/+archive/ubuntu/lp2018911
__________
After having the opencryptoki and libopencryptoki0 installed
dlopen with libopencryptoki.so is not able to find 'libopencryptoki.so':
# p11sak list-key all --slot 1 --pin <pin>
Error: failed to open pkcs11 lib 'libopencryptoki.so'
The 'opencryptoki-$(target_cpu).conf' file needs to be placed in '/etc/ld.so.conf.d/',
hat is generated by make, but was up to now explicitly removed before installing (in d/rules).
'opencryptoki-$(target_cpu).conf' contains lines like this:
/usr/lib/s390x-linux-gnu/opencryptoki
/usr/lib/s390x-linux-gnu/opencryptoki/stdll
'opencryptoki-$(target_cpu).conf' needs to be properly placed into '/etc/ld.so.conf.d/',
and ldconfig called (via d/triggers). |
|
2023-06-23 22:25:58 |
Steve Langasek |
opencryptoki (Ubuntu Lunar): status |
In Progress |
Fix Committed |
|
2023-06-23 22:25:59 |
Steve Langasek |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2023-06-23 22:26:00 |
Steve Langasek |
bug |
|
|
added subscriber SRU Verification |
2023-06-23 22:26:06 |
Steve Langasek |
tags |
s390x |
s390x verification-needed verification-needed-lunar |
|
2023-06-27 12:59:19 |
Frank Heimes |
tags |
s390x verification-needed verification-needed-lunar |
s390x verification-done-lunar verification-needed |
|
2023-07-06 16:55:47 |
Launchpad Janitor |
opencryptoki (Ubuntu Lunar): status |
Fix Committed |
Fix Released |
|
2023-07-06 16:55:58 |
Andreas Hasenack |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
2023-07-07 09:51:28 |
Frank Heimes |
bug task deleted |
opencryptoki (Ubuntu Focal) |
|
|
2023-07-07 09:52:48 |
Frank Heimes |
opencryptoki (Ubuntu Kinetic): status |
New |
In Progress |
|
2023-07-07 09:52:51 |
Frank Heimes |
opencryptoki (Ubuntu Jammy): status |
New |
In Progress |
|
2023-07-07 20:02:43 |
Steve Langasek |
opencryptoki (Ubuntu Kinetic): status |
In Progress |
Fix Committed |
|
2023-07-07 20:02:45 |
Steve Langasek |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2023-07-07 20:02:49 |
Steve Langasek |
tags |
s390x verification-done-lunar verification-needed |
s390x verification-done-lunar verification-needed verification-needed-kinetic |
|
2023-07-07 20:10:25 |
Steve Langasek |
opencryptoki (Ubuntu Jammy): status |
In Progress |
Incomplete |
|
2023-07-10 13:16:57 |
Frank Heimes |
tags |
s390x verification-done-lunar verification-needed verification-needed-kinetic |
s390x verification-done-kinetic verification-done-lunar verification-needed |
|
2023-07-15 10:12:22 |
Frank Heimes |
opencryptoki (Ubuntu Jammy): status |
Incomplete |
In Progress |
|
2023-07-19 07:22:51 |
Frank Heimes |
opencryptoki (Ubuntu Mantic): assignee |
Frank Heimes (fheimes) |
|
|
2023-07-20 11:42:16 |
Launchpad Janitor |
opencryptoki (Ubuntu Kinetic): status |
Fix Committed |
Fix Released |
|
2023-07-21 20:04:21 |
Steve Langasek |
opencryptoki (Ubuntu Jammy): status |
In Progress |
Fix Committed |
|
2023-07-21 20:04:26 |
Steve Langasek |
tags |
s390x verification-done-kinetic verification-done-lunar verification-needed |
s390x verification-done-kinetic verification-done-lunar verification-needed verification-needed-jammy |
|
2023-07-24 12:25:48 |
Frank Heimes |
tags |
s390x verification-done-kinetic verification-done-lunar verification-needed verification-needed-jammy |
s390x verification-done verification-done-jammy verification-done-kinetic verification-done-lunar |
|
2023-07-24 12:26:43 |
Frank Heimes |
ubuntu-z-systems: status |
In Progress |
Fix Committed |
|
2023-08-03 09:53:10 |
Launchpad Janitor |
opencryptoki (Ubuntu Jammy): status |
Fix Committed |
Fix Released |
|
2023-08-03 10:19:43 |
Frank Heimes |
ubuntu-z-systems: status |
Fix Committed |
Fix Released |
|