opencryptoki: p11sak fails to find pkcs11 lib 'libopencryptoki.so'
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Ubuntu on IBM z Systems | Fix Released | High | Skipper Bug Screeners |
opencryptoki (Ubuntu) | Fix Released | High | Unassigned |
Jammy | Fix Released | Undecided | Unassigned |
Kinetic | Fix Released | Undecided | Unassigned |
Lunar | Fix Released | Undecided | Unassigned |
Mantic | Fix Released | High | Unassigned |
Bug Description
SRU Justification:
==================
[ Impact ]
* OpenCryptoki implements the PKCS#11 standard (a public-key crypto standard),
as released by RSA Labs.
It provides an interface to the underlying crypto token infrastructure,
and that infrastructure can be implemented in software, in hardware, or mixed.
Crypto tokens are special tokens where the secret is a crypto key.
* The OpenCryptoki package contains several tools and daemons to work
with such crypto tokens, like pkcsslotd, pkcsconf or p11sak
(all with their own man pages).
* Now p11sak is a tool that allows manipulating tokens
(and their keys) in a token repository.
It can generate, list and remove them.
* The simplest way to use p11sak is to list (token) keys,
but even this fails here, because p11sak is not able to find
all needed shared objects, esp. 'libopencryptok
* Hence an error like this happens:
p11sak list-key all --slot 1
Error: failed to open pkcs11 lib 'libopencryptok
* It is (and was) possible to point to the right shared objects
with the help of the PKCSLIB environment variable.
* This is however a bit inconvenient, and the upstream package
comes with a conf file for the dynamic linker, but this
is not the right way to do so in a Debian-based environment,
instead 'default_pkcs11lib' (in the p11sak code)
should be directly adjusted (see comments #4 to #7 below).
[ Test Plan ]
* Have an Ubuntu (server) system set up.
* Install packages 'opencryptoki' and 'libopencryptoki0'
(the latter is pulled in automatically),
but do not install 'libopencryptok
* For an initial test, one can just call p11sak right away,
with its list-key argument for slot 1, like:
p11sak list-key all --slot 1
to verify whether the shared object can be found or not.
* Without the fix one will face this error:
$ p11sak list-key all --slot 1
Error: failed to open pkcs11 lib 'libopencryptok
* With the updated package one will notice that p11sak will ask for the pin:
$ p11sak list-key all --slot 1
Please enter user PIN:
* For a more extended (end to end) use case, one could reuse:
https:/
(from LP#2018908 and LP#2018911)
and could add after line(s):
ubuntu@zbox:~$ pkcsconf -I -c 1
Enter the SO PIN:
Enter a unique token label: mysofttok
ubuntu@zbox:~$
the setting of a user PIN, like:
ubuntu@zbox:~$ pkcsconf -u -c 1
Enter the SO PIN:
Enter the new user PIN:
Re-enter the new user PIN:
ubuntu@zbox:~$
which would then allow to list and generate keys, like:
ubuntu@zbox:~$ sudo p11sak list-key all --slot 1
Please enter user PIN:
| P M R L S E D G V W U X A N * | KEY TYPE | LABEL
|--
ubuntu@zbox:~$ p11sak gen-key aes 256 --slot 1 --pin 11111111 --label myicatok --attr X
Generate symmetric key AES with keylen=256 and label="myicatok"
Symmetric key generation successful!
ubuntu@zbox:~$ sudo p11sak list-key all --slot 1
Please enter user PIN:
| P M R L S E D G V W U X A N * | KEY TYPE | LABEL
|--
| 0 1 0 1 0 1 1 1 1 1 1 1 0 0 0 | AES 256 | "myicatok"
ubuntu@zbox:~$
* Note: It's not mandatory to extend the sample (in example.txt)
for entering the User PIN for the ICA Token,
since logins are there only required when using token specific objects.
In that scenario, the program can run without a user PIN.
[ Where problems could occur ]
* There are no internal code changes, only modifications in the packaging.
* An issue could occur if the former way that worked is now broken
(meaning the use of the PKCSLIB environment variable), but this still works.
* Successful test builds are created at:
https:/
[ Other Info ]
* Package opencryptoki has reverse dependencies:
$ reverse-depends -a source src:opencryptoki
Reverse-
* simple-tpm-pk11 (for libopencryptoki
* tpm-tools (for libopencryptoki
These were rebuilt for test purposes, in addition to opencryptoki itself,
and are available at PPA:
https:/
__________
After having opencryptoki and libopencryptoki0 installed,
dlopen with libopencryptoki.so is not able to find 'libopencryptok
# p11sak list-key all --slot 1 --pin <pin>
Error: failed to open pkcs11 lib 'libopencryptok
The 'opencryptoki-
that is generated by make, but was up to now explicitly removed before installing (in d/rules).
'opencryptoki-
/usr/lib/
/usr/lib/
'opencryptoki-
and ldconfig called (via d/triggers).
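The lookup that fails in the description, as an added example (not the bug reporter's text and not opencryptoki's own code): a POSIX sh model of how a PKCS#11 client locates its provider, honouring PKCSLIB first and otherwise searching the directories the dynamic linker knows about. The function names resolve_pkcs11_lib, ldso_search_dirs and diagnose, and the assumption that p11sak consults PKCSLIB before trying the bare soname, are mine; the only facts taken from the page are the library name, the PKCSLIB variable and the error string. The test directories are constructed on the fly.

```shell
#!/bin/sh
# Added illustration, not code from the bug report or from opencryptoki.
# Models the lookup p11sak has to perform: honour the PKCSLIB override first,
# otherwise look for the bare soname in the directories the dynamic linker
# would search. The exact search order inside p11sak is an assumption here.

LIBNAME="libopencryptoki.so"

# resolve_pkcs11_lib NAME DIR...
# Prints the path that would be handed to dlopen(), or prints the same
# error message p11sak reports and returns 1.
resolve_pkcs11_lib() {
    name="$1"
    shift
    if [ -n "${PKCSLIB:-}" ]; then
        # An explicit override wins; a wrong override is an error, not a fallback.
        if [ -r "$PKCSLIB" ]; then
            printf '%s\n' "$PKCSLIB"
            return 0
        fi
        printf "PKCSLIB is set to '%s' but that file is not readable\n" "$PKCSLIB" >&2
        return 1
    fi
    for dir in "$@"; do
        if [ -r "$dir/$name" ]; then
            printf '%s\n' "$dir/$name"
            return 0
        fi
    done
    printf "Error: failed to open pkcs11 lib '%s'\n" "$name" >&2
    return 1
}

# ldso_search_dirs: the directories a bare soname can be resolved from on a
# Debian/Ubuntu system: everything in the ld.so cache (via ldconfig -p) plus
# the hard-wired defaults. Degrades to the defaults when ldconfig is missing.
ldso_search_dirs() {
    if command -v ldconfig >/dev/null 2>&1; then
        ldconfig -p 2>/dev/null | sed -n 's/.* => \(.*\)\/[^/]*$/\1/p' | sort -u
    fi
    echo /lib
    echo /usr/lib
}

# diagnose: run the lookup the way it happens on a real box and print the verdict.
diagnose() {
    # word-splitting of the directory list is intended; ld.so paths have no spaces
    if path=$(resolve_pkcs11_lib "$LIBNAME" $(ldso_search_dirs)); then
        echo "dlopen(\"$LIBNAME\") will resolve to $path"
    else
        echo "Fix: install a .conf naming the library's directory in /etc/ld.so.conf.d/ and run ldconfig, or export PKCSLIB=/full/path/$LIBNAME"
    fi
}

diagnose
```

Run it on an affected system before and after installing the fixed package: the verdict flips from the error string to the resolved path once the linker configuration snippet is installed and ldconfig has run. If you script the end-to-end test plan above, prefer p11sak's interactive PIN prompt over passing --pin on the command line, since argv is visible to every local user via ps and /proc.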
Changed in ubuntu-z-systems: importance: Undecided → High
Changed in opencryptoki (Ubuntu): status: New → In Progress
Changed in ubuntu-z-systems: status: New → In Progress
description: updated
description: updated
description: updated
Changed in opencryptoki (Ubuntu Lunar): status: New → In Progress
description: updated
Changed in opencryptoki (Ubuntu Lunar): status: Incomplete → In Progress
description: updated
Changed in opencryptoki (Ubuntu Mantic): assignee: Frank Heimes (fheimes) → nobody
Changed in ubuntu-z-systems: status: Fix Committed → Fix Released
I've created some test builds of fixed packages here: https://launchpad.net/~fheimes/+archive/ubuntu/lp2022088