fails to load modules for pkcs11 backends

Bug #926305 reported by David Smith
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
openCryptoki | Fix Released | Unknown | |
opencryptoki (Ubuntu) | Fix Released | Undecided | Stéphane Graber |

Bug Description

After installing opencryptoki, one should be able to query the available backend modules with the command "pkcsconf -i". On the current version in precise (2.3.1+dfsg-3), this is failing with the following error:

C_GetSlotCount returned 0 slots. Check that your tokens are installed correctly.

The expected output is:

PKCS#11 Info
 Version 2.11
 Manufacturer: IBM
 Flags: 0x0
 Library Description: Meta PKCS11 LIBRARY 
 Library Version 2.3

I'm not sure what the root cause is, but strace on the pkcsconf program shows it is looking in the default search path for the backend libraries (e.g. the TPM and the soft-token backend). They are installed in /usr/lib/opencryptoki/stdll, which is not in the default shlib search path and was never in the past when this worked. I suspect something changed in the package that introduced this bug.

Testing / workaround instructions:
1. stop opencryptoki
2. run pkcs11_startup to generate /var/lib/opencryptoki/pk_config_data
3. edit /var/lib/opencryptoki/pk_config_data specifying the fully qualified path to the backend libraries.
4. start opencryptoki
5. run pkcsconf -i

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in opencryptoki (Ubuntu):
status: New → Confirmed
tags: added: css-sponsored-p rls-mgr-p-tracking
Etienne Goyer (etienne-goyer-outlands) wrote :

Actually, just to be entirely clear, after installing the opencryptoki package, if you run "pkcsconf -i", it does not return the error. You need to run pkcs11_startup first. Then, it fails with the C_GetSlotCount error described above.

Steve Atwell (satwell) wrote :

I think I found the problem.

In the lucid version of libopencryptoki0, there's an /etc/ld.so.conf.d/opencryptoki-x86_64.conf that includes /usr/lib/opencryptoki/stdll. That's how the lucid version was able to find the backend modules.

This was removed in 2.3.1+dfsg-1. From the changelog:

  * debian/rules:
   - Do no install /etc/ld.so.conf.d/opencryptoki-i486.conf
   - Creating instead soft-links in /usr/lib

The rules file does in fact create symlinks in /usr/lib. However, it creates symlinks for *.so.*, but pkcs11_startup creates configuration files that reference *.so. (Note the missing version in the filenames.)

A simple fix would be to make symlinks for *.so* in /usr/lib.

Changed in opencryptoki (Ubuntu):
assignee: nobody → Stéphane Graber (stgraber)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package opencryptoki - 2.3.1+dfsg-3ubuntu1

---------------
opencryptoki (2.3.1+dfsg-3ubuntu1) precise; urgency=low

  * Use *.so* instead of *.so.* in libopencryptoki0.install to also
    install the symlinks. (LP: #926305)
 -- Stephane Graber <email address hidden> Tue, 13 Mar 2012 11:29:13 -0400

Changed in opencryptoki (Ubuntu):
status: Confirmed → Fix Released
Etienne Goyer (etienne-goyer-outlands) wrote :

Stéphane, it seems like this is not fixed yet.

ubuntu@precise-thinkcentre:~$ dpkg -l | grep opencryptoki
ii libopencryptoki0 2.3.1+dfsg-3ubuntu2 PKCS#11 implementation (library)
ii opencryptoki 2.3.1+dfsg-3ubuntu2 PKCS#11 implementation (daemon)
ubuntu@precise-thinkcentre:~$ sudo pkcsconf -i
C_GetSlotCount returned 0 slots. Check that your tokens are installed correctly.
ubuntu@precise-thinkcentre:~$ tail -2 /var/log/syslog
Mar 20 13:12:11 precise-thinkcentre openCryptokiModule[3894]: DL_Load: dlopen() failed for [libpkcs11_tpm.so]; dlerror = [libpkcs11_tpm.so: cannot open shared object file: No such file or directory]
Mar 20 13:12:11 precise-thinkcentre openCryptokiModule[3894]: DL_Load: dlopen() failed for [libpkcs11_sw.so]; dlerror = [libpkcs11_sw.so: cannot open shared object file: No such file or directory]
ubuntu@precise-thinkcentre:~$ cat /var/lib/opencryptoki/pk_config_data
TRUE|0|Linux 3.2.0-18-generic Linux (TPM)|Linux 3.2.0-18-generic|TRUE|FALSE|TRUE|0|0|1|1|NONE|libpkcs11_tpm.so|ST_Initialize
TRUE|0|Linux 3.2.0-18-generic Linux (Soft)|Linux 3.2.0-18-generic|TRUE|FALSE|FALSE|0|0|1|1|NONE|libpkcs11_sw.so|ST_Initialize

Changed in opencryptoki:
status: Unknown → New
David Smith (dds) wrote :

FYI I am taking over maintenance of opencryptoki in Debian (http://bugs.debian.org/543925). Thomas Bushnell, BSG will sponsor an upload that contains a fix for this bug. The solution is to make pk_config_data contain fully qualified paths to the backend library files. I will ping this bug again when the package is uploaded in sid.

Changed in opencryptoki:
status: New → Incomplete
Changed in opencryptoki:
status: Incomplete → New
Changed in opencryptoki:
status: New → Fix Released
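
Added example (not part of the bug report or of the opencryptoki package): a shell check for the condition discussed in the workaround steps and in the final comment, namely whether the backend-library field of pk_config_data holds a bare name, which dlopen() resolves through the loader search path, or a fully qualified path. It assumes the 14-field "|"-separated layout shown in the comment above, with the library in field 13; the function names and the STDLL_DIR variable are hypothetical.

```shell
#!/bin/sh
# Audit the backend-library (STDLL) field of an openCryptoki pk_config_data file.
# Usage on a real system: classify_stdll < /var/lib/opencryptoki/pk_config_data
STDLL_DIR="${STDLL_DIR:-/usr/lib/opencryptoki/stdll}"  # directory named in the report

# Sample input: the two slot lines quoted in the bug report.
sample_config() {
    cat <<'EOF'
TRUE|0|Linux 3.2.0-18-generic Linux (TPM)|Linux 3.2.0-18-generic|TRUE|FALSE|TRUE|0|0|1|1|NONE|libpkcs11_tpm.so|ST_Initialize
TRUE|0|Linux 3.2.0-18-generic Linux (Soft)|Linux 3.2.0-18-generic|TRUE|FALSE|FALSE|0|0|1|1|NONE|libpkcs11_sw.so|ST_Initialize
EOF
}

# Read slot lines on stdin, print "<status> <library>" for each:
#   bare     - no "/" in the name: dlopen() searches the loader path
#   relative - contains "/" but is not absolute: depends on the working directory
#   missing  - absolute path that is not an existing file
#   ok       - absolute path to an existing file
classify_stdll() {
    awk -F'|' 'NF >= 14 { print $13 }' | while IFS= read -r lib; do
        case "$lib" in
            /*)  if [ -f "$lib" ]; then echo "ok $lib"; else echo "missing $lib"; fi ;;
            */*) echo "relative $lib" ;;
            *)   echo "bare $lib" ;;
        esac
    done
}

# Read slot lines on stdin, print them with every non-absolute library
# name rewritten to STDLL_DIR/<name> (step 3 of the workaround).
qualify_stdll() {
    awk -F'|' -v OFS='|' -v dir="$STDLL_DIR" '
        NF >= 14 && $13 !~ /^\// { $13 = dir "/" $13 }
        { print }'
}

# Demo on the sample lines: both entries are reported as "bare".
sample_config | classify_stdll
```
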