SmartCard-HSM card does not list RSA 2048 public keys

Bug #1311921 reported by Gert van Dijk on 2014-04-23
16
This bug affects 3 people
Affects Status Importance Assigned to Milestone
opensc (Debian)
Fix Released
Unknown
opensc (Ubuntu)
Undecided
Unassigned
Trusty
Undecided
Unassigned
Utopic
Undecided
Unassigned

Bug Description

[Impact]

OpenSC 0.13.0 does not list RSA public keys which are of 2048 bits in size on a SmartCard-HSM smart card.

Although the keys are listed after on-card key generation, only the private key is listed later. This issue does not appear for keys of 1024 bits in size on the same card.

[Test Case]
Steps to reproduce:

1. Generate the RSA key of 2048 bits in size in case none of this type is present:

$ pkcs11-tool --module /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so -l --keypairgen --key-type rsa:2048 --id 10
Using slot 1 with a present token (0x1)
Logging in to "SmartCard-HSM (UserPIN)".
Please enter User PIN:
Key pair generated:
Private Key Object; RSA
  label: Private Key
  ID: 10
  Usage: decrypt, sign, unwrap
Public Key Object; RSA 2048 bits
  label: Private Key
  ID: 10
  Usage: encrypt, verify, wrap

2. The public key cannot be listed/obained:

2a. using pkcs11-tool, reading the public key fails.

$ pkcs11-tool --module /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so --id 10 --read-object --type pubkey
Using slot 1 with a present token (0x1)
error: object not found

2b. listing the objects using pcks15-tool will only list the private key object.

$ pkcs15-tool -D
Using reader with a card: Alcor Micro AU9540 00 00
PKCS#15 Card [SmartCard-HSM]:
[...]

PIN [UserPIN]
[...]

PIN [SOPIN]
[...]

Private RSA Key [Private Key]
[...]
        ID : 10
[...]

Fix is committed upstream in https://github.com/OpenSC/OpenSC/commit/99af6cd8ee78776f50bc016fc230541072c60afb

Applying fix mentioned above on top of opensc (0.13.0-3ubuntu4) fixes the issue for me, without regenerating keys.

$ pkcs11-tool --module /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so --id 10 --read-object --type pubkey | hexdump
Using slot 1 with a present token (0x1)
0000000 8230 0a01 8202 0101 9000 5007 f88a 3370
0000010 a1c3 65e0 8d90 0b3b 0f40 d776 2d84 80be
[...]

[Regression Potential]
This fix is already in Utopic. It is an upstream cherry-pick

Gert van Dijk (gertvdijk) wrote :

Attaching debdiff of proposed fix in bug description.

The attachment "opensc_0.13.0-3ubuntu4_0.13.0-3ubuntu4ppa1~trusty.debdiff" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in opensc (Ubuntu):
status: New → Confirmed
Changed in opensc (Ubuntu Trusty):
status: New → Confirmed
Marc Deslauriers (mdeslaur) wrote :

Thanks for the debdiff, ACK.

I've uploaded a fixed package to utopic, and I've uploaded a package to trusty for processing by the Ubuntu SRU team.

Thanks!

Changed in opensc (Ubuntu Utopic):
status: Confirmed → Fix Committed
Changed in opensc (Ubuntu Trusty):
status: Confirmed → In Progress
Marc Deslauriers (mdeslaur) wrote :

Opened debian bug and sent patch.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package opensc - 0.13.0-3ubuntu5

---------------
opensc (0.13.0-3ubuntu5) utopic; urgency=low

  * debian/patches/0003-fix-sc-hsm-rsa2048.patch:
    Add upstream fix to show generated RSA public keys of 2048 bits.
    Cherry-picking commit:
    - 99af6cd sc-hsm: Fixed a bug that prevents a newly generated 2048 [...]
    (LP: #1311921)
 -- Gert van Dijk <email address hidden> Thu, 24 Apr 2014 00:21:53 +0200

Changed in opensc (Ubuntu Utopic):
status: Fix Committed → Fix Released
Changed in opensc (Debian):
status: Unknown → New

Hello Gert, or anyone else affected,

Accepted opensc into trusty-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/opensc/0.13.0-3ubuntu4.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

description: updated
Changed in opensc (Ubuntu Trusty):
status: In Progress → Fix Committed
tags: added: verification-needed
Jasper van Gelder (j-vangelder) wrote :

I can confirm this bug. The package with version 0.13.0-3ubuntu4.1 0 fixes indeed the issue for me as described in the bug description.

tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package opensc - 0.13.0-3ubuntu4.1

---------------
opensc (0.13.0-3ubuntu4.1) trusty; urgency=low

  * debian/patches/0003-fix-sc-hsm-rsa2048.patch:
    Add upstream fix to show generated RSA public keys of 2048 bits.
    Cherry-picking commit:
    - 99af6cd sc-hsm: Fixed a bug that prevents a newly generated 2048 [...]
    (LP: #1311921)
 -- Gert van Dijk <email address hidden> Thu, 24 Apr 2014 00:21:53 +0200

Changed in opensc (Ubuntu Trusty):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for opensc has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regresssions.

Changed in opensc (Debian):
status: New → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.