[Bug 2110521] Re: Continue searching other PKCS#11 tokens if certificates are not found
Simon Chopin
2110521 at bugs.launchpad.net
Fri Sep 26 09:01:37 UTC 2025
Please resubscribe ubuntu-sponsor once that build failure has been
addressed.
Just a couple of things on Matthew's review that strike me:
> I recommend version schemes like:
Take the current package version: 2.10.1-2ubuntu4, then:
sssd - 2.10.1-2ubuntu4+<case number or lp bug number>vDATEb1
Don't use the existing package version but rather use your *target* version, and use ~ before your suffix.
I'll usually use ~ppa1, as there is tooling out there that will help enforce this.
Using the target version is important, because version numbering is often something that people trip up on in SRUs.
> Lastly, you can also do a "quilt refresh" on your patches so they match the
source code, and no ambiguous fuzz needs to happen in the future. Note it
does change from git to the quilt format, but thats okay.
Please don't. Gratuitous refreshes make diffs extremely noisy, making it
harder for reviewers to focus on the content that actually matters.
--
You received this bug notification because you are a member of Ubuntu
Sponsors, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/2110521
Title:
Continue searching other PKCS#11 tokens if certificates are not found
Status in sssd package in Ubuntu:
In Progress
Status in sssd source package in Jammy:
Won't Fix
Status in sssd source package in Noble:
In Progress
Status in sssd source package in Plucky:
In Progress
Status in sssd source package in Questing:
In Progress
Bug description:
[ Impact ]
TL;DR: users cannot authenticate properly.
p11_child handles (pre-)authentication in two steps.
In the first step, it locates a PKCS#11 token that could contain certificates for authentication.
In the second step, it checks if there are actually valid, usable certificate(s) on it.
During both steps, filtering is performed based on arguments given to
p11_child. If a mismatch occurs during the first step, it simply skips
the module/slot/token and goes onto the next one. However if a
mismatch occurs in the second step, this is considered a failure; it
does not return to the first step to see if a different token contains
the right certificates (or to wait for it, if --wait_for_card is
given).
To address this, the code needs to be refactored so that the
certificate search happens inside the loop that searches/waits for
tokens.
[ Test Plan ]
Follow the instructions from the beginning here
https://canonical-se-wiki.readthedocs-hosted.com/en/latest/content/whershberger/virtual-smartcard/
(up to "launch vm")
add cert to host nssdb
certutil -A -d sql:$HOME/.pki/nssdb -i fake-smartcard-noble-ca.cer -t TC,TC,TC -n fake-smartcard-noble-ca
# launch qemu
sudo qemu-system-x86_64 -enable-kvm -m 1024 -nic user,model=virtio -chardev socket,server=on,host=0.0.0.0,port=2001,id=ccid,wait=off -drive file=root.img,media=disk,index=0,if=virtio -drive file=seed.img,index=1,media=cdrom -usb -device usb-ccid -device ccid-card-emulated,backend=certificates,db=sql:$HOME/.pki/nssdb,cert1=fake-smartcard-ca,cert2=fake-smartcard-ca,cert3=fake-smartcard-ca -usb -device virtio-rng-pci -nographic
sudo apt-get update && sudo apt-get upgrade
sudo apt-get install pcscd pcsc-tools libnss3-tools opensc realmd sssd gnutls-bin
# initialize new certificate nss database in vm
mkdir -p $HOME/.pki/nssdb
certutil -d $HOME/.pki/nssdb -N
certutil -A -d sql:$HOME/.pki/nssdb -i fake-smartcard-noble-ca.cer -t TC,TC,TC -n fake-smartcard-noble-ca
# check db if you see certs
certutil -d sql:$HOME/.pki/nssdb -L
sudo pcsc_scan
PC/SC device scanner
V 1.7.1 (c) 2001-2022, Ludovic Rousseau <ludovic.rousseau at free.fr>
Using reader plug'n play mechanism
Scanning present readers...
0: Gemalto Gemplus USB SmartCard Reader 433-Swap [CCID Interface] (1-0000:00:01.2-1) 00 00
Tue Jul 15 20:47:59 2025
Reader 0: Gemalto Gemplus USB SmartCard Reader 433-Swap [CCID Interface] (1-0000:00:01.2-1) 00 00
Event number: 0
Card state: Card inserted,
ATR: 3B 7A 18 00 00 73 66 74 65 20 63 64 31 34 34
...
Possibly identified card (using /usr/share/pcsc/smartcard_list.txt):
3B 7A 18 00 00 73 66 74 65 20 63 64 31 34 34
Republic Slovenia e-Gov, Ministry of Public Administration
SIGOV-CA, Slovenian Governmental Certification Authority
Giesecke & Devrient (PIV Endpoint) G&D Sm@rtCafe Expert v3.2
scp cac-card cert to vm
and save to vm's nssdb.
sudo su
mkdir -p /etc/sssd/pki
# append the fake CA certificate to the CA database p11_child will validate against
cat fake-smartcard-ca.crt >> /etc/sssd/pki/sssd_auth_ca_db.pem
# call out to p11_child directly
sudo /usr/libexec/sssd/p11_child --pre -d 10 --debug-fd=2 --ca_db=/etc/sssd/pki/sssd_auth_ca_db.pem
[p11_child[4329]] [main] (0x0400): p11_child started.
[p11_child[4329]] [main] (0x2000): Running in [pre-auth] mode.
[p11_child[4329]] [do_card] (0x4000): Login NOT required.
[p11_child[4329]] [read_certs] (0x4000): found cert[CAC ID Certificate][/CN=Fake Smart Card Noble CA]
[p11_child[4329]] [do_verification] (0x0040): X509_verify_cert failed [0].
[p11_child[4329]] [do_verification] (0x0040): X509_verify_cert failed [18][self-signed certificate].
[p11_child[4329]] [read_certs] (0x0040): Certificate [CAC ID Certificate][/CN=Fake Smart Card Noble CA] not valid, skipping.
[p11_child[4329]] [read_certs] (0x4000): found cert[CAC Email Signature Certificate][/CN=Fake Smart Card Noble CA]
[p11_child[4329]] [do_verification] (0x0040): X509_verify_cert failed [0].
[p11_child[4329]] [do_verification] (0x0040): X509_verify_cert failed [18][self-signed certificate].
[p11_child[4329]] [read_certs] (0x0040): Certificate [CAC Email Signature Certificate][/CN=Fake Smart Card Noble CA] not valid, skipping.
[p11_child[4329]] [read_certs] (0x4000): found cert[CAC Email Encryption Certificate][/CN=Fake Smart Card Noble CA]
[p11_child[4329]] [do_verification] (0x0040): X509_verify_cert failed [0].
[p11_child[4329]] [do_verification] (0x0040): X509_verify_cert failed [18][self-signed certificate].
[p11_child[4329]] [read_certs] (0x0040): Certificate [CAC Email Encryption Certificate][/CN=Fake Smart Card Noble CA] not valid, skipping.
[p11_child[4329]] [do_card] (0x4000): No certificate found.
# shutdown vm, make empty cert and relaunch
sudo shutdown now
# make an empty cert and add it to nssdb
certutil -S -s "CN=''" -n CACert -x -t "CT,C,C" -v 120 -m 1234 -d sql:$PWD
certutil -R -s "CN='\?', O=Canonical , L=COS, ST=CO, C=US" -o mycert.req -d sql:$PWD
certutil -d sql:$PWD -L
certutil -C -m 2345 -i mycert.req -o invalid.crt -c CACert -d sql:$PWD
openssl x509 -in invalid.crt -noout -text
certutil -A -d sql:$PWD -i invalid.crt -t TC,TC,TC -n invalid-fake-smartcard-ca
sudo qemu-system-x86_64 -enable-kvm -m 1024 -nic user,model=virtio -chardev socket,server=on,host=0.0.0.0,port=2001,id=ccid,wait=off -drive file=root.img,media=disk,index=0,if=virtio -drive file=seed.img,index=1,media=cdrom -usb -device usb-ccid -device ccid-card-emulated,backend=certificates,db=sql:$PWD,cert1=invalid-fake-smartcard-ca,cert2=invalid-fake-smartcard-ca,cert3=invalid-fake-smartcard-ca -usb -device virtio-rng-pci -nographic
sudo /usr/libexec/sssd/p11_child --pre -d 10 --debug-fd=2 --ca_db=/etc/sssd/pki/sssd_auth_ca_db.pem
# installing coolkey gives access to cac-card
sudo apt-get install opensc coolkey
whereis opensc-pkcs11.so
/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
sudo modutil -dbdir sql:$HOME/.pki/nssdb/ -add "CAC Module" -libfile /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type
'q <enter>' to abort, or <enter> to continue:
Module "CAC Module" added to database.
sudo /usr/libexec/sssd/p11_child --wait_for_card --pre -d 10 --debug-fd=2 \
--ca_db=/etc/sssd/pki/sssd_auth_ca_db.pem --module_name 'Fake Smart Card CA' \
--token_name CACard --key_id 0001 --pin 1234
# we'll create the empty cert, add to db and run p11_child
sudo /usr/libexec/sssd/p11_child --wait_for_card --pre -d 10 --debug-fd=2 --ca_db=/etc/sssd/pki/sssd_auth_ca_db.pem --module_name 'Fake Smart Card CA' --token_name CACard --key_id 0001 --pin 1234
[p11_child[2183]] [main] (0x0400): p11_child started.
[p11_child[2183]] [main] (0x2000): Running in [pre-auth] mode.
[p11_child[2183]] [main] (0x2000): Running with effective IDs: [0][0].
[p11_child[2183]] [main] (0x2000): Running with real IDs [0][0].
[p11_child[2183]] [do_card] (0x4000): Module List:
[p11_child[2183]] [do_card] (0x4000): common name: [opensc-pkcs11].
[p11_child[2183]] [do_card] (0x4000): dll name: [/usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so].
[p11_child[2183]] [do_card] (0x4000): Description [Gemalto Gemplus USB SmartCard Reader 433-Swap [CCID Interface...] Manufacturer [QEMU] flags [7] removable [true] token present [true].
[p11_child[2183]] [do_card] (0x4000): Token label [Fake Smart Card CA].
[p11_child[2183]] [do_card] (0x4000): Found [Fake Smart Card CA] in slot [Gemalto Gemplus USB SmartCard Reader 433-Swap [CCID Interface...][0] of module [0][/usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so].
[p11_child[2183]] [do_card] (0x4000): Login NOT required.
[p11_child[2183]] [read_certs] (0x4000): found cert[CAC ID Certificate][/CN=Fake Smart Card CA]
[p11_child[2183]] [do_ocsp] (0x0020): No OCSP URL in certificate and no default responder defined, skipping OCSP check.
[p11_child[2183]] [read_certs] (0x4000): found cert[CAC Email Signature Certificate][/CN=Fake Smart Card CA]
[p11_child[2183]] [do_ocsp] (0x0020): No OCSP URL in certificate and no default responder defined, skipping OCSP check.
[p11_child[2183]] [read_certs] (0x4000): found cert[CAC Email Encryption Certificate][/CN=Fake Smart Card CA]
[p11_child[2183]] [do_ocsp] (0x0020): No OCSP URL in certificate and no default responder defined, skipping OCSP check.
[p11_child[2183]] [do_card] (0x4000): Fake Smart Card CA /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so CACard Fake Smart Card CA 0001 - no label given- 0003.
[p11_child[2183]] [do_card] (0x4000): Fake Smart Card CA /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so CACard Fake Smart Card CA 0001 - no label given- 0002.
[p11_child[2183]] [do_card] (0x4000): Fake Smart Card CA /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so CACard Fake Smart Card CA 0001 - no label given- 0001.
[p11_child[2183]] [do_card] (0x4000): No certificate found.
0
* Previous code stops here
# Then after the upgrade we have a cert.
sudo apt-get install --only-upgrade sssd
apt-cache policy sssd
sssd:
Installed: 2.10.1-2ubuntu5.1testpkg1
Candidate: 2.10.1-2ubuntu5.1testpkg1
Version table:
*** 2.10.1-2ubuntu5.1testpkg1 500
user1@ubuntu:~$ sudo /usr/libexec/sssd/p11_child --wait_for_card --pre -d 10 --debug-fd=2 --ca_db=/etc/sssd/pki/sssd_auth_ca_db.pem --module_name 'Fake Smart Card CA' --token_name CACard --key_id 0001 --pin 1234
[p11_child[2800]] [main] (0x0400): p11_child started.
[p11_child[2800]] [main] (0x2000): Running in [pre-auth] mode.
[p11_child[2800]] [main] (0x2000): Running with effective IDs: [0][0].
[p11_child[2800]] [main] (0x2000): Running with real IDs [0][0].
[p11_child[2800]] [do_card] (0x4000): Module List:
[p11_child[2800]] [do_card] (0x4000): common name: [opensc-pkcs11].
[p11_child[2800]] [do_card] (0x4000): dll name: [/usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so].
[p11_child[2800]] [do_card] (0x4000): Description [Gemalto Gemplus USB SmartCard Reader 433-Swap [CCID Interface...] Manufacturer [QEMU] flags [7] removable [true] token present [true].
[p11_child[2800]] [do_card] (0x4000): Token label [Fake Smart Card CA].
[p11_child[2800]] [do_slot] (0x4000): Found [Fake Smart Card CA] in slot [Gemalto Gemplus USB SmartCard Reader 433-Swap [CCID Interface...][0] of module [0][/usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so].
[p11_child[2800]] [do_slot] (0x4000): Login NOT required.
[p11_child[2800]] [read_certs] (0x4000): found cert[CAC ID Certificate][/CN=Fake Smart Card CA]
[p11_child[2800]] [do_ocsp] (0x0020): No OCSP URL in certificate and no default responder defined, skipping OCSP check.
[p11_child[2800]] [read_certs] (0x4000): found cert[CAC Email Signature Certificate][/CN=Fake Smart Card CA]
[p11_child[2800]] [do_ocsp] (0x0020): No OCSP URL in certificate and no default responder defined, skipping OCSP check.
[p11_child[2800]] [read_certs] (0x4000): found cert[CAC Email Encryption Certificate][/CN=Fake Smart Card CA]
[p11_child[2800]] [do_ocsp] (0x0020): No OCSP URL in certificate and no default responder defined, skipping OCSP check.
[p11_child[2800]] [do_slot] (0x4000): Fake Smart Card CA /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so CACard Fake Smart Card CA 0001 - no label given- 0003.
[p11_child[2800]] [do_slot] (0x4000): Fake Smart Card CA /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so CACard Fake Smart Card CA 0001 - no label given- 0002.
[p11_child[2800]] [do_slot] (0x4000): Fake Smart Card CA /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so CACard Fake Smart Card CA 0001 - no label given- 0001.
[p11_child[2800]] [do_slot] (0x4000): No certificate found.
[p11_child[2800]] [do_card] (0x4000): common name: [softhsm2].
[p11_child[2800]] [do_card] (0x4000): dll name: [/usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so].
[p11_child[2800]] [do_card] (0x4000): Description [SoftHSM slot ID 0x0] Manufacturer [SoftHSM project] flags [1] removable [false] token present [true].
0
# We continue the search for certs even if we didn't find a valid certificate.
[ Where Problems Could Occur ]
Most problems would occur during the authentication phase, when sssd
talks to the certificates to get tokens on the smart cards.
A regression would likely look like denying a valid user
authentication to Active Directory when using smart cards to
authenticate a user.
To work around this regression, call out to p11_child directly and get
better logging as to the error occurring:
sudo /usr/libexec/sssd/p11_child --pre -d 10 --debug-fd=2 --ca_db=/etc/sssd/pki/sssd_auth_ca_db.pem
Try with a VM, passing in a fake created certificate as shown here
https://canonical-se-wiki.readthedocs-hosted.com/en/latest/content/whershberger/virtual-smartcard/
where we emulate the smart card via qemu passed in on the command line.
Another regression would be if parsing of the tokens failed during
certificate look up.
A regression would look like a failure to properly parse the
certificate.
I do not know of a valid workaround if parsing in the code from sssd
is failing. My suggestion would be to first file a new Launchpad bug
and seek help from previous related posts.
Someone has already identified an issue upstream.
https://github.com/SSSD/sssd/issues/7912
The fundamental problem stems from OpenSC's PKCS#11 module, not from sssd
itself but from a 3rd-party library.
https://issues.redhat.com/browse/RHEL-47261
https://github.com/OpenSC/OpenSC/issues/3241
[ Other Info ]
Backport from upstream.
Continue searching other PKCS#11 tokens if certificates are not found
https://github.com/SSSD/sssd/issues/5905
https://github.com/SSSD/sssd/commit/782a6dd54967e7c2dd3013f7e68134ee8751ab88
Testing sssd repository
https://launchpad.net/~hypothetical-lemon/+archive/ubuntu/lp2110521-sssd-port/
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/2110521/+subscriptions
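The control-flow change the [ Impact ] section describes, as an added example that is not sssd's code and not part of the bug report: a small C model with constructed tokens and a constructed CA list. `do_card_old` returns as soon as the first token passing the step 1 filter has been examined, so a token with only self-signed certificates ends the search with "no certificate found". `do_card_new` runs the certificate search inside the token loop and moves on to the next token instead. The names `do_card_old`, `do_card_new`, `read_certs`, `token_matches`, the struct types and the sample token data are all hypothetical; the validation rule (issuer must be in the CA list) stands in for the X509_verify_cert step and is unchanged between the two variants, which is the point: only the iteration continues, nothing is accepted that the old code would have rejected.

```c
#include <stddef.h>
#include <string.h>

/* Constructed model of a certificate on a PKCS#11 token (not sssd's types). */
struct cert {
    const char *label;
    const char *subject;
    const char *issuer;
};

/* Constructed model of a token found in some module/slot. */
struct token {
    const char *label;
    const struct cert *certs;
    size_t n_certs;
};

/* Constructed CA database: issuer names we trust (stands in for --ca_db). */
struct ca_db {
    const char **issuers;
    size_t n_issuers;
};

/* Step 2: return the first certificate chaining to a trusted issuer, or NULL.
 * A self-signed or otherwise untrusted certificate is "not valid, skipping". */
static const struct cert *read_certs(const struct token *tok, const struct ca_db *db)
{
    for (size_t i = 0; i < tok->n_certs; i++) {
        for (size_t j = 0; j < db->n_issuers; j++) {
            if (strcmp(tok->certs[i].issuer, db->issuers[j]) == 0)
                return &tok->certs[i];
        }
    }
    return NULL;
}

/* Step 1 filter: a NULL token_name matches any token (--token_name not given). */
static int token_matches(const struct token *tok, const char *token_name)
{
    return token_name == NULL || strcmp(tok->label, token_name) == 0;
}

/* Behaviour before the fix: the first token passing the step 1 filter is the
 * only one whose certificates are examined. If it holds no valid certificate
 * the search ends, even though a later token might hold one. */
const struct cert *do_card_old(const struct token *toks, size_t n,
                               const char *token_name, const struct ca_db *db)
{
    for (size_t i = 0; i < n; i++) {
        if (!token_matches(&toks[i], token_name))
            continue;                      /* step 1 mismatch: next token */
        return read_certs(&toks[i], db);   /* step 2 mismatch: give up */
    }
    return NULL;
}

/* Behaviour after the fix: the certificate search runs inside the token loop,
 * so a step 2 mismatch just moves on to the next token. The validation rule is
 * identical; only the iteration continues. */
const struct cert *do_card_new(const struct token *toks, size_t n,
                               const char *token_name, const struct ca_db *db)
{
    for (size_t i = 0; i < n; i++) {
        if (!token_matches(&toks[i], token_name))
            continue;
        const struct cert *c = read_certs(&toks[i], db);
        if (c != NULL)
            return c;                      /* found a usable certificate */
        /* no usable certificate on this token: keep searching */
    }
    return NULL;                           /* fail closed: nothing usable anywhere */
}

/* Constructed scenario: an emulated card whose certificate is self-signed
 * (first token) sitting next to a card issued by the trusted CA (second token). */
static const char *trusted_issuers[] = { "CN=Fake Smart Card CA" };
const struct ca_db demo_ca_db = { trusted_issuers, 1 };

static const struct cert selfsigned_certs[] = {
    { "CAC ID Certificate", "CN=Untrusted Card", "CN=Untrusted Card" },
};
static const struct cert trusted_certs[] = {
    { "CAC ID Certificate", "CN=user1", "CN=Fake Smart Card CA" },
};
const struct token demo_tokens[] = {
    { "UntrustedCard", selfsigned_certs, 1 },
    { "CACard",        trusted_certs,    1 },
};
const size_t demo_n_tokens = sizeof(demo_tokens) / sizeof(demo_tokens[0]);
```

With no `--token_name` filter the old variant stops at UntrustedCard and reports nothing, while the new variant goes on to CACard and returns user1's certificate. With `--token_name UntrustedCard` both variants return NULL, which is the check worth keeping in mind when reviewing the backport: the fix must not turn "no valid certificate on the selected token" into a success.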