[Bug 2110521] Re: Continue searching other PKCS#11 tokens if certificates are not found
Dave Jones
2110521 at bugs.launchpad.net
Mon Feb 16 14:12:27 UTC 2026
** Changed in: sssd (Ubuntu Resolute)
Milestone: questing-updates => ubuntu-26.04
** Changed in: sssd (Ubuntu Resolute)
Status: In Progress => Fix Committed
--
You received this bug notification because you are a member of Ubuntu
Sponsors, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/2110521
Title:
Continue searching other PKCS#11 tokens if certificates are not found
Status in sssd package in Ubuntu:
Fix Committed
Status in sssd source package in Jammy:
Won't Fix
Status in sssd source package in Noble:
In Progress
Status in sssd source package in Plucky:
Won't Fix
Status in sssd source package in Questing:
In Progress
Status in sssd source package in Resolute:
Fix Committed
Bug description:
[Impact]
TLDR; users cannot authenticate properly.
p11_child handles (pre-)authentication in two steps.
In the first step, it locates a card with a PKCS#11 token that could contain certificates for authentication.
In the second step, it checks if there are actually valid, usable certificate(s) on it.
If a mismatch occurs during the first step, it simply skips the
module/slot/token and goes onto the next one. However if a mismatch
occurs in the second step, this is considered a failure; it does not
return to the first step to see if a different card contains the right
certificates (or to wait for it, if --wait_for_card is given).
To address this, the code needs to be refactored so that the
certificate search happens inside the loop that searches/waits for
tokens.
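The control-flow difference described above, as an added illustration that is not sssd's own p11_child code: a deliberately simplified model where the "certificate present" check is either outside the token loop (the reported behaviour) or inside it (the refactored behaviour). The token list, labels and the assumption that a softhsm2 token carries a usable certificate are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed model of what p11_child iterates over: each token belongs to a
 * PKCS#11 module and may or may not carry a usable certificate. */
struct token {
    const char *module;
    const char *label;
    bool token_present;
    bool has_valid_cert;
};

/* Step 1: does this token match the requested token name (or any, if NULL)? */
static bool token_matches(const struct token *t, const char *wanted) {
    return t->token_present && (wanted == NULL || strcmp(t->label, wanted) == 0);
}

/* Reported flow: the certificate check (step 2) sits outside the token loop,
 * so the first token that passes step 1 decides the outcome. */
const struct token *find_cert_old(const struct token *toks, size_t n, const char *wanted) {
    const struct token *found = NULL;
    for (size_t i = 0; i < n; i++) {
        if (token_matches(&toks[i], wanted)) { found = &toks[i]; break; }
    }
    if (found == NULL) return NULL;
    return found->has_valid_cert ? found : NULL; /* a mismatch here is final */
}

/* Refactored flow: the certificate search runs inside the loop, so a token
 * without a usable certificate is skipped and the next module/slot/token is tried. */
const struct token *find_cert_new(const struct token *toks, size_t n, const char *wanted) {
    for (size_t i = 0; i < n; i++) {
        if (!token_matches(&toks[i], wanted)) continue;
        if (toks[i].has_valid_cert) return &toks[i];
        /* No certificate found on this token: keep searching. */
    }
    return NULL;
}

/* Constructed sample: an opensc-pkcs11 token holding only CA certificates,
 * followed by a softhsm2 token that (for this example) holds a user certificate. */
static const struct token sample[] = {
    { "opensc-pkcs11", "CACard", true, false },
    { "softhsm2", "SoftHSM slot ID 0x0", true, true },
};
const size_t sample_count = sizeof(sample) / sizeof(sample[0]);
```

With no token name given, the old flow stops at the first token and reports no certificate, while the new flow reaches the second token; with a name that matches nothing, both correctly return nothing.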
[Test Plan]
Install some dependencies first:
sudo apt install -y libnss3-tools qemu-system-x86 genisoimage
Create an NSS certificate database and create a CA cert:
mkdir fake-smartcard
cd fake-smartcard
# Will ask for a password
certutil -N -d sql:$PWD
# Will ask for the password entered in the previous step
# Answer yes to both questions and leave path length as default
certutil -S -d sql:$PWD -s "CN=Fake Smart Card CA" -x -2 -t TC,TC,TC -n fake-smartcard-ca
Export the CA cert as PEM so that it can be added to the VM later:
certutil -L -r -d sql:$PWD -o fake-smartcard-ca.cer -n fake-smartcard-ca
openssl x509 -in fake-smartcard-ca.cer -out fake-smartcard-ca.crt -outform pem
Create the user-data file:
cat <<EOF > user-data
#cloud-config
users:
- default
- name: user1
plain_text_passwd: password
shell: /bin/bash
lock_passwd: false
ssh_pwauth: True
chpasswd: { expire: False }
sudo: ALL=(ALL) NOPASSWD:ALL
groups: users, admin
EOF
Create a cloud-init config drive for the VM to store user-data and the
CA cert:
touch network-config
touch meta-data
genisoimage \
-output seed.img \
-volid cidata -rational-rock -joliet \
user-data meta-data network-config fake-smartcard-ca.crt
Download a cloud image for the required Ubuntu version:
version=resolute|questing|plucky|noble
wget https://cloud-images.ubuntu.com/${version}/current/${version}-server-cloudimg-amd64.img
Create and expand a separate file for the root device (useful for
retesting without having to download the cloud image again):
cp ${version}-server-cloudimg-amd64.img root.img
qemu-img resize root.img +10G
Launch VM:
sudo qemu-system-x86_64 -enable-kvm -m 1024 -nic user,model=virtio \
-chardev socket,server=on,host=0.0.0.0,port=2001,id=ccid,wait=off \
-drive file=root.img,media=disk,index=0,if=virtio \
-drive file=seed.img,index=1,media=cdrom -usb -device usb-ccid \
-device ccid-card-emulated,backend=certificates,db=sql:$PWD,cert1=fake-smartcard-ca,cert2=fake-smartcard-ca,cert3=fake-smartcard-ca -usb \
-device virtio-rng-pci -nographic
Login with user1/password and run:
sudo apt update
sudo apt install -y pcscd pcsc-tools libnss3-tools opensc realmd sssd gnutls-bin softhsm2
sudo mount /dev/sr0 /mnt
Finally run this command:
sudo /usr/libexec/sssd/p11_child --pre -d 10 --debug-fd=2 --ca_db
/mnt/fake-smartcard-ca.crt --token_name nothere
This will look for a non-existent token. Without the patch it will
only look at the opensc-pkcs11 module and stop:
[p11_child[3916]] [do_card] (0x4000): (null) /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so CACard Fake Smart Card CA (null) - no label given- 0003.
[p11_child[3916]] [do_card] (0x4000): (null) /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so CACard Fake Smart Card CA (null) - no label given- 0002.
[p11_child[3916]] [do_card] (0x4000): (null) /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so CACard Fake Smart Card CA (null) - no label given- 0001.
[p11_child[3916]] [do_card] (0x4000): No certificate found.
0
Apply the patch and rerun the previous command. The output should
finish like this:
[p11_child[4696]] [do_slot] (0x4000): (null) /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so nothere Fake Smart Card CA (null) - no label given- 0003.
[p11_child[4696]] [do_slot] (0x4000): (null) /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so nothere Fake Smart Card CA (null) - no label given- 0002.
[p11_child[4696]] [do_slot] (0x4000): (null) /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so nothere Fake Smart Card CA (null) - no label given- 0001.
[p11_child[4696]] [do_slot] (0x4000): No certificate found.
Now it will also check the softhsm2 module:
[p11_child[4696]] [do_card] (0x4000): common name: [softhsm2].
[p11_child[4696]] [do_card] (0x4000): dll name: [/usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so].
[p11_child[4696]] [do_card] (0x4000): Description [SoftHSM slot ID 0x0] Manufacturer [SoftHSM project] flags [1] removable [false] token present [true].
[Where Problems Could Occur]
The worst case scenario would be that a working system fails to
authenticate. I don't think that is likely as we are just reworking
the failure path. What will happen is that non-working setups will
start working now if a second valid authentication token is found.
[Other Info]
Backported from a couple of upstream patches:
https://github.com/SSSD/sssd/commit/1b3d5d829c0201aa03621ff80f077787557508b4
https://github.com/SSSD/sssd/commit/782a6dd54967e7c2dd3013f7e68134ee8751ab88
From this issue:
https://github.com/SSSD/sssd/issues/5905
The first patch might appear to be too large but mostly is just
transposing code from inside a function to an external function.