[Bug 2110521] Re: Continue searching other PKCS#11 tokens if certificates are not found

Dave Jones 2110521 at bugs.launchpad.net
Mon Feb 16 14:18:28 UTC 2026 

Corrected milestone for resolute task and updated status to fix
committed.

Unfortunately Launchpad's automated update of the status didn't work as
the version that went into proposed then got superseded by a new merge,
which incorporated this fix but tweaked the changelog entry so the bug
number doesn't match the "LP: #" pattern (which is standard practice
when performing a merge, but happened sufficiently quickly here that
this bug didn't get updated first).

Note for the next sponsor: check if sssd 2.12.0-1ubuntu1 (bug ref, LP:
#2130705) has been published and if so update the resolute task here to
"Fix Released". At that point, the SRUs should be able to proceed.

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/2110521

Title:
  Continue searching other PKCS#11 tokens if certificates are not found

Status in sssd package in Ubuntu:
  Fix Committed
Status in sssd source package in Jammy:
  Won't Fix
Status in sssd source package in Noble:
  In Progress
Status in sssd source package in Plucky:
  Won't Fix
Status in sssd source package in Questing:
  In Progress
Status in sssd source package in Resolute:
  Fix Committed

Bug description:
  [Impact]

  TLDR; users cannot authenticate properly.

  p11_child handles (pre-)authentication in two steps.
  In the first step, it locates a card with a PKCS#11 token that could contain certificates for authentication.
  In the second step, it checks if there are actually valid, usable certificate(s) on it.

  If a mismatch occurs during the first step, it simply skips the
  module/slot/token and goes onto the next one. However if a mismatch
  occurs in the second step, this is considered a failure; it does not
  return to the first step to see if a different card contains the right
  certificates (or to wait for it, if --wait_for_card is given).

  To address this, the code needs to be refactored so that the
  certificate search happens inside the loop that searches/waits for
  tokens.

  [Test Plan]

  Install some dependencies first:

  sudo apt install -y libnss3-tools qemu-system-x86 genisoimage

  Create an NSS certificate database and create a CA cert:

  mkdir fake-smartcard
  cd fake-smartcard
  # Will as for a password
  certutil -N -d sql:$PWD
  # Will ask for the password entered in the previous step
  # Answer yes to both questions and leave path length as default
  certutil -S -d sql:$PWD -s "CN=Fake Smart Card CA" -x -2 -t TC,TC,TC -n fake-smartcard-ca

  Export the CA cert as PEM so that it can be added to the VM later:

  certutil -L -r -d sql:$PWD -o fake-smartcard-ca.cer -n fake-smartcard-ca
  openssl x509 -in fake-smartcard-ca.cer -out fake-smartcard-ca.crt -outform pem

  Create user-data file

  cat <<EOF > user-data
  #cloud-config
  users:
    - default
    - name: user1
      plain_text_passwd: password
      shell: /bin/bash
      lock_passwd: false
      ssh_pwauth: True
      chpasswd: { expire: False }
      sudo: ALL=(ALL) NOPASSWD:ALL
      groups: users, admin
  EOF

  Create a cloud-init config drive for the VM to store user-data and the
  CA cert:

  touch network-config
  touch meta-data
  genisoimage \
      -output seed.img \
      -volid cidata -rational-rock -joliet \
      user-data meta-data network-config fake-smartcard-ca.crt

  Download a cloud image for the required Ubuntu version:

  version=resolute|questing|plucky|noble
  wget https://cloud-images.ubuntu.com/${version}/current/${version}-server-cloudimg-amd64.img

  Create and expand a separate file for the root device (useful for
  retesting without having to download the cloud image again)

  cp ${version}-server-cloudimg-amd64.img root.img
  qemu-img resize root.img +10G

  Launch VM:

  sudo qemu-system-x86_64 -enable-kvm -m 1024 -nic user,model=virtio \
       -chardev socket,server=on,host=0.0.0.0,port=2001,id=ccid,wait=off \
       -drive file=root.img,media=disk,index=0,if=virtio \
       -drive file=seed.img,index=1,media=cdrom -usb -device usb-ccid \
       -device ccid-card-emulated,backend=certificates,db=sql:$PWD,cert1=fake-smartcard-ca,cert2=fake-smartcard-ca,cert3=fake-smartcard-ca -usb \
       -device virtio-rng-pci -nographic

  Login with user1/password and run:

  sudo apt update
  sudo apt install -y pcscd pcsc-tools libnss3-tools opensc realmd sssd gnutls-bin softhsm2
  sudo mount /dev/sr0 /mnt

  Finally run this command:

  sudo /usr/libexec/sssd/p11_child --pre -d 10 --debug-fd=2 --ca_db
  /mnt/fake-smartcard-ca.crt --token_name nothere

  This will look for a non existing token. Without the patch it will
  only look at the opensc-pkcs11 module and stop.

  [p11_child[3916]] [do_card] (0x4000): (null) /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so CACard Fake Smart Card CA (null) - no label given- 0003.
  [p11_child[3916]] [do_card] (0x4000): (null) /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so CACard Fake Smart Card CA (null) - no label given- 0002.
  [p11_child[3916]] [do_card] (0x4000): (null) /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so CACard Fake Smart Card CA (null) - no label given- 0001.
  [p11_child[3916]] [do_card] (0x4000): No certificate found.
  0

  Apply the patch and rerun the previous command. The output should
  finish like this:

  [p11_child[4696]] [do_slot] (0x4000): (null) /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so nothere Fake Smart Card CA (null) - no label given- 0003.
  [p11_child[4696]] [do_slot] (0x4000): (null) /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so nothere Fake Smart Card CA (null) - no label given- 0002.
  [p11_child[4696]] [do_slot] (0x4000): (null) /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so nothere Fake Smart Card CA (null) - no label given- 0001.
  [p11_child[4696]] [do_slot] (0x4000): No certificate found.
  [p11_child[4696]] [do_card] (0x4000): common name: [softhsm2].
  [p11_child[4696]] [do_card] (0x4000): dll name: [/usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so].
  [p11_child[4696]] [do_card] (0x4000): Description [SoftHSM slot ID 0x0] Manufacturer [SoftHSM project] flags [1] removable [false] token present [true].

  Now it will also check the softhsm2 module:

  
  [Where Problems Could Occur]

  The worst case scenario would be that a workin system fails to
  authenticate. I don't think that is likely as we are just reworking
  the failure path. What will happen is that non-working setups will
  start working now if a second valid authentication token is found.

  [Other Info]

  Backported from a couple of upsteam patches

  https://github.com/SSSD/sssd/commit/1b3d5d829c0201aa03621ff80f077787557508b4
  https://github.com/SSSD/sssd/commit/782a6dd54967e7c2dd3013f7e68134ee8751ab88

  From this issue:

  https://github.com/SSSD/sssd/issues/5905

  The first patch might appear to be too large but mostly is just
  transposing code from inside a function to an external function.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/2110521/+subscriptions

More information about the Ubuntu-sponsors mailing list