[Bug 495410] Re: PKCS#11 signing does not work

Steve Langasek steve.langasek at canonical.com
Thu Jan 7 01:42:58 UTC 2010


** Description changed:

  Binary package hint: opensc
  
  Hello,
  we are using OpenSC to authenticate our users and allow access to our Intranet. On Jaunty this worked fine
  but under Karmic it is e.g. not possible to sign data using our smartcards.
  
  Here the output of my testscript under Karmic:
  --8<---8<---
  # dpkg -l opensc libopensc2 libccid pcscd libpcsclite1 linux-image-generic
  
  # dpkg -l opensc libopensc2 libccid pcscd libpcsclite1 linux-image-generic
  Gewünscht=Unbekannt/Installieren/R=Entfernen/P=Vollständig Löschen/Halten
  | Status=Nicht/Installiert/Config/U=Entpackt/Fehlgeschl. Konfiguration/
-          Halb installiert/Trigger erWartet/Trigger anhängig
+          Halb installiert/Trigger erWartet/Trigger anhängig
  |/ Fehler?=(kein)/R=Neuinstallation notwendig (Status, Fehler: GROSS=schlecht)
  ||/ Name               Version            Beschreibung
  +++-==================-==================-====================================================
  ii  libccid            1.3.10-1           PC/SC driver for USB CCID smart card readers
  ii  libopensc2         0.11.8-1ubuntu1    SmartCard library with support for PKCS#15 compatibl
  ii  libpcsclite1       1.5.3-1ubuntu1     Middleware to access a smart card using PC/SC (libra
  ii  linux-image-generi 2.6.31.16.29       Generic Linux kernel image
  ii  opensc             0.11.8-1ubuntu1    SmartCard utilities with support for PKCS#15 compati
  ii  pcscd              1.5.3-1ubuntu1     Middleware to access a smart card using PC/SC (daemo
  
  # opensc-tool -l
  Readers known about:
  Nr.    Driver     Name
  0      pcsc       SCM SCR 335 (21120738300434) 00 00
  
  # pkcs11-tool -l -t
  Please enter User PIN:
  C_SeedRandom() and C_GenerateRandom():
-   seeding (C_SeedRandom) not supported
-   seems to be OK
+   seeding (C_SeedRandom) not supported
+   seems to be OK
  Digests:
-   all 4 digest functions seem to work
-   MD5: OK
-   SHA-1: OK
-   RIPEMD160: OK
+   all 4 digest functions seem to work
+   MD5: OK
+   SHA-1: OK
+   RIPEMD160: OK
  Signatures (currently only RSA signatures)
-   testing key 0 (Private Key)
+   testing key 0 (Private Key)
  error: PKCS11 function C_SignFinal failed: rv = CKR_GENERAL_ERROR (0x5)
  
  Aborting.
  ----8<----8<-----
  The same script under Jaunty runs without errors:
  ----8<----8<-----
  # ./smartcard-test.sh
  
  # dpkg -l opensc libopensc2 libccid pcscd libpcsclite1 linux-image-generic
  Gewünscht=Unbekannt/Installieren/R=Entfernen/P=Vollständig Löschen/Halten
  | Status=Nicht/Installiert/Config/U=Entpackt/Fehlgeschl. Konfiguration/
-          Halb installiert/Trigger erWartet/Trigger anhängig
+          Halb installiert/Trigger erWartet/Trigger anhängig
  |/ Fehler?=(kein)/Halten/R=Neuinst notw/X=beide (Status, Fehler: GROSS=schlecht)
  ||/ Name               Version            Beschreibung
  +++-==================-==================-====================================================
  ii  libccid            1.3.8-1            PC/SC driver for USB CCID smart card readers
  ii  libopensc2         0.11.4-5ubuntu1    SmartCard library with support for PKCS#15 compatibl
  ii  libpcsclite1       1.4.102-1ubuntu2   Middleware to access a smart card using PC/SC (libra
  ii  linux-image-generi 2.6.28.17.22       Generic Linux kernel image
  ii  opensc             0.11.4-5ubuntu1    SmartCard utilities with support for PKCS#15 compati
  ii  pcscd              1.4.102-1ubuntu2   Middleware to access a smart card using PC/SC (daemo
  
  # opensc-tool -l
  Readers known about:
  Nr.    Driver     Name
  0      pcsc       SCM SCR 335 00 00
  
  # pkcs11-tool -l -t
  Please enter User PIN:
  C_SeedRandom() and C_GenerateRandom():
-   not implemented
+   not implemented
  Digests:
-   all 4 digest functions seem to work
-   MD5: OK
-   SHA-1: OK
-   RIPEMD160: OK
+   all 4 digest functions seem to work
+   MD5: OK
+   SHA-1: OK
+   RIPEMD160: OK
  Signatures (currently only RSA signatures)
-   testing key 0 (Private Key)
-   all 4 signature functions seem to work
-   testing signature mechanisms:
-     RSA-PKCS: OK
-     SHA1-RSA-PKCS: OK
-     MD5-RSA-PKCS: OK
-     RIPEMD160-RSA-PKCS: OK
+   testing key 0 (Private Key)
+   all 4 signature functions seem to work
+   testing signature mechanisms:
+     RSA-PKCS: OK
+     SHA1-RSA-PKCS: OK
+     MD5-RSA-PKCS: OK
+     RIPEMD160-RSA-PKCS: OK
  Verify (currently only for RSA):
-   testing key 0 (Private Key)
-     RSA-PKCS: OK
-     SHA1-RSA-PKCS: OK
-     MD5-RSA-PKCS: OK
-     RIPEMD160-RSA-PKCS: OK
+   testing key 0 (Private Key)
+     RSA-PKCS: OK
+     SHA1-RSA-PKCS: OK
+     MD5-RSA-PKCS: OK
+     RIPEMD160-RSA-PKCS: OK
  Key unwrap (RSA)
-   testing key 0 (Private Key)
-     DES-CBC: OK
-     DES-EDE3-CBC: OK
-     BF-CBC: OK
-     CAST5-CFB: OK
+   testing key 0 (Private Key)
+     DES-CBC: OK
+     DES-EDE3-CBC: OK
+     BF-CBC: OK
+     CAST5-CFB: OK
  Decryption (RSA)
-   testing key 0 (Private Key)
-     RSA-PKCS: OK
+   testing key 0 (Private Key)
+     RSA-PKCS: OK
  Testing card detection
  Please press return to continue, x to exit: x
  Testing card detection using C_WaitForSlotEvent
  Please press return to continue, x to exit: x
  No errors
  
  ----8<----8<-----
  
  The debug output from opensc (debug-level 99) is attached.
  
  Kind regards,
  Dominik Fischer
+ 
+ SRU JUSTIFICATION:  breaks backwards-compatibility with any starcos
+ cards that were initialized using opensc from Ubuntu 9.04 or earlier.
+ 
+ TEST CASE:
+ must be verified by someone in possession of the starcos hardware.
+ 1. initialize a starcos smartcard with opensc in jaunty.
+ 2. verify that 'sudo pkcs11-tool -l -t' works.
+ 2. upgrade to karmic.  verify that 'sudo pkcs11-tool -l -t' now fails.
+ 3. install libopensc2 and opensc from karmic-proposed.
+ 4. verify that 'sudo pkcs11-tool -l -t' again works.
+ 5. downgrade to the karmic version of libopensc2 and opensc, and initialize a (new?) card.
+ 6. verify that 'sudo pkcs11-tool -l -t' works.
+ 7. install libopensc2 and opensc from karmic-proposed.
+ 8. verify that 'sudo pkcs11-tool -l -t' still works.
+ 
+ REGRESSION POTENTIAL:
+ Although we can confirm that cards initialized with opensc << 0.11.5 aren't usable with karmic and therefore have zero chance of regression, it's OTOH possible (though unlikely) that this change will inadvertently break compatibility with starcos cards that users have already initialized with karmic and are using successfully.  It does not seem likely that we will have other starcos smartcard users who can test this possibility for us, so we are dependent on Dominik to test against this potential regression for us if he's willing.
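Review bot: the added TEST CASE list uses the number "2." twice (for "verify that 'sudo pkcs11-tool -l -t' works" and for "upgrade to karmic"), so the labels run 1 to 8 over nine steps and a tester reporting "step 2 failed" is ambiguous; renumber the list 1 to 9. Step 5's "initialize a (new?) card" also leaves open whether the karmic-initialized check needs a fresh card or may reuse the one initialized under jaunty. Since the REGRESSION POTENTIAL paragraph is specifically about cards already initialized with karmic, the step should say which card to use.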

-- 
PKCS#11 signing does not work 
https://bugs.launchpad.net/bugs/495410