pkcs15 profiles not packaged, pkcs15-init not functional

i can confirm this bug.

Status changed to 'Confirmed' because the bug affects multiple users.

I first tried to fix it like this:

mkdir /usr/share/opensc
wget http://archive.ubuntu.com/ubuntu/pool/universe/o/opensc/opensc_0.11.13.orig.tar.gz
tar -xzf opensc_0.11.13.orig.tar.gz
cp opensc-0.11.13/src/pkcs15init/*profile /usr/share/opensc/
rm -Rf opensc-0.11.13 opensc_0.11.13.orig.tar.gz

After this you can inititalize the card, but something is still broken.
If you dump the card everything looks fine.

But when you try to use the pkcs15 token it fails mysteriously. The card is not initialised correctly.

When i try to use this token on ubuntu 11.04 it fails too. But when i reinitialize it on ubuntu 11.04 with exactly same commands and same p12 file it suddenly works.

this my error message under 11.04 with token initalized under 11.10:
[opensc-pkcs11] iso7816.c:99:iso7816_check_sw: File not found
[opensc-pkcs11] iso7816.c:462:iso7816_select_file: returning with: File not found
[opensc-pkcs11] card-entersafe.c:467:entersafe_select_fid: APDU transmit failed: File not found
[opensc-pkcs11] card.c:554:sc_select_file: returning with: File not found
[opensc-pkcs11] pkcs15-sec.c:56:select_key_file: sc_select_file() failed: File not found
[opensc-pkcs11] pkcs15-sec.c:260:sc_pkcs15_compute_signature: Unable to select private key file: File not found
C_Sign failed: 5

more to follow, just have to reboot my system ;-)

Ok, now i rebooted and have reproducable steps. I am using a Feitian PKI ePass Token.

My steps:

1. ubuntu 11.04 (oneiric)
pkcs15-init failed because of missing pkcs15.profile
Using reader with a card: Feitian SCR301 00 00
Couldn't bind to the card: File not found

2. now i copy old profile files as root:
mkdir /usr/share/opensc
wget http://archive.ubuntu.com/ubuntu/pool/universe/o/opensc/opensc_0.11.13.orig.tar.gz
tar -xzf opensc_0.11.13.orig.tar.gz
cp opensc-0.11.13/src/pkcs15init/*profile /usr/share/opensc/
rm -Rf opensc-0.11.13 opensc_0.11.13.orig.tar.gz

3. Now i can erase the card:
$ pkcs15-init -E
Using reader with a card: Feitian SCR301 00 00
$ pkcs15-tool -D
Using reader with a card: Feitian SCR301 00 00
PKCS#15 Card [(null)]:
 Version : 0
 Serial number : 3047475113131210
 Manufacturer ID: entersafe
 Flags :

4. Now i initalize the card with my p12 file (still on 11.10)
$ pkcs15-init -E
$ pkcs15-init --create-pkcs15 --profile pkcs15+onepin --use-default-transport-key
$ pkcs15-init --store-private-key my.p12 --format pkcs12 --auth-id 01
Importing 2 certificates:
  0: /C=DE/ST=Germany/...
  1: /C=DE/ST=Germany/...

I can dump the content with pkcs15-tool -D
Everything *seems* to be fine fine. But some operations are very slow...

5. Now i try to connect to my ssh server, it fails (still on 11.10)

$ ssh -I /usr/lib/opensc-pkcs11.so zentrale.kicktipp.de
C_GetTokenInfo failed: 224
Enter PIN for 'label (User PIN)':
C_Login failed: 160
ssh_rsa_sign: RSA_sign failed: error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library
me@myhost's password:

6. Now i reboot into 11.04

ssh still fails with this token, which was initailized under 11.10

$ ssh -I /usr/lib/opensc-pkcs11.so myhost
[opensc-pkcs11] iso7816.c:99:iso7816_check_sw: File not found
[opensc-pkcs11] iso7816.c:462:iso7816_select_file: returning with: File not found
[opensc-pkcs11] card-entersafe.c:467:entersafe_select_fid: APDU transmit failed: File not found
[opensc-pkcs11] card.c:554:sc_select_file: returning with: File not found
[opensc-pkcs11] pkcs15-sec.c:56:select_key_file: sc_select_file() failed: File not found
[opensc-pkcs11] pkcs15-sec.c:260:sc_pkcs15_compute_signature: Unable to select private key file: File not found
C_Sign failed: 5

7. reinit the token under 11.04 with the same p12 file and same commands as 4. above
looks fine (and it is!)

8. try ssh under 11.04
$ ssh -I /usr/lib/opensc-pkcs11.so myhost
works now like a charm

9. rebooting again to check this token under 11.10
(But token was initialized under 11.04)

ssh -I /usr/lib/opensc-pkcs11.so myhost
C_GetTokenInfo failed: 224
Enter PIN for 'label (User PIN)':
Last login: Sun Nov 20 13:19:50 2011 from ...
$

So it still workes but shows one error message.

It seems to me that packaging of opensc is completly broken. Please fix it! If i can help you in any way, please let me know.

regards
janning

I can confirm this, including that initialisation ( pkcs15-init --create-pkcs15 --profile pkcs15+onepin+feitianpki --use-default-transport-key ....) is reeeaaaaalllllyyyyy ssssllllooooowwww.
Maybe unrelated, but gemalto .net card when libgtop11dotnet.so is used as pkcs11 lib is also slooow on oneiric, and the same card on USB seems to be slower than using a pcmcia reader.

I can confirm it too... we use tokens for authentication in our company and I can't now initialize new tokens so it's quite very bad issue for me...

This problem is still present in Precise beta as of today. Manually copying the profiles from the opensc-0.12.2 distribution makes things work for me. This seems like a simple packaging error - could it please be fixed by the next Precise beta release?

so the fix is apparently just to add a line in debian/opensc.install reading:
debian/tmp/usr/share/opensc/*.profile

could we please have it fixed?

Ok so I put a branch up for review and assigned this to myself.

I hope the process is correct...

Uploaded: thank you very much for your work!

This bug was fixed in the package opensc - 0.12.1-1ubuntu4

---------------
opensc (0.12.1-1ubuntu4) precise; urgency=low

  * debian/opensc.install: Added profiles (LP: #872019)
 -- Christopher Glass <email address hidden> Sat, 31 Mar 2012 09:10:01 +0200