[Ubuntu] 18.04.3 - CKR_SIGNATURE_INVALID, CKR_FUNCTION_FAILED when running the rsa_tests from opencryptoki 3.9.0 on the ICA token

------- Comment From <email address hidden> 2019-08-16 03:47 EDT-------
Problem description (Tested with 18.04.2 but need be fixed with 18.04.3)
=======
Ubuntu 18.04.2 system installed ( 4.15.0-55-generic kernel ) providing
opencryptoki version 3.9.0, and libica version 3.2.1
The rsa_tests being part of the github opencryptoki package show failures.
Total=717, Ran=591, Passed=560, Failed=31, Skipped=126, Errors=2
The problem is immediately reproducible.

Details
=======
Set up Ubuntu 18.04.2 with opencryptoki and libica3.
Initialize the opencryptoki ICA token, compile and build the opencryptoki tests
being part of the github opencryptoki package tagged as 3.9.0.
After successful initialization, the ICA token is expected to be readily initialized
as follows:

# pkcsconf -t -c 0
Token #0 Info:
Label: icatest
Manufacturer: IBM Corp.
Model: IBM ICA
Serial Number: 123
Flags: 0x44D (RNG|LOGIN_REQUIRED|USER_PIN_INITIALIZED|CLOCK_ON_TOKEN|TOKEN_INITIALIZED)
Sessions: 0/18446744073709551614
R/W Sessions: 18446744073709551615/18446744073709551614
PIN Length: 4-8
Public Memory: 0xFFFFFFFFFFFFFFFF/0xFFFFFFFFFFFFFFFF
Private Memory: 0xFFFFFFFFFFFFFFFF/0xFFFFFFFFFFFFFFFF
Hardware Version: 1.0
Firmware Version: 1.0
Time: 17:48:54

export PKCS11_USER_PIN=<Your PIN> and run the rsa_tess against the ICA token.

Terminal ouptut
===============
...
------
* TESTCASE do_SignVerifyRSA BEGIN RSA X.509 Sign and Verify with test vector 0,
publ_exp='03', mod_bits='512', keylen='0'.
* TESTCASE do_SignVerifyRSA FAIL (rsa_func.c:491) C_Verify(), rc=CKR_SIGNATURE_INVALID
------
// Happening for test vectors 0 to 29 in the same way.
...
------
* TESTCASE do_SignVerify_RSAPSS BEGIN RSA PKCS PSS Sign and Verify with test vector 3,
publ_exp='010001', mod_bits='1024', keylen='0'.
* TESTCASE do_SignVerify_RSAPSS ERROR (rsa_func.c:642)) C_DigestInit rc=CKR_MECHANISM_INVALID
------
...
------
* TESTCASE do_EncryptDecryptRSA BEGIN RSA PKCS OAEP Encrypt and Decrypt with test vector 3.
publ_exp='010001', modbits=1024, publ_exp_len=3, inputlen=28.
* TESTCASE do_EncryptDecryptRSA ERROR (rsa_func.c:210)) C_Encrypt, rc=CKR_FUNCTION_FAILED
------

---uname output---
Linux t35lp22 4.15.0-55-generic #60-Ubuntu SMP Tue Jul 2 18:21:03 UTC 2019 s390x s390x s390x GNU/Linux

Machine Type = IBM 3906

---Debugger---
A debugger is not configured

---Steps to Reproduce---
1.) Install the opencryptoki and libica3 packages
2.) Add your user to the pkcs11 group: usermod -aG pkcs11 root and re-login
3.) run: systemctl start pkcsslotd.service
4.) compile and build the opencryptoki version 3.9.0 test cases using the
GitHub package version 3.9
5.) run the rsa_tests from the testcases/crypto/ directory, against the ICA slot
./rsa_tests -slot <N>

Userspace tool common name: N/A

The userspace tool has the following bit modes: 64bit

Userspace rpm: opencryptoki

------- Comment From <email address hidden> 2019-08-16 03:50 EDT-------
Solution
Backport of following git-commits

- CKR_SIGNATURE_INVALID error
=> https://github.com/opencryptoki/opencryptoki/commit/02a5840afef2fd3b5879d4bed35e17c809341cf0
that came after 3.9.0.

- CKR_MECHANISM_INVALID with RSA PKCS PSS Sign
- RSA PKCS OAEP Encrypt and Decrypt:

This test vector uses CKG_MGF1_SHA224 as MGF. SHA224 was not supported as MGF until commit
=> https://github.com/opencryptoki/opencryptoki/commit/f5e55194748fc52360adbf69f7a7e8168644cc3b
that came after 3.9.0.

All these problems are already fixed in 3.10.0 and need to be backported into 3.9.0

Please notice that it's requited to always run on the latest Ubuntu level, for example run:
sudo apt update && sudo apt full-upgrade
(and depending on a newer kernel don't forget to restart to activate it)
opencryptoki and libica3 are fine in this case, but the kernel is not the latest.
As of today the current kernel is 4.15.0.58.

------- Comment From <email address hidden> 2019-08-16 05:56 EDT-------
Decrease severity to 'high' due to fix being available.

Hello bugproxy, or anyone else affected,

Accepted opencryptoki into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/opencryptoki/3.9.0+dfsg-0ubuntu1.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

------- Comment From <email address hidden> 2019-09-13 05:13 EDT-------
this bugzilla can be closed,
OCK behaves correctly, it returns CKR_MECHANISM_INVALID when an unsupported mechanism is specified in the PSS or OQEP parameters. That's as expected.

------- Comment From <email address hidden> 2019-09-13 06:05 EDT-------
The tests are execute on opencryptoki/bionic-proposed (opencryptoki/bionic-proposed 3.9.0+dfsg-0ubuntu1.2 s390x) and run the rsa_test on the ICA token.
Hands verified successfull done..

Updating the verification tags accordingly ...

The verification of the Stable Release Update for opencryptoki has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

------- Comment From <email address hidden> 2019-09-17 03:40 EDT-------
IBM Bugzilla status -> closed, Fix Released with Ubuntu 18.04.3