PKCS#11 signing does not work

Bug #495410 reported by Dominik
This bug affects 1 person
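| Affects         | Status       | Importance | Assigned to    | Milestone |
|-----------------|--------------|------------|----------------|-----------|
| opensc (Ubuntu) | Fix Released | High       | Steve Langasek |           |
| Karmic          | Fix Released | High       | Steve Langasek |           |
| Lucid           | Fix Released | High       | Steve Langasek |           |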

Bug Description

Binary package hint: opensc

Hello,
we are using OpenSC to authenticate our users and allow access to our Intranet. On Jaunty this worked fine
but under Karmic it is e.g. not possible to sign data using our smartcards.

Here is the output of my test script under Karmic:
--8<---8<---
# dpkg -l opensc libopensc2 libccid pcscd libpcsclite1 linux-image-generic

# dpkg -l opensc libopensc2 libccid pcscd libpcsclite1 linux-image-generic
Gewünscht=Unbekannt/Installieren/R=Entfernen/P=Vollständig Löschen/Halten
| Status=Nicht/Installiert/Config/U=Entpackt/Fehlgeschl. Konfiguration/
         Halb installiert/Trigger erWartet/Trigger anhängig
|/ Fehler?=(kein)/R=Neuinstallation notwendig (Status, Fehler: GROSS=schlecht)
||/ Name Version Beschreibung
+++-==================-==================-====================================================
ii libccid 1.3.10-1 PC/SC driver for USB CCID smart card readers
ii libopensc2 0.11.8-1ubuntu1 SmartCard library with support for PKCS#15 compatibl
ii libpcsclite1 1.5.3-1ubuntu1 Middleware to access a smart card using PC/SC (libra
ii linux-image-generi 2.6.31.16.29 Generic Linux kernel image
ii opensc 0.11.8-1ubuntu1 SmartCard utilities with support for PKCS#15 compati
ii pcscd 1.5.3-1ubuntu1 Middleware to access a smart card using PC/SC (daemo

# opensc-tool -l
Readers known about:
Nr. Driver Name
0 pcsc SCM SCR 335 (21120738300434) 00 00

# pkcs11-tool -l -t
Please enter User PIN:
C_SeedRandom() and C_GenerateRandom():
  seeding (C_SeedRandom) not supported
  seems to be OK
Digests:
  all 4 digest functions seem to work
  MD5: OK
  SHA-1: OK
  RIPEMD160: OK
Signatures (currently only RSA signatures)
  testing key 0 (Private Key)
error: PKCS11 function C_SignFinal failed: rv = CKR_GENERAL_ERROR (0x5)

Aborting.
----8<----8<-----
The same script under Jaunty runs without errors:
----8<----8<-----
# ./smartcard-test.sh

# dpkg -l opensc libopensc2 libccid pcscd libpcsclite1 linux-image-generic
Gewünscht=Unbekannt/Installieren/R=Entfernen/P=Vollständig Löschen/Halten
| Status=Nicht/Installiert/Config/U=Entpackt/Fehlgeschl. Konfiguration/
         Halb installiert/Trigger erWartet/Trigger anhängig
|/ Fehler?=(kein)/Halten/R=Neuinst notw/X=beide (Status, Fehler: GROSS=schlecht)
||/ Name Version Beschreibung
+++-==================-==================-====================================================
ii libccid 1.3.8-1 PC/SC driver for USB CCID smart card readers
ii libopensc2 0.11.4-5ubuntu1 SmartCard library with support for PKCS#15 compatibl
ii libpcsclite1 1.4.102-1ubuntu2 Middleware to access a smart card using PC/SC (libra
ii linux-image-generi 2.6.28.17.22 Generic Linux kernel image
ii opensc 0.11.4-5ubuntu1 SmartCard utilities with support for PKCS#15 compati
ii pcscd 1.4.102-1ubuntu2 Middleware to access a smart card using PC/SC (daemo

# opensc-tool -l
Readers known about:
Nr. Driver Name
0 pcsc SCM SCR 335 00 00

# pkcs11-tool -l -t
Please enter User PIN:
C_SeedRandom() and C_GenerateRandom():
  not implemented
Digests:
  all 4 digest functions seem to work
  MD5: OK
  SHA-1: OK
  RIPEMD160: OK
Signatures (currently only RSA signatures)
  testing key 0 (Private Key)
  all 4 signature functions seem to work
  testing signature mechanisms:
    RSA-PKCS: OK
    SHA1-RSA-PKCS: OK
    MD5-RSA-PKCS: OK
    RIPEMD160-RSA-PKCS: OK
Verify (currently only for RSA):
  testing key 0 (Private Key)
    RSA-PKCS: OK
    SHA1-RSA-PKCS: OK
    MD5-RSA-PKCS: OK
    RIPEMD160-RSA-PKCS: OK
Key unwrap (RSA)
  testing key 0 (Private Key)
    DES-CBC: OK
    DES-EDE3-CBC: OK
    BF-CBC: OK
    CAST5-CFB: OK
Decryption (RSA)
  testing key 0 (Private Key)
    RSA-PKCS: OK
Testing card detection
Please press return to continue, x to exit: x
Testing card detection using C_WaitForSlotEvent
Please press return to continue, x to exit: x
No errors

----8<----8<-----

The debug output from opensc (debug-level 99) is attached.

Kind regards,
Dominik Fischer

SRU JUSTIFICATION: breaks backwards-compatibility with any starcos cards that were initialized using opensc from Ubuntu 9.04 or earlier.

TEST CASE:
must be verified by someone in possession of the starcos hardware.
1. initialize a starcos smartcard with opensc in jaunty.
2. verify that 'sudo pkcs11-tool -l -t' works.
2. upgrade to karmic. verify that 'sudo pkcs11-tool -l -t' now fails.
3. install libopensc2 and opensc from karmic-proposed.
4. verify that 'sudo pkcs11-tool -l -t' again works.
5. downgrade to the karmic version of libopensc2 and opensc, and initialize a (new?) card.
6. verify that 'sudo pkcs11-tool -l -t' works.
7. install libopensc2 and opensc from karmic-proposed.
8. verify that 'sudo pkcs11-tool -l -t' still works.

REGRESSION POTENTIAL:
Although we can confirm that cards initialized with opensc << 0.11.5 aren't usable with karmic and therefore have zero chance of regression, it's OTOH possible (though unlikely) that this change will inadvertently break compatibility with starcos cards that users have already initialized with karmic and are using successfully. It does not seem likely that we will have other starcos smartcard users who can test this possibility for us, so we are dependent on Dominik to test against this potential regression for us if he's willing.

Dominik (domfi) wrote :

To exclude the kernel as the possible cause, I've installed a kernel package (2.6.31-14) from karmic on a jaunty system. The test runs without error.

So: the kernel doesn't cause this problem.

Regards,
Dominik

Torsten Spindler (tspindler) wrote :

To summarize, this bug is about a regression in Karmic. Smartcards that worked perfectly fine under Jaunty now show an error.

Dominik (domfi) wrote :

In the same way I've eliminated:
  * libccid
  * libpcsclite1
  * pcscd

After I've installed libopensc2-0.11.8 the error occurred. So the bug seems to be introduced after libopensc2 version 0.11.4-5ubuntu1

Regards,
Dominik

Dominik (domfi) wrote :

Cross-checked: On my Karmic system I've downgraded libopensc2 to 0.11.4 and the Smartcard works!

So: Now it's up to you to find the change which causes the problem.

Regards,
Dominik

Torsten Spindler (tspindler) wrote : Re: [Bug 495410] Re: PKCS#11 signing does not work

On Fri, 2009-12-11 at 12:35 +0000, Dominik wrote:
> Cross-checked: On my Karmic system I've downgraded libopensc2 to 0.11.4
> and the Smartcard works!

Great detective work! Can we possibly get access to the test
script/program and hardware?

Changed in opensc (Ubuntu):
status: New → Confirmed
importance: Undecided → High
Changed in opensc (Ubuntu Lucid):
importance: High → Medium
Changed in opensc (Ubuntu Karmic):
importance: Undecided → High
status: New → Confirmed
Changed in opensc (Ubuntu Lucid):
status: Confirmed → New
tags: added: regression-potential
Changed in opensc (Ubuntu Karmic):
milestone: none → karmic-updates
Changed in opensc (Ubuntu Karmic):
assignee: nobody → Canonical Foundations Team (canonical-foundations)
Steve Langasek (vorlon) wrote :

Hi Dominik,

What architecture is this happening on?

There was an intermediate version of opensc uploaded prior to the karmic release, that was superseded by 0.11.8 in karmic final - could you try downloading the packages linked from https://launchpad.net/ubuntu/karmic/+source/opensc/0.11.7-2ubuntu1 (click on the architecture name on the right-hand side), to verify whether that version is also affected and help us narrow the search?

Steve Langasek (vorlon)
tags: added: regression-release
removed: regression-potential
Dominik (domfi) wrote :

Hi Steve,
architecture is i386. I've not tested other architectures (amd64) so far.
I get the same error after downgrading to 0.11.7-2ubuntu1.

Andreas Jellinghaus (tolonuga) wrote :

the cause is change 3401 between 0.11.4 and 0.11.5. reverting it will get your cards to work for now.

however we still need to analyse the situation. I guess the change is correct. the new code will properly encode information on the cards. however the fixed format is incompatible with the old one, thus new code can't handle old cards and vice versa. in that case we need extra code to detect cards initialized with old code, and decode the "broken" format on the old cards so they work again with new code. and a tool to convert old cards from broken to correct format.

discussion takes place on opensc-devel mailing list, will update this entry once we know what exactly is going on and how we can handle it.

Dominik (domfi) wrote :

Hi,
Andreas implemented a way to recognize and handle (starcos) smartcards initialized before opensc-0.11.5.
He released a release candidate (opensc-0.11.12-rc1) which I've tested: it works in our environment.
Andreas did a great job!

I think after the release of opensc-0.11.12 it should be included in Karmic and of course in Lucid. What is the further way to get it officially in there?

Regards,
Dominik

Andreas Jellinghaus (tolonuga) wrote :

This bug was fixed in OpenSC 0.11.12. For details see:
http://www.opensc-project.org/pipermail/opensc-announce/2009-December/000030.html

Ubuntu could publish packages of this latest version or backport the changes to older versions
(simply diff 0.11.12 against 0.11.11 so you can easily extract the related changes).

Dominik (domfi) wrote :

I have packaged the new version. Have a look at the opensc-team PPA:
https://launchpad.net/~opensc-team/+archive/opensc

Regards,
Dominik

Robbie Williamson (robbiew) wrote :

Currently, 0.11.9 is included in Lucid (10.04). Does this particular version have the fix? With 10.04 being an LTS release, we are conservatively updating packages and only pulling from Debian testing (instead of unstable), which also has 0.11.9. We have the option to make exceptions, but will need to know if 0.11.9 addresses the problem seen in Karmic before considering it.

Dominik (domfi) wrote :

0.11.9 does not work for us (I tried all versions between 0.11.4 and 0.11.11, they all don't work for us).
The behaviour was fixed in version 0.11.12 which was released on 2009-12-18 by Andreas. We have problems with all versions between 0.11.5 and 0.11.11. So please include 0.11.12 in Lucid (which I would prefer) or backport the relevant changes from 0.11.12.

Kind regards,
Dominik

Andreas Jellinghaus (tolonuga) wrote :

no, opensc in debian (0.11.9-2) is too old to contain the fix.
so please update to 0.11.11, or backport the changes (but since
most other changes are important fixes too ...).

if you care about working smart card support, it would be nice
to fix openct too (see my new bug report 503119).

Andreas Jellinghaus (tolonuga) wrote :

oops, got the version wrong.

please update to opensc 0.11.12, the first version with the fix.

Changed in opensc (Ubuntu Lucid):
status: New → Confirmed
assignee: nobody → Canonical Foundations Team (canonical-foundations)
importance: Medium → High
Steve Langasek (vorlon)
Changed in opensc (Ubuntu Lucid):
assignee: Canonical Foundations Team (canonical-foundations) → Steve Langasek (vorlon)
Changed in opensc (Ubuntu Karmic):
assignee: Canonical Foundations Team (canonical-foundations) → Steve Langasek (vorlon)
Steve Langasek (vorlon) wrote :

Since this is entirely a community-supported package in Ubuntu and we don't have the hardware resources to regression-test a new upstream version for karmic, I'm afraid this will be a backport of the one fix in the case of karmic.

For lucid, I think it's reasonable to pull the new upstream version in directly given that there's cause. However, the package in the ppa diverges significantly from what's currently in lucid, in part because the packaging appears to lag behind the Debian maintainer's work. Are either of you willing to update the ppa to the current lucid packaging and test the result, so that we can get some confirmation that the package works prior to uploading to lucid?

Steve Langasek (vorlon)
description: updated
Steve Langasek (vorlon)
Changed in opensc (Ubuntu Karmic):
status: Confirmed → In Progress
Changed in opensc (Ubuntu Lucid):
status: Confirmed → In Progress
Andreas Jellinghaus (tolonuga) wrote :

with an erasable starcos card (iKey 3000) I did those tests for forward and backward compatibility.
if that token is initialized with opensc >= 0.11.5 or the latest opensc with the fixes, it still works on
opensc < 0.11.5 fine in both cases.

Steve Langasek (vorlon) wrote :

Since the fix is being backported for karmic, the concern will be whether we can assume that your test results with 0.11.12 apply to this backported version. Even if you're confident that the change stands alone, there's always the possibility that I've screwed up the backport. :) So from the perspective of the SRU team, it's far preferable to have a test with the actual package that's been uploaded to karmic-proposed (which has not yet been published), to eliminate any doubt - but if a full regression test here is too intrusive, I can understand that.

Torsten Spindler (tspindler) wrote :

I have access to the hardware and can test the backported fix for Karmic
and any new package for Lucid.

Dominik (domfi) wrote :

Steve,
I will build packages for lucid tomorrow (or the weekend). For this I will have a look at the debian packages to find the lag you mentioned.

Regards,
Dominik

Steve Langasek (vorlon) wrote :

On Thu, Jan 07, 2010 at 07:03:33PM -0000, Dominik wrote:
> I will build packages for lucid tomorrow (or the weekend). For this I will
> have a look at the debian packages to find the lag you mentioned.

Ok. Please see lp:ubuntu/opensc as well, I've pulled in the new upstream
version and cherry-picked a couple of your changes from your ppa, hopefully
this is everything that's needed to get this up-to-date.

--
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
<email address hidden>                              <email address hidden>

Martin Pitt (pitti) wrote : Please test proposed package

Accepted opensc into karmic-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Changed in opensc (Ubuntu Karmic):
status: In Progress → Fix Committed
tags: added: verification-needed
Dominik (domfi) wrote :

I've uploaded a package for lucid to opensc ppa. This package is based on lp:ubuntu/opensc .
The only thing I've changed was the copyright since it was outdated. Please have a look at
the package.

Next I will test the proposed package for karmic for regressions (like described earlier).
Btw: what does "SRU" stand for?

Boris Devouge (bdevouge) wrote :
Andreas Jellinghaus (tolonuga) wrote :

"SRU" is "stable release update", i.e. ubuntu plans to fix karmic via karmic-proposed-updates.

I saw the branch in launchpad and it looks good, but is there a ppa with packages somewhere?

packages.ubuntu.com doesn't show any opensc package except in the normal releases.

Andreas Jellinghaus (tolonuga) wrote :

ah, there are source and binary packages here:
https://launchpad.net/ubuntu/karmic/+source/opensc/0.11.8-1ubuntu2

Dominik, can you verify those with your cards?

any idea why searching for "opensc" in "any" distribution on packages.ubuntu.com
doesn't find those?

Dominik (domfi) wrote :

My test results:

- installed fresh Jaunty
- initialized smartcard
- "pkcs11-tool -l -t": Runs without the error.
- updated to karmic
- !!! Regression: provider_library is wrong: should be /lib/libpcsclite.so.1 --> Changed it in /etc/opensc/opensc.conf
- "pkcs11-tool -l -t": Runs with error!
- updated opensc and libopensc2 to version from karmic-proposed
- "pkcs11-tool -l -t": Runs without the error.
- downgraded opensc and libopensc to original karmic version, (changed provider_library again...)
- initialized smartcard again
- "pkcs11-tool -l -t": Runs without the error.
- upgraded to karmic-proposed version (changed provider_library again...)
- "pkcs11-tool -l -t": Runs without the error.

So, for me: The version in karmic-proposed is OK!

The only point is the "regression" between jaunty and karmic: With the new version in lucid we have to correct the
provider_library (which I've already done in my ppa for karmic and I will change this too in my ppa for lucid).

Good night :-)

Martin Pitt (pitti)
tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package opensc - 0.11.8-1ubuntu2

---------------
opensc (0.11.8-1ubuntu2) karmic-proposed; urgency=low

  * debian/patches/starcos-fix.patch: add upstream workaround for
    OpenSC <= 0.11.4 with bad encoding of Integers in asn.1: fix starcos
    cards with negative keyReference or pinReference by adding 256.
    LP: #495410.
  * Build-depend on quilt for the above.
 -- Steve Langasek <email address hidden> Thu, 07 Jan 2010 01:19:36 +0000

Changed in opensc (Ubuntu Karmic):
status: Fix Committed → Fix Released
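
The changelog entry above, and Andreas's earlier comment about detecting cards initialized with old code, both turn on how a DER INTEGER carries its sign. The following is an added example, not code from OpenSC or from the Ubuntu patch: it assumes the legacy writer stored a one-byte reference without the leading zero byte, and the function names and the sample references 0x11 and 0x91 are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Decode the content octets of a DER INTEGER (big-endian two's complement).
 * Returns 0 on success, -1 if the input is empty or too long for a long. */
static int der_int_decode(const unsigned char *p, size_t len, long *out)
{
    if (len == 0 || len > sizeof(long))
        return -1;
    unsigned long v = (p[0] & 0x80) ? ~0UL : 0UL; /* sign-extend top bit */
    for (size_t i = 0; i < len; i++)
        v = (v << 8) | p[i];
    *out = (long)v;
    return 0;
}

/* Correct encoding of a reference 0..255: a value with the top bit set
 * needs a leading 0x00, otherwise it reads back as negative. */
static size_t der_int_encode_u8(unsigned v, unsigned char out[2])
{
    size_t n = 0;
    if (v & 0x80)
        out[n++] = 0x00;
    out[n++] = (unsigned char)v;
    return n;
}

/* ASSUMPTION: shape of the legacy bug, the byte written with no leading 0. */
static size_t legacy_encode_u8(unsigned v, unsigned char out[2])
{
    out[0] = (unsigned char)v;
    return 1;
}

/* Read a keyReference/pinReference with the changelog's workaround:
 * a negative result is treated as a legacy encoding and gets 256 added.
 * Returns the reference (0..255) or -1 if it cannot be one. */
static int read_reference(const unsigned char *p, size_t len)
{
    long v;
    if (der_int_decode(p, len, &v) != 0)
        return -1;
    if (v < 0)
        v += 256;
    return (v >= 0 && v <= 255) ? (int)v : -1;
}

int main(void)
{
    const unsigned refs[] = { 0x11, 0x91 };   /* constructed sample values */
    for (size_t i = 0; i < 2; i++) {
        unsigned char old[2], fixed[2];
        long raw;
        size_t n_old = legacy_encode_u8(refs[i], old);
        size_t n_new = der_int_encode_u8(refs[i], fixed);
        der_int_decode(old, n_old, &raw);
        printf("ref 0x%02x: legacy bytes decode to %ld, workaround gives %d, "
               "correct bytes give %d\n", refs[i], raw,
               read_reference(old, n_old), read_reference(fixed, n_new));
    }
    return 0;
}
```

References below 0x80 are identical in both encodings, which is why only cards whose key or PIN reference has the top bit set are affected by the difference.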
Andreas Jellinghaus (tolonuga) wrote :

currently lucid has 0.11.9-2ubuntu1 which does not contain the fix,
so it is a regression from the fixed ubuntu 0.11.8-1ubuntu2.

please have a look at bug 519750:
if you simply import 0.11.12-1 from debian testing you can drop all ubuntu specific
changes and will have a working package. please do that, will fix this bug for lucid
as well!

Andreas Jellinghaus (tolonuga) wrote :

oops, small issue: opensc-0.11.9/debian/mozilla-opensc.links
needs to be copied over, as on debian this has different content (iceweasel vs. firefox etc.)
this is the ubuntu content:
  usr/lib/opensc-signer.so usr/lib/firefox/plugins/opensc-signer.so
  usr/lib/opensc-signer.so usr/lib/mozilla/plugins/opensc-signer.so
  usr/lib/opensc-signer.so usr/lib/xulrunner-addons/plugins/opensc-signer.so
but if you forget to do that - no big harm. we haven't seen any user of that code in many years
(on upstream development lists).

Steve Langasek (vorlon) wrote :

Well, opensc 0.11.12 has been uploaded to lucid in the meantime by another dev, bypassing this bug report... so the core issue here is now fixed in lucid. Marking as such.

Dominik, what exactly was outdated about the copyright? When I looked at the package in the PPA I found a debian/copyright that didn't contain the Policy-mandated information, so I gave that a pass when pulling; but we should certainly correct any bugs in the current debian/copyright as well.

Changed in opensc (Ubuntu Lucid):
status: In Progress → Fix Released
Andreas Jellinghaus (tolonuga) wrote :

from copyright file:
> It was downloaded from http://www.opensc.org/
we lost that domain years ago. our homepage is www.opensc-project.org.

> Upstream Authors:
that list is from 2001. Our wiki page "AuthorsAndCredits" has the full list,
and all the copyright statements (for opensc and software used by opensc
(autoconf/make/libtool, m4 macros, getpass source, getopt source, etc.))

btw: the doc/nonpersistent/wiki.out/* files should be shipped as part
of some package - our wiki documentation, converted so it can be used
as local documentation.

hmm, I thought I had submitted a fix for that once, but maybe that was to debian and
it got lost somehow. I haven't found out how the debian/ubuntu sync works, and how
to make sure no improvements are lost.

Torsten Spindler (tspindler) wrote : Re: [Bug 495410] Re: PKCS#11 signing does not work

The Debian to Ubuntu sync is described here:
https://wiki.ubuntu.com/SyncRequestProcess
If you need any help with it, let me know.
