My reasoning for this is that calling out to p11_child directly uses the code that 
was upgraded.
do_card()
do_slot()
read_certs() 1863 
do_slot()
1743 - find a token
1805 - token name 


** Description changed:

+ [ Impact ]
+ 
+ TLDR; users cannot authenticate properly.
+ 
+ p11_child handles (pre-)authentication in two steps. 
+ In the first step, it locates a PKCS#11 token that could contain certificates 
for authentication. 
+ In the second step, it checks if there are actually valid, usable 
certificate(s) on it.
+ 
+ During both steps, filtering is performed based on arguments given to
+ p11_child. If a mismatch occurs during the first step, it simply skips
+ the module/slot/token and goes onto the next one. However if a mismatch
+ occurs in the second step, this is considered a failure; it does not
+ return to the first step to see if a different token contains the right
+ certificates (or to wait for it, if --wait_for_card is given).
+ 
+ To address this, the code needs to be refactored so that the certificate
+ search happens inside the loop that searches/waits for tokens.
+ 
+ 
+ [ Test Plan ]
+ 
+ Follow instructions from beginning from here
+ 
https://canonical-se-wiki.readthedocs-hosted.com/en/latest/content/whershberger/virtual-smartcard/
 
+ (until launch vm) 
+ 
+ add cert to host nssdb
+ certutil -A -d sql:$HOME/.pki/nssdb -i fake-smartcard-noble-ca.cer -t 
TC,TC,TC -n fake-smartcard-noble-ca
+ 
+ launch qemu
+ 
+ apt-get update && apt-get upgrade
+ sudo apt-get install pcscd pcsc-tools libnss3-tools opensc pcks11-tools 
realmd sssd 
+ 
+ # initialize new certificate nss database in vm
+ mkdir -p $HOME/.pki/nssdb
+ certutil -d $HOME/.pki/nssdb -N
+ 
+ certutil -A -d sql:$HOME/.pki/nssdb -i fake-smartcard-noble-ca.cer -t
+ TC,TC,TC -n fake-smartcard-noble-ca
+ 
+ # check db if you see certs
+ certutil -d sql:$HOME/.pki/nssdb -L
+ 
+ sudo pcsc_scan
+ user1@ubuntu:~$ sudo pcsc_scan
+ PC/SC device scanner
+ V 1.7.1 (c) 2001-2022, Ludovic Rousseau <ludovic.rouss...@free.fr>
+ Using reader plug'n play mechanism
+ Scanning present readers...
+ 0: Gemalto Gemplus USB SmartCard Reader 433-Swap [CCID Interface] 
(1-0000:00:01.2-1) 00 00
+  
+ Tue Jul 15 20:47:59 2025
+  Reader 0: Gemalto Gemplus USB SmartCard Reader 433-Swap [CCID Interface] 
(1-0000:00:01.2-1) 00 00
+   Event number: 0
+   Card state: Card inserted, 
+   ATR: 3B 7A 18 00 00 73 66 74 65 20 63 64 31 34 34
+ ...
+ 
+ Possibly identified card (using /usr/share/pcsc/smartcard_list.txt):
+ 3B 7A 18 00 00 73 66 74 65 20 63 64 31 34 34
+   Republic Slovenia e-Gov, Ministry of Public Administration
+   SIGOV-CA, Slovenian Governmental Certification Authority
+   Giesecke & Devrient (PIV Endpoint) G&D Sm@rtCafe Expert v3.2
+ 
+ sudo /usr/libexec/sssd/p11_child --pre -d 10 --debug-fd=2
+ --ca_db=/etc/sssd/pki/sssd_auth_ca_db.pem
+ 
+ scp cac-card cert to vm
+ and save to vm's nssdb.
+ 
+ # call out to p11_child directly
+ user1@ubuntu:~$ sudo /usr/libexec/sssd/p11_child --pre -d 10 --debug-fd=2 
--ca_db=/etc/sssd/pki/sssd_auth_ca_db.pem
+ [p11_child[4329]] [main] (0x0400): p11_child started.
+ [p11_child[4329]] [main] (0x2000): Running in [pre-auth] mode.
+ [p11_child[4329]] [do_card] (0x4000): Login NOT required.
+ [p11_child[4329]] [read_certs] (0x4000): found cert[CAC ID 
Certificate][/CN=Fake Smart Card Noble CA]
+ [p11_child[4329]] [do_verification] (0x0040): X509_verify_cert failed [0].
+ [p11_child[4329]] [do_verification] (0x0040): X509_verify_cert failed 
[18][self-signed certificate].
+ [p11_child[4329]] [read_certs] (0x0040): Certificate [CAC ID 
Certificate][/CN=Fake Smart Card Noble CA] not valid, skipping.
+ [p11_child[4329]] [read_certs] (0x4000): found cert[CAC Email Signature 
Certificate][/CN=Fake Smart Card Noble CA]
+ [p11_child[4329]] [do_verification] (0x0040): X509_verify_cert failed [0].
+ [p11_child[4329]] [do_verification] (0x0040): X509_verify_cert failed 
[18][self-signed certificate].
+ [p11_child[4329]] [read_certs] (0x0040): Certificate [CAC Email Signature 
Certificate][/CN=Fake Smart Card Noble CA] not valid, skipping.
+ [p11_child[4329]] [read_certs] (0x4000): found cert[CAC Email Encryption 
Certificate][/CN=Fake Smart Card Noble CA]
+ [p11_child[4329]] [do_verification] (0x0040): X509_verify_cert failed [0].
+ [p11_child[4329]] [do_verification] (0x0040): X509_verify_cert failed 
[18][self-signed certificate].
+ [p11_child[4329]] [read_certs] (0x0040): Certificate [CAC Email Encryption 
Certificate][/CN=Fake Smart Card Noble CA] not valid, skipping.
+ [p11_child[4329]] [do_card] (0x4000): No certificate found.
+ 
+ [ Where Problems Could Occur]
+ 
+ [ Other Info ]
+ 
  Backport from upstream.
  Continue searching other PKCS#11 tokens if certificates are not found
  https://github.com/SSSD/sssd/issues/5905
  
  https://github.com/SSSD/sssd/commit/782a6dd54967e7c2dd3013f7e68134ee8751ab88
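Review bot: the package name `pcks11-tools` in the `sudo apt-get install` line of the Test Plan looks like a typo, so the install step as written will stop on an unknown package (the `pkcs11-tool` binary is shipped by the `opensc` package that is already on the same line, so the entry can likely just be dropped). Two further gaps: the `[ Where Problems Could Occur]` section is empty, and the Test Plan ends with the pre-fix debug output (`do_card ... No certificate found.`) without stating what the patched p11_child is expected to print once a second token with a valid certificate is present, so a tester cannot tell a pass from a fail.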

** Description changed:

  [ Impact ]
  
  TLDR; users cannot authenticate properly.
  
- p11_child handles (pre-)authentication in two steps. 
- In the first step, it locates a PKCS#11 token that could contain certificates 
for authentication. 
+ p11_child handles (pre-)authentication in two steps.
+ In the first step, it locates a PKCS#11 token that could contain certificates 
for authentication.
  In the second step, it checks if there are actually valid, usable 
certificate(s) on it.
  
  During both steps, filtering is performed based on arguments given to
  p11_child. If a mismatch occurs during the first step, it simply skips
  the module/slot/token and goes onto the next one. However if a mismatch
  occurs in the second step, this is considered a failure; it does not
  return to the first step to see if a different token contains the right
  certificates (or to wait for it, if --wait_for_card is given).
  
  To address this, the code needs to be refactored so that the certificate
  search happens inside the loop that searches/waits for tokens.
  
- 
  [ Test Plan ]
  
  Follow instructions from beginning from here
- 
https://canonical-se-wiki.readthedocs-hosted.com/en/latest/content/whershberger/virtual-smartcard/
 
- (until launch vm) 
+ 
https://canonical-se-wiki.readthedocs-hosted.com/en/latest/content/whershberger/virtual-smartcard/
+ (until launch vm)
  
  add cert to host nssdb
  certutil -A -d sql:$HOME/.pki/nssdb -i fake-smartcard-noble-ca.cer -t 
TC,TC,TC -n fake-smartcard-noble-ca
  
  launch qemu
  
  apt-get update && apt-get upgrade
- sudo apt-get install pcscd pcsc-tools libnss3-tools opensc pcks11-tools 
realmd sssd 
+ sudo apt-get install pcscd pcsc-tools libnss3-tools opensc pcks11-tools 
realmd sssd
  
  # initialize new certificate nss database in vm
  mkdir -p $HOME/.pki/nssdb
  certutil -d $HOME/.pki/nssdb -N
  
  certutil -A -d sql:$HOME/.pki/nssdb -i fake-smartcard-noble-ca.cer -t
  TC,TC,TC -n fake-smartcard-noble-ca
  
  # check db if you see certs
  certutil -d sql:$HOME/.pki/nssdb -L
  
  sudo pcsc_scan
  user1@ubuntu:~$ sudo pcsc_scan
  PC/SC device scanner
  V 1.7.1 (c) 2001-2022, Ludovic Rousseau <ludovic.rouss...@free.fr>
  Using reader plug'n play mechanism
  Scanning present readers...
  0: Gemalto Gemplus USB SmartCard Reader 433-Swap [CCID Interface] 
(1-0000:00:01.2-1) 00 00
-  
+ 
  Tue Jul 15 20:47:59 2025
-  Reader 0: Gemalto Gemplus USB SmartCard Reader 433-Swap [CCID Interface] 
(1-0000:00:01.2-1) 00 00
-   Event number: 0
-   Card state: Card inserted, 
-   ATR: 3B 7A 18 00 00 73 66 74 65 20 63 64 31 34 34
+  Reader 0: Gemalto Gemplus USB SmartCard Reader 433-Swap [CCID Interface] 
(1-0000:00:01.2-1) 00 00
+   Event number: 0
+   Card state: Card inserted,
+   ATR: 3B 7A 18 00 00 73 66 74 65 20 63 64 31 34 34
  ...
  
  Possibly identified card (using /usr/share/pcsc/smartcard_list.txt):
  3B 7A 18 00 00 73 66 74 65 20 63 64 31 34 34
-   Republic Slovenia e-Gov, Ministry of Public Administration
-   SIGOV-CA, Slovenian Governmental Certification Authority
-   Giesecke & Devrient (PIV Endpoint) G&D Sm@rtCafe Expert v3.2
- 
- sudo /usr/libexec/sssd/p11_child --pre -d 10 --debug-fd=2
- --ca_db=/etc/sssd/pki/sssd_auth_ca_db.pem
+   Republic Slovenia e-Gov, Ministry of Public Administration
+   SIGOV-CA, Slovenian Governmental Certification Authority
+   Giesecke & Devrient (PIV Endpoint) G&D Sm@rtCafe Expert v3.2
  
  scp cac-card cert to vm
  and save to vm's nssdb.
  
  # call out to p11_child directly
- user1@ubuntu:~$ sudo /usr/libexec/sssd/p11_child --pre -d 10 --debug-fd=2 
--ca_db=/etc/sssd/pki/sssd_auth_ca_db.pem
+ sudo /usr/libexec/sssd/p11_child --pre -d 10 --debug-fd=2 
--ca_db=/etc/sssd/pki/sssd_auth_ca_db.pem
+ 
  [p11_child[4329]] [main] (0x0400): p11_child started.
  [p11_child[4329]] [main] (0x2000): Running in [pre-auth] mode.
  [p11_child[4329]] [do_card] (0x4000): Login NOT required.
  [p11_child[4329]] [read_certs] (0x4000): found cert[CAC ID 
Certificate][/CN=Fake Smart Card Noble CA]
  [p11_child[4329]] [do_verification] (0x0040): X509_verify_cert failed [0].
  [p11_child[4329]] [do_verification] (0x0040): X509_verify_cert failed 
[18][self-signed certificate].
  [p11_child[4329]] [read_certs] (0x0040): Certificate [CAC ID 
Certificate][/CN=Fake Smart Card Noble CA] not valid, skipping.
  [p11_child[4329]] [read_certs] (0x4000): found cert[CAC Email Signature 
Certificate][/CN=Fake Smart Card Noble CA]
  [p11_child[4329]] [do_verification] (0x0040): X509_verify_cert failed [0].
  [p11_child[4329]] [do_verification] (0x0040): X509_verify_cert failed 
[18][self-signed certificate].
  [p11_child[4329]] [read_certs] (0x0040): Certificate [CAC Email Signature 
Certificate][/CN=Fake Smart Card Noble CA] not valid, skipping.
  [p11_child[4329]] [read_certs] (0x4000): found cert[CAC Email Encryption 
Certificate][/CN=Fake Smart Card Noble CA]
  [p11_child[4329]] [do_verification] (0x0040): X509_verify_cert failed [0].
  [p11_child[4329]] [do_verification] (0x0040): X509_verify_cert failed 
[18][self-signed certificate].
  [p11_child[4329]] [read_certs] (0x0040): Certificate [CAC Email Encryption 
Certificate][/CN=Fake Smart Card Noble CA] not valid, skipping.
  [p11_child[4329]] [do_card] (0x4000): No certificate found.
  
  [ Where Problems Could Occur]
  
  [ Other Info ]
  
  Backport from upstream.
  Continue searching other PKCS#11 tokens if certificates are not found
  https://github.com/SSSD/sssd/issues/5905
  
  https://github.com/SSSD/sssd/commit/782a6dd54967e7c2dd3013f7e68134ee8751ab88

** Description changed:

  [ Impact ]
  
  TLDR; users cannot authenticate properly.
  
  p11_child handles (pre-)authentication in two steps.
  In the first step, it locates a PKCS#11 token that could contain certificates 
for authentication.
  In the second step, it checks if there are actually valid, usable 
certificate(s) on it.
  
  During both steps, filtering is performed based on arguments given to
  p11_child. If a mismatch occurs during the first step, it simply skips
  the module/slot/token and goes onto the next one. However if a mismatch
  occurs in the second step, this is considered a failure; it does not
  return to the first step to see if a different token contains the right
  certificates (or to wait for it, if --wait_for_card is given).
  
  To address this, the code needs to be refactored so that the certificate
  search happens inside the loop that searches/waits for tokens.
  
  [ Test Plan ]
  
  Follow instructions from beginning from here
  
https://canonical-se-wiki.readthedocs-hosted.com/en/latest/content/whershberger/virtual-smartcard/
  (until launch vm)
  
  add cert to host nssdb
  certutil -A -d sql:$HOME/.pki/nssdb -i fake-smartcard-noble-ca.cer -t 
TC,TC,TC -n fake-smartcard-noble-ca
  
- launch qemu
+ # launch qemu
+ sudo qemu-system-x86_64   -enable-kvm   -m 1024   -nic user,model=virtio 
-chardev socket,server=on,host=0.0.0.0,port=2001,id=ccid,wait=off -drive 
file=root.img,media=disk,index=0,if=virtio   -drive 
file=seed.img,index=1,media=cdrom -usb -device usb-ccid -device 
ccid-card-emulated,backend=certificates,db=sql:$HOME/.pki/nssdb,cert1=fake-smartcard-ca,cert2=fake-smartcard-ca,cert3=fake-smartcard-ca
 -usb -device virtio-rng-pci -nographic
  
  apt-get update && apt-get upgrade
  sudo apt-get install pcscd pcsc-tools libnss3-tools opensc pcks11-tools 
realmd sssd
  
  # initialize new certificate nss database in vm
  mkdir -p $HOME/.pki/nssdb
  certutil -d $HOME/.pki/nssdb -N
  
  certutil -A -d sql:$HOME/.pki/nssdb -i fake-smartcard-noble-ca.cer -t
  TC,TC,TC -n fake-smartcard-noble-ca
  
  # check db if you see certs
  certutil -d sql:$HOME/.pki/nssdb -L
  
  sudo pcsc_scan
  user1@ubuntu:~$ sudo pcsc_scan
  PC/SC device scanner
  V 1.7.1 (c) 2001-2022, Ludovic Rousseau <ludovic.rouss...@free.fr>
  Using reader plug'n play mechanism
  Scanning present readers...
  0: Gemalto Gemplus USB SmartCard Reader 433-Swap [CCID Interface] 
(1-0000:00:01.2-1) 00 00
  
  Tue Jul 15 20:47:59 2025
   Reader 0: Gemalto Gemplus USB SmartCard Reader 433-Swap [CCID Interface] 
(1-0000:00:01.2-1) 00 00
    Event number: 0
    Card state: Card inserted,
    ATR: 3B 7A 18 00 00 73 66 74 65 20 63 64 31 34 34
  ...
  
  Possibly identified card (using /usr/share/pcsc/smartcard_list.txt):
  3B 7A 18 00 00 73 66 74 65 20 63 64 31 34 34
    Republic Slovenia e-Gov, Ministry of Public Administration
    SIGOV-CA, Slovenian Governmental Certification Authority
    Giesecke & Devrient (PIV Endpoint) G&D Sm@rtCafe Expert v3.2
  
  scp cac-card cert to vm
  and save to vm's nssdb.
  
  # call out to p11_child directly
  sudo /usr/libexec/sssd/p11_child --pre -d 10 --debug-fd=2 
--ca_db=/etc/sssd/pki/sssd_auth_ca_db.pem
  
  [p11_child[4329]] [main] (0x0400): p11_child started.
  [p11_child[4329]] [main] (0x2000): Running in [pre-auth] mode.
  [p11_child[4329]] [do_card] (0x4000): Login NOT required.
  [p11_child[4329]] [read_certs] (0x4000): found cert[CAC ID 
Certificate][/CN=Fake Smart Card Noble CA]
  [p11_child[4329]] [do_verification] (0x0040): X509_verify_cert failed [0].
  [p11_child[4329]] [do_verification] (0x0040): X509_verify_cert failed 
[18][self-signed certificate].
  [p11_child[4329]] [read_certs] (0x0040): Certificate [CAC ID 
Certificate][/CN=Fake Smart Card Noble CA] not valid, skipping.
  [p11_child[4329]] [read_certs] (0x4000): found cert[CAC Email Signature 
Certificate][/CN=Fake Smart Card Noble CA]
  [p11_child[4329]] [do_verification] (0x0040): X509_verify_cert failed [0].
  [p11_child[4329]] [do_verification] (0x0040): X509_verify_cert failed 
[18][self-signed certificate].
  [p11_child[4329]] [read_certs] (0x0040): Certificate [CAC Email Signature 
Certificate][/CN=Fake Smart Card Noble CA] not valid, skipping.
  [p11_child[4329]] [read_certs] (0x4000): found cert[CAC Email Encryption 
Certificate][/CN=Fake Smart Card Noble CA]
  [p11_child[4329]] [do_verification] (0x0040): X509_verify_cert failed [0].
  [p11_child[4329]] [do_verification] (0x0040): X509_verify_cert failed 
[18][self-signed certificate].
  [p11_child[4329]] [read_certs] (0x0040): Certificate [CAC Email Encryption 
Certificate][/CN=Fake Smart Card Noble CA] not valid, skipping.
  [p11_child[4329]] [do_card] (0x4000): No certificate found.
  
  [ Where Problems Could Occur]
  
  [ Other Info ]
  
  Backport from upstream.
  Continue searching other PKCS#11 tokens if certificates are not found
  https://github.com/SSSD/sssd/issues/5905
  
  https://github.com/SSSD/sssd/commit/782a6dd54967e7c2dd3013f7e68134ee8751ab88
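Review bot: the `ccid-card-emulated` device in the new qemu command line takes `cert1=fake-smartcard-ca,cert2=fake-smartcard-ca,cert3=fake-smartcard-ca`, while the `certutil -A` step a few lines earlier imports the certificate under the nickname `fake-smartcard-noble-ca`; unless the linked wiki page creates both nicknames, the emulated card references a nickname that is not in `$HOME/.pki/nssdb`. Using the same nickname for all three slots also means the emulated card presents one CA certificate three times, which matches the debug output further down (`X509_verify_cert failed [18][self-signed certificate]` for every cert, all with `/CN=Fake Smart Card Noble CA`), so the Test Plan should say whether that self-signed failure is the intended pre-fix state or a setup error.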
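The two-step flow described in the Impact section, and the control-flow change the backport makes to it, as an added C model. This is not sssd's code: the `struct token`/`struct cert` types, the `select_token_old`/`select_token_fixed` functions and the sample tokens are constructed for illustration, and a `verifies` flag stands in for the outcome of `do_verification()`.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model of a PKCS#11 token as p11_child sees it (not sssd's
 * real data structures). */
struct cert {
    const char *label;
    bool verifies;        /* stands in for do_verification() against --ca_db */
};

struct token {
    const char *label;
    bool matches_filter;  /* step 1: module/slot/token filters from the command line */
    const struct cert *certs;
    size_t ncerts;
};

/* Step 2, modelled on read_certs(): index of the first certificate on the
 * token that verifies, or -1 when none does. */
static int first_valid_cert(const struct token *t)
{
    for (size_t i = 0; i < t->ncerts; i++) {
        if (t->certs[i].verifies)
            return (int)i;
        printf("Certificate [%s] not valid, skipping.\n", t->certs[i].label);
    }
    return -1;
}

/* Pre-fix flow: the token loop stops at the first token that passes the
 * filters. If that token holds no valid certificate the whole run fails,
 * even when a later token would have worked. Returns the token index or -1. */
int select_token_old(const struct token *tokens, size_t n, int *cert_idx)
{
    for (size_t i = 0; i < n; i++) {
        if (!tokens[i].matches_filter)
            continue;                              /* step-1 mismatch: skip token */
        *cert_idx = first_valid_cert(&tokens[i]);
        return *cert_idx >= 0 ? (int)i : -1;       /* step-2 mismatch: fatal */
    }
    return -1;
}

/* Fixed flow (upstream issue #5905): the certificate search runs inside the
 * token loop, so a token without a valid certificate is treated like a filter
 * mismatch and the search continues with the next token (or keeps waiting,
 * when --wait_for_card is given). */
int select_token_fixed(const struct token *tokens, size_t n, int *cert_idx)
{
    for (size_t i = 0; i < n; i++) {
        if (!tokens[i].matches_filter)
            continue;
        *cert_idx = first_valid_cert(&tokens[i]);
        if (*cert_idx >= 0)
            return (int)i;
        printf("Token [%s]: No certificate found, trying next token.\n",
               tokens[i].label);
    }
    return -1;
}

/* Constructed sample: token 0 passes the filters but every certificate on it
 * fails verification (as in the debug output in the Test Plan), token 1 is
 * filtered out in step 1, token 2 holds a usable certificate. */
static const struct cert self_signed[] = {
    { "CAC ID Certificate", false },
    { "CAC Email Signature Certificate", false },
};
static const struct cert good[] = {
    { "PIV Authentication", true },
};
const struct token sample_tokens[] = {
    { "fake-smartcard", true,  self_signed, 2 },
    { "other-module",   false, good,        1 },
    { "piv-card",       true,  good,        1 },
};
const size_t sample_ntokens = 3;

int main(void)
{
    int ci = -1;
    printf("old:   token %d\n", select_token_old(sample_tokens, sample_ntokens, &ci));
    printf("fixed: token %d (cert %d)\n",
           select_token_fixed(sample_tokens, sample_ntokens, &ci), ci);
    return 0;
}
```

With the sample tokens, the old flow returns -1 after the first matching token, which is the `No certificate found.` outcome shown in the Test Plan, while the fixed flow skips that token and selects token 2.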

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2110521

Title:
  Continue searching other PKCS#11 tokens if certificates are not found

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/2110521/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
