** Description changed:

[ Impact ]

TL;DR: users cannot authenticate properly.

p11_child handles (pre-)authentication in two steps. In the first step, it locates a PKCS#11 token that could contain certificates for authentication. In the second step, it checks whether there are actually valid, usable certificate(s) on it. During both steps, filtering is performed based on the arguments given to p11_child. If a mismatch occurs during the first step, it simply skips the module/slot/token and moves on to the next one. However, if a mismatch occurs in the second step, this is treated as a failure; it does not return to the first step to see if a different token contains the right certificates (or to wait for one, if --wait_for_card is given). To address this, the code needs to be refactored so that the certificate search happens inside the loop that searches/waits for tokens.

[ Test Plan ]

Follow the instructions from the beginning here (until "launch vm"):
https://canonical-se-wiki.readthedocs-hosted.com/en/latest/content/whershberger/virtual-smartcard/

# add cert to host nssdb
certutil -A -d sql:$HOME/.pki/nssdb -i fake-smartcard-noble-ca.cer -t TC,TC,TC -n fake-smartcard-noble-ca

# launch qemu
sudo qemu-system-x86_64 -enable-kvm -m 1024 -nic user,model=virtio -chardev socket,server=on,host=0.0.0.0,port=2001,id=ccid,wait=off -drive file=root.img,media=disk,index=0,if=virtio -drive file=seed.img,index=1,media=cdrom -usb -device usb-ccid -device ccid-card-emulated,backend=certificates,db=sql:$HOME/.pki/nssdb,cert1=fake-smartcard-ca,cert2=fake-smartcard-ca,cert3=fake-smartcard-ca -usb -device virtio-rng-pci -nographic

# inside the vm
apt-get update && apt-get upgrade
sudo apt-get install pcscd pcsc-tools libnss3-tools opensc realmd sssd gnutls-bin

# initialize new certificate nss database in vm
mkdir -p $HOME/.pki/nssdb
certutil -d $HOME/.pki/nssdb -N
certutil -A -d sql:$HOME/.pki/nssdb -i fake-smartcard-noble-ca.cer -t TC,TC,TC -n fake-smartcard-noble-ca

# check db if you see certs
certutil -d sql:$HOME/.pki/nssdb -L

sudo pcsc_scan
PC/SC device scanner V 1.7.1 (c) 2001-2022, Ludovic Rousseau <ludovic.rouss...@free.fr>
Using reader plug'n play mechanism
Scanning present readers...
0: Gemalto Gemplus USB SmartCard Reader 433-Swap [CCID Interface] (1-0000:00:01.2-1) 00 00

Tue Jul 15 20:47:59 2025
 Reader 0: Gemalto Gemplus USB SmartCard Reader 433-Swap [CCID Interface] (1-0000:00:01.2-1) 00 00
  Event number: 0
  Card state: Card inserted,
  ATR: 3B 7A 18 00 00 73 66 74 65 20 63 64 31 34 34
...
Possibly identified card (using /usr/share/pcsc/smartcard_list.txt):
3B 7A 18 00 00 73 66 74 65 20 63 64 31 34 34
        Republic Slovenia e-Gov, Ministry of Public Administration SIGOV-CA, Slovenian Governmental Certification Authority
        Giesecke & Devrient (PIV Endpoint)
        G&D Sm@rtCafe Expert v3.2

scp the cac-card cert to the vm and save it to the vm's nssdb.

sudo su
mkdir /etc/sssd/pki
cd pki
touch
cat fake-smartcard-ca.crt >> /etc/sssd/pki/sssd_auth_ca_db.pem
cat fake-smartcard-ca.crt >> /etc/sssd/pki/sssd_auth_ca_db.pem

# call out to p11_child directly
sudo /usr/libexec/sssd/p11_child --pre -d 10 --debug-fd=2 --ca_db=/etc/sssd/pki/sssd_auth_ca_db.pem
[p11_child[4329]] [main] (0x0400): p11_child started.
[p11_child[4329]] [main] (0x2000): Running in [pre-auth] mode.
[p11_child[4329]] [do_card] (0x4000): Login NOT required.
[p11_child[4329]] [read_certs] (0x4000): found cert[CAC ID Certificate][/CN=Fake Smart Card Noble CA]
[p11_child[4329]] [do_verification] (0x0040): X509_verify_cert failed [0].
[p11_child[4329]] [do_verification] (0x0040): X509_verify_cert failed [18][self-signed certificate].
[p11_child[4329]] [read_certs] (0x0040): Certificate [CAC ID Certificate][/CN=Fake Smart Card Noble CA] not valid, skipping.
[p11_child[4329]] [read_certs] (0x4000): found cert[CAC Email Signature Certificate][/CN=Fake Smart Card Noble CA]
[p11_child[4329]] [do_verification] (0x0040): X509_verify_cert failed [0].
[p11_child[4329]] [do_verification] (0x0040): X509_verify_cert failed [18][self-signed certificate].
[p11_child[4329]] [read_certs] (0x0040): Certificate [CAC Email Signature Certificate][/CN=Fake Smart Card Noble CA] not valid, skipping.
[p11_child[4329]] [read_certs] (0x4000): found cert[CAC Email Encryption Certificate][/CN=Fake Smart Card Noble CA]
[p11_child[4329]] [do_verification] (0x0040): X509_verify_cert failed [0].
[p11_child[4329]] [do_verification] (0x0040): X509_verify_cert failed [18][self-signed certificate].
[p11_child[4329]] [read_certs] (0x0040): Certificate [CAC Email Encryption Certificate][/CN=Fake Smart Card Noble CA] not valid, skipping.
[p11_child[4329]] [do_card] (0x4000): No certificate found.

+ # shutdown vm, make empty cert and relaunch
+ sudo shutdown now
+ # make an empty cert and add it to nssdb
certutil -S -s "CN=''" -n CACert -x -t "CT,C,C" -v 120 -m 1234 -d sql:$PWD
certutil -R -s "CN='\?', O=Canonical , L=COS, ST=CO, C=US" -o mycert.req -d sql:$PWD
certutil -d sql:$PWD -L
certutil -C -m 2345 -i mycert.req -o invalid.crt -c CACert -d sql:$PWD
openssl x509 -in invalid.crt -noout -text
+
+ certutil -A -d sql:$PWD -i invalid.crt -t TC,TC,TC -n invalid-fake-smartcard-ca
+
+ sudo qemu-system-x86_64 -enable-kvm -m 1024 -nic user,model=virtio -chardev socket,server=on,host=0.0.0.0,port=2001,id=ccid,wait=off -drive file=root.img,media=disk,index=0,if=virtio -drive file=seed.img,index=1,media=cdrom -usb -device usb-ccid -device ccid-card-emulated,backend=certificates,db=sql:$PWD,cert1=fake-invalid-smartcard-ca,cert2=fake-invalid-smartcard-ca,cert3=fake-invalid-smartcard-ca -usb -device virtio-rng-pci -nographic

sudo /usr/libexec/sssd/p11_child --pre -d 10 --debug-fd=2 --ca_db=/etc/sssd/pki/sssd_auth_ca_db.pem

# installing coolkey gives access to cac-card
sudo apt-get install opensc coolkey
whereis opensc-pkcs11.so
/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so

~$: sudo modutil -dbdir sql:$HOME/.pki/nssdb/ -add "CAC Module" -libfile /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type
'q <enter>' to abort, or <enter> to continue:

Module "CAC Module" added to database.

sudo /usr/libexec/sssd/p11_child --wait_for_card --pre -d 10 --debug-fd=2 \
  --ca_db=/etc/sssd/pki/sssd_auth_ca_db.pem --module_name 'Fake Smart Card CA' \
  --token_name CACard --key_id 0001 --pin 1234

# we'll create the empty cert, add it to the db and run p11_child
sudo /usr/libexec/sssd/p11_child --wait_for_card --pre -d 10 --debug-fd=2 --ca_db=/etc/sssd/pki/sssd_auth_ca_db.pem --module_name 'Fake Smart Card CA' --token_name CACard --key_id 0001 --pin 1234
[p11_child[2183]] [main] (0x0400): p11_child started.
[p11_child[2183]] [main] (0x2000): Running in [pre-auth] mode.
[p11_child[2183]] [main] (0x2000): Running with effective IDs: [0][0].
[p11_child[2183]] [main] (0x2000): Running with real IDs [0][0].
[p11_child[2183]] [do_card] (0x4000): Module List:
[p11_child[2183]] [do_card] (0x4000): common name: [opensc-pkcs11].
[p11_child[2183]] [do_card] (0x4000): dll name: [/usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so].
[p11_child[2183]] [do_card] (0x4000): Description [Gemalto Gemplus USB SmartCard Reader 433-Swap [CCID Interface...] Manufacturer [QEMU] flags [7] removable [true] token present [true].
[p11_child[2183]] [do_card] (0x4000): Token label [Fake Smart Card CA].
[p11_child[2183]] [do_card] (0x4000): Found [Fake Smart Card CA] in slot [Gemalto Gemplus USB SmartCard Reader 433-Swap [CCID Interface...][0] of module [0][/usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so].
[p11_child[2183]] [do_card] (0x4000): Login NOT required.
[p11_child[2183]] [read_certs] (0x4000): found cert[CAC ID Certificate][/CN=Fake Smart Card CA]
[p11_child[2183]] [do_ocsp] (0x0020): No OCSP URL in certificate and no default responder defined, skipping OCSP check.
[p11_child[2183]] [read_certs] (0x4000): found cert[CAC Email Signature Certificate][/CN=Fake Smart Card CA]
[p11_child[2183]] [do_ocsp] (0x0020): No OCSP URL in certificate and no default responder defined, skipping OCSP check.
[p11_child[2183]] [read_certs] (0x4000): found cert[CAC Email Encryption Certificate][/CN=Fake Smart Card CA]
[p11_child[2183]] [do_ocsp] (0x0020): No OCSP URL in certificate and no default responder defined, skipping OCSP check.
[p11_child[2183]] [do_card] (0x4000): Fake Smart Card CA /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so CACard Fake Smart Card CA 0001 - no label given- 0003.
[p11_child[2183]] [do_card] (0x4000): Fake Smart Card CA /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so CACard Fake Smart Card CA 0001 - no label given- 0002.
[p11_child[2183]] [do_card] (0x4000): Fake Smart Card CA /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so CACard Fake Smart Card CA 0001 - no label given- 0001.
[p11_child[2183]] [do_card] (0x4000): No certificate found.
0

* Previous code stops here

# Then after upgrade we have a cert.
sudo apt-get install --only-upgrade sssd
apt-cache policy sssd
sssd:
  Installed: 2.10.1-2ubuntu5.1testpkg1
  Candidate: 2.10.1-2ubuntu5.1testpkg1
  Version table:
 *** 2.10.1-2ubuntu5.1testpkg1 500

user1@ubuntu:~$ sudo /usr/libexec/sssd/p11_child --wait_for_card --pre -d 10 --debug-fd=2 --ca_db=/etc/sssd/pki/sssd_auth_ca_db.pem --module_name 'Fake Smart Card CA' --token_name CACard --key_id 0001 --pin 1234
[p11_child[2800]] [main] (0x0400): p11_child started.
[p11_child[2800]] [main] (0x2000): Running in [pre-auth] mode.
[p11_child[2800]] [main] (0x2000): Running with effective IDs: [0][0].
[p11_child[2800]] [main] (0x2000): Running with real IDs [0][0].
[p11_child[2800]] [do_card] (0x4000): Module List:
[p11_child[2800]] [do_card] (0x4000): common name: [opensc-pkcs11].
[p11_child[2800]] [do_card] (0x4000): dll name: [/usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so].
[p11_child[2800]] [do_card] (0x4000): Description [Gemalto Gemplus USB SmartCard Reader 433-Swap [CCID Interface...] Manufacturer [QEMU] flags [7] removable [true] token present [true].
[p11_child[2800]] [do_card] (0x4000): Token label [Fake Smart Card CA].
[p11_child[2800]] [do_slot] (0x4000): Found [Fake Smart Card CA] in slot [Gemalto Gemplus USB SmartCard Reader 433-Swap [CCID Interface...][0] of module [0][/usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so].
[p11_child[2800]] [do_slot] (0x4000): Login NOT required.
[p11_child[2800]] [read_certs] (0x4000): found cert[CAC ID Certificate][/CN=Fake Smart Card CA]
[p11_child[2800]] [do_ocsp] (0x0020): No OCSP URL in certificate and no default responder defined, skipping OCSP check.
[p11_child[2800]] [read_certs] (0x4000): found cert[CAC Email Signature Certificate][/CN=Fake Smart Card CA]
[p11_child[2800]] [do_ocsp] (0x0020): No OCSP URL in certificate and no default responder defined, skipping OCSP check.
[p11_child[2800]] [read_certs] (0x4000): found cert[CAC Email Encryption Certificate][/CN=Fake Smart Card CA]
[p11_child[2800]] [do_ocsp] (0x0020): No OCSP URL in certificate and no default responder defined, skipping OCSP check.
[p11_child[2800]] [do_slot] (0x4000): Fake Smart Card CA /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so CACard Fake Smart Card CA 0001 - no label given- 0003.
[p11_child[2800]] [do_slot] (0x4000): Fake Smart Card CA /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so CACard Fake Smart Card CA 0001 - no label given- 0002.
[p11_child[2800]] [do_slot] (0x4000): Fake Smart Card CA /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so CACard Fake Smart Card CA 0001 - no label given- 0001.
[p11_child[2800]] [do_slot] (0x4000): No certificate found.
[p11_child[2800]] [do_card] (0x4000): common name: [softhsm2].
[p11_child[2800]] [do_card] (0x4000): dll name: [/usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so].
[p11_child[2800]] [do_card] (0x4000): Description [SoftHSM slot ID 0x0] Manufacturer [SoftHSM project] flags [1] removable [false] token present [true].
0

# We continue the search for certs even if we didn't find a valid certificate.

[ Where Problems Could Occur ]

Someone has already identified an issue upstream:
https://github.com/SSSD/sssd/issues/7912

[ Other Info ]

Backport from upstream: "Continue searching other PKCS#11 tokens if certificates are not found"
https://github.com/SSSD/sssd/issues/5905
https://github.com/SSSD/sssd/commit/782a6dd54967e7c2dd3013f7e68134ee8751ab88
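The two-step search described under [ Impact ] above, modelled as an added example in C (not sssd's own code): `find_cert_old` stops at the first token that passes the module/token filter and fails if no usable certificate is on it, while `find_cert_new` runs the certificate check inside the token loop and keeps going. The `struct token` layout, the `token_matches` helper and the `sample_tokens` data are all constructed for this illustration.

```c
/* Added example, not sssd's code: a model of p11_child's two-step search.
 * Step 1 filters tokens by the requested module/token name; step 2 looks for
 * a valid certificate on the token. Sample data below is constructed. */
#include <stddef.h>
#include <string.h>
struct token {
    const char *module;    /* PKCS#11 module name, as --module_name */
    const char *label;     /* token label, as --token_name */
    int has_valid_cert;    /* 1 if a cert for --key_id passes verification */
};

/* Step 1 filter; a NULL argument means that option was not given. */
static int token_matches(const struct token *t, const char *module,
                         const char *label)
{
    return (module == NULL || strcmp(t->module, module) == 0) &&
           (label == NULL || strcmp(t->label, label) == 0);
}

/* Pre-fix flow: step 2 runs once, on the first token that passes step 1;
 * no usable certificate there is a hard failure, not a reason to go on. */
const struct token *find_cert_old(const struct token *toks, size_t n,
                                  const char *module, const char *label)
{
    for (size_t i = 0; i < n; i++) {
        if (token_matches(&toks[i], module, label))
            return toks[i].has_valid_cert ? &toks[i] : NULL;
    }
    return NULL;
}

/* Post-fix flow: the certificate check sits inside the token loop, so a
 * token without a usable certificate is skipped like any other mismatch. */
const struct token *find_cert_new(const struct token *toks, size_t n,
                                  const char *module, const char *label)
{
    for (size_t i = 0; i < n; i++) {
        if (token_matches(&toks[i], module, label) && toks[i].has_valid_cert)
            return &toks[i];
    }
    return NULL;
}

/* Constructed sample: the first CACard token holds only certificates that
 * fail verification (like the self-signed ones in the log); the second is usable. */
const struct token sample_tokens[] = {
    { "opensc-pkcs11", "CACard", 0 },
    { "opensc-pkcs11", "CACard", 1 },
};
const size_t sample_tokens_len = sizeof sample_tokens / sizeof sample_tokens[0];
```

With --wait_for_card the same difference applies to waiting: the old flow gives up after the first matching token, the new one keeps polling the remaining tokens.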
-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2110521

Title:
  Continue searching other PKCS#11 tokens if certificates are not found

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/2110521/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs