[Bug 2110521] Re: Continue searching other PKCS#11 tokens if certificates are not found
Heather Lemon
2110521 at bugs.launchpad.net
Fri Aug 1 17:19:39 UTC 2025
** No longer affects: sssd (Ubuntu Oracular)
--
You received this bug notification because you are a member of Ubuntu
Sponsors, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/2110521
Title:
Continue searching other PKCS#11 tokens if certificates are not found
Status in sssd package in Ubuntu:
In Progress
Status in sssd source package in Jammy:
Won't Fix
Status in sssd source package in Noble:
In Progress
Status in sssd source package in Plucky:
In Progress
Status in sssd source package in Questing:
In Progress
Bug description:
[ Impact ]
TLDR; users cannot authenticate properly.
p11_child handles (pre-)authentication in two steps.
In the first step, it locates a PKCS#11 token that could contain certificates for authentication.
In the second step, it checks if there are actually valid, usable certificate(s) on it.
During both steps, filtering is performed based on arguments given to
p11_child. If a mismatch occurs during the first step, it simply skips
the module/slot/token and goes onto the next one. However if a
mismatch occurs in the second step, this is considered a failure; it
does not return to the first step to see if a different token contains
the right certificates (or to wait for it, if --wait_for_card is
given).
To address this, the code needs to be refactored so that the
certificate search happens inside the loop that searches/waits for
tokens.
[ Test Plan ]
Follow instructions from beginning from here
https://canonical-se-wiki.readthedocs-hosted.com/en/latest/content/whershberger/virtual-smartcard/
(until launch vm)
add cert to host nssdb
certutil -A -d sql:$HOME/.pki/nssdb -i fake-smartcard-noble-ca.cer -t TC,TC,TC -n fake-smartcard-noble-ca
# launch qemu
sudo qemu-system-x86_64 -enable-kvm -m 1024 -nic user,model=virtio -chardev socket,server=on,host=0.0.0.0,port=2001,id=ccid,wait=off -drive file=root.img,media=disk,index=0,if=virtio -drive file=seed.img,index=1,media=cdrom -usb -device usb-ccid -device ccid-card-emulated,backend=certificates,db=sql:$HOME/.pki/nssdb,cert1=fake-smartcard-ca,cert2=fake-smartcard-ca,cert3=fake-smartcard-ca -usb -device virtio-rng-pci -nographic
apt-get update && apt-get upgrade
sudo apt-get install pcscd pcsc-tools libnss3-tools opensc realmd sssd gnutls-bin
# initialize new certificate nss database in vm
mkdir -p $HOME/.pki/nssdb
certutil -d $HOME/.pki/nssdb -N
certutil -A -d sql:$HOME/.pki/nssdb -i fake-smartcard-noble-ca.cer -t
TC,TC,TC -n fake-smartcard-noble-ca
# check db if you see certs
certutil -d sql:$HOME/.pki/nssdb -L
sudo pcsc_scan
PC/SC device scanner
V 1.7.1 (c) 2001-2022, Ludovic Rousseau <ludovic.rousseau at free.fr>
Using reader plug'n play mechanism
Scanning present readers...
0: Gemalto Gemplus USB SmartCard Reader 433-Swap [CCID Interface] (1-0000:00:01.2-1) 00 00
Tue Jul 15 20:47:59 2025
Reader 0: Gemalto Gemplus USB SmartCard Reader 433-Swap [CCID Interface] (1-0000:00:01.2-1) 00 00
Event number: 0
Card state: Card inserted,
ATR: 3B 7A 18 00 00 73 66 74 65 20 63 64 31 34 34
...
Possibly identified card (using /usr/share/pcsc/smartcard_list.txt):
3B 7A 18 00 00 73 66 74 65 20 63 64 31 34 34
Republic Slovenia e-Gov, Ministry of Public Administration
SIGOV-CA, Slovenian Governmental Certification Authority
Giesecke & Devrient (PIV Endpoint) G&D Sm at rtCafe Expert v3.2
scp cac-card cert to vm
and save to vm's nssdb.
sudo su
mkdir /etc/sssd/pki
cd pki
touch cat fake-smartcard-ca.crt >> /etc/sssd/pki/sssd_auth_ca_db.pem
cat fake-smartcard-ca.crt >> /etc/sssd/pki/sssd_auth_ca_db.pem
# call out to p11_child directly
sudo /usr/libexec/sssd/p11_child --pre -d 10 --debug-fd=2 --ca_db=/etc/sssd/pki/sssd_auth_ca_db.pem
[p11_child[4329]] [main] (0x0400): p11_child started.
[p11_child[4329]] [main] (0x2000): Running in [pre-auth] mode.
[p11_child[4329]] [do_card] (0x4000): Login NOT required.
[p11_child[4329]] [read_certs] (0x4000): found cert[CAC ID Certificate][/CN=Fake Smart Card Noble CA]
[p11_child[4329]] [do_verification] (0x0040): X509_verify_cert failed [0].
[p11_child[4329]] [do_verification] (0x0040): X509_verify_cert failed [18][self-signed certificate].
[p11_child[4329]] [read_certs] (0x0040): Certificate [CAC ID Certificate][/CN=Fake Smart Card Noble CA] not valid, skipping.
[p11_child[4329]] [read_certs] (0x4000): found cert[CAC Email Signature Certificate][/CN=Fake Smart Card Noble CA]
[p11_child[4329]] [do_verification] (0x0040): X509_verify_cert failed [0].
[p11_child[4329]] [do_verification] (0x0040): X509_verify_cert failed [18][self-signed certificate].
[p11_child[4329]] [read_certs] (0x0040): Certificate [CAC Email Signature Certificate][/CN=Fake Smart Card Noble CA] not valid, skipping.
[p11_child[4329]] [read_certs] (0x4000): found cert[CAC Email Encryption Certificate][/CN=Fake Smart Card Noble CA]
[p11_child[4329]] [do_verification] (0x0040): X509_verify_cert failed [0].
[p11_child[4329]] [do_verification] (0x0040): X509_verify_cert failed [18][self-signed certificate].
[p11_child[4329]] [read_certs] (0x0040): Certificate [CAC Email Encryption Certificate][/CN=Fake Smart Card Noble CA] not valid, skipping.
[p11_child[4329]] [do_card] (0x4000): No certificate found.
# shutdown vm, make empty cert and relaunch
sudo shutdown now
# make an empty cert and add it to nssdb
certutil -S -s "CN=''" -n CACert -x -t "CT,C,C" -v 120 -m 1234 -d sql:$PWD
certutil -R -s "CN='\?', O=Canonical , L=COS, ST=CO, C=US" -o mycert.req -d sql:$PWD
certutil -d sql:$PWD -L
certutil -C -m 2345 -i mycert.req -o invalid.crt -c CACert -d sql:$PWD
openssl x509 -in invalid.crt -noout -text
certutil -A -d sql:$PWD -i invalid.crt -t TC,TC,TC -n invalid-fake-
smartcard-ca
sudo qemu-system-x86_64 -enable-kvm -m 1024 -nic
user,model=virtio -chardev
socket,server=on,host=0.0.0.0,port=2001,id=ccid,wait=off -drive
file=root.img,media=disk,index=0,if=virtio -drive
file=seed.img,index=1,media=cdrom -usb -device usb-ccid -device ccid-
card-emulated,backend=certificates,db=sql:$PWD,cert1=fake-invalid-
smartcard-ca,cert2=fake-invalid-smartcard-ca,cert3=fake-invalid-
smartcard-ca -usb -device virtio-rng-pci -nographic
sudo /usr/libexec/sssd/p11_child --pre -d 10 --debug-fd=2
--ca_db=/etc/sssd/pki/sssd_auth_ca_db.pem
# installing coolkey gives access to cac-card
sudo apt-get install opensc coolkey
whereis opensc-pkcs11.so
/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
~$: sudo modutil -dbdir sql:$HOME/.pki/nssdb/ -add "CAC Module"
-libfile /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type
'q <enter>' to abort, or <enter> to continue:
Module "CAC Module" added to database.
sudo /usr/libexec/sssd/p11_child --wait_for_card --pre -d 10 --debug-fd=2 \
--ca_db=/etc/sssd/pki/sssd_auth_ca_db.pem --module_name 'Fake Smart Card CA' \
--token_name CACard --key_id 0001 --pin 1234
# we'll create the empty cert, add to db and run p11_child
audo /usr/libexec/sssd/p11_child --wait_for_card --pre -d 10 --debug-fd=2 --ca_db=/etc/sssd/pki/sssd_auth_ca_db.pem --module_name 'Fake Smart Card CA' --token_name CACard --key_id 0001 --pin 1234
[p11_child[2183]] [main] (0x0400): p11_child started.
[p11_child[2183]] [main] (0x2000): Running in [pre-auth] mode.
[p11_child[2183]] [main] (0x2000): Running with effective IDs: [0][0].
[p11_child[2183]] [main] (0x2000): Running with real IDs [0][0].
[p11_child[2183]] [do_card] (0x4000): Module List:
[p11_child[2183]] [do_card] (0x4000): common name: [opensc-pkcs11].
[p11_child[2183]] [do_card] (0x4000): dll name: [/usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so].
[p11_child[2183]] [do_card] (0x4000): Description [Gemalto Gemplus USB SmartCard Reader 433-Swap [CCID Interface...] Manufacturer [QEMU] flags [7] removable [true] token present [true].
[p11_child[2183]] [do_card] (0x4000): Token label [Fake Smart Card CA].
[p11_child[2183]] [do_card] (0x4000): Found [Fake Smart Card CA] in slot [Gemalto Gemplus USB SmartCard Reader 433-Swap [CCID Interface...][0] of module [0][/usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so].
[p11_child[2183]] [do_card] (0x4000): Login NOT required.
[p11_child[2183]] [read_certs] (0x4000): found cert[CAC ID Certificate][/CN=Fake Smart Card CA]
[p11_child[2183]] [do_ocsp] (0x0020): No OCSP URL in certificate and no default responder defined, skipping OCSP check.
[p11_child[2183]] [read_certs] (0x4000): found cert[CAC Email Signature Certificate][/CN=Fake Smart Card CA]
[p11_child[2183]] [do_ocsp] (0x0020): No OCSP URL in certificate and no default responder defined, skipping OCSP check.
[p11_child[2183]] [read_certs] (0x4000): found cert[CAC Email Encryption Certificate][/CN=Fake Smart Card CA]
[p11_child[2183]] [do_ocsp] (0x0020): No OCSP URL in certificate and no default responder defined, skipping OCSP check.
[p11_child[2183]] [do_card] (0x4000): Fake Smart Card CA /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so CACard Fake Smart Card CA 0001 - no label given- 0003.
[p11_child[2183]] [do_card] (0x4000): Fake Smart Card CA /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so CACard Fake Smart Card CA 0001 - no label given- 0002.
[p11_child[2183]] [do_card] (0x4000): Fake Smart Card CA /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so CACard Fake Smart Card CA 0001 - no label given- 0001.
[p11_child[2183]] [do_card] (0x4000): No certificate found.
0
* Previous code stops here
#Then after upgrade we have a cert.
sudo apt-get install --only-upgrade sssd
apt-cache policy sssd
sssd:
Installed: 2.10.1-2ubuntu5.1testpkg1
Candidate: 2.10.1-2ubuntu5.1testpkg1
Version table:
*** 2.10.1-2ubuntu5.1testpkg1 500
user1 at ubuntu:~$ sudo /usr/libexec/sssd/p11_child --wait_for_card --pre -d 10 --debug-fd=2 --ca_db=/etc/sssd/pki/sssd_auth_ca_db.pem --module_name 'Fake Smart Card CA' --token_name CACard --key_id 0001 --pin 1234
[p11_child[2800]] [main] (0x0400): p11_child started.
[p11_child[2800]] [main] (0x2000): Running in [pre-auth] mode.
[p11_child[2800]] [main] (0x2000): Running with effective IDs: [0][0].
[p11_child[2800]] [main] (0x2000): Running with real IDs [0][0].
[p11_child[2800]] [do_card] (0x4000): Module List:
[p11_child[2800]] [do_card] (0x4000): common name: [opensc-pkcs11].
[p11_child[2800]] [do_card] (0x4000): dll name: [/usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so].
[p11_child[2800]] [do_card] (0x4000): Description [Gemalto Gemplus USB SmartCard Reader 433-Swap [CCID Interface...] Manufacturer [QEMU] flags [7] removable [true] token present [true].
[p11_child[2800]] [do_card] (0x4000): Token label [Fake Smart Card CA].
[p11_child[2800]] [do_slot] (0x4000): Found [Fake Smart Card CA] in slot [Gemalto Gemplus USB SmartCard Reader 433-Swap [CCID Interface...][0] of module [0][/usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so].
[p11_child[2800]] [do_slot] (0x4000): Login NOT required.
[p11_child[2800]] [read_certs] (0x4000): found cert[CAC ID Certificate][/CN=Fake Smart Card CA]
[p11_child[2800]] [do_ocsp] (0x0020): No OCSP URL in certificate and no default responder defined, skipping OCSP check.
[p11_child[2800]] [read_certs] (0x4000): found cert[CAC Email Signature Certificate][/CN=Fake Smart Card CA]
[p11_child[2800]] [do_ocsp] (0x0020): No OCSP URL in certificate and no default responder defined, skipping OCSP check.
[p11_child[2800]] [read_certs] (0x4000): found cert[CAC Email Encryption Certificate][/CN=Fake Smart Card CA]
[p11_child[2800]] [do_ocsp] (0x0020): No OCSP URL in certificate and no default responder defined, skipping OCSP check.
[p11_child[2800]] [do_slot] (0x4000): Fake Smart Card CA /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so CACard Fake Smart Card CA 0001 - no label given- 0003.
[p11_child[2800]] [do_slot] (0x4000): Fake Smart Card CA /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so CACard Fake Smart Card CA 0001 - no label given- 0002.
[p11_child[2800]] [do_slot] (0x4000): Fake Smart Card CA /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so CACard Fake Smart Card CA 0001 - no label given- 0001.
[p11_child[2800]] [do_slot] (0x4000): No certificate found.
[p11_child[2800]] [do_card] (0x4000): common name: [softhsm2].
[p11_child[2800]] [do_card] (0x4000): dll name: [/usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so].
[p11_child[2800]] [do_card] (0x4000): Description [SoftHSM slot ID 0x0] Manufacturer [SoftHSM project] flags [1] removable [false] token present [true].
0
# We continue the search for certs even if we didn't find a valid certificate.
[ Where Problems Could Occur]
Someone has already identified an issue upstream.
https://github.com/SSSD/sssd/issues/7912
[ Other Info ]
Backport from upstream.
Continue searching other PKCS#11 tokens if certificates are not found
https://github.com/SSSD/sssd/issues/5905
https://github.com/SSSD/sssd/commit/782a6dd54967e7c2dd3013f7e68134ee8751ab88
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/2110521/+subscriptions
More information about the Ubuntu-sponsors
mailing list