Bug 1298669 - Segmentation fault using pkcs11-tool
Segmentation fault using pkcs11-tool
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: opensc (Show other bugs)
23
x86_64 Linux
unspecified Severity unspecified
: ---
: ---
Assigned To: Nikos Mavrogiannopoulos
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2016-01-14 12:27 EST by Kaloyan Raev
Modified: 2016-01-28 13:29 EST (History)
6 users (show)

See Also:
Fixed In Version: opensc-0.15.0-4.fc23
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-01-28 13:29:27 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Kaloyan Raev 2016-01-14 12:27:09 EST
I have an OmniKey CardMan 6121 with Siemens CardOS V4.3B. I follow the instructions of my provider to install the necessary drivers on Linux: http://wiki.infonotary.com/index.php/Installation_of_smart_card_reader_and_smart_card_drivers_in_Linux 

I have some success. Some commands show that the setup is correct.

$ opensc-tool -a
Using reader with a card: OMNIKEY CardMan (076B:6622) 6121 00 00
3b:f2:18:00:02:c1:0a:31:fe:58:c8:08:74

$ opensc-tool -n
Using reader with a card: OMNIKEY CardMan (076B:6622) 6121 00 00
CardOS M4

$ pkcs15-tool -D
Gives a long output. Let me know if I should attach it.

But this one fails:
pkcs11-tool -lt --module opensc-pkcs11.so
Segmentation fault (core dumped)

Versions of some components I installed:
opensc.x86_64                 0.15.0-2.fc23
pcsc-lite.x86_64              1.8.14-1.fc23                                                                 pcsc-lite-asekey.x86_64       3.7-2.fc23                                                                    pcsc-lite-libs.x86_64         1.8.14-1.fc23
ifdokccid_linux_x86_64-v4.1.5 from HID official site

Due to the segfault I cannot actually use the electronic signature. Firefox just crashes when the card reader is inserted in the USB.

The same card reader and smart card worked without a problem on Ubuntu 15.04 on the same laptop before I switched to Fedora 23.
Comment 1 Nikos Mavrogiannopoulos 2016-01-15 04:36:11 EST
The page you link requires acr38u for pcsc-lite. Is there such a Fedora package?
Comment 2 Kaloyan Raev 2016-01-15 06:44:51 EST
The acr38u driver is required for a different card readers - ACR38U and ACR38T. Mine is OmniKey and works with the ccid driver.
Comment 3 Nikos Mavrogiannopoulos 2016-01-15 07:22:27 EST
Then please do:
$ sudo dnf install pcsc-lite-ccid
$ sudo dnf remove pcsc-lite-asekey
$ sudo systemctl restart pcscd

and check whether everything works right.
Comment 4 Kaloyan Raev 2016-01-15 08:11:55 EST
I followed your instructions. I still get the segfault.
I also uninstalled the ifdokccid driver I installed manually - still no luck.
Comment 5 Nikos Mavrogiannopoulos 2016-01-15 08:23:53 EST
Then try getting a backtrace:
$ sudo debuginfo-install opensc
$ gdb pkcs11-tool
 > run -lt --module /usr/lib64/pkcs11/opensc-pkcs11.so
 
 > bt full on crash
Comment 6 Kaloyan Raev 2016-01-15 10:16:36 EST
Here is the complete output of gdb:

[kraev@ThinkPad drivers]$ gdb pkcs11-tool 
GNU gdb (GDB) Fedora 7.10.1-30.fc23
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from pkcs11-tool...Reading symbols from /usr/lib/debug/usr/bin/pkcs11-tool.debug...done.
done.
(gdb) run -lt --module /usr/lib64/pkcs11/opensc-pkcs11.so
Starting program: /usr/bin/pkcs11-tool -lt --module /usr/lib64/pkcs11/opensc-pkcs11.so
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
sc_pkcs15_dup_pubkey (ctx=0x5555557770e0, key=0x0, 
    out=out@entry=0x55555578ff00) at pkcs15-pubkey.c:1073
1073		if (key->alg_id) {
(gdb) bt full on crash
No symbol "on" in current context.
(gdb) bt full
#0  sc_pkcs15_dup_pubkey (ctx=0x5555557770e0, key=0x0, 
    out=out@entry=0x55555578ff00) at pkcs15-pubkey.c:1073
        pubkey = 0x55555578feb0
        rv = 0
        alg = 0x55555579fa70 "\001"
        alglen = 13
        __FUNCTION__ = "sc_pkcs15_dup_pubkey"
#1  0x00007ffff69c7f34 in __pkcs15_prkey_bind_related (pk=0x55555578feb0, 
    fw_data=0x55555578ae10) at framework-pkcs15.c:770
        pubkey = 0x55555578d810
        obj = 0x55555578d810
        id = 0x5555557948b0
        i = 10
#2  pkcs15_bind_related_objects (fw_data=fw_data@entry=0x55555578ae10)
    at framework-pkcs15.c:838
        obj = 0x55555578feb0
        i = 5
        __FUNCTION__ = "pkcs15_bind_related_objects"
#3  0x00007ffff69d08d4 in _pkcs15_create_typed_objects (fw_data=0x55555578ae10)
    at framework-pkcs15.c:1062
        rv = <optimized out>
#4  pkcs15_create_tokens (p11card=0x55555578a3a0, app_info=0x0, 
    first_slot=0x7fffffffd090) at framework-pkcs15.c:1276
---Type <return> to continue, or q <return> to quit---
        fw_data = <optimized out>
        ffda = 0x0
        auth_user_pin = 0x55555578d870
        auth_sign_pin = 0x0
        fauo = 0x0
        slot = 0x0
        i = <optimized out>
        rv = <optimized out>
        idx = 0
        __FUNCTION__ = "pkcs15_create_tokens"
#5  0x00007ffff69c35df in card_detect (reader=reader@entry=0x555555789490) at slot.c:292
        atrblock = <optimized out>
        enable_InitToken = <optimized out>
        app_generic = 0x0
        first_slot = 0x0
        p11card = 0x55555578a3a0
        rc = <optimized out>
        rv = <optimized out>
        i = <optimized out>
        j = <optimized out>
        __FUNCTION__ = "card_detect"
#6  0x00007ffff69c3c05 in initialize_reader (reader=0x555555789490) at slot.c:144
        i = <optimized out>
        rv = <optimized out>
        conf_block = <optimized out>
        list = <optimized out>
#7  0x00007ffff69c3e6f in card_detect_all () at slot.c:347
        reader = 0x555555789490
        i = 0
        __FUNCTION__ = "card_detect_all"
#8  0x00007ffff69be3f5 in C_GetSlotList (tokenPresent=0 '\000', pSlotList=0x0, pulCount=0x555555770b08 <p11_num_slots>) at pkcs11-global.c:392
        i = <optimized out>
        slot = <optimized out>
        prev_reader = <optimized out>
        rv = <optimized out>
        found = <optimized out>
        numMatches = <optimized out>
        pulCount = 0x555555770b08 <p11_num_slots>
        pSlotList = 0x0
        tokenPresent = 0 '\000'
        rv = <optimized out>
---Type <return> to continue, or q <return> to quit---
#9  0x000055555556052f in list_slots (tokens=<optimized out>, print=0, refresh=1) at pkcs11-tool.c:968
        info = {
          slotDescription = "\b\002", '\000' <repeats 14 times>, "\001.\000\000\000\200\377\377\377\321\377\377\377\177\000\000\000\000\000\000\000\000\000\000\003\000\000\000\060", '\000' <repeats 18 times>, 
          manufacturerID = "0\000\000\000\060\000\000\000\300\322\377\377\377\177\000\000\000\322\377\377\377\177\000\000\000S\235\232\004\205\335\016", flags = 0, 
          hardwareVersion = {major = 119 'w', minor = 0 '\000'}, firmwareVersion = {major = 0 '\000', minor = 0 '\000'}}
        n = <optimized out>
        rv = <optimized out>
#10 0x0000555555559595 in main (argc=<optimized out>, argv=0x7fffffffdf78) at pkcs11-tool.c:728
        session = 0
        object = 0
        err = 0
        c = <optimized out>
        long_optind = 0
        do_show_info = 0
        do_list_slots = 0
        list_token_slots = 0
        do_list_mechs = 0
        do_list_objects = 0
        do_sign = 0
        do_decrypt = 0
        do_hash = 0
        do_derive = 0
        do_gen_keypair = 0
        do_write_object = 0
        do_read_object = 0
        do_delete_object = 0
        do_set_id = 0
        do_test = 1
        do_test_kpgen_certwrite = 0
        do_test_ec = 0
        do_test_fork = 0
        need_session = 3
        opt_login = 1
        do_init_token = 0
        do_init_pin = 0
        do_change_pin = 0
        do_unlock_pin = 0
        action_count = 1
        rv = <optimized out>
(gdb)
Comment 7 Vladimir Penev 2016-01-18 04:53:02 EST
I have same issue, with the same debug output.
The only way to use opensc on fedora 23 is to downgrade it to fedora 22 version.
Comment 8 Nikos Mavrogiannopoulos 2016-01-18 05:17:15 EST
Unfortunately I'm not able to reproduce that as my smart cards work. Could you try opensc from git [0] and see if the issue is fixed on latest master?

1. If it is fixed, then please do a git bisect from tag 0.15.0 to current head to figure where the issue was fixed.

2. If it is not fixed, then please do a git bisect from tag 0.14.0 to 0.15.0 to find out where the issue was introduced so I could attempt a fix.

Let me know if you need help with that.

[0]. https://github.com/OpenSC/OpenSC
Comment 9 Kaloyan Raev 2016-01-18 07:09:03 EST
I see that the following commit [0] looks quite promising.

I cloned the OpenSC git repo locally. Please, give me some detailed instruction how I can make Fedora use OpenSC from git master instead of the library already installed.

[0] https://github.com/OpenSC/OpenSC/commit/6e5ae841eb398b6393d7349d45f2386f820c9f5f
Comment 10 Nikos Mavrogiannopoulos 2016-01-18 07:41:28 EST
I've put a scratch-build with the fix that you referenced at:
http://koji.fedoraproject.org/koji/taskinfo?taskID=12592181

Please download and test these rpms. If they work, I'll submit of fix based on that.
Comment 11 Nikos Mavrogiannopoulos 2016-01-18 07:42:07 EST
(note that the build is in progress and may take some time for the result to be available)
Comment 12 Vladimir Penev 2016-01-18 08:09:01 EST
At my side it works as well.
I didn't try to sign a document, but the tool pkcs11-tool works fine, no crashes.
Thanks
Comment 13 Kaloyan Raev 2016-01-18 08:33:19 EST
Thanks, Nikos!

I think we have some progress, although it does not work completely yet.

I downloaded and installed the following RPMs from your build:
- opensc-0.15.0-4.fc23.x86_64.rpm 
- opensc-debuginfo-0.15.0-4.fc23.x86_64.rpm 

Now the pkcs11-tool does not crash, but fails. Here is the output:

[kraev@ThinkPad ~]$ pkcs11-tool -lt --module opensc-pkcs11.so
Using slot 1 with a present token (0x1)
Logging in to "InfoNotary (PIN)".
Please enter User PIN: 
C_SeedRandom() and C_GenerateRandom():
  seeding (C_SeedRandom) not supported
  seems to be OK
Digests:
  all 4 digest functions seem to work
  MD5: OK
  SHA-1: OK
  RIPEMD160: OK
Signatures (currently only RSA signatures)
  testing key 0 (E586C2EF-BDF3-467D-88C4-77080CD59AB7) 
error: PKCS11 function C_SignFinal failed: rv = CKR_GENERAL_ERROR (0x5)

Aborting.

I get the same CKR_GENERAL_ERROR in Firefox when I try to login in a web site that requires authentication with this electronic signature: 

An error occurred during a connection to inetdec.nra.bg. A PKCS #11 module returned CKR_GENERAL_ERROR, indicating that an unrecoverable error has occurred. (Error code: sec_error_pkcs11_general_error)
Comment 14 Kaloyan Raev 2016-01-18 08:40:34 EST
I was able to resolve this last error. As suggested in the instructions by Infonotary, I uninstalled pcsc-lite-ccid and manually installed ifdokccid_linux_x86_64-v4.1.5 from HID official site.

Now pkcs11-tool works correctly and I can the signature works perfectly in Firefox.

The issue is resolved for me :-)

Many thanks, Nikos!

I think you can submit the fix for OpenSC to Fedora 23.
Comment 15 Fedora Update System 2016-01-18 09:34:53 EST
opensc-0.15.0-4.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-30b36854a0
Comment 16 Fedora Update System 2016-01-19 22:55:12 EST
opensc-0.15.0-4.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-30b36854a0
Comment 17 Kaloyan Raev 2016-01-20 04:46:34 EST
I removed the opensc package and then installed it again using:

sudo dnf install opensc --enablerepo=updates-testing

My electronic signature works as expected.
Comment 18 Nikos Mavrogiannopoulos 2016-01-20 04:49:28 EST
Please provide feedback on the link in Comment #16 to speed up the move of this package to stable.
Comment 19 Kaloyan Raev 2016-01-20 04:59:15 EST
(In reply to Nikos Mavrogiannopoulos from comment #18)
> Please provide feedback on the link in Comment #16 to speed up the move of
> this package to stable.

Done.
Comment 20 Fedora Update System 2016-01-28 13:29:21 EST
opensc-0.15.0-4.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.