Bug 1947025
| Field | Value |
|---|---|
| Summary | Failed to store private key: Requested object not found |
| Product | Red Hat Enterprise Linux 8 |
| Reporter | Mike Ralph <mralph> |
| Component | opensc |
| Assignee | Jakub Jelen <jjelen> |
| Status | CLOSED NEXTRELEASE |
| QA Contact | BaseOS QE Security Team <qe-baseos-security> |
| Severity | high |
| Docs Contact | Mirek Jahoda <mjahoda> |
| Priority | medium |
| Version | 8.8 |
| CC | jjelen, lmanasko, mjahoda, spoore |
| Target Milestone | beta |
| Keywords | Triaged |
| Target Release | 8.8 |
| Flags | pm-rhel: mirror+ |
| Hardware | x86_64 |
| OS | Linux |
| Doc Type | Known Issue |
| Type | Bug |
| Last Closed | 2022-09-19 15:12:16 UTC |

Doc Text:

Smart-card provisioning process through OpenSC `pkcs15-init` does not work properly

The `file_caching` option is enabled in the default OpenSC configuration, and the file caching functionality does not handle some commands from the `pkcs15-init` tool properly. Consequently, the smart-card provisioning process through OpenSC fails.

To work around the problem, add the following snippet to the `/etc/opensc.conf` file:

```
app pkcs15-init {
    framework pkcs15 {
        use_file_caching = false;
    }
}
```

The smart-card provisioning through `pkcs15-init` only works if you apply the previously described workaround.
Comment 1
Jakub Jelen
2021-04-07 20:22:11 UTC
Comment 2
(In reply to Jakub Jelen from comment #1)

> What was the last time the same process worked for you? RHEL 8.3? Before?
> The debug log would be more useful from the failing command:
>
> $ OPENSC_DEBUG=9 pkcs15-init --store-private-key miker_idm.key --auth-id 01 --id 01 --so-pin redhat --pin redhat
>
> There was really just a couple of small changes in the last update and really none of them related to the MyEID driver nor pkcs15-init. Can you try with use_file_caching = false; in /etc/opensc.conf?

Correct, it worked in RHEL 8.3. I am attaching the debug log for both with file caching and without.

Comment 3
Created attachment 1770266 [details]
with file caching

Comment 4
Created attachment 1770267 [details]
without file caching

Comment 5
Jakub Jelen
Thank you for the logs. Without the caching, you already have a different error:

```
Failed to store private key: Non unique object ID
```

So I assume the key was already written, but the file cache was not updated (or something else was broken during the writing).

One fast idea how to solve this: can you try to add the following to the /etc/opensc.conf:

```
app pkcs15-init {
    framework pkcs15 {
        use_file_caching = false;
    }
}
```

Then reset/format the card and retry the setup? Or just retry with the use_file_caching=false from the beginning to make sure this is the only cause for this issue?

I think we only tested reading cards with this option, where the file caching brings significant performance improvements, but I do not think we have some enrollment of myeid cards in the plans ...

Comment 6
(In reply to Jakub Jelen from comment #5)

> One fast idea how to solve this, can you try to add the following to the /etc/opensc.conf:
>
> app pkcs15-init {
>     framework pkcs15 {
>         use_file_caching = false;
>     }
> }

This was already set to false, but apparently you need to restart after making the change for it to take effect. I had shut the machine down and when it came up, I verified that it was set to false and tried it again and it worked.

> Then reset/format the card and retry the setup? Or just retry with the use_file_caching=false from the beginning to make sure this is the only cause for this issue?
>
> I think we only tested reading cards with this option, where the file caching brings significant performance improvements, but I do not think we have some enrollment of myeid cards in the plans ...

This does raise a question for me. This was a brand new install with a blank card, so what is cached to cause the issue?

Comment 7
Jakub Jelen
The above snippet should disable the caching only for the pkcs15-init tool.

But you executed several commands, which touched the card. So probably the last one used some cached information from the previous invocation.

This is something we should fix. In the short term probably with a workaround as posted above (assuming it will work), in the long term with proper cache invalidation during pkcs15-init enrollment. But as I do not have a MyEID card myself at hand, it will take some time before I will get to that.

Comment 8
Mike Ralph
(In reply to Jakub Jelen from comment #7)

> The above snippet should disable the caching only for the pkcs15-init tool.
>
> But you executed several commands, which touched the card. So probably the last one used some cached information from the previous invocation.
>
> This is something we should fix. In the short term probably with a workaround as posted above (assuming it will work), in the long term with proper cache invalidation during pkcs15-init enrollment. But as I do not have a MyEID card myself at hand, it will take some time before I will get to that.

I just checked an opensc.conf on a RHEL 8.3, and it has use_file_caching commented out. Not certain if that means anything, as some apps have default parameters commented out. The RHEL 8.4 Beta does not have it commented out.

So I have a couple of questions. First, since it might take some time to resolve this, what service reads opensc.conf? I will use this info to make a KCS until this is fixed.

Second one is, what is the difference between:

```
app default {
    framework pkcs15 {
        use_file_caching = true;
    }
```

and

```
app pkcs15-init {
    framework pkcs15 {
        use_file_caching = false;
    }
}
```

Comment 9
(In reply to Mike Ralph from comment #8)

> I just checked an opensc.conf on a RHEL 8.3, and it has use_file_caching commented out. Not certain if that means anything, as some apps have default parameters commented out. The RHEL 8.4 Beta does not have it commented out.

That's intended. See #1892810

> So I have a couple of questions. First, since it might take some time to resolve this, what service reads opensc.conf?

No service. The opensc-pkcs11.so and the opensc tools read this file directly.

> I will use this info to make a KCS until this is fixed.
>
> Second one is, what is the difference between:
>
> app default {
>     framework pkcs15 {
>         use_file_caching = true;
>     }
>
> and
>
> app pkcs15-init {
>     framework pkcs15 {
>         use_file_caching = false;
>     }
> }

The first is the default and should apply to all opensc tools; the second should apply only to pkcs15-init for the card enrollment. Not sure what the priorities are in case both of them are present (whether one needs to come before the other). It needs some testing.

Looks good. Thanks!

FYI, this was recently discussed in the upstream PR https://github.com/OpenSC/OpenSC/pull/2501 when we tried to enable the file caching by default too. The summary is that the caching code is not very suitable for updating card objects as it is now, so it would require some modification of the caching code to invalidate the cache on write, which is not in place yet. So for now, the workaround proposed in comment #5 should do the job. If we update opensc in RHEL8, we should probably bring these changes in.

There is some work in progress on fixing this properly upstream right now, but I do not think we will be backporting these changes to RHEL8 unless there is huge demand for it, so I am closing this bug. https://github.com/OpenSC/OpenSC/pull/2501
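As an added example (not code from this bug or from the OpenSC project), a small parser for the opensc.conf block syntax that answers the question in comment #8 by resolving which `use_file_caching` value a given tool would see. The sample configuration is constructed, and the precedence rule is an assumption: since comment #9 leaves it untested, the example assumes an `app <name>` block wins over `app default`.

```python
import re

# Constructed sample in the opensc.conf brace syntax discussed on this page:
# "app default" turns the cache on, "app pkcs15-init" turns it off again.
SAMPLE_CONF = """
app default {
    framework pkcs15 {
        use_file_caching = true;   # the RHEL 8.4 default
    }
}
app pkcs15-init {
    framework pkcs15 {
        use_file_caching = false;  # the workaround from comment #5
    }
}
"""
# Tokens: '#' comments, quoted strings, the punctuation { } = ; and bare words.
_TOK = re.compile(r'#[^\n]*|"[^"]*"|[{}=;]|[^\s{}=;"#]+')

def parse_conf(text):
    """Parse opensc.conf-style text into nested dicts: a block "kw name { ... }"
    becomes node[(kw, name)] = {...}; an entry "key = value;" becomes node[key]."""
    toks = [t for t in _TOK.findall(text) if not t.startswith("#")]
    pos = 0
    def block():
        nonlocal pos
        node = {}
        while pos < len(toks) and toks[pos] != "}":
            words = []
            while toks[pos] not in ("{", "="):   # block header or entry name
                words.append(toks[pos].strip('"'))
                pos += 1
            if toks[pos] == "{":
                pos += 1
                node[(words[0], " ".join(words[1:]))] = block()
            else:                                # key = value ;
                node[words[0]] = toks[pos + 1].strip('"')
                pos += 2
            pos += 1                             # consume the "}" or the ";"
        return node
    return block()

def effective_file_caching(conf, app_name):
    """True/False for the use_file_caching that applies to app_name, or None
    when neither block sets it. Assumption (hypothetical, comment #9 leaves it
    untested): the "app <name>" block takes precedence over "app default"."""
    for name in (app_name, "default"):
        fw = conf.get(("app", name), {}).get(("framework", "pkcs15"), {})
        if "use_file_caching" in fw:
            return fw["use_file_caching"].lower() == "true"
    return None
```

Under that assumption pkcs15-init resolves to `False` while any other tool (for example opensc-pkcs11) still resolves to `True`, which is the split comment #9 describes.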