Opensc 0.20 packages for Ubuntu 16.04?

Do you intend to provide prebuilt packages for Ubuntu 16.04 LTS for opensc 0.20 as well? On https://github.com/Nitrokey/opensc-build there is still only 0.19 and it is quite aged by now. Would appreciate an update and hope it will be possible to have 0.20 even for the older Ubuntu 16.04.

If you do not intend to provide them on your own - is there an explicit build script (activated compile options, path values, etc.) that was used for 0.19 and could be reused for 0.20?

Thank you very much in advance!

Hi @daubsi !

I believe we are not supporting Ubuntu 16.04 LTS anymore, only 18.04 and up. We do not have the v0.20 packages indeed, which should be corrected. As for the build scripts, these are integrated already with the repository.

@nitroalex - could you run the build with a new version?
If that would not make trouble, please build for 16.04 as well but without testing, and mark it as experimental/untested.

That would be great, thank you! I compiled opensc last night from scratch, however I am never 100% sure whether I used the same/correct options/paths so that the new version really replaces an existing one in the right places and leaves no zombie artifacts that are then mixed and might cause problems, etc. Thus I really appreciate you providing a proper build that fits the previous version's file system layout. Thanks

It's quite safe to compile and install OpenSC or sc-hsm-embedded via configure, make, make install. Just make sure you first uninstall the OpenSC package that comes with the distribution.

The main difference is that local builds install in /usr/local, so they don't usually interfere with distribution install locations.

I just wanted to add that one can use checkinstall on Ubuntu/Debian to manage the installation from sources, like any Debian package.

Cool. Didn't know that. Thanks

So checkinstall is like an installation monitor? Ok, I didn't know I need to remove all previous packages, because I thought I would break and/or remove quite a lot of additional packages that are in turn installed with opensc for example...

FYI:

This is the way I built opensc-0.20

> wget https://github.com/OpenSC/OpenSC/archive/0.20.0.tar.gz
> mkdir opensc-0.20
> cd opensc-0.20
> tar xzf ../0.20.0.tar.gz
> cd OpenSC-0.20.0/
> ./bootstrap
> ./configure --prefix=/usr --sysconfdir=/etc
> sudo apt-get install -y apt-src wget scdaemon libccid pcscd
> ./configure --prefix=/usr --sysconfdir=/etc/opensc
> cd ..
> wget https://github.com/frankmorgner/openpace/releases/download/1.1.0/openpace-1.1.0.tar.gz
> tar xzf openpace-1.1.0.tar.gz
> cd openpace-1.1.0/
> autoreconf --verbose --install
> ./configure --prefix=/usr --sysconfdir=/etc
> make all
> sudo make install
> cd ..
> cd opensc-0.20/
> sudo apt install libpcsclite-dev
> ./configure --prefix=/usr --sysconfdir=/etc
> make all

Then verifying operation via:

src/tools/pkcs11-tool --module src/pkcs11/.libs/opensc-pkcs11.so -I
src/tools/pkcs11-tool --module src/pkcs11/.libs/opensc-pkcs11.so --verbose -t --pin <mypin> --id 2
src/tools/pkcs11-tool --module src/pkcs11/.libs/opensc-pkcs11.so --generate-random 16 | hexdump -C

So far still refraining from doing a full "make install".

Is this the proper setup?
Would you suggest now to run "checkinstall sudo make install"?
Which packages do I need to uninstall to be on the safe side?

Also, I remember I had to build the pkcs11 engine for openssl like this:

git clone https://github.com/OpenSC/libp11.git
cd libp11/
libtoolize
aclocal
autoconf
automake --add-missing
autoreconf
./configure
make
/usr/local/ssl/bin/openssl engine dynamic -pre SO_PATH:/tmp/libp11/src/.libs/pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD
sudo cp pkcs11.so /usr/lib/ssl/engines/

Will I need to rebuild the engine once I use opensc-0.20? Or is this engine independent from the opensc version?
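The worry in this post about "zombie artifacts" and which packages to remove comes down to knowing where each OpenSC piece lives and who owns it. The following audit script is an added example, not code from the thread or from the OpenSC/Nitrokey projects; the candidate directories are the usual Debian/Ubuntu and autotools defaults and are assumptions to adjust to your own --prefix and --sysconfdir.

```shell
#!/bin/sh
# Added example (not from the thread): audit where OpenSC tools, modules and config
# live, so a source build into /usr or /usr/local neither shadows nor is shadowed by
# the distribution package. Candidate directories are Debian/Ubuntu and autotools
# defaults (assumed); adjust them to your --prefix/--sysconfdir.

# First directory in a PATH-style string ($2) holding an executable named $1.
first_in_path() {
    rest=$2:
    while [ -n "$rest" ]; do
        dir=${rest%%:*}
        rest=${rest#*:}
        [ -x "$dir/$1" ] && { printf '%s\n' "$dir/$1"; return 0; }
    done
    return 1
}

# Every existing copy of file name $1 in the candidate directories that follow.
list_copies() {
    name=$1
    shift
    for dir in "$@"; do
        [ -f "$dir/$name" ] && printf '%s\n' "$dir/$name"
    done
    return 0
}

# dpkg package owning an absolute path, or "unpackaged" for a bare make-install file
# (a package built with checkinstall or opensc-build shows up here as its package name).
owner_of() {
    if command -v dpkg >/dev/null 2>&1 && dpkg -S "$1" >/dev/null 2>&1; then
        dpkg -S "$1" | cut -d: -f1
    else
        echo unpackaged
    fi
}

# Walk the usual locations and report each hit with its owner.
audit() {
    for t in pkcs11-tool pkcs15-tool sc-hsm-tool; do
        p=$(first_in_path "$t" "$PATH") && echo "$t: $p ($(owner_of "$p"))"
    done
    list_copies opensc-pkcs11.so /usr/lib/x86_64-linux-gnu/pkcs11 /usr/lib/x86_64-linux-gnu \
        /usr/lib/pkcs11 /usr/local/lib /usr/local/lib/pkcs11 | while read -r p; do
        echo "module: $p ($(owner_of "$p"))"
    done
    list_copies opensc.conf /etc /etc/opensc /usr/local/etc | sed 's/^/config: /'
}
```

Run `audit` before and after a `make install`: two modules or two configs with different owners is exactly the mixed layout the post is worried about, and the owner column tells you which package to `apt remove`.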

Have you considered commands from the opensc-build project's main script?
This would build you the package with flags default to your distribution.
I unfortunately do not know well the build process for the OpenSC.

About libp11, I do not think so, but might be wrong.

No need to have openpace in the loop. That is only needed if you want to use secure messaging, but we never test that.

OK, it was just the case that the plain vanilla ./configure asked for its support and as I didn't know you might have explicitly disabled this I added it :wink:

I build new versions.


Could you kindly please add builds for Ubuntu 20.04 LTS "focal" as well please?
See problems mentioned in "Update of opensc-build? due to new openssl 1.1.1 update".

Hm, I tried the mentioned build script from GitHub - Nitrokey/opensc-build: Quick builds of OpenSC for Ubuntu and Debian, and the opensc build went fine. However, neither pkcs11-tool nor pkcs15-tool find my Nitrokey HSM2 anymore.

Hi!

  1. Can you check the logs from OpenSC? Under Linux it should suffice to run the tools prefixed with env OPENSC_DEBUG=9, e.g.
     env OPENSC_DEBUG=9 pkcs11-tool -L
  2. What does sc-hsm-tool say?
  3. Make sure the newly built pcscd daemon is active, and not the old one (as long as it is part of the package).
  4. I might be wrong, but AFAIR Nitrokey HSM support in OpenSC has to be explicitly enabled during the build - please check that if possible.

Maint. note: to be moved to separate topic

Thanks for your fast feedback and the helpful suggestions. Before you answered I had already rebooted the server (was scheduled anyway) and after the reboot pkcs11-tool again saw the NitroKey HSM2. I presume it might have been your point 3) which eventually was the problem and was solved by the reboot.

Is it sensible to also migrate to v0.22.0 of opensc? Or are the nitrokey extensions only available for 0.20.0?

I also have feedback regarding the build-script:

I added to the docker-compose.yml a separate section for Ubuntu 20.04 LTS "focal" and started it with docker-compose up. Everything ran fine so far, until in the midst of the updates one package asked me for an answer regarding locale/timezone. However, due to being run via docker-compose I could not actually answer anything (input was ignored) so I had to CTRL+C it.

I was eventually able to run it successfully with the following command without docker-compose:

docker run -it --mount 'type=bind,source=/tmp/opensc-build,destination=/opensc' ubuntu:focal

I then manually installed the two DEB files using:

sudo dpkg -i opensc-pkcs11_0.20.0-1~nitrokey_amd64.deb
sudo dpkg -i opensc_0.20.0-1~nitrokey_amd64.deb

As far as I observed, the installed openssl in the docker container is not the latest and greatest from today (1.1.1m) and the pkcs11-opensc.so is still not working 100% when used as an openssl engine.

Mar 19 12:17:36 bigigloo dovecot[16316]: imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate: error:2506406A:DSO support routines:dlfcn_bind_func:could not bind to the requested symbol name: symname(bind_engine): /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so: undefined symbol: bind_engine, error:2506C06A:DSO support routines:DSO_bind_func:could not bind to the requested symbol name, error:260B6068:engine routines:dynamic_load:DSO failure, error:260BC066:engine routines:int_engine_configure:engine configuration error: section=pkcs11_section, name=dynamic_path, value=/usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so, error:0E07606D:configuration file routines:module_run:module initialization error: module=engines, value=engine_section, retcode=-1 : user=<>, rip=192.168.0.113, lip=192.168.0.1

As soon as I disable the engine in the openssl.cnf, dovecot starts up again happily as in all the years before. Unfortunately rebuilding opensc today did not fix the problem. As said, presumably due to not the latest version of openssl being in the container. The problems started right after I had upgraded openssl today. (I am not actually using pkcs11 in dovecot, but something seems to trigger this error. I only encountered it in dovecot so far.)

The original problem this morning was:

Mar 19 08:37:51 bigigloo dovecot[3090]: imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate: error:2506406A:DSO support routines:dlfcn_bind_func:could not bind to the requested symbol name: symname(EVP_PKEY_get_base_id): /usr/lib/ssl/engines/pkcs11.so: undefined symbol: EVP_PKEY_get_base_id, error:2506C06A:DSO support routines:DSO_bind_func:could not bind to the requested symbol name: user=<>, rip=192.168.0.112, lip=192.168.0.1

→ Different symbol "EVP_PKEY_get_base_id" - I presume something changed here in the latest version.
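The two log lines above fail on different missing symbols, and a quick look at what a shared object exports and imports separates the two cases: OpenSSL's dynamic engine loader resolves bind_engine (and v_check) from the file named in dynamic_path, while a PKCS#11 module such as opensc-pkcs11.so exports C_GetFunctionList instead and belongs in the libp11 engine's MODULE_PATH setting. The script below is an added example, not code from the thread, OpenSC or libp11; it assumes GNU nm is installed.

```shell
#!/bin/sh
# Added example (not from the thread): tell an OpenSSL dynamic engine apart from a
# PKCS#11 module by its exported symbols. OpenSSL's dynamic loader resolves
# bind_engine (and v_check) from the library named in dynamic_path; a PKCS#11
# module exports C_GetFunctionList instead, which produces the error shown above.

# Classify from exported symbol names, one per line on stdin.
# Prints one of: engine | pkcs11-module | both | neither
classify_symbols() {
    has_engine=0
    has_p11=0
    while IFS= read -r sym; do
        case $sym in
            bind_engine) has_engine=1 ;;
            C_GetFunctionList) has_p11=1 ;;
        esac
    done
    if [ "$has_engine" -eq 1 ] && [ "$has_p11" -eq 1 ]; then echo both
    elif [ "$has_engine" -eq 1 ]; then echo engine
    elif [ "$has_p11" -eq 1 ]; then echo pkcs11-module
    else echo neither
    fi
}

# Dynamic symbols a shared object defines (GNU nm; last field is the name).
exported_symbols() {
    nm -D --defined-only "$1" | awk '{ print $NF }'
}

# Dynamic symbols it needs from elsewhere (libcrypto, libssl, libc, ...).
unresolved_symbols() {
    nm -D --undefined-only "$1" | awk '{ print $NF }'
}

# Check the file named by dynamic_path in openssl.cnf.
check_engine_path() {
    so=$1
    [ -f "$so" ] || { echo "$so: not found"; return 1; }
    kind=$(exported_symbols "$so" | classify_symbols)
    echo "$so: $kind"
    if [ "$kind" = pkcs11-module ]; then
        echo "  dynamic_path must name the libp11 engine (pkcs11.so); put this file in MODULE_PATH"
    fi
    # OpenSSL symbols the object imports; one the installed libcrypto lacks gives the
    # "undefined symbol: EVP_PKEY_get_base_id" style of failure (check with ldd).
    unresolved_symbols "$so" | grep -E '^(EVP|ENGINE|ERR)_' | head -n 5 | sed 's/^/  imports: /'
    return 0
}
```

Call `check_engine_path /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so` and then the same for the libp11 pkcs11.so: the first log line above corresponds to the "pkcs11-module" verdict, the second to an engine whose imports are newer than the libcrypto it is loaded into.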

Me again... as it turned out, libssl1.1.1n is not from the Ubuntu main repo but from a launchpad repo I added to get more up-to-date versions of certain software components than from the LTS. So it was a homemade problem. I added that repo to the opensc-build script and rebuilt everything, but still the final opensc.so and pkcs11-opensc.so cause problems when used in combination with dovecot since that version libssl1.1.1n.

Anyway, I understand this is neither an opensc nor a build-script problem and is caused by my setup, so I don't expect more support about this from here.

If anyone wants to give it a try though, please add this repo:
add-apt-repository ppa:savoury1/build-tools

Using that libssl package will break the opensc module in openssl it seems.
