testing the next ubuntu release

testing the next ubuntu release

Andreas Jellinghaus-2
Hi everyone,

Ubuntu 10.04 LTS Beta 1 ("lucid") is now available on www.ubuntu.org.
I did some testing already, and it seems to work fine for the apps I
tested. More testing would be very welcome!

Also for those of you that want to test firefox with https client certificate
authentication, I found out you can do that easily with openssl. See below
for details.

Regards, Andreas

My testing so far:

1.) Version test
        Package          OpenSC     Ubuntu Lucid
        Engine PKCS#11   0.1.8      0.1.8-2
        Lib P11          0.2.7      0.2.7-1
        OpenCT           0.6.20     0.6.19-1ubuntu3
        OpenSC           0.11.13    0.11.12-1ubuntu2
        Pam P11          0.1.5      0.1.5-1build1

    Result:
        Versions ok, latest OpenCT/OpenSC changes with Rutoken S patch missing
        (but those were released quite late, so ok)

2.) Content check
        Pam P11          Looks OK
        Lib P11          HTML Documentation missing
                         api.out missing in source tar.gz
        Engine PKCS#11   Looks OK
        OpenCT           Looks OK
        OpenSC           HTML Documentation (wiki) missing

3.) Function test
        Had to use VirtualBox Personal/Evaluation edition:
                * Virtmanager with KVM and USB devices didn't work out.
                * VirtualBox OSE doesn't include USB device support.
        Installed Ubuntu Lucid amd64 beta 1 Desktop (default installation).
        Installed dselect with "apt-get install dselect"
        In dselect installed all openct, opensc, libp11, pam-p11, engine-pkcs11
                packages
        Added my user ("ubuntu") to group scard, logout, login again.
        Plugged in a token (Rainbow iKey 3000), assigned it to the guest VM
        Run "openct-tool list" -> found!
        Run "/etc/init.d/openct stop; /etc/init.d/openct start"
        Run "openct-tool list" again -> found!

        Testing with other tokens:
         * Rainbow iKey 3000 OK
         * Aladdin eToken PRO (4.2B) OK
         * GemPC KEY with Cryptoflex OK, but very slow
         * SCM SCR 335 OK

        -> Hotplugging seems to work fine. Wow, first Ubuntu release with that?
       
4.) Test by QuickStart (all tests only once, with an Aladdin eToken PRO 4.2B)
        Let's test the commands from each project's QuickStart documentation.

        OpenCT
                openct-tool list
                openct-tool atr
        OpenSC
                opensc-tool --list-readers
                opensc-tool --reader 0 --atr
                opensc-tool --reader 0 --name
                pkcs15-init --create-pkcs15 --so-pin 12345678 --so-puk 78907890
                pkcs15-init --store-pin --auth-id 01 \
                        --label "Andreas Jellinghaus" \
                        --pin 123456 --puk 567890 --so-pin 12345678
                pkcs15-init --generate-key rsa/2048 --auth-id 01 \
                        --pin 123456 --so-pin 12345678
                openssl
                        engine dynamic \
                                -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so \
                                -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD \
                                -pre MODULE_PATH:opensc-pkcs11.so \
                                -pre PIN:123456
                        req -engine pkcs11 -new -key id_45 -keyform engine \
                                -x509 -out cert.pem -text \
                                -subj "/CN=Andreas Jellinghaus"
                openssl verify -CAfile cert.pem cert.pem
                pkcs15-init --store-certificate cert.pem --auth-id 01 --id 45 \
                        --format pem --pin 123456 --so-pin 12345678
                pkcs15-tool --dump
                pkcs11-tool --test --login --pin 123456
        Libp11 - no special commands
        Engine PKCS#11 - already covered
        Pam P11 : pam_p11_opensc
                As root: modify pam config for su:
                auth       required   pam_p11_opensc.so /usr/lib/opensc-pkcs11.so

                And create a file with login information (still as root):
                mkdir ~/.eid
                chmod 0755 ~/.eid
                pkcs15-tool -r 45 > ~/.eid/authorized_certificates
                chmod 0644 ~/.eid/authorized_certificates

                Keep xterm as root open, so you can fix / undo things.
               
                Open a new xterm with Alt-F2 and try "su" from user to root.

        Pam P11 : pam_p11_openssh
                Pam config for "su":
                auth       required   pam_p11_openssh.so /usr/lib/opensc-pkcs11.so

                mkdir ~/.ssh
                chmod 0755 ~/.ssh
                ssh-keygen -D 0 > ~/.ssh/authorized_keys
                chmod 0644 ~/.ssh/authorized_keys

        OpenSSH
                not compiled with ssh support.

        Firefox
                Edit / Preferences / ... (load opensc-pkcs11.so as module)

                Set up a local https test server:

                openssl genrsa -out server.key 2048
                openssl req -new -x509 -key server.key -out server.pem \
                        -days 365 -subj "/CN=localhost"
                openssl s_server -accept 4443 -cert server.pem -key server.key \
                        -www -verify 99

                Then use firefox to surf to "https://localhost:4443/"
       
        Other applications
                wpa_supplicant - no test environment here
                strongswan - no test environment here
                thunderbird - no test environment here
                -> testing and feedback and test procedures welcome

        Cleanup
                pkcs15-init --erase-card --pin 123456 --so-pin 12345678

        Card information for cardos cards
                cardos-tool --info

        Running the test suite (on empty cards)
                svn co http://www.opensc-project.org/svn/opensc/releases/opensc-0.11.13/src/tests/regression
                cd regression
                ./run-all --installed
                (on cryptoflex cards need a transport key specified,
                        for example "-T" for the default one)
_______________________________________________
opensc-user mailing list
[hidden email]
http://www.opensc-project.org/mailman/listinfo/opensc-user

Re: testing the next ubuntu release

Roland Schwarz
Hi Andreas!

Andreas Jellinghaus wrote:
>
> Firefox
> Edit / Preferences / ... (load opensc-pkcs11.so as module)

I am trying this with Karmic.
Are there any known issues with pcsc-lite?

On my machine upon loading I can see a very high CPU load, and cannot
log into my card.

I try to find out what is going on and currently try to understand the
code in reader-pcsc.c. The pcsc_wait_for_event in particular.
When I activate debugging I can see that in every call

reader-pcsc.c:1031:pcsc_wait_for_event: Gemplus GemPC Key 00 00
before=0x0000 now=0x0122

before and now will trigger an event which results in very high
polling frequency. From reading the MS specs of this function I
cannot understand what the code in pcsc_wait_for_event is trying
to do since the MS specs have no before and now.

On the other hand it might simply be the case that I do not
understand the code and the problem is anywhere else.

Any ideas?

Thank you for taking care, regards
Roland

--
_________________________________________
  _  _  | Roland Schwarz aka. speedsnail
 |_)(_  | sip:[hidden email]
 | \__) | mailto:[hidden email]
________| http://www.blackspace.at

Re: testing the next ubuntu release

Martin Paljak-2
On Apr 1, 2010, at 16:58 , Roland Schwarz wrote:

> Hi Andreas!
>
> Andreas Jellinghaus wrote:
>>
>> Firefox
>> Edit / Preferences / ... (load opensc-pkcs11.so as module)
>
> I am trying this with Karmic.
> Are there any known issues with pcsc-lite?
>
> On my machine upon loading I can see a very high CPU load, and cannot
> log into my card.

Are you sure you use OpenSC 0.11.13?


> I try to find out what is going on and currently try to understand the
> code in reader-pcsc.c. The pcsc_wait_for_event in particular.
> When I activate debugging I can see that in every call
>
> reader-pcsc.c:1031:pcsc_wait_for_event: Gemplus GemPC Key 00 00
> before=0x0000 now=0x0122
>
> before and now will trigger an event which results in very high
> polling frequency. From reading the MS specs of this function I
> cannot understand what the code in pcsc_wait_for_event is trying
> to do since the MS specs have no before and now.

state before calling SCardGetStatusChange and after the call returns.

--
Martin Paljak
http://martin.paljak.pri.ee
+3725156495
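
The before/now pair discussed in the two messages above, as an added example that is not part of the thread and is not OpenSC's reader-pcsc.c: it decodes the logged now=0x0122 with the PC/SC reader-state flag values and runs a simplified stand-in for SCardGetStatusChange to show why a caller whose stored "before" state never catches up gets an immediate return on every wait. The names decode_state, model_status_change and immediate_returns are hypothetical, and comparing whole state words is a simplifying assumption.

```c
#include <stdio.h>
#include <string.h>
/* Added example, not OpenSC code. Flag values as in winscard.h / pcsclite.h. */
#define SCARD_STATE_UNAWARE 0x0000u
#define SCARD_STATE_CHANGED 0x0002u
#define SCARD_STATE_PRESENT 0x0020u
#define SCARD_STATE_INUSE   0x0100u

/* Hypothetical helper: render a reader-state word as flag names. */
static const char *decode_state(unsigned s, char *buf, size_t len) {
    static const struct { unsigned bit; const char *name; } f[] = {
        {0x0001, "IGNORE"}, {0x0002, "CHANGED"}, {0x0004, "UNKNOWN"},
        {0x0008, "UNAVAILABLE"}, {0x0010, "EMPTY"}, {0x0020, "PRESENT"},
        {0x0040, "ATRMATCH"}, {0x0080, "EXCLUSIVE"}, {0x0100, "INUSE"},
        {0x0200, "MUTE"} };
    buf[0] = '\0';
    if (s == 0) { snprintf(buf, len, "UNAWARE"); return buf; }
    for (size_t i = 0; i < sizeof f / sizeof f[0]; i++)
        if (s & f[i].bit) {
            if (buf[0]) strncat(buf, "|", len - strlen(buf) - 1);
            strncat(buf, f[i].name, len - strlen(buf) - 1);
        }
    return buf;
}

/* Stand-in for SCardGetStatusChange on one reader: returns 1 at once when the
 * caller's "before" state differs from the reader's real state (reporting the
 * real state plus CHANGED in *now), 0 when it would block until the timeout. */
static int model_status_change(unsigned before, unsigned real, unsigned *now) {
    if (before == real) { *now = real; return 0; }
    *now = real | SCARD_STATE_CHANGED;
    return 1;
}

/* Count how many of `calls` waits return immediately. With feed_back == 0 the
 * caller passes UNAWARE every time; with 1 it stores "now" minus CHANGED. */
static int immediate_returns(int calls, int feed_back) {
    unsigned real = SCARD_STATE_PRESENT | SCARD_STATE_INUSE;
    unsigned before = SCARD_STATE_UNAWARE, now;
    int hits = 0;
    for (int i = 0; i < calls; i++) {
        hits += model_status_change(before, real, &now);
        if (feed_back) before = now & ~SCARD_STATE_CHANGED;
    }
    return hits;
}

int main(void) {
    char buf[128];
    printf("now=0x0122 -> %s\n", decode_state(0x0122, buf, sizeof buf));
    printf("stale before: %d/1000 immediate\n", immediate_returns(1000, 0));
    printf("fed back:     %d/1000 immediate\n", immediate_returns(1000, 1));
    return 0;
}
```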

Re: testing the next ubuntu release

Roland Schwarz


Martin Paljak wrote:
> opensc-tool --info

opensc 0.12.0-svn [gcc  4.4.1]

> C_WaitForSlotEvent is broken in trunk.

I see. Thank you for the pointer.
On which branch does the ubuntu lucid candidate live?

Btw. I discovered today a rather obvious to fix bug
that prevented the opensc-pkcs11.so changing the
PIN, but instead segfaulting. This might be interesting
to put for lucid too.

Regards,
Roland

--
_________________________________________
  _  _  | Roland Schwarz aka. speedsnail
 |_)(_  | sip:[hidden email]
 | \__) | mailto:[hidden email]
________| http://www.blackspace.at

Re: testing the next ubuntu release

Andreas Jellinghaus-2
On Thursday 01 April 2010 16:23:53, Roland Schwarz wrote:
> On which branch does the ubuntu lucid candidate live?

no branch. ubuntu is based on the 0.11.12 release
(0.11.13 was too late).

> Btw. I discovered today a rather obvious to fix bug
> that prevented the opensc-pkcs11.so changing the
> PIN, but instead segfaulting. This might be interesting
> to put for lucid too.

post it here for discussion, get it reviewed, create
new bug in launchpad.net and attach the patch.

I found a bug while testing the packages in lucid, and
attached the patch to a new bug in launchpad and within
a few days someone created a new package with it.

hope it works as well for the bug you found.

Regards, Andreas

Re: testing the next ubuntu release

Martin Paljak-2
On Apr 2, 2010, at 15:16 , Andreas Jellinghaus wrote:
> On Thursday 01 April 2010 16:23:53, Roland Schwarz wrote:
>> Btw. I discovered today a rather obvious to fix bug
>> that prevented the opensc-pkcs11.so changing the
>> PIN, but instead segfaulting. This might be interesting
>> to put for lucid too.
>
> post it here for discussion, get it reviewed, create
> new bug in launchpad.net and attach the patch.

It was the trunk version that was tested, not the Ubuntu packages.

The segfault exists in trunk and is fixed in r4194 [1]


[1] http://www.opensc-project.org/opensc/changeset/4194
--
Martin Paljak
http://martin.paljak.pri.ee
+3725156495


Re: testing the next ubuntu release

Jean-Michel Pouré - GOOZE
In reply to this post by Andreas Jellinghaus-2
On Fri, 2010-04-02 at 14:16 +0200, Andreas Jellinghaus wrote:
> no branch. ubuntu is based on the 0.11.12 release
> (0.11.13 was too late).
Then it is completely outdated. There are so many fixes in SVN.
--
                  Jean-Michel Pouré - [hidden email]


Re: testing the next ubuntu release

Andreas Jellinghaus-2
On Friday 02 April 2010 15:14:01, Jean-Michel Pouré - GOOZE wrote:
> On Fri, 2010-04-02 at 14:16 +0200, Andreas Jellinghaus wrote:
> > no branch. ubuntu is based on the 0.11.12 release
> > (0.11.13 was too late).
>
> Then it is completely outdated. There are so many fixes in SVN.

svn trunk is under development. until we agree the development
phase is over and we make it stable, and test a lot and port it
to other systems, and fix whatever new bugs we introduced with the
many changes, until then 0.11.* is the latest and best release,
and distributions should use 0.11.*.

Regards, Andreas

Re: testing the next ubuntu release

Martin Paljak-2
In reply to this post by Jean-Michel Pouré - GOOZE
On Apr 2, 2010, at 16:14 , Jean-Michel Pouré - GOOZE wrote:
> On Fri, 2010-04-02 at 14:16 +0200, Andreas Jellinghaus wrote:
>> no branch. ubuntu is based on the 0.11.12 release
>> (0.11.13 was too late).
> Then it is completely outdated. There are so many fixes in SVN.

If you pinpoint some specific bugs that make it impossible to use 0.11.X, then another 0.11 release can be done or an Ubuntu bug be filed.

Otherwise you have the option to either provide pre-built packages for your customers or instruct them to use SVN snapshots of OpenSC.

0.11.13 was released in mid-February, which is less than 2 months ago. 0.12 will be in development for about as long a time as well.

--
Martin Paljak
http://martin.paljak.pri.ee
+3725156495



Re: testing the next ubuntu release

Jean-Michel Pouré - GOOZE
On Fri, 2010-04-02 at 17:21 +0300, Martin Paljak wrote:
> If you pinpoint some specific bugs that make it impossible to use
> 0.11.X, then another 0.11 release can be done or an Ubuntu bug be
> filed.

I tried to test OpenSC every day in different scenarios and I found the
following bugs:

#197: Entersafe driver: impossible to transfer 2048bit key to PKI card

#207: pkcs15-init: Failed to connect to card: Unknown error
This was fixed in SVN, as I cannot reproduce the bug.

#206: opensc-tool requires version 0.9.8 or later, but
libcrypto.0.9.7.dylib provides version 0.9.7

MacOSX 10.4 and 10.5 versions were not functional. This was fixed in
OpenSCA.

[opensc-devel] #203: pkcs11-tool --list-slots returns invalid slot

#202: pkcs15-tool --verify-pin fails for entersafe

#200: pkcs15-tool --read-ssh-key 45 -o filename broken

These are only my bugs. There are so many other fixes in SVN. After one
and a half month, SVN head is more stable than the current release.

I believe that it is interesting for a free software project to release
often.

Kind regards,
Jean-Michel


--
                  Jean-Michel Pouré - [hidden email]


Re: testing the next ubuntu release

Martin Paljak-2
Hello,

On Apr 3, 2010, at 17:20 , Jean-Michel Pouré - GOOZE wrote:
> On Fri, 2010-04-02 at 17:21 +0300, Martin Paljak wrote:
>> If you pinpoint some specific bugs that make it impossible to use
>> 0.11.X, then another 0.11 release can be done or an Ubuntu bug be
>> filed.
>
> I tried to test OpenSC every day in different scenarios and I found the
> following bugs:
>
> #197: Entersafe driver: impossible to transfer 2048bit key to PKI card
OK, a bug, affects entersafe and importable keys. If unsure about your requirements, the suggestion should always be to generate the keys on the card.


> #207: pkcs15-init: Failed to connect to card: Unknown error
> This was fixed in SVN, as I cannot reproduce the bug.
So it's not a real bug if it can not be reproduced.  The specific issue does not seem to be a problem with OpenSC either, but with pcsc-lite (I might be wrong as well...)

> #206: opensc-tool requires version 0.9.8 or later, but
> libcrypto.0.9.7.dylib provides version 0.9.7
>
> MacOSX 10.4 and 10.5 versions were not functional. This was fixed in
> OpenSCA.
This is an issue with the macosx *installer* and not OpenSC. One of the goals for 0.12 is to have a working release building mechanism of Windows and OS X installers, that don't depend on the release schedules of distros and is downloadable from opensc-project.org website. So this is not a reason for a new *OpenSC* release.


> [opensc-devel] #203: pkcs11-tool --list-slots returns invalid slot
Exists in trunk and is more like a cosmetic issue than a bug.

> #202: pkcs15-tool --verify-pin fails for entersafe
--verify-pin was added in trunk and should not be a critical bug for entersafe (as it is a new feature, not a regression)

> #200: pkcs15-tool --read-ssh-key 45 -o filename broken
Yes, a problem, but the feature is still usable (you can copy-paste the key)


> These are only my bugs. There are so many other fixes in SVN. After one
> and a half month, SVN head is more stable than the current release.
I believe that there needs to be an overall good release, not just an incremental small release. If you have pressing reasons, you can always use SVN trunk.

> I believe that it is interesting for a free software project to release
> often.
Yes, as often as possible and reasonable.

--
Martin Paljak
http://martin.paljak.pri.ee
+3725156495

