-
Notifications
You must be signed in to change notification settings - Fork 712
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
vmware view is not able to load opensc #183
Comments
Can you load the same PKCS#11 in another application like Firefox? |
Yep, OpenSC 0.12.2 and 0.13.0 do work with Firefox. |
I want to add, that OpenSC 0.12.1 works. |
I don't know how OpenSC PKCS11 module exports only |
PKCS#11 2.01 Section 10.4 C_GetFunctionList... "C_GetFunctionList is the only Crypto function which an application may call before calling C_Initialize." |
Then it seems like a bug for vmware-view? How/why vmware-view needs OpenSC pkcs11 module in the first place? I've only used it with USB devices... |
On 10/21/2013 12:11 PM, Martin Paljak wrote:
No. If Its OK to call C_Initialize before C_GetFunctionList then C_Initialize better have be exported. A simple test would be to build pkcs11-spy with C_Initialize and C_GetFunctionList exported and see,
Douglas E. Engert [email protected] |
Yes, re-reading the latest PKCS#11 v2.30, which does not make it more clear, it feels like C_GetFunctionList is a convenience function that just happens to be used by most software currently known, but which is not mandatory to be used for querying the entry points. So yes, indeed it seems like reverting the export file is the right action.. |
On Mon, Oct 21, 2013 at 8:27 PM, Doug Engert [email protected]:
Only C_Initialize or all the C_* functions of PKCS#11 ? |
All of this: 5a23069 |
On 10/22/2013 3:07 AM, Martin Paljak wrote: Should pkcs11-spy.exports also be updated?
Douglas E. Engert [email protected] |
All PKCS#11 module exports. The change was inspired by another change somewhere I can't find at the moment.. |
fixes OpenSC#183
could someone check if #340 fixes the problem? |
In #183 there were some requests to try some other tests, Have these been tried? In #183 the bug reporter (dontsueme) said he has to change the symlink, as vmware view would PKCS#11 are modules, which may be different then shared libs. modules are meant Reverting all of the changes does not sounds like the correct solution. Goolge'ing for vmware view PKCS#11 https://bugs.launchpad.net/ubuntu/+source/vmware-view-client/+bug/1268770 Note it says get vmware to fix their dynamic load code. Reverting all of the changes does not sounds like the correct solution. Or maybe better still, create a libopensc-pkcs11.so as a share lib, with all the exports, On 12/19/2014 4:32 AM, Frank Morgner wrote:
Douglas E. Engert [email protected] |
The standard itself is really not clear about it. However, the official
While I hate all those macros, I think this means that all functions in |
Is there anyone on this list that can try vmware client? On 12/19/2014 2:37 PM, Frank Morgner wrote:
Yes, the standards including the Oasis 2.40 drafts are very vague. In the 2.30 header files: it has: /* Before including this file (pkcs11.h) (or pkcs11t.h by
Note that it talks about dynamic vs static, but does not say what to do.
Before we go ahead an expose all of the entry points because vmware view has a problem, (1) latest version of vmware client and using the symlink as opensc-pkcs11.so -> opensc-pkcs11.so (2) latest version of vmware client and using the symlink as libopensc-pkcs11.so -> opensc-pkcs11.so (3) latest version of vmware client and using the symlink as opensc-pkcs11.so -> opensc-pkcs11.so (4) latest version of vmware client and using the symlink as libopensc-pkcs11.so -> opensc-pkcs11.so (5) latest version of vmware client and using the symlink as opensc-pkcs11.so -> opensc-pkcs11.so (6) latest version of vmware client and using the symlink as libopensc-pkcs11.so -> opensc-pkcs11.so (1) and (2) are reported to fail as of last year. https://bugs.launchpad.net/ubuntu/+source/vmware-view-client/+bug/1268770 I suspect that the vmware view code is loading the modules and looking for C_Initialize. If it does not If (3) works, then go with that. If (4) works, then go with that, same as (3) for OpenSC its the same thing. Just that vmware has a strange If it takes (5) or (6) then we go with that.
Douglas E. Engert [email protected] |
Hello there, I wasn't aware, that the discussion was still ongoing, because I had the impression at one point, that the symbols are just going to be exported again. But well, I had to update OpenSC to 0.15.0 and was running in the same problem two years ago. At least I still could easily revert the patch myself. And after reading this thread here, I'm still having troubles to understand, why those symbols aren't exported anymore. There seems to be no explanation except "because we won't". @dengert I also have checked 6 other PKCS#11 implementations from various vendors, like coolkey and they are fine with exporting those symbols. No really, they all look like this: https://gist.github.com/dontsueme/91ca9a0d0eff6c9ed990 So why are the OpenSC developers against it? |
@dontsueme could you check whether exporting |
@frankmorgner Could not resolve C_Finalize from /usr/lib/vmware/view/pkcs11/libopensc-pkcs11.so |
(1) latest version of vmware client and using the symlink as opensc-pkcs11.so -> opensc-pkcs11.so
(2) latest version of vmware client and using the symlink as libopensc-pkcs11.so -> opensc-pkcs11.so
(3) latest version of vmware client and using the symlink as opensc-pkcs11.so -> opensc-pkcs11.so
(4) latest version of vmware client and using the symlink as libopensc-pkcs11.so -> opensc-pkcs11.so
(5) latest version of vmware client and using the symlink as opensc-pkcs11.so -> opensc-pkcs11.so
(6) latest version of vmware client and using the symlink as libopensc-pkcs11.so -> opensc-pkcs11.so
and because people are going to ask for sure: (7) C_GetFunctionList, C_Initialize and C_Finalize are exported.
BUT be aware, that I can't test (7) completely. Even if it was loaded, I can't say for sure, that it won't fail later. (6) is tested and known to work. |
How about a compromise, in addition to building the opensc-pkcs11.so as a MODULE, change the Makefile to also build a libopensc-pkcs11.so as a SHARED LIBRARY with the PKCS#11 routines exported, to accomadate programs that don't know how to get entry points from a dynamicly loaded MODULE. The main reason PKCS#11 implementations are module, as it allows an application such as NSS to load multiple implementations, at the same time. Also... https://communities.vmware.com/message/2483258 As best as I can tell, he is installing the 32 bit version on a 64 bit system, and the only bundle I could fine was: Are you running 32 or 64 bit? |
Hi dengert. Did you acknowledge, that all other PKCS#11 implementation do export those symbols and they do work fine with firefox for instance? I have tested on a 32bit only installation and as far as I know is the VMware View client not opensource (anymore). The self extracting tar should have both versions (x86/x86_64) included. So, if you want to create two shared libraries, one with all symbols exported and one only reduced to the bare minimum (so the intention that it should only be used as a module is clear), would be fine for me, as long as you support both versions. |
The source of an older version of the client is available (vmware view open client). Here for instance: http:https://packages.ubuntu.com/en/precise/x11/vmware-view-open-client Here is the part, that loads the module: Which seems like a quite sane implementation to me. Edit: created a mirror: https://github.com/dontsueme/vmware-view-open-client |
This appears to show how it finds the name of the module: Could this be an issue with a LD_LIBRARY_PATH needing to be set? ldd would show what libraries it needs. |
If I am readind the C++ correctly: GetFuncs is gotten via: funcs is gotten via: and g_module_symbol says it uses dlopen,so it is still not clear why g_module_symbol even needs these exported if it is calling dlsym. The only difference I see is Vmware is using the G_MODULE_BIND_LOCAL flag, which should map to the dlopen RTLD_LOCAL which says "This is the converse of RTLD_GLOBAL, and the default if neither flag is specified." Actually trying to use opensc-spy might also help, as it shows the PKCS#11 calls as they are made. OpenSC also have an issue if C_getSotLists is not called befire an attempt to use a slot is made. Please checkout LD_LIBRARY_PATH to make sure you are not having an issue when loading mismatched opensc-pkcs11, libopenssc.so and openssl's libcrypto.so. |
On 8/27/2015 8:30 AM, dontsueme wrote:
I heard you said that. Did you acknowledge that OpenSC also works fine with other applications that don't need the symbols exported?
That was an idea and it looks like once the module is created, the support issues would be next to nothing. I did not hear from any other developers if that is acceptable. Its OK with me.
Douglas E. Engert [email protected] |
Doesn't matter. Now you have one case that doesn't.
Look, I gave you the implementation. It clearly uses g_module_symbol () for C_Initialize, C_GetFunctionList and C_Finalize, which states that it looks for exported symbols and you are still asking, why it needs them? It needs them, because it is implemented that way. Because every other vendor has exported those symbols and it worked in their test cases. It's obvious, that the chance that someone is actually using them, if they are there, is actually quite high. Just acknowledge that. It's not a subject, that can be discussed away. We can't change that.
I want to revert that patch, that removed those symbols from being exported, because there is no explanation, why linking should be forbidden. If someone wants to use the OpenSC PKCS#11 implementation exclusively, then let them.
It's hardcoded: They just look for files in one path, that are ending with *.so and load, what survives a simple sanity check. |
@frankmorgner (or other developers) It looks like just changes to the Makefile.am and an extra exports file to create the extra lib. Not clear if it should still be a module or not. I am not getting very far trying to build the vmware-client from source, or installing it. |
I don't think that sloppy implementation should be encouraged, but it also doesn't hurt to export two more functions (C_GetFunctionList, C_Initialize and C_Finalize) if that would make an application work and user satisfied. And the vendor notified. What about this ? |
Yes, I thing that would work for vmware-client. If that will not work, can try this patch: It builds versions of the 3 modules with the name lib* with all the PKCS#11 symbols. So this could also be used with simple PKCS#11 coe that does not use the C_GetFunctionList, but just uses the export routines directly. |
also fixes OpenSC#183 when used with pkcs11-spy
@frankmorgner The main idea was if there were issues with some OS with having all the entry points exported, I am OK with exporting all the PKCS#11 entrypoints, or just the 3 that @martinpaljak suggested In eiter case, we should also export the entry points in pks11-spy too. |
What would be the advantage if we kept a library with a single entry point? Having two libraries with the same functionality and only minor technical differences only creates confusion... |
It needs at least 3 entrypoints for vmware-client. Yes confusion is an issue. I agree with @martinpaljak add the 3 entry points. The only reason to have two versions of the module would be if some OS has some issue with loading modules and needs a real shared lib. That does not appear to be the case with vmware, Any example of problems with modules occured when I was building OpenSC for Solaris10 a few years ago. It turned out libtool was not building modules correctly on Solaris It needed: $ cat libtool.diff.2.2.6 Commands used to build a loadable module if different from buildinga shared archive.-module_cmds="" Whether we are building with GNU ld or not. |
So to close a long thread, #537 should be sufficient? |
Yes! @dengert the issue on Solaris 10 should be addressed separately when it occurs today (I don't know if maybe libtool has solved this already). |
Hi! Unfortunatelly I'm late to the party, but there is another application which does not work if all symbols are not exported: ISC BIND 9.10. BIND is simply calling I would say that at least spy.so should be benevolent and export everything, so spy can be easily used for debugging applications even if the opensc decides not to export everything. |
I should add that BIND works if I add all |
lol, if you had told us earlier, the discussion could have been two years shorter! |
LOL. Anyway, is there any chance to get all symbols exported? BIND is typically used with high-end HSMs so I guess that other vendors simply export everything (as was mentioned somewhere in the thread), otherwise BIND could not work with other PKCS#11 libs. |
@pspacek If you still need it, please open a PR. But I think the better solution would be to submit a patch to BIND so that it behaves compliant to PKCS#11! |
@frankmorgner Given BIND's lifecycle it is going to take years to get the patch to versions used in wild, not speaking about uncertainity of that effort. Can you point me to particular chapter in PKCS#11 standard which says that this is ilegal? That might help to convince upstream to make the change, but I'm not able to find such statement in the docs. It seems that whole |
Sorry, I preemptively adopted other's people opinions, though I should have known better. I already pointed out that the pkcs11 headers indeed define all functions as |
Yes it looks like #340 wold work for Vmware and BIND. If there are issues with adding the exports, we can still do the two versions of a libs somthing like: dengert@1432c3b |
Looks like #340 will solve the VMware and BIND issues. If that cuases an issue with other software, we can still do two versions of the libs one with and one without all the symbols exported. |
Hello there,
today I tried to let vmware view load OpenSC as PKCS#11 module. For that you have to create the folder /usr/lib/vmware/view/pkcs11 and symlink the PKCS#11 library. Creating a symlink with the original filename does not work out for vmware view, because then it tries to access libopensc-pkcs11.so.so. So I renamed it to libopensc-pkcs11.so, which does the trick.
But then, when it tries to load the module, following error occurs:
vmware-view.log:
CoolKey, Gemalto and other pkcs#11 implementations are working fine. So, I guess, there is a problem with OpenSC.
OpenSC versions tried: 0.13.0 and 0.12.2
Version from VMware View: 2.1.0
Best regards…
The text was updated successfully, but these errors were encountered: