Bug#1090077: refreshing available smartcards causes crash without opensc-pkcs11 module installed

John Scott jscott at posteo.net
Mon Dec 16 08:08:00 GMT 2024


Package: secrets
Version: 9.6-2
Severity: normal
X-Debbugs-CC: pykcs11 at packages.debian.org
Control: found -1 10.1-1

Hi,

While fooling around with Secrets and trying to open a password-protected database, I thought I'd push the refresh arrow on the smartcard list just to be silly. To my surprise, Secrets crashed:

src/dyn_unix.c:34:SYS_dyn_LoadLibrary() /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so: cannot open shared object file: No such file or directory
16-12-24 02:30:09 | WARNING | Could not load pkcs11 library: Load (/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so)
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/gsecrets/provider/pkcs11_provider.py", line 158, in pkcs11_refresh
    self._pkcs11.load(const.PKCS11_LIB)
  File "/usr/lib/python3/dist-packages/PyKCS11/__init__.py", line 481, in load
    raise PyKCS11Error(rv, pkcs11dll_filename)
PyKCS11.PyKCS11Error: Load (/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/gsecrets/provider/pkcs11_provider.py", line 161, in pkcs11_refresh
    task.return_error(err)

There are a few things going on, it seems. For some reason it tries to find OpenSC's PKCS #11 module, but I don't have it installed and I wonder why it's trying to look for it in the first place? The appeal of PKCS #11 is you can use any module you want according to your needs. I use Scute to do PKCS #11 operations using GnuPG's tools, and GNOME Keyring also (at least at one time?) had a PKCS #11 module. OpenSC is definitely one of the more popular ones and it supports a wide variety of security modules, but I wonder where it's hard-coded that it should be tried in the first place?

There have been a few initiatives within the GnuTLS, GNOME, and FreeDesktop.org ecosystems to make shims and things to make finding modules easier, so it seems especially strange it's not smart here. I'm sure if I install opensc-pkcs11 then the crash may not happen, but this should probably not be made a Depends or Recommends. Installing extraneous PKCS #11 modules increases the odds an application will try the wrong ones or keep exclusive access to cards. The whole point of PKCS #11 is that modules are swappable to accommodate different kinds of key stores and Secrets really shouldn't have any reason to want OpenSC in particular.

This could be an issue in pykcs11; I don't know Python very well so maybe they can lay eyes on this.

Thanks
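
Added example, not part of the original report and not code from Secrets or PyKCS11: one way a smartcard refresh could probe a configurable list of PKCS #11 modules and report the unusable ones instead of raising. The function names and the second candidate path are hypothetical; the first path is the one from the traceback above.

```python
import ctypes
import os

# Candidate modules. In a real application this list would come from trusted
# configuration, since loading a shared object runs its code in-process.
CANDIDATES = [
    "/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so",  # path from the traceback
    "/nonexistent/example-pkcs11.so",              # constructed placeholder
]


def probe_pkcs11_module(path):
    """Return (ok, reason); ok is True only for a loadable PKCS #11 module."""
    if not os.path.isfile(path):
        return False, "not installed"
    try:
        lib = ctypes.CDLL(path)
    except OSError as err:
        # dlopen() failure: wrong architecture, not an ELF file, missing deps...
        return False, f"cannot load: {err}"
    # Every PKCS #11 module must export C_GetFunctionList as its entry point.
    if not hasattr(lib, "C_GetFunctionList"):
        return False, "no C_GetFunctionList symbol"
    return True, "ok"


def refresh_modules(candidates):
    """Probe every candidate; never raise because one of them is missing."""
    usable, skipped = [], {}
    for path in candidates:
        ok, reason = probe_pkcs11_module(path)
        if ok:
            usable.append(path)
        else:
            skipped[path] = reason
    return usable, skipped


if __name__ == "__main__":
    usable, skipped = refresh_modules(CANDIDATES)
    print("usable modules:", usable or "none")
    for path, reason in skipped.items():
        print(f"skipped {path}: {reason}")
```

An empty `usable` list is a normal result here, so the caller can show "no smartcard modules found" rather than treating a missing optional package as an error.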
