OpenPGP card v3.4 pkcs15-init reports not supported private key about opensc HOT 13 CLOSED

Can you run the code under valgrind to get a backtrace of the double-free?

from opensc.

Do you need any special parameters for valgrind?

from opensc.

No, the default memcheck should catch double free and print backtraces.

from opensc.

@Jakuje here it is:
valgrind-out.txt

from opensc.

errors reported by pgp_set_blob are often ignored, but that doesn't seem to be the problem here.

I think your code is en par with 0.25.0. Here, card-openpgp.c:2551 calls pgp_put_data with algo_blob->data. It seems that this very algo_blob is found as existing blob and modified by pgp_put_data, which invalidates the pointer when the underlying pgp_set_blob does its cleanup. I think you can fix this with the following change:

diff --git a/src/libopensc/card-openpgp.c b/src/libopensc/card-openpgp.c
index 0e8015053..c7b067bdf 100644
--- a/src/libopensc/card-openpgp.c
+++ b/src/libopensc/card-openpgp.c
@@ -2547,8 +2547,8 @@ pgp_update_new_algo_attr(sc_card_t *card, sc_cardctl_openpgp_keygen_info_t *key_
                }
 
                pgp_set_blob(algo_blob, data, data_len);
+               r = pgp_put_data(card, tag, data, data_len);
                free(data);
-               r = pgp_put_data(card, tag, algo_blob->data, data_len);
                /* Note: Don't use pgp_set_blob to set data, because it won't touch the real DO */
                LOG_TEST_RET(card->ctx, r, "Cannot set new algorithm attributes");
        } else {

However, I'm not too deep into that code to check whether there is some logical problem that should be fixed first.

from opensc.

@msetina did you try with the changed code proposed by Frank?

from opensc.

By the words around I did not bite, but now I tried it and there is no change from user side. It still says unsupported, but I think now it does not write certificate.

from opensc.

I've reverted and I can confirm that after the mentioned change certificate is not written. Reverting I get Private key and certificate on the card.

from opensc.

thanks for the feedback. I created a pull request with the fix.

from opensc.

@frankmorgner I am sorry for the confusion, but the proposed change did not fix the issue. It added a problem of not writing a certificate.
The original code wrote the private key, public key and the certificate to the card, but reported the unsupported private key because of the problem with releasing memory.
I did revert your change on my side to confirm that original code did write the certificate.

from opensc.

I've made a test case that prepares as private key and a certificate and tries to write it to the card. In one case it core dumped, when running in a separate process it said it has a corrupted double-linked list in another malloc_consolidate(): unaligned fastbin chunk detected.
In the last case I got it to run over pkcs11-spy and in debug mode:
opensc-debug.txt
logfile.txt

from opensc.

I would suggest that you build OpenSC and add to CPPFLAGS and LDGLAGS -g
Then run under debugger (gdb for example) and when it crashes, get a back trace and look at the some of the parameters.

from opensc.

I would do that if I was not running in python over PyKCS11. It would be easy for me to help you if I was capable of CPP or C.
Thanks anyway. I've done what I could.
The problem started with pkcs15-init and I see the same with PKCS11.

from opensc.