Horribly broken awp package #37

Closed
martinpaljak opened this issue Dec 9, 2018 · 12 comments

@martinpaljak (Member) commented Dec 9, 2018

To make #36 more understandable and/or actionable, here's a small lintian report:

$ apt download awp
Get:1 https://installer.id.ee/media/ubuntu bionic/main amd64 awp amd64 5.3.0.18.04.75 [15.5 MB]
Fetched 15.5 MB in 5s (3,117 kB/s)
$ lintian awp_5.3.0.18.04.75_amd64.deb 
E: awp: embedded-library usr/local/AWP/lib/libOcsAuthentIC22Mod.so: openssl
E: awp: embedded-library usr/local/AWP/lib/libOcsAuthentIC22Mod.so: tinyxml
E: awp: embedded-library usr/local/AWP/lib/libOcsAuthentICV3Mod.so: openssl
E: awp: embedded-library ... use --no-tag-display-limit to see all (or pipe to a file/program)
W: awp: shared-lib-without-dependency-information usr/local/AWP/lib/libOcsReaderPCSC2ESP.so
W: awp: shared-lib-without-dependency-information usr/local/AWP/lib/libOcsReaderPCSC2EST.so
W: awp: shared-lib-without-dependency-information usr/local/AWP/lib/libOcsReaderPCSC2FRA.so
W: awp: shared-lib-without-dependency-information ... use --no-tag-display-limit to see all (or pipe to a file/program)
E: awp: missing-dependency-on-libc needed by usr/local/AWP/OTCryptokiGui and 10 others
E: awp: changelog-file-missing-in-native-package
E: awp: no-copyright-file
E: awp: extended-description-is-empty
W: awp: bad-homepage www.idemia.com
W: awp: non-standard-dir-perm usr/ 0775 != 0755
W: awp: non-standard-dir-perm usr/lib/ 0775 != 0755
W: awp: non-standard-file-perm usr/lib/mozilla/pkcs11-modules/idemiapkcs11firefox.json 0444 != 0644
W: awp: non-standard-dir-perm usr/local/ 0775 != 0755
E: awp: dir-in-usr-local usr/local/AWP/
W: awp: non-standard-dir-perm ... use --no-tag-display-limit to see all (or pipe to a file/program)
E: awp: file-in-usr-local usr/local/AWP/OCSMiddlewareConf.xml
W: awp: file-in-unusual-dir usr/local/AWP/OCSMiddlewareConf.xml
E: awp: file-in-usr-local usr/local/AWP/OCSMiddlewareConfCTL.xml
W: awp: file-in-unusual-dir usr/local/AWP/OCSMiddlewareConfCTL.xml
E: awp: file-in-usr-local usr/local/AWP/OTCryptokiGui
W: awp: file-in-unusual-dir usr/local/AWP/OTCryptokiGui
E: awp: file-in-usr-local ... use --no-tag-display-limit to see all (or pipe to a file/program)
W: awp: file-in-unusual-dir ... use --no-tag-display-limit to see all (or pipe to a file/program)
W: awp: non-standard-executable-perm usr/local/AWP/awp_uninstall.sh 0544 != 0755
E: awp: dir-in-usr-local usr/local/AWP/lib/
W: awp: non-standard-file-perm usr/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/{2F45F62B-CF18-414D-AC42-47F3D67F468B}.xpi 0444 != 0644
W: awp: maintainer-script-ignores-errors postinst
W: awp: maintainer-script-empty preinst
W: awp: maintainer-script-ignores-errors preinst
E: awp: shlib-with-executable-bit usr/local/AWP/lib/libOcsAuthentIC22Mod.so 0755
E: awp: shlib-with-executable-bit usr/local/AWP/lib/libOcsAuthentICV3Mod.so 0755
E: awp: shlib-with-executable-bit usr/local/AWP/lib/libOcsCryptoki.so 0755
E: awp: shlib-with-executable-bit ... use --no-tag-display-limit to see all (or pipe to a file/program)

Also, the file contained in ./usr/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/{2F45F62B-CF18-414D-AC42-47F3D67F468B}.xpi seems to be the same as https://github.com/open-eid/firefox-pkcs11-loader/blob/master/webextension/background.js which, as the header in the file nicely tells, is licensed under LGPL. The error in the package lint above (E: awp: no-copyright-file) makes one question the license of the whole package and/or the necessary crediting (./DEBIAN/postinst of the package looks very much like a trimmed version of https://github.com/open-eid/linux-installer/blob/master/esteid-update-nssdb, licensed under MIT. Re-use is OK, as long as attribution rules are followed).

In any case, this package should not have been published in the first place, as it seems to lack any basic QA and sanity checks. I'm sure there are tools that take the idea of "unwrap this targzip to folder X and execute X/script.sh after installation" and produce a sane package file 🤔

@laurivosandi (Contributor) commented Dec 9, 2018

What is this abomination postinst script I am seeing there? Otherwise I'd ask about the missing reference to my script, but that thing just doesn't make any sense.

sudo apt install in postinst? I see that this person doesn't have any clue about package management?

Also, creating the nssdb there won't make any sense, since this will be running as the root user and the root user shouldn't run Chrome anyway.

Great job Idemia or whoever compiled the package. Not only did they infringe copyright but also made themselves look like total asses in the process as well 👏

@virtual-machinist commented Dec 9, 2018

Is there any source for this blob? I can't seem to find any Linux support on the IDEMIA homepage. Was this built by RIA?

@martinpaljak (Member, Author) commented Dec 9, 2018

OT probably refers to Oberthur (pre-IDEMIA). For Latvia, this is what was given at some point: https://github.com/eid-lv but that does not seem to have anything to do with awp (there is a half-baked fork of OpenSC in that jar).

Googling for "oberthur awp" gives, for example, this document: http://nortemedico.pt/middleware/AWP_5.2_FAQ.pdf which makes me believe this is a full-blown product by itself.

I doubt there will be any source with it. Nor do I think I want to install this binary blob either.

@martinpaljak (Member, Author) commented Dec 9, 2018

Extracted extractable parts of it for inspection here: https://github.com/martinpaljak/awp_5.3.0.18.04.75_amd64.deb

@martinpaljak (Member, Author) commented Dec 10, 2018

Looking at that content:

$ ls -lRh
.:
total 0
drwxrwxr-x 1 martin martin 154 Nov  7 17:04 AWP

./AWP:
total 7.2M
-r-xr--r-- 1 martin martin   35 Nov  7 16:51 awp_uninstall.sh
drwxrwxr-x 1 martin martin  910 Nov  7 17:04 lib
-rw-r--r-- 1 martin martin  482 Nov  7 16:51 OCSMiddlewareConfCTL.xml
-rw-r--r-- 1 martin martin 2.6K Nov  7 17:03 OCSMiddlewareConf.xml
-rwxr-xr-x 1 martin martin 7.2M Nov  7 17:04 OTCryptokiGui

./AWP/lib:
total 31M
-rwxr-xr-x 1 martin martin 4.0M Nov  7 17:04 libOcsAuthentIC22Mod.so
-rwxr-xr-x 1 martin martin 4.1M Nov  7 17:04 libOcsAuthentICV3Mod.so
-rwxr-xr-x 1 martin martin 4.0M Nov  7 17:04 libOcsCryptoki.so
-rwxr-xr-x 1 martin martin 4.1M Nov  7 17:04 libOcsIASMod.so
-rwxr-xr-x 1 martin martin 4.0M Nov  7 17:04 libOcsIDOneClassicMod.so
-rwxr-xr-x 1 martin martin 4.2M Nov  7 17:04 libOcsMSFTMod.so
-rwxr-xr-x 1 martin martin 2.6M Nov  7 17:04 libOcsPIVMod.so
-rwxr-xr-x 1 martin martin  27K Nov  7 17:04 libOcsPKCS11Wrapper.so
-rwxr-xr-x 1 martin martin 9.7K Nov  7 17:04 libOcsReaderPCSC2ESP.so
-rwxr-xr-x 1 martin martin 9.7K Nov  7 17:04 libOcsReaderPCSC2EST.so
-rwxr-xr-x 1 martin martin 9.7K Nov  7 17:04 libOcsReaderPCSC2FRA.so
-rwxr-xr-x 1 martin martin 5.7K Nov  7 17:04 libOcsReaderPCSC2IT.so
-rwxr-xr-x 1 martin martin 5.7K Nov  7 17:04 libOcsReaderPCSC2PTG.so
-rwxr-xr-x 1 martin martin 9.7K Nov  7 17:04 libOcsReaderPCSC2RUS.so
-rwxr-xr-x 1 martin martin 2.1M Nov  7 17:04 libOcsReaderPCSC2.so
-rwxr-xr-x 1 martin martin 5.7K Nov  7 17:04 libOcsReaderStdESP.so
-rwxr-xr-x 1 martin martin 5.7K Nov  7 17:04 libOcsReaderStdEST.so
-rwxr-xr-x 1 martin martin 5.7K Nov  7 17:04 libOcsReaderStdFRA.so
-rwxr-xr-x 1 martin martin 5.7K Nov  7 17:04 libOcsReaderStdIT.so
-rwxr-xr-x 1 martin martin 5.7K Nov  7 17:04 libOcsReaderStdPTG.so
-rwxr-xr-x 1 martin martin 5.7K Nov  7 17:04 libOcsReaderStdRUS.so
-rwxr-xr-x 1 martin martin 2.1M Nov  7 17:04 libOcsReaderStd.so

I make the following aww-ssumptions:

  • there are 7 binary blob modules implementing
    • 2x 4MB blobs for AuthentIC different version support (not related to Estonian eID)
    • 1 4MB blob for implementing support for Microsoft card (not related)
    • 1 4MB blob for implementing support for ID-one classic (not related)
    • 1 2.6MB blob for implementing support for PIV (not related)
    • 1 4MB blob for implementing support for PKCS#11 (Cryptoki, ?)
    • 1 4MB blob implementing IAS, which should be the Estonian eID according to https://installer.id.ee/media/id2019/TD-ID1-Chip-App.pdf
  • 1 27KB file for actually implementing a PKCS#11 module interface (probably a module framework for loading the above, on demand?)
  • The software speaks (to some extent) Spanish, Estonian, Russian, French, Italian, Portuguese
  • There's a 7.2MB binary blob that provides some kind of GUI

For those who have a system that fails to install packages and would still just like to have the files available on the system without a broken package, the following should do the trick:

echo '#!/bin/sh' | sudo tee /var/lib/dpkg/info/awp.postinst

After which sudo apt install should just extract the binaries and leave out the postinst nonsense. Manual installation of the PKCS#11 module will be necessary after this (assuming it works in the first place; listing slots hangs in C_Finalize() on my buster/sid amd64 machine with pkcs11-tool --module /usr/local/AWP/lib/libOcsPKCS11Wrapper.so -L)

@tynisr tynisr self-assigned this Dec 10, 2018
@tynisr commented Dec 10, 2018

Thank you for all that information.
We are escalating this issue right now.

Best Regards
Tõnis Reimo, eID software Product Owner
RIA

@martinpaljak (Member, Author) commented Jan 3, 2019

Any updates?

@dkorzhevin (Contributor) commented Jan 23, 2019

Can you please give an update or an estimate?

@snoopcatt commented Jan 26, 2019

Please add this to the top of the file awp.postinst, because the installation of the awp package will otherwise get stuck in the "not configured" state:

HOME=$(grep "^${SUDO_USER}:" /etc/passwd | cut -d: -f6)


Please do not do as indicated in this post: open-eid/DigiDoc4-Client#435, because sometimes the username and the home directory location do not match.

It is better to grep the $HOME location for $SUDO_USER from /etc/passwd, as I described in the first part of my post.
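A defensive version of that lookup, added here as an example (not code from the awp package or from the thread): it reads the home directory from the passwd database instead of assuming /home/$SUDO_USER, refuses to act on root's behalf, and uses a constructed passwd file so it runs offline.

```shell
#!/bin/sh
# Added example (not from the awp package): resolve the invoking user's home
# directory in a sudo-run maintainer script from the passwd database, rather
# than assuming it lives under /home/<username>.

# naive_home USER: the fragile assumption this example exists to replace.
naive_home() {
    printf '/home/%s\n' "$1"
}

# home_for_user USER [PASSWD_FILE]: print field 6 (home) of the matching
# passwd entry; fail if the user is unknown. Defaults to /etc/passwd.
home_for_user() {
    _user=$1
    _db=${2:-/etc/passwd}
    _home=$(awk -F: -v u="$_user" '$1 == u { print $6; exit }' "$_db")
    [ -n "$_home" ] || return 1
    printf '%s\n' "$_home"
}

# target_home [PASSWD_FILE]: home of the user who ran sudo. Refuses when
# SUDO_USER is unset or is root, since per-user browser state (nssdb,
# ~/.mozilla) must not be created for root.
target_home() {
    [ -n "$SUDO_USER" ] && [ "$SUDO_USER" != root ] || return 1
    home_for_user "$SUDO_USER" "${1:-/etc/passwd}"
}

# Constructed sample passwd database for offline use; 'svc' is the case the
# naive assumption gets wrong (home outside /home).
SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/sh
martin:x:1000:1000:Martin:/home/martin:/bin/sh
svc:x:1001:1001:Service:/srv/svc:/usr/sbin/nologin
EOF

# Demonstration when run directly: compare both approaches for each user.
for u in martin svc; do
    printf '%s: naive=%s passwd=%s\n' "$u" "$(naive_home "$u")" \
        "$(home_for_user "$u" "$SAMPLE_PASSWD")"
done
```

In a real postinst, call target_home without the file argument so it reads /etc/passwd, and abort rather than fall back to /root when it fails.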

@martinpaljak (Member, Author) commented Jan 27, 2019

Maybe the right path for getting this noticed and fixed is with the "upstream" and https://github.com/martinpaljak/awp_5.3.0.18.04.75_amd64.deb/blob/master/DEBIAN/control#L9 or https://twitter.com/IdemiaGroup

@sergey-abc commented Feb 15, 2019

On my computer Firefox had not seen the Idemia PKCS11 module until I copied idemiapkcs11firefox.json to the ~/.mozilla/pkcs11-modules/ directory. According to https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/Native_manifests these extensions can be located globally either in /usr/lib/mozilla/pkcs11-modules/ or in /usr/lib64/mozilla/pkcs11-modules/. Per my understanding the second one is the correct path for x64 systems.

martinpaljak did a detailed analysis of this package: #37 (comment)
In my opinion there are only 3 useful items in this package: the Idemia PKCS loader (idemiapkcs11firefox.json), the Idemia browser extension (.xpi file), and the binary module itself (libOcsPKCS11Wrapper.so). Fortunately the last one is linked statically and does not need any additional libraries. All other stuff can be thrown out. The set of the 3 mentioned components is self-sufficient; at least it's enough to have the new ID card working in Firefox.
Maybe it is a good idea to put these components into a separate package, like "idemia-firefox-support"?
Yes, I googled for "awp" and did not find anything related to idemia or id-cards. Why is the package name so weird?

@Jalakas (Contributor) commented Jun 13, 2019

@metsma metsma closed this Jul 30, 2019