Project

General

Profile

Current open-ecard-app .deb Version fails to start

Added by Thomas Römke over 4 years ago

Hi all,

before the upgrade to a new version, I ran the open-ecard-app (1.3) without
any problems in Mint 19.1. Now after the upgrade to 19.3, the 1.3 version ceased
to work, and I used the Debian/Ubuntu package of your web site to upgrade to version 1.4.3
(Mint is a Ubuntu derivative!).

This version refuses to work for different reasons:

1. /tmp was illegally used as a storage place for executable files (I don't know
by which component). Setting TMPDIR to $HOME/.openecard/tmp helped (the dir was created manually)
2. The app claims that it cannot start (see attached picture)

The log file says:
-----------------
2020-06-17 14:46:37,749+02 [main] ERROR org.openecard.scio.PCSCFactory:68 - Failed to initialize smartcard system.
2020-06-17 14:46:37,754+02 [main] ERROR org.openecard.richclient.RichClient:316 - http://www.bsi.bund.de/ecard/api/1.1/resultminor/al/common#unknownError
> java.lang.reflect.InvocationTargetException
org.openecard.common.WSHelper$WSException: http://www.bsi.bund.de/ecard/api/1.1/resultminor/al/common#unknownError
> java.lang.reflect.InvocationTargetException
at /org.openecard.common.ECardException.makeException(ECardException.java:64)
at /org.openecard.common.WSHelper$WSException.<init>(WSHelper.java:47)
at /org.openecard.common.WSHelper.checkResult(WSHelper.java:69)
at /org.openecard.richclient.RichClient.setup(RichClient.java:299)
at /org.openecard.richclient.RichClient.main(RichClient.java:150)
-----------------

However, the pcscd runs fine:

$ ps -ef | grep pcscd
root 12846 1 0 14:37 ? 00:00:00 /usr/sbin/pcscd --foreground --auto-exit

and the smart card reader is active
$ opensc-tool --list-readers
  1. Detected readers (pcsc)
    Nr. Card Features Name
    0 No PIN pad REINER SCT cyberJack RFID komfort (1580399470) 00 00

The drivers are the latest version:
$ dpkg -l | grep -i Reiner
ii libifd-cyberjack6 3.99.5final.sp13 amd64 REINER SCT cyberJack USB chipcard reader user space driver

Java is
$ java --version
openjdk 11.0.7 2020-04-14
OpenJDK Runtime Environment (build 11.0.7+10-post-Ubuntu-2ubuntu218.04)
OpenJDK 64-Bit Server VM (build 11.0.7+10-post-Ubuntu-2ubuntu218.04, mixed mode, sharing)

AND: Other applications like my banking software (Java by the way, too) that
uses the reader (via the pcscd) for HBCI works fine including the pinpad.

My question:
1. Who is the developer of this software and who is giving support (A similar request
here hasnt't been answered for years!)
2. Which Java Runtime is required for this app, and where can it be configured?
3. Why is a .exe file needed to start the app at all? If it was a script, it would be much easier to locate the problem.
4. What other reason can cause this failure?

Thanks
Thomas


Replies (10)

RE: Current open-ecard-app .deb Version fails to start - Added by Tobias Assmann over 4 years ago

Dear Thomas,

thank you for using the Open eCard App. Sorry to hear you have a problem with the application.

First of all I would like to answer your questions:
1. Developer of the application is mainly the ecsec GmbH and contributers. This can be seen in the imprint of openecard.org and the git repository https://github.com/ecsec/open-ecard
2. The application is bringing it`s own Java runtime to be as independent from as possible the host. Please see: https://github.com/ecsec/open-ecard#packaging
3. As the application is packed with Java a script would not be sufficent.

I have successfully installed and started the version 1.4.3 on Linux Mint 19.3
I could access a Personalausweis in a REINER SCT Basic reader with the use of the following driver: http://support.reiner-sct.de/downloads/CCID/debian/libccid_1.3.11-2debian5_amd64.deb

Please try to use this driver instead of libifd-cyberjack6 3.99.5final.sp13, which in my case did not find the card reader correctly.

Regarding the 'illegal use of /tmp', I am not quite sure what you mean by that. Maybe you can clarify?

Best regards

Tobias

RE: Current open-ecard-app .deb Version fails to start - Added by Thomas Römke over 4 years ago

Hi Tobias,

thanks for the answers.

The given libccid cannot be installed on my system, as the
pcscd requires version libccid 1.4.1 or better:

Package: pcscd
Version: 1.8.23-1
Priority: extra
Section: universe/misc
Source: pcsc-lite
Origin: Ubuntu
Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
Original-Maintainer: Ludovic Rousseau <rousseau@debian.org>
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Installed-Size: 176 kB
Depends: libccid (>= 1.4.1~) | pcsc-ifd-handler, libc6 (>= 2.15), libsystemd0, libudev1 (>= 183), lsb-base (>= 3.0-6), libpcsclite1 (= 1.8.23-1)

The pcscd is required for my other smart card applications.

Did you just install the libccid package, i.e. without the pcscd ?
Otherwise: Which version of the pcscd package is installed
on your system ( dpkg -l pcscd or sudo apt show pcscd )

Btw, the libifd-cyberjack6 does not contain any libccid at all

/.
/etc
/etc/cyberjack
/etc/cyberjack/cyberjack.conf
/etc/cyberjack/cyberjack.conf.default
/lib
/lib/udev
/lib/udev/rules.d
/lib/udev/rules.d/60-libifd-cyberjack6.rules
/usr
/usr/lib
/usr/lib/pcsc
/usr/lib/pcsc/drivers
/usr/lib/pcsc/drivers/libifd-cyberjack.bundle
/usr/lib/pcsc/drivers/libifd-cyberjack.bundle/Contents
/usr/lib/pcsc/drivers/libifd-cyberjack.bundle/Contents/Info.plist
/usr/lib/pcsc/drivers/libifd-cyberjack.bundle/Contents/Linux
/usr/lib/pcsc/drivers/libifd-cyberjack.bundle/Contents/Linux/libifd-cyberjack.a
/usr/lib/pcsc/drivers/libifd-cyberjack.bundle/Contents/Linux/libifd-cyberjack.la
/usr/lib/pcsc/drivers/libifd-cyberjack.bundle/Contents/Linux/libifd-cyberjack.so.6.0.0
/usr/lib/pcsc/drivers/libifd-cyberjack.bundle/Contents/PkgInfo
/usr/share
/usr/share/doc
/usr/share/doc/libifd-cyberjack6
/usr/share/doc/libifd-cyberjack6/LIESMICH.txt.gz
/usr/share/doc/libifd-cyberjack6/README.txt.gz
/usr/share/doc/libifd-cyberjack6/changelog.Debian.gz
/usr/share/doc/libifd-cyberjack6/changelog.gz
/usr/share/doc/libifd-cyberjack6/copyright
/usr/share/doc/libifd-cyberjack6/examples
/usr/share/doc/libifd-cyberjack6/examples/cyberjack.conf.default
/usr/lib/pcsc/drivers/libifd-cyberjack.bundle/Contents/Linux/libifd-cyberjack.so
/usr/lib/pcsc/drivers/libifd-cyberjack.bundle/Contents/Linux/libifd-cyberjack.so.6

Regarding the /tmp issue. /tmp is supposed to be a storage place
for small temporary files, never for executables. That's why in
general /tmp is mounted noexec . If an app tries
to store executables there and maps them into the app space, then
this will fail. I saw this some times with the openecard app, but
its not fully reproducable. That's why I set TMPDIR to a place
in my own home directory.

Regards,
Thomas

RE: Current open-ecard-app .deb Version fails to start - Added by Thomas Römke over 4 years ago

Hi Tobias,

the problem is with whatever is stored in the directory

/tmp/jna--868112704/

which always has the same name (at least right now).
Even after removing, it reappears with the same name
after another start of the open-ecard-app.

It seems that TMPDIR is ignored by part of your
software.

Do you have any idea?

To get the same results like me, do a

sudo mount -o remount,noexec /tmp  

Regards,
Thomas

RE: Current open-ecard-app .deb Version fails to start - Added by Tobias Wich over 4 years ago

The tmp issue comes from JNA which is used for various things, especially to access libpcsclite.so. I found a description of the problem in the elasticsearch manual.
https://www.elastic.co/guide/en/elasticsearch/reference/6.8/executable-jna-tmpdir.html

I'm not sure right now how to deal with this properly. First I think it would be interesting whether an up to date JNA version still works like that (I suspect it does). I suppose the correct place for JNA to pick would be the users run dir. On my system that would be defined for the current user as follows: XDG_RUNTIME_DIR=/run/user/1000

For now I suppose to add the property -Djna.tmpdir=<path> to the startup configuration /opt/open-ecard-app/lib/app/open-ecard-app.cfg.

RE: Current open-ecard-app .deb Version fails to start - Added by Thomas Römke over 4 years ago

Ok, for now, I will do a

(umask 077; mkdir -p $XDG_RUNTIME_DIR/jnatmp)

in my $HOME/.profile (executed once at login.
Other shells might require a different file),
and a

-Djna.tmpdir=$XDG_RUNTIME_DIR/jnatmp

as suggested by you.

The KBA requests worked (points, cars, driving licenses), while a self identity check at
https://www.buergerserviceportal.de/bund/ausweisapp/bspx_selbstauskunft
failed with "No redirect address available for an error redirect")".

RE: Current open-ecard-app .deb Version fails to start - Added by Tobias Assmann over 4 years ago

Thomas, thank you for clarifying the state regarding libccid and libifd.
I had pcscd installed, but could install libccid 1.3 nevertheless.

I did an update of libccid and can start OeC 1.4.3. now successful with this packages installed on a fresh Linux Mint 19.3:

Package: libifd-cyberjack6
Version: 3.99.5final.sp09-1.1ubuntu1

Package: libccid
Version: 1.4.29-1

Does the OeC App start now on your system? I think so cause you write:
"The KBA requests worked (points, cars, driving licenses)..."

Regarding the buergerserviceportal.de, there is a Note at the moment:
"Bitte beachten Sie: Derzeit steht dieser Service aus technischen Gründen nicht zur Verfügung."

Maybe this causes your new issue?

RE: Current open-ecard-app .deb Version fails to start - Added by Thomas Römke over 4 years ago

With the mentioned "workaround", open-e-card works as expected with the drivers I had originally installed, including the "final" driver from Reiner.
It would be nice, however, if the open-ecard-app would take care of the required settings on its own, maybe find a feasible solution together with the JNA developers.

Also consider that *nix systems are usually multi-user systems, i.e. a simple one-path solution would most probably not work (Not sure, what JNA does, when multiple users on a machine try to start JNA based apps).
And it should be a portable solution. The workaround above is not portable, as for example and as far as I know (Free)BSD systems don't have a /run filesystem by default ...

"Bitte beachten Sie: Derzeit steht dieser Service aus technischen Gründen nicht zur Verfügung."
Yep, I didn't see that. I will try later again.

RE: Current open-ecard-app .deb Version fails to start - Added by Tobias Assmann over 4 years ago

Hello Thomas,

good to hear the App is now working for you.

I did open a bug to work on this issue:
https://dev.openecard.org/issues/808

I am not sure about the support of BSD systems at the moment, but will add a note to the bug report.

If you encounter an problem with buergerserviceportal.de even if the service is up, please start a new topic.

Thanks for your input so far regarding this problem.

Best regards

Tobias

RE: Current open-ecard-app .deb Version fails to start - Added by Tobias Assmann about 4 years ago

The issue has been closed with the release 1.4.4

RE: Current open-ecard-app .deb Version fails to start - Added by Tobias Assmann about 4 years ago

The issue has been closed with the release 1.4.4

    (1-10/10)