Open
Description
When I try to execute PKCS#11 functions (with python-pkcs11 and ykcs11) inside a Docker (ubuntu 22.04) container, it fails in decrypt with DeviceError.
This is the code:

```python
import pkcs11
from pkcs11 import ObjectClass, KeyType, Mechanism

# Use the YubiKey PKCS#11 library.
PKCS11_LIB = "/usr/lib/x86_64-linux-gnu/libykcs11.so"
lib = pkcs11.lib(PKCS11_LIB)
# pin, KEY_ID and encrypted_aes_key are defined elsewhere in the script.
with lib.get_token().open(user_pin=pin) as session:
    private_key = session.get_key(object_class=ObjectClass.PRIVATE_KEY, key_type=KeyType.RSA, id=KEY_ID)
    private_key.decrypt(encrypted_aes_key, mechanism=Mechanism.RSA_PKCS_OAEP)  # Fails with error below
```

The error:
```
  File "/usr/local/lib/python3.10/dist-packages/pkcs11/types.py", line 970, in decrypt
    return self._decrypt(data, **kwargs)
  File "pkcs11/_pkcs11.pyx", line 1631, in pkcs11._pkcs11.DecryptMixin._decrypt
  File "pkcs11/_pkcs11.pyx", line 1634, in pkcs11._pkcs11.DecryptMixin._decrypt
  File "pkcs11/_pkcs11.pyx", line 1562, in pkcs11._pkcs11.DataCryptOperation.crypt_process_fully
  File "pkcs11/_pkcs11.pyx", line 693, in pkcs11._pkcs11.OperationWithBinaryOutput.process_fully
  File "pkcs11/_pkcs11.pyx", line 583, in pkcs11._pkcs11.OperationContext._handle_final_retval
  File "pkcs11/_pkcs11.pyx", line 47, in pkcs11._pkcs11.assertRV
pkcs11.exceptions.DeviceError
```
If I run the same command with the same installed tools on the host machine (ubuntu 22.04), it just works.
This is the docker command I use:
```shell
sudo docker run -it --rm \
    --device /dev/bus/usb:/dev/bus/usb \
    --mount type=bind,source=/run/pcscd/pcscd.comm,target=/run/pcscd/pcscd.comm \
    --privileged \
    $IMAGE
```
How to solve this issue?
pcsc_scan does find the YubiKey inside the Docker container without problems, with all properties.