Bug 1115626
| Summary: | Coolkey does not support contactless PIV cards | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Roshni <rpattath> |
| Component: | coolkey | Assignee: | Bob Relyea <rrelyea> |
| Status: | CLOSED ERRATA | QA Contact: | Asha Akkiangady <aakkiang> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 6.6 | CC: | ludovic.rousseau, rrelyea |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | coolkey-1.1.0-34.el6 | Doc Type: | Bug Fix |
| Doc Text: | Previously, after the user inserted a contactless PIV card, coolkey could not access it in a contactless way. As a consequence, the light indicating the card status started to blink inconsistently, and the Enterprise Security Client (ESC) failed to detect the card. With this patch, coolkey accesses the card certificate or key instead of the PIV authentication, PIV signing, or PIV key exchange keys. As a result, when the user inserts a contactless PIV card, ESC now successfully detects it. | Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2015-07-22 07:06:06 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Roshni
2014-07-02 18:58:05 UTC
I've changed the description and component. The Reinersct's confusion about which interface to use is a hardware issue. The problem can be solved in software by having coolkey recognize the contactless interface. That means a component change and a description change, which I've now made to the bug. This is an RFE, so I believe it should target 6.7.

I should also mention that it's OK for the blue light to go solid. coolkey should function when the blue light is solid. You can force the blue light by placing the card in the back slot (with no contact readers).

OK, so the issue is that the normal certs and keys are not accessible on the contactless cards. The card certificate/key is accessible, however, so I've added a patch which will access the card certificate/key instead of the PIV auth/signing or key exchange keys. This means if the card is accessed contactless, it will show different certs (blue light = contactless, green light = contact).

To test the contactless you will need a ReinerSCT CyberJack reader and the third party driver for it: pcsc-cyberjack. The third party driver seems to be a bit flaky and can hang coolkey trying to access the card under certain conditions. I'm not sure why. Anyway, with the reader installed, you can insert your contactless card in the back slot to guarantee that you get the contactless interface. The card will be called 'Coolkey' and there will be one very plain cert (usually no subject, nickname is CAC ID Certificate). PIV test cards 6 and 16 have no card certificate, so won't show up in ESC. PIV test card 3 does have a certificate, but for some reason it's not being recognized.

Update: PIV Test Card 16 does have a card certificate, just not a card certificate container. The card certificate is still accessible. Also I have PIV test card 3 working, but it's not reliable. I think it doesn't really like the reader (it's the only Oberthur Type B card in the stack).
Contactless PIVs only access the card certificate, which doesn't require a pin, so the cards operate as pinless cards (you can access and sign with the card cert without entering a pin).

    [root@dhcp129-124 sctests]# rpm -qi coolkey
    Name : coolkey Relocations: (not relocatable)
    Version : 1.1.0 Vendor: Red Hat, Inc.
    Release : 35.el6 Build Date: Thu 09 Apr 2015 10:15:55 PM EDT
    Install Date: Fri 10 Apr 2015 12:12:35 PM EDT Build Host: x86-028.build.eng.bos.redhat.com
    Group : System Environment/Libraries Source RPM: coolkey-1.1.0-35.el6.src.rpm
    Size : 242342 License: LGPLv2
    Signature : (none)
    Packager : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
    URL : http://directory.fedora.redhat.com/wiki/CoolKey
    Summary : CoolKey PKCS #11 module
    [root@dhcp129-124 sctests]# rpm -qi pcsc-lite
    Name : pcsc-lite Relocations: (not relocatable)
    Version : 1.5.2 Vendor: Red Hat, Inc.
    Release : 15.el6 Build Date: Thu 26 Feb 2015 08:39:13 PM EST
    Install Date: Fri 10 Apr 2015 12:06:37 PM EDT Build Host: x86-031.build.eng.bos.redhat.com
    Group : System Environment/Daemons Source RPM: pcsc-lite-1.5.2-15.el6.src.rpm
    Size : 402732 License: BSD
    Signature : RSA/8, Wed 04 Mar 2015 07:22:07 AM EST, Key ID 938a80caf21541eb
    Packager : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
    URL : http://pcsclite.alioth.debian.org/
    Summary : PC/SC Lite smart card framework and applications
    [root@dhcp129-124 sctests]# rpm -qi pcsc-cyberjack
    Name : pcsc-cyberjack Relocations: (not relocatable)
    Version : 3.99.5final.SP03 Vendor: Fedora Project
    Release : 13.el6 Build Date: Thu 25 Apr 2013 08:12:57 AM EDT
    Install Date: Fri 10 Apr 2015 12:06:45 PM EDT Build Host: buildvm-23.phx2.fedoraproject.org
    Group : System Environment/Libraries Source RPM: pcsc-cyberjack-3.99.5final.SP03-13.el6.src.rpm
    Size : 767628 License: LGPLv2+
    Signature : RSA/8, Thu 02 May 2013 02:07:21 PM EDT, Key ID 3b49df2a0608b895
    Packager : Fedora Project
    URL : http://www.reiner-sct.de/
    Summary : PC/SC driver for REINER SCT cyberjack USB chip card reader

I still see inconsistency in the detection of smartcards using Reiner SCT cyberJack® RFID komfort reader.

PIV cards 2,3,4,5,7,8,10,11,12,13,14,15 and Northrop Grumman Oberthur card were detected by ESC and certs were listed. Certs were detected by firefox and smartcard coolkey test program. Green light blinks when inserted in the front slot and blue light blinks when inserted in the rear slot. Multiple attempts were required for most of the cards.

PIV card 1 - Even after multiple attempts the certs on this card were not detected. Using Omnikey reader the certs are being detected.

PIV card 6 - There are no certs on the card and the CAC ID cert is detected when inserted in the rear slot.

PIV card 16 - When inserted in the front slot blinks green but certs on the card are not being detected. Using Omnikey reader there is one cert on the card detected by ESC and it is not the CAC ID cert.

I've noticed the reader isn't exactly solid, as my comments indicate. My PIV Card 1 works (mostly), but my PIV Card 3 never works (detected, but never any certs). It may be an issue with the reliability of contactless. My PIV card 6 is never detected. My PIV card 16 does work.
NOTE: this is about the contactless interface, slide the card in the back slot of the reader and you should get blue lights (never any green lights). The green will still be flaky because the reader has a hard time not trying to talk to the contactless. That's an issue with the reader which we can't do much about.

bob

All the PIV cards and Oberthur card were detected in the rear slot of the reader. The blue light was blinking that the CAC ID cert was detected. Most of the cards were detected when inserted in the front slot of the reader. Verification steps as explained in comment 8.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-1370.html
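The interface split discussed in this bug, as an added example that is not coolkey's code and not part of the original report: it models which PIV certificate slots show up per interface, builds the GET DATA request for a slot's certificate, and shows the check a relying application needs because the contactless card certificate key signs without a PIN. Object tags and key references are the NIST SP 800-73 values; the helper names and the strict "contact shows three slots, contactless shows one" split are assumptions taken from the thread's description.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct {
    const char *name;
    uint8_t tag[3];      /* GET DATA object tag of the certificate */
    uint8_t key_ref;     /* key reference of the matching private key */
    int contactless;     /* 1 = reachable over the contactless interface */
    int pin_required;    /* 1 = private-key use needs PIN verification */
} piv_slot;

static const piv_slot PIV_SLOTS[] = {
    {"PIV Authentication",  {0x5F, 0xC1, 0x05}, 0x9A, 0, 1},
    {"Digital Signature",   {0x5F, 0xC1, 0x0A}, 0x9C, 0, 1},
    {"Key Management",      {0x5F, 0xC1, 0x0B}, 0x9D, 0, 1},
    {"Card Authentication", {0x5F, 0xC1, 0x01}, 0x9E, 1, 0},
};
#define N_SLOTS (sizeof PIV_SLOTS / sizeof PIV_SLOTS[0])

/* Slots a module would list for the interface in use (hypothetical helper). */
size_t piv_visible(int contactless_iface, const piv_slot **out, size_t cap) {
    size_t n = 0;
    for (size_t i = 0; i < N_SLOTS && n < cap; i++)
        if (PIV_SLOTS[i].contactless == contactless_iface)
            out[n++] = &PIV_SLOTS[i];
    return n;
}

/* Build GET DATA: 00 CB 3F FF 05 5C 03 <tag> 00. Returns length, 0 if too small. */
size_t piv_get_data_apdu(const piv_slot *s, uint8_t *buf, size_t cap) {
    const uint8_t hdr[] = {0x00, 0xCB, 0x3F, 0xFF, 0x05, 0x5C, 0x03};
    if (cap < sizeof hdr + 4) return 0;
    for (size_t i = 0; i < sizeof hdr; i++) buf[i] = hdr[i];
    for (size_t i = 0; i < 3; i++) buf[sizeof hdr + i] = s->tag[i];
    buf[sizeof hdr + 3] = 0x00;              /* Le: return the whole object */
    return sizeof hdr + 4;
}

/* Relying-party check: a pinless key proves card possession only. */
int acceptable_for_user_login(const piv_slot *s) { return s->pin_required; }

int main(void) {
    const piv_slot *v[N_SLOTS];
    for (int iface = 0; iface <= 1; iface++) {
        size_t n = piv_visible(iface, v, N_SLOTS);
        for (size_t i = 0; i < n; i++)
            printf("%s: %s key %02X login_ok=%d\n", iface ? "contactless" : "contact",
                   v[i]->name, v[i]->key_ref, acceptable_for_user_login(v[i]));
    }
    return 0;
}
```

A service that maps smart card certificates to user accounts can apply the same test to keep the CAC ID certificate from being treated as proof that a PIN was entered.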