Bug 1445430

Summary: pkcs15-init -E fails to erase a smartcard
Product: Red Hat Enterprise Linux 7
Reporter: Roshni <rpattath>
Component: opensc
Assignee: Jakub Jelen <jjelen>
Status: CLOSED WORKSFORME
QA Contact: Release Test Team <release-test-team>
Severity: unspecified
Priority: unspecified
Version: 7.4
CC: mgrepl, spoore
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Last Closed: 2017-08-09 09:12:43 UTC
Type: Bug
Attachments:
pkcs15-init -E output (flags: none)

Description Roshni 2017-04-25 16:12:38 UTC
Created attachment 1273958: pkcs15-init -E output

Description of problem:
pkcs15-init -E fails to erase a smartcard

Version-Release number of selected component (if applicable):
opensc-0.16.0-1.20170227git777e2a3.el7.x86_64
engine_pkcs11-0.1.8-5.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. Write certificate onto a pkcs15 card using default transport key.
2. pkcs15-init -E

Actual results:
Erasing card fails

Expected results:
Erasing card should be successful

Additional info:
Attaching output when OPENSC_DEBUG=9 env variable was set

Comment 3 Jakub Jelen 2017-04-26 09:15:05 UTC
Hello Roshni,
the log reports a bad SO PIN, which is propagated from the APDU:

PIN [Security Officer PIN] required.
Please enter PIN [Security Officer PIN]: 
Failed to erase card: PIN code or key incorrect

Can you provide the same log from the old OpenSC version, which worked (if it worked, or whatever way you used to do the erasing before)?

Comment 4 Scott Poore 2017-04-27 16:41:36 UTC
FYI, I was able to unblock the pin and erase the card normally:

[root@dhcp129-184 ca]# pkcs15-tool -u -so-puk redhat
Using reader with a card: OMNIKEY AG CardMan 3021 00 00
Enter PUK [Security Officer PIN]: 
Enter new PIN [Security Officer PIN]: 
Enter new PIN again [Security Officer PIN]: 

[root@dhcp129-184 ca]# pkcs15-init --erase-card --use-default-transport-keys
Using reader with a card: OMNIKEY AG CardMan 3021 00 00
PIN [Security Officer PIN] required.
Please enter PIN [Security Officer PIN]: 

Also, it was erasing normally on this same version for a while and then it stopped working until I ran the above.

Comment 5 Scott Poore 2017-04-27 17:22:37 UTC
Also, I'm removing TestBlocker for now because I'm currently unable to reproduce the problem.

I've run about 50+ cycles of erasing, initializing, store pin, store key, store cert.  I haven't been able to reproduce it yet.

I did have to break out of my tests a few times.  Is it possible that breaking out during one of the card operations may have caused it to "block"?

Thanks,
Scott

Comment 6 Jakub Jelen 2017-05-02 07:03:33 UTC
That can be possible if this happens while writing the PIN record to the pkcs15 structures; it could get malformed and therefore report a wrong PIN on occasions like the above.
It would be good to keep an eye on this.

Comment 7 Jakub Jelen 2017-05-15 09:14:10 UTC
Postponing to 7.5 (so we will not block the beta) in case we are able to reproduce the problem later. Otherwise I will close this bug if there is no further reproducer.
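
Comments 5 and 6 raise the possibility that breaking out of a test run during a card operation left the PIN record malformed. The harness below is an added example, not code from this bug report or from OpenSC: it holds Ctrl-C or SIGTERM back until the current card operation has finished and then stops between operations. The names run_card_op, run_cycle and STOP_REQUESTED are hypothetical, and it assumes the card tool does not install its own signal handlers.

```shell
#!/bin/sh
# Added example: never interrupt a card tool in the middle of a write.
# A stop request is recorded and honoured only between operations.

STOP_REQUESTED=0
# The harness itself only notes the request; it does not exit here.
trap 'STOP_REQUESTED=1' INT TERM

# run_card_op CMD [ARGS...]
# Runs one card operation with INT and TERM ignored. An ignored signal
# disposition is inherited across exec, so the tool keeps running when
# Ctrl-C is delivered to the whole foreground process group.
run_card_op() {
    (
        trap '' INT TERM
        exec "$@"
    )
}

# run_cycle OPERATION...
# Each argument is one operation given as a shell command line.
# Returns 0 if every operation ran, 130 if a stop was requested and the
# remaining operations were skipped, or the status of the first failure.
run_cycle() {
    for op in "$@"; do
        if [ "$STOP_REQUESTED" -ne 0 ]; then
            echo "stop requested; skipping: $op" >&2
            return 130
        fi
        run_card_op sh -c "$op" || return $?
    done
    return 0
}

# Usage on a test card (command line taken from comment 4):
#   run_cycle 'pkcs15-init --erase-card --use-default-transport-keys'
```

A stop request arriving during an operation lets that operation complete, so the card is left at an operation boundary rather than part-way through a write.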