Bug 1455518
| Summary: | nss-based apps can't establish ssl connections when coolkey module is in nssdb but pcscd can't run (e.g. is masked) | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | David Jaša <djasa> |
| Component: | pcsc-lite | Assignee: | Bob Relyea <rrelyea> |
| Status: | CLOSED ERRATA | QA Contact: | Asha Akkiangady <aakkiang> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 7.4 | CC: | kdudka, rpattath |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | pcsc-lite-1.8.8-7.el7 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2018-04-10 18:00:08 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
David Jaša
2017-05-25 12:01:52 UTC
This hang happens in both coolkey and opensc. I've included the stack traceback.
SCardEstablishContext needs to time out or detect pcsc-lite is not running and error out. I'm changing the component to pcsc-lite (doesn't change much else, same owner, qa and pm).
Stack when using coolkey:
#0 0x00007ffff66d6783 in __select_nocancel ()
at ../sysdeps/unix/syscall-template.S:81
#1 0x00007ffff49ea011 in MessageReceive () from /lib64/libpcsclite.so.1
#2 0x00007ffff49e7c40 in SCardEstablishContext () from /lib64/libpcsclite.so.1
#3 0x00007ffff54181d4 in ckyCardContext_establish (ctx=ctx@entry=0x6b9520,
scope=scope@entry=0) at cky_card.c:465
#4 0x00007ffff5418781 in CKYCardContext_Create (scope=0) at cky_card.c:489
#5 0x00007ffff5640d20 in SlotList::SlotList (this=0x614270,
log_=<optimized out>) at slot.cpp:104
#6 0x00007ffff562f5c2 in C_Initialize (pInitArgs=<optimized out>)
at coolkey.cpp:271
#7 0x00007ffff767e37f in secmod_ModuleInit (mod=mod@entry=0x6b9a80,
reload=reload@entry=0x7fffffffdcb0,
alreadyLoaded=alreadyLoaded@entry=0x7fffffffdbd4) at pk11load.c:241
#8 0x00007ffff767e9aa in secmod_LoadPKCS11Module (mod=mod@entry=0x6b9a80,
oldModule=oldModule@entry=0x7fffffffdcb0) at pk11load.c:492
#9 0x00007ffff768b408 in SECMOD_LoadModule (
modulespec=modulespec@entry=0x612580 "name=\"CoolKey PKCS #11 Module\" library=\"libcoolkeypk11.so\"", parent=parent@entry=0x60a9e0,
recurse=recurse@entry=1) at pk11pars.c:1694
Stack when using opensc:
#0 0x00007ffff66d6783 in __select_nocancel ()
at ../sysdeps/unix/syscall-template.S:81
#1 0x00007ffff4d92011 in MessageReceive () from /lib64/libpcsclite.so.1
#2 0x00007ffff4d8fc40 in SCardEstablishContext () from /lib64/libpcsclite.so.1
#3 0x00007ffff5456d18 in pcsc_detect_readers (ctx=0x6469e0)
at reader-pcsc.c:1158
#4 0x00007ffff541671f in sc_ctx_detect_readers (ctx=0x6469e0) at ctx.c:679
#5 0x00007ffff5416b1b in sc_context_create (ctx_out=0x7ffff5a52568 <context>,
parm=0x7fffffffdaa0) at ctx.c:803
#6 0x00007ffff5825247 in C_Initialize (
pInitArgs=0x7ffff7962140 <secmodLockFunctions>) at pkcs11-global.c:250
#7 0x00007ffff767e37f in secmod_ModuleInit (mod=mod@entry=0x640430,
reload=reload@entry=0x7fffffffdc90,
alreadyLoaded=alreadyLoaded@entry=0x7fffffffdbb4) at pk11load.c:241
#8 0x00007ffff767e9aa in secmod_LoadPKCS11Module (mod=mod@entry=0x640430,
oldModule=oldModule@entry=0x7fffffffdc90) at pk11load.c:492
#9 0x00007ffff768b408 in SECMOD_LoadModule (
modulespec=modulespec@entry=0x612290 "library=\"/home/bob/OpenSC/src/pkcs11/.libs/opensc-pkcs11.so\" name=\"Opensc\"", parent=parent@entry=0x60a9e0,
recurse=recurse@entry=1) at pk11pars.c:1694
fixed in pcsc-lite-1.8.8-7.el7.src.rpm [root@dhcp129-107 ~]# rpm -qi pcsc-lite Name : pcsc-lite Version : 1.8.8 Release : 7.el7 Architecture: x86_64 Install Date: Tue 28 Nov 2017 04:06:45 PM EST Group : System Environment/Daemons Size : 634433 License : BSD Signature : RSA/SHA256, Wed 01 Nov 2017 08:34:44 PM EDT, Key ID 199e2f91fd431d51 Source RPM : pcsc-lite-1.8.8-7.el7.src.rpm Build Date : Wed 01 Nov 2017 06:46:29 PM EDT Build Host : x86-020.build.eng.bos.redhat.com Relocations : (not relocatable) Packager : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla> Vendor : Red Hat, Inc. URL : http://pcsclite.alioth.debian.org/ Summary : PC/SC Lite smart card framework and applications [root@dhcp129-107 ~]# modutil -list -dbdir /etc/pki/nssdb/ Verification steps: 1. Listing of PKCS #11 Modules ----------------------------------------------------------- 1. NSS Internal PKCS #11 Module uri: pkcs11:library-manufacturer=Mozilla%20Foundation;library-description=NSS%20Internal%20Crypto%20Services;library-version=3.34 slots: 2 slots attached status: loaded slot: NSS Internal Cryptographic Services token: NSS Generic Crypto Services uri: pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203 slot: NSS User Private Key and Certificate Services token: NSS Certificate DB uri: pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203 2. CoolKey PKCS #11 Module library name: libcoolkeypk11.so uri: pkcs11:library-manufacturer=Mozilla%20Foundation;library-description=CoolKey%20PKCS%20%2311%20Module%20%20%20%20%20;library-version=1.0 slots: 1 slot attached status: loaded slot: OMNIKEY AG CardMan 3021 00 00 token: alt.Gonzales.Speedy.E.0987654321 uri: pkcs11:token=alt.Gonzales.Speedy.E.0987654321 ----------------------------------------------------------- 2. [root@dhcp129-107 ~]# systemctl unmask pcscd Removed symlink /etc/systemd/system/pcscd.service. [root@dhcp129-107 ~]# systemctl start pcscd [root@dhcp129-107 ~]# modutil -list -dbdir /etc/pki/nssdb/ Listing of PKCS #11 Modules ----------------------------------------------------------- 1. NSS Internal PKCS #11 Module uri: pkcs11:library-manufacturer=Mozilla%20Foundation;library-description=NSS%20Internal%20Crypto%20Services;library-version=3.34 slots: 2 slots attached status: loaded slot: NSS Internal Cryptographic Services token: NSS Generic Crypto Services uri: pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203 slot: NSS User Private Key and Certificate Services token: NSS Certificate DB uri: pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203 2. CoolKey PKCS #11 Module library name: libcoolkeypk11.so slots: There are no slots attached to this module status: Not loaded ----------------------------------------------------------- Also I was not able to load the coolkey security token module to firefox and smartcard was not detected. Firefox and evolution were working as expected and curl command was giving the expected output. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:0962 |