Bug 1518348
| Field | Value |
|---|---|
| Summary | thunderbird 52.4 with OpenSC 0.16 and PIV cards ALWAYS_AUTHENTICATE fail |
| Product | Red Hat Enterprise Linux 7 |
| Reporter | aheverle |
| Component | opensc |
| Assignee | Jakub Jelen <jjelen> |
| Status | CLOSED CURRENTRELEASE |
| QA Contact | Asha Akkiangady <aakkiang> |
| Severity | low |
| Priority | low |
| Version | 7.4 |
| CC | aakkiang, aheverle, cww, mthacker, nmavrogi, rpattath |
| Target Milestone | rc |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Fixed In Version | |
| Doc Type | If docs needed, set a value |
| Story Points | --- |
| Last Closed | 2018-05-23 16:49:38 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Bug Blocks | 1477664, 1563596 |
Description
aheverle
2017-11-28 16:50:34 UTC
What card is that? Is it standard PIV, or a dual CAC card? If it is CAC, can you try the CAC driver directly as described in the following article: https://access.redhat.com/articles/3034441

These logs do not say anything useful. Can you reproduce the issue solely with the pkcs11-tool as described in the following article and attach the logs (note that it might contain the PIN, so the logs should be redacted before sharing!): https://github.com/OpenSC/OpenSC/wiki/Using-pkcs11-tool-and-OpenSSL

Can you try with the latest build for RHEL7.5, if it will change anything? https://brewweb.engineering.redhat.com/brew/buildinfo?buildID=622948

To summarize the status of this bug, the issue with ALWAYS_AUTHENTICATE keys can be reproduced with any PIV test card and with any NSS application. It is a combination of NSS wrongly issuing the PKCS#11 commands out of order (fixed in NSS 3.36) [1] and OpenSC resetting the login state in case this happens (fixed in OpenSC 0.17.0) [2]. Either of these changes fixes the issue.

For demonstration, I am using Bob's smartcard test (let me know if you don't have that -- I don't think it is somewhere public). Once I reverted the patch [2] and downgraded NSS to 3.33 in Fedora, I am able to get errors such as the following:

```
-----Found Cert 2: CN=Test Cardholder XIII,OU=Test Agency,OU=Test Department,O=Test Government,C=US
KeyType: RSA
CertID [1] = 02
KeyID [1] = 02
Key can encipher...
Testing enciphering
Password for Test Cardholder XIII?
>failed to decrypt message with private key: The operation failed because the PKCS#11 token is not logged in.
-----Found Cert 3: CN=Test Cardholder XIII,OU=Test Agency,OU=Test Department,O=Test Government,C=US
>failed to find private key: Unknown code ___P 3
```

Updating either NSS or OpenSC fixes the issue and the tests pass.

NSS is already updated in RHEL7.5, so the fix in OpenSC is not completely necessary (as it was when the bug was reported), but I would be for including the fix to make sure it works both with older NSS and in case there will be a similar regression, or some other libraries or tools would use the PKCS#11 interface wrongly.

Asha, Roshni, is this summary enough for you to verify this bug?

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1333725
[2] https://github.com/OpenSC/OpenSC/pull/1084

I was not able to see any error messages as in comment 17 when the smartcard test tool was run using PIV cards with the latest nss packages.

This issue was resolved with the latest NSS update and there is no need to fix it again in OpenSC (and introduce other complexity).
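To make the two-sided interaction summarized in the thread concrete, here is an added example (not NSS's or OpenSC's code) that models a PKCS#11 token holding one CKA_ALWAYS_AUTHENTICATE private key. It assumes that the misordering was a CKU_CONTEXT_SPECIFIC login issued before the operation was initialised, and that the old OpenSC reaction was to drop the user login on that error; with either side fixed the decrypt succeeds, and with neither fixed the next C_DecryptInit fails with CKR_USER_NOT_LOGGED_IN, the "token is not logged in" error quoted above.

```python
# Added example (not NSS or OpenSC code): toy PKCS#11 token with one CKA_ALWAYS_AUTHENTICATE key.
CKU_USER, CKU_CONTEXT_SPECIFIC = 1, 3
CKR_OK = "CKR_OK"
CKR_USER_NOT_LOGGED_IN = "CKR_USER_NOT_LOGGED_IN"
CKR_OPERATION_NOT_INITIALIZED = "CKR_OPERATION_NOT_INITIALIZED"
class Token:
    """reset_login_on_error models the assumed pre-0.17 OpenSC behaviour (dropping
    the CKU_USER login when a context-specific login fails); PINs are not checked."""
    def __init__(self, reset_login_on_error):
        self.reset_login_on_error = reset_login_on_error
        self.user_logged_in = False         # CKU_USER login for the session
        self.op_initialized = False         # C_DecryptInit done, C_Decrypt pending
        self.context_authenticated = False  # CKU_CONTEXT_SPECIFIC login for this op

    def C_Login(self, user_type, pin):
        if user_type == CKU_USER:
            self.user_logged_in = True
            return CKR_OK
        # PKCS#11: CKU_CONTEXT_SPECIFIC is only valid right after C_DecryptInit/C_SignInit
        if not self.op_initialized:
            if self.reset_login_on_error:
                self.user_logged_in = False  # the OpenSC side of the bug
            return CKR_OPERATION_NOT_INITIALIZED
        self.context_authenticated = True
        return CKR_OK

    def C_DecryptInit(self):
        if not self.user_logged_in:
            return CKR_USER_NOT_LOGGED_IN  # "token is not logged in" in the test output
        self.op_initialized, self.context_authenticated = True, False
        return CKR_OK

    def C_Decrypt(self):
        if not self.op_initialized:
            return CKR_OPERATION_NOT_INITIALIZED
        if not self.context_authenticated:
            return CKR_USER_NOT_LOGGED_IN
        self.op_initialized = False
        return CKR_OK

def run(token, calls):
    # Issue every call even after an error (as a tolerant client would); return the codes.
    return [getattr(token, name)(*args) for name, *args in calls]
PIN = "123456"  # constructed test PIN; this model does not verify it
# Spec order: initialise the operation, then the context-specific login.
SPEC_ORDER = [("C_Login", CKU_USER, PIN), ("C_DecryptInit",),
              ("C_Login", CKU_CONTEXT_SPECIFIC, PIN), ("C_Decrypt",)]
# Assumed pre-3.36 NSS order: an extra context-specific login before the init.
OLD_ORDER = [("C_Login", CKU_USER, PIN), ("C_Login", CKU_CONTEXT_SPECIFIC, PIN),
             ("C_DecryptInit",), ("C_Login", CKU_CONTEXT_SPECIFIC, PIN), ("C_Decrypt",)]
```

Running `run(Token(True), OLD_ORDER)` reproduces the failing combination, while `Token(False)` (OpenSC fixed) or `SPEC_ORDER` (NSS fixed) both end in CKR_OK.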