Bug 1562277

Summary: RFE: add support to OpenSC for CardOS 5.3 cards
Product: Red Hat Enterprise Linux 7
Component: opensc
Version: 7.4
Hardware: x86_64
OS: Linux
Status: CLOSED ERRATA
Severity: urgent
Priority: urgent
Reporter: Jo Vilicic <jvilicic>
Assignee: Jakub Jelen <jjelen>
QA Contact: Asha Akkiangady <aakkiang>
Docs Contact: Marc Muehlfeld <mmuehlfe>
CC: ekeck, jjelen, jvilicic, kperrier, mthacker, nmavrogi, richard.ryder, rpattath, wayne.johnson
Target Milestone: rc
Target Release: ---
Keywords: FutureFeature, HardwareEnablement
Fixed In Version: opensc-0.19.0-1.el7
Doc Type: Bug Fix
Doc Text:
CardOS 5.3 smart cards with ECDSA support work correctly in OpenSC
Previously, OpenSC did not correctly parse the ECDSA algorithm in the *TokenInfo* information provided by CardOS 5.3 smart cards. As a consequence, OpenSC did not detect these cards. The *TokenInfo* parser has been updated and now complies with the PKCS #15 specification. As a result, CardOS 5.3 smart cards with ECDSA support work correctly in OpenSC.
Last Closed: 2018-10-30 11:24:51 UTC
Type: Bug
Bug Blocks: 1563596
Attachments:
pkcs11-tool -L in debug mode with CardOS 5.3 inserted. (Flags: none)
pkcs11-tool -L in debug mode with CardOS 5.3 inserted. none

Description Jo Vilicic 2018-03-30 00:49:18 UTC
Description of problem:
OpenSC doesn't work with CardOS 5.3 cards. In an organization that's been configured to authenticate users using CardOS v4.2C cards, new employees being given CardOS v5.3 cards cannot authenticate.


Version-Release number of selected component (if applicable):
opensc-0.16.0-5.20170227git777e2a3.el7.x86_64


How reproducible:
Consistent with CardOS v5.3 cards, not a problem with CardOS v4.2C cards


Steps to Reproduce:
1. Configure a RHEL 7.4 server to authenticate CardOS v4.2C cards
2. Update to CardOS v5.3 cards


Actual results:
Cards no longer work.  Customer has tried with HP Smartcard Keyboard card readers, and also an Omnikey reader which is known to work with older CardOS v4.2C cards


Expected results:
Newer cards to work


Additional info:

=== Non-working Cardos 5.3 card ===

$ opensc-tool --atr
Using reader with a card: Hewlett-Packard Company HP Smart Card Terminal KUS1206 [HP Smartcard Keyboard] (00000741000006) 00 00
3b:d2:18:00:81:31:fe:58:c9:03:16

$ pkcs11-tool -L

Available slots:
Slot 0 (0x0): HP RGS Remote Smart Card Reader 00 00
  (empty)
Slot 1 (0x4): Hewlett-Packard Company HP Smart Card Terminal KUS1206 [HP Smart
C_GetTokenInfo() failed: rv = CKR_TOKEN_NOT_PRESENT

$ cardos-tool -i 

Using reader with a card: Hewlett-Packard Company HP Smart Card Terminal KUS1206 [HP Smartcard Keyboard] (00000741000006) 00 00
3b:d2:18:00:81:31:fe:58:c9:03:16
Info : CardOS V5.3, 2014
Serial number: 02 06 95 0d 00 05 45 2c
OS Version: 201.3 (unknown Version)
Current life cycle: 16 (operational)
Security Status of current DF:
Free memory : 507
ATR Status: 0x0 ROM-ATR
Packages installed:
E1 0B 53 06 11 04 09 01 C9 03 8F 01 01 E1 0B 53 ..S............S
06 03 04 13 02 C9 03 8F 01 01                   ..........
Ram size: 7, Eeprom size: 83, cpu type: 78, chip config: 63, chip manufacturer: 5
Free eeprom memory: 56732
Current Maximum Data Field Length: 640
Complete chip production data:
CC 78 33 CE 01 00 01 00 0E 00 00 01 0B 02 00 00 .x3.............
00 00 00 00 00 00 00 61 75 38 30 FF FF FF FF 78 .......au80....x
01 51 41 78 05 16 07 00 00 83 12 05 E7 55 21 02 .QAx.........U!.
01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00             ............
System keys: PackageLoadKey (version 0x00, retries 10)
System keys: StartKey (version 0xff, retries 10)
Path to current DF:



=== Comparison with a working v4.2C Smart Card is below ===
$ opensc-tool --atr
Using reader with a card: Hewlett-Packard Company HP USB CCID Smartcard Keyboard [HP USB CCID Keyboard Smartcard Reader] (13072700000922) 00 00
3b:f2:18:00:02:c1:0a:31:fe:58:c8:0b:77

$ cardos-tool -i
Using reader with a card: Hewlett-Packard Company HP USB CCID Smartcard Keyboard [HP USB CCID Keyboard Smartcard Reader] (13072700000922) 00 00
3b:f2:18:00:02:c1:0a:31:fe:58:c8:0b:77
Info : CardOS V4.2C (C) Siemens AG 1994-2006
Chip type: 147
Serial number: 21 20 91 09 32 35
Full prom dump:
33 66 00 16 A5 4B 00 00 93 0D 21 20 91 09 32 35 3f...K....! ..25
00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 ................
OS Version: 200.11 (that's CardOS M4.2C)
Current life cycle: 16 (operational)
Security Status of current DF:
Free memory : 82
ATR Status: 0x0 ROM-ATR
Packages installed:
Ram size: 6, Eeprom size: 36, cpu type: 66, chip config: 63
Free eeprom memory: 15535
Current Maximum Data Field Length: 300
System keys: PackageLoadKey (version 0x00, retries 10)
System keys: StartKey (version 0x02, retries 10)
Path to current DF:
50 15 P.

$ pkcs11-tool -L
Available slots:
Slot 0 (0x0): HP RGS Remote Smart Card Reader 00 00
  (empty)
Slot 1 (0x4): Hewlett-Packard Company HP USB CCID Smartcard Keyboard [HP USB C
  token label        : PIN (Siemens Corporate ID Card)
  token manufacturer : Siemens AG (C)
  token model        : PKCS#15
  token flags        : login required, token initialized, PIN initialized
  hardware version   : 0.0
  firmware version   : 0.0
  serial num         : 3153393842535144
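
The two `pkcs11-tool -L` listings above can be triaged mechanically; this is an added example, not part of the original report or of OpenSC, and the function names `classify_slots` and `card_present_but_unusable` are hypothetical. It flags the situation seen here: the reader returns an ATR, so a card is physically present, yet a slot fails `C_GetTokenInfo`, which places the failure above the reader layer.

```sh
#!/bin/sh
# Added triage example (not from the report or from OpenSC).
# Sample listings are copied from the `pkcs11-tool -L` output quoted in this report.
sample_failing() { cat <<'EOF'
Available slots:
Slot 0 (0x0): HP RGS Remote Smart Card Reader 00 00
  (empty)
Slot 1 (0x4): Hewlett-Packard Company HP Smart Card Terminal KUS1206 [HP Smart
C_GetTokenInfo() failed: rv = CKR_TOKEN_NOT_PRESENT
EOF
}
sample_working() { cat <<'EOF'
Available slots:
Slot 0 (0x0): HP RGS Remote Smart Card Reader 00 00
  (empty)
Slot 1 (0x4): Hewlett-Packard Company HP USB CCID Smartcard Keyboard [HP USB C
  token label        : PIN (Siemens Corporate ID Card)
  token manufacturer : Siemens AG (C)
EOF
}

# Read `pkcs11-tool -L` output on stdin; print "<slot> <state>" for each slot.
classify_slots() {
  awk '
    function emit() { if (slot != "") print slot, state }
    /^Slot [0-9]+ /              { emit(); slot = $2; state = "unknown"; next }
    /^[ \t]*\(empty\)/           { state = "empty"; next }
    /C_GetTokenInfo\(\) failed/  { state = "token-info-failed"; next }
    /^[ \t]*token label/         { state = "ok"; next }
    END { emit() }
  '
}

# $1 = output of `opensc-tool --atr`; stdin = `pkcs11-tool -L` output.
# Succeeds when the reader returned an ATR (a card is physically present)
# yet some slot failed C_GetTokenInfo.
card_present_but_unusable() {
  printf '%s\n' "$1" | grep -Eq '^([0-9a-f]{2}:)+[0-9a-f]{2}$' || return 1
  classify_slots | grep -q ' token-info-failed$'
}

sample_failing | classify_slots
if sample_failing | card_present_but_unusable "3b:d2:18:00:81:31:fe:58:c9:03:16"; then
  echo "card answers with an ATR but PKCS#11 cannot read its token info"
fi
```

On a live system, pipe the real `pkcs11-tool -L` output into `card_present_but_unusable "$(opensc-tool --atr)"` instead of the embedded samples.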

Comment 2 Jakub Jelen 2018-04-04 08:01:38 UTC
The ATR of the listed card is already in the card driver in RHEL7, and cardos-tool looks like it is recognizing the card correctly, though the error will probably be later. Can you run OpenSC in debug mode to gather more information about what went wrong?

    OPENSC_DEBUG=9 pkcs11-tool -L

I suspect these new cards have EC keys on them and it will be solved by the following change in upstream:

https://github.com/OpenSC/OpenSC/issues/1134

Can you try if the following build resolves the issues (it is latest RHEL7.5 with the above patch)?

https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=15699214

Comment 4 Jo Vilicic 2018-04-11 17:44:17 UTC
Customer confirmed that the latest OpenSC package from RHEL 7.5 fixed the issue.

We are quoting the customer below:



---------------------------------------
   After upgrading to opensc-0.16.0-8.2.20170227git777e2a3.el7.x86_64.rpm, all card versions tested work correctly (v5.3, v4.2).

   The person who has this card did not turn on debug as requested when running pkcs11-tool, but here is the output he sent us. Let us know if you still need the debug knowing that the above RPM fixes the issue.

Available slots:
Slot 0 (0x0): HP RGS Remote Smart Card Reader 00 00
  (empty)
Slot 1 (0x4): OMNIKEY AG CardMan 3021 00 00
  token label        : Siemens Corporate ID Card (V8)
  token manufacturer : www.atos.net/cardos
  token model        : PKCS#15
  token flags        : login required, token initialized, PIN initialized
  hardware version   : 0.0
  firmware version   : 0.0
  serial num         : 324952464D355556
Slot 2 (0x5): OMNIKEY AG CardMan 3021 00 00
  token label        : Extra PIN #1 (Siemens Corporate
  token manufacturer : www.atos.net/cardos
  token model        : PKCS#15
  token flags        : login required, token initialized, PIN initialized
  hardware version   : 0.0
  firmware version   : 0.0
  serial num         : 324952464D355556
Slot 3 (0x6): OMNIKEY AG CardMan 3021 00 00
  token label        : Extra PIN #0 (Siemens Corporate
  token manufacturer : www.atos.net/cardos
  token model        : PKCS#15
  token flags        : login required, token initialized, PIN initialized
  hardware version   : 0.0
  firmware version   : 0.0
  serial num         : 324952464D355556

Comment 5 Jakub Jelen 2018-04-12 07:02:54 UTC
Thank you for the verification. Can you also clarify whether the tested package was the one provided in comment #2 or the one from the standard RHEL7.5 update?

I assume the first, but your comment does not make it clear.

Comment 6 Jo Vilicic 2018-04-13 16:27:06 UTC
Hi Jakub,

1) My apologies -- the customer only installed the package you provided, described as being the same as RHEL 7.5 packages:

      "Can you try if the following build resolves the issues (it is latest RHEL7.5 with the above patch)?  https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=15699214"


2) So no, they haven't fully updated to 7.5, which they mention here:

      "FYI only: debug info originally requested is attached, but as we mentioned the test package resolved the issue.

      We haven't tried RHEL 7.5 yet, but if it contains the same fix, you can close this case."

   Since it does, I'll be closing that case.


3) Attaching "pkcs11-tool -L in debug mode with CardOS 5.3 inserted" debug info as a final follow-up.

Comment 7 Jo Vilicic 2018-04-13 16:27:43 UTC
Created attachment 1421438
pkcs11-tool -L in debug mode with CardOS 5.3 inserted.

Comment 8 Jakub Jelen 2018-04-16 11:59:09 UTC
Thank you for the clarification. No, the RHEL7.5 does not contain this fix. It was fixed. I will make sure this will get fixed in RHEL7.6. Let me know if you will need an official hotfix earlier, or if this needs to be fixed in Z-stream earlier.

Comment 24 Roshni 2018-08-17 21:12:17 UTC
[root@dhcp129-188 ~]# rpm -qi opensc
Name        : opensc
Version     : 0.16.0
Release     : 10.20170227git777e2a3.el7
Architecture: x86_64
Install Date: Tue 31 Jul 2018 10:10:39 AM EDT
Group       : System Environment/Libraries
Size        : 3260617
License     : LGPLv2+
Signature   : RSA/SHA256, Tue 03 Jul 2018 04:12:33 AM EDT, Key ID 199e2f91fd431d51
Source RPM  : opensc-0.16.0-10.20170227git777e2a3.el7.src.rpm
Build Date  : Tue 03 Jul 2018 03:59:44 AM EDT
Build Host  : x86-019.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : https://github.com/OpenSC/OpenSC/wiki
Summary     : Smart card library and applications

Sanity tests look good.

Comment 26 errata-xmlrpc 2018-10-30 11:24:51 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3224