Bug 1696238

Summary: yubikey based ssh to IPA fails with C_Sign failed: 32
Product: Red Hat Enterprise Linux 7
Reporter: amitkuma
Component: opensc
Assignee: Jakub Jelen <jjelen>
Status: CLOSED WONTFIX
QA Contact: Asha Akkiangady <aakkiang>
Severity: high
Docs Contact:
Priority: unspecified
Version: 7.6
CC: jjelen, jwooten
Target Milestone: rc
Target Release: ---
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-07-26 12:43:41 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Comment 2 amitkuma 2019-04-11 14:18:28 UTC
Jakub, any updates here?

Comment 4 amitkuma 2019-04-23 11:26:46 UTC
Attached:
1. Output of # pkcs11-tool -O
2. Secure log in /var/log/secure
3. Messages log in /var/log/messages when the YubiKey is plugged in to the machine

Comment 6 amitkuma 2019-04-30 10:17:44 UTC
# pkcs11-tool --pin 123456 --test
No slots.
# pkcs11-tool --pin 177181 --test
Using slot 0 with a present token (0x0)
C_SeedRandom() and C_GenerateRandom():
  seeding (C_SeedRandom) not supported
  seems to be OK
Digests:
  all 4 digest functions seem to work
  MD5: OK
  SHA-1: OK
  RIPEMD160: OK
Signatures (currently only for RSA)
  testing key 0 (PIV AUTH key) 
error: PKCS11 function C_SignFinal failed: rv = CKR_DATA_INVALID (0x20)
Aborting.
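As an added example (not from this bug report, OpenSC or OpenSSH), the following Python helper parses the pkcs11-tool --test transcript above and decodes the decimal return value that OpenSSH prints in the summary's "C_Sign failed: 32", showing that both tools are reporting the same token-side CKR_DATA_INVALID (0x20). The sample strings are constructed from comment 6; the CKR table is a subset of the PKCS#11 v2.x return codes.

```python
import re

# Constructed sample: the pkcs11-tool --test transcript from comment 6 of this
# bug, trimmed to the lines this parser looks at.
SAMPLE_TEST_OUTPUT = """\
Using slot 0 with a present token (0x0)
Digests:
  all 4 digest functions seem to work
  MD5: OK
  SHA-1: OK
  RIPEMD160: OK
Signatures (currently only for RSA)
  testing key 0 (PIV AUTH key)
error: PKCS11 function C_SignFinal failed: rv = CKR_DATA_INVALID (0x20)
Aborting.
"""
# OpenSSH (ssh-pkcs11.c) logs the raw Cryptoki return value in decimal, which
# is where the "C_Sign failed: 32" in this bug's summary comes from.
SAMPLE_SSH_ERROR = "C_Sign failed: 32"

# Subset of PKCS#11 return values (Cryptoki v2.x), enough to decode the ones
# a PIV signing test usually produces.
CKR_NAMES = {0x00: "CKR_OK", 0x05: "CKR_GENERAL_ERROR", 0x06: "CKR_FUNCTION_FAILED",
             0x20: "CKR_DATA_INVALID", 0x21: "CKR_DATA_LEN_RANGE",
             0x30: "CKR_DEVICE_ERROR", 0x32: "CKR_DEVICE_REMOVED",
             0xA0: "CKR_PIN_INCORRECT", 0xA4: "CKR_PIN_LOCKED"}

def parse_pkcs11_tool_test(text):
    """Summarise a pkcs11-tool --test transcript: whether a slot/token was
    found, which digests passed, and the first failing Cryptoki call + rv."""
    m = re.search(r"PKCS11 function (C_\w+) failed: rv = (CKR_\w+) \(0x([0-9A-Fa-f]+)\)", text)
    return {"slot_found": "No slots." not in text,
            "digests_ok": re.findall(r"^\s+(\S+): OK$", text, re.M),
            "failed_function": m.group(1) if m else None,
            "rv_name": m.group(2) if m else None,
            "rv_code": int(m.group(3), 16) if m else None}

def parse_ssh_pkcs11_error(line):
    """Decode an OpenSSH 'C_Xxx failed: N' message (N is decimal) to a CKR name."""
    m = re.search(r"(C_\w+) failed: (\d+)\b", line)
    if not m:
        return None
    code = int(m.group(2))
    return {"failed_function": m.group(1), "rv_code": code,
            "rv_name": CKR_NAMES.get(code, "UNKNOWN_0x%02X" % code)}

def same_failure(test_result, ssh_result):
    """True when ssh and pkcs11-tool report the same return value, i.e. the
    ssh login failure is the token's signing error, not an ssh/IPA setting."""
    return test_result["rv_code"] is not None and test_result["rv_code"] == ssh_result["rv_code"]
```

Running the two parsers over a fresh pkcs11-tool --test capture and the /var/log/secure line lets you confirm the ssh failure is the card's C_Sign/C_SignFinal result before chasing sssd or IPA configuration.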

Comment 7 Jakub Jelen 2019-04-30 10:36:44 UTC
I am not sure if I already proposed testing a more recent OpenSC (to be shipped with RHEL 7.7):

https://brewweb.engineering.redhat.com/brew/buildinfo?buildID=868732

Also, I do not see any information here about what version and type of YubiKey the customer is using.

Let's also provide an OpenSC debug log from the test in the previous comment:

OPENSC_DEBUG=9 pkcs11-tool --pin 177181 --test &> /tmp/opensc.log

Comment 10 Jakub Jelen 2019-05-02 07:28:20 UTC
And the yubikey version/type? I am personally using Yubikey 4 without any problems.

Comment 11 joel 2019-05-10 20:54:38 UTC
cu has multiple keys they are working with:

~We have YubiKey 4, 5, 5c, and 5c Fips edition to test with.

Is there anything else you would need?

Comment 12 Jakub Jelen 2019-05-14 08:24:21 UTC
Do all of the above YubiKeys show the same issue as in this bug report, or is it just one of them?

Is there some other application running that might poll the smart card status during the tests?

Comment 13 joel 2019-05-14 22:23:39 UTC
cu got back with this:

We experienced the same issue with all 3 versions of the yubikey. However, I have no idea if another program is conflicting with our configuration.

Comment 14 Jakub Jelen 2019-05-16 09:05:45 UTC
OK, so let's try the following:

 * Modify /etc/opensc.conf to contain the following in the "app default" block:

    debug = 3;
    debug_file = /tmp/opensc-debug.txt;

 * Restart the system
 * Retry the test (assuming 177181 is the PIN for the YubiKey):

    $ pkcs11-tool --pin 177181 --test &> /tmp/opensc-pkcs11-tool--test.log

 * Attach the /tmp/opensc-debug.log
 * Attach a new sosreport

Comment 17 Jakub Jelen 2019-06-28 08:22:59 UTC
Hello,
I am sorry for the delay. I just tried my YubiKey with the latest RHEL7 (beta) machine and it looks like it is still working as expected.

The error message comes from the card. How was the card provisioned? How was the key generated and certificate loaded to the yubikey? From the description, the certificate and public key look fine. Is it still the same certificate and key on all the testing cards or did you try different ones?

What version of pcsc-lite and pcsc-lite-ccid is used? Can you try to install these versions from RHEL 7.7 beta too?

Also, please retry with the option disconnect_action=leave set in opensc.conf, which should address possible concurrency issues.

Comment 18 joel 2019-07-24 18:19:11 UTC
Hello,

Thanks for the update.

> What version of pcsc-lite and pcsc-lite-ccid is used?

pcsc-lite-1.8.8-8.el7.x86_64                                Tue Dec 11 14:12:56 2018
pcsc-lite-ccid-1.4.10-14.el7.x86_64                         Tue Dec 11 14:12:56 2018
pcsc-lite-libs-1.8.8-8.el7.x86_64                           Tue Dec 11 11:52:59 2018

> Is it still the same certificate and key on all the testing cards or did you try different ones?

I believe they are using the same certs for testing purposes and from them:

~We have YubiKey 4, 5, 5c, and 5c Fips edition to test with.

> Can you try to install these versions from RHEL 7.7 beta too?

Are there certain packages you want them to try? I can ask if they'll make a beta test machine.

I'm requesting they try with your disconnect option.

Comment 19 Jakub Jelen 2019-07-25 15:22:24 UTC
(In reply to joel from comment #18)
> I believe they are using the same certs for testing purposes and from them:

Please clarify how the YubiKeys were provisioned and the keys generated, and whether it is one testing key or more. If it is still the same key, can they try to generate a different one?

> > Can you try to install these versions from RHEL 7.7 beta too?
> 
> Is there certain packages you want them to try? I can ask if they'll make a
> beta test machine.

Trying the complete beta would be best; otherwise I would be interested in pcsc-lite, pcsc-lite-ccid and opensc at least.

> I'm requesting they try with your disconnect option.

Thank you.