Bug 1756326

Summary: Does not work with compressed certificates; needs to be built with zlib
Product: [Fedora] Fedora
Reporter: Craig <candrews>
Component: opensc
Assignee: Jakub Jelen <jjelen>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: urgent
Priority: unspecified
Version: 31
CC: candrews, crypto-team, gmazyland, jjelen, nmavrogi, sross, tmraz, tuju
Hardware: x86_64
OS: Linux
Fixed In Version: opensc-0.19.0-8.fc31
Doc Type: If docs needed, set a value
Last Closed: 2019-10-04 20:05:35 UTC
Type: Bug

Description Craig 2019-09-27 12:00:37 UTC
Description of problem:
opensc currently does not work with smart cards with compressed certificates. opensc cannot access any compressed certificates.
According to upstream, the fix for this is to build opensc with zlib; full details at https://github.com/OpenSC/OpenSC/issues/1811#issuecomment-535761831

Version-Release number of selected component (if applicable):
0.19.0-7.fc31

How reproducible:
With any smart card that uses compression.
I just got a new US DoD CAC (Common Access Card) on September 9, 2019, so I suspect that many (if not all) new CACs will be impacted (and since CACs are impacted, and they're a pretty big user base, that's important, so I've reported this as a high severity issue).

Steps to Reproduce:
1. Insert a smart card that has compressed certificates
2. Try to read the certificate using `pkcs15-tool --read-certificate 01`

Actual results:
$ pkcs15-tool --read-certificate 01 | openssl x509 -text -noout
Using reader with a card: Identiv SCR3500 A Contact Reader [CCID Interface] (54301709612490) 00 00
Certificate with ID '01' not found.
unable to load certificate
140098756077376:error:0909006C:PEM routines:get_name:no start line:crypto/pem/pem_lib.c:745:Expecting: TRUSTED CERTIFICAT

Expected results:
A listing of the certificate information.

Additional info:
Please see the upstream issue report at https://github.com/OpenSC/OpenSC/issues/1811
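The mechanism behind the symptom, as an added illustration that is not OpenSC's code and is not part of the report: a certificate object on a card such as the CAC can be stored compressed, so the reader has to inflate it before the bytes are DER that a parser (or `openssl x509`) can consume; a library built without zlib has no way to perform that step. The gzip/zlib wrapping, the minimal DER SEQUENCE standing in for a real X.509 certificate, and the `zlib_available` switch that emulates a build without zlib are all assumptions of this example.

```python
import gzip
import zlib
from typing import Optional

# Model of the step a PKCS#15 reader performs before it can hand a
# certificate to the caller: some card objects (the report's CAC among
# them) are stored compressed, so they must be inflated before they are
# DER. This is an added illustration, not OpenSC's implementation.

GZIP_MAGIC = b"\x1f\x8b"

# Constructed sample payload: a minimal DER SEQUENCE { INTEGER 5 }, used in
# place of a real X.509 certificate so the length check below has input.
SAMPLE_DER = b"\x30\x03\x02\x01\x05"
SAMPLE_GZIP = gzip.compress(SAMPLE_DER)   # gzip-wrapped object (assumed wrapping)
SAMPLE_ZLIB = zlib.compress(SAMPLE_DER)   # raw zlib stream, second wrapping accepted


class CertificateNotFound(Exception):
    """No usable certificate could be produced from the card object."""


def is_compressed(blob: bytes) -> bool:
    """Detect a gzip member (1f 8b) or a zlib stream (CMF 0x78, header mod 31 == 0)."""
    if blob.startswith(GZIP_MAGIC):
        return True
    return len(blob) >= 2 and blob[0] == 0x78 and ((blob[0] << 8) | blob[1]) % 31 == 0


def inflate(blob: bytes) -> bytes:
    """Decompress whichever wrapping is present; pass uncompressed data through."""
    if blob.startswith(GZIP_MAGIC):
        return gzip.decompress(blob)
    if is_compressed(blob):
        return zlib.decompress(blob)
    return blob


def der_sequence_length(data: bytes) -> int:
    """Total encoded size of the DER SEQUENCE at data[0], or -1 if not a SEQUENCE."""
    if len(data) < 2 or data[0] != 0x30:
        return -1
    first = data[1]
    if first < 0x80:                      # short form: the byte is the length
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        return -1
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def read_certificate(blob: bytes, zlib_available: bool = True) -> bytes:
    """Return the DER certificate held in a card object.

    zlib_available=False emulates a library built without zlib, the condition
    the report identifies: a compressed object cannot be inflated, so there is
    no certificate to return.
    """
    if is_compressed(blob):
        if not zlib_available:
            raise CertificateNotFound("object is compressed but zlib support is absent")
        der = inflate(blob)
    else:
        der = blob
    if der_sequence_length(der) != len(der):
        raise CertificateNotFound("object is not a single complete DER SEQUENCE")
    return der


def lookup(blob: bytes, zlib_available: bool = True) -> Optional[bytes]:
    """Tool-style wrapper: the certificate bytes, or None when it is 'not found'."""
    try:
        return read_certificate(blob, zlib_available)
    except CertificateNotFound:
        return None


if __name__ == "__main__":
    for name, obj in (("raw", SAMPLE_DER), ("gzip", SAMPLE_GZIP), ("zlib", SAMPLE_ZLIB)):
        print(name, "with zlib:", lookup(obj) is not None,
              "| without zlib:", lookup(obj, zlib_available=False) is not None)
```

The uncompressed object is readable either way; only the compressed ones depend on zlib, which is why a card that happens to carry compressed certificates is the first place a zlib-less build becomes visible.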

Comment 1 Jakub Jelen 2019-09-27 12:11:17 UTC
Thank you for the report. It looks like the zlib disappeared from the build roots for the new Fedora 31 with the mass rebuild.

https://koji.fedoraproject.org/koji/buildinfo?buildID=1332387

The last build I did was still done with zlib.

https://koji.fedoraproject.org/koji/buildinfo?buildID=1239714

Anyway, I will add the proper build requires and rebuild the OpenSC package.
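A check for whether an installed OpenSC was built with zlib, as an added example that is not from the bug or from the OpenSC project. It assumes that `opensc-tool -i` prints a version line followed by an "Enabled features:" line listing the compiled-in features; the two sample outputs are constructed, not captured from a host.

```python
import shutil
import subprocess
from typing import List, Optional

# Constructed samples of the output `opensc-tool -i` is assumed to print
# (a version line, then "Enabled features: ..."); not captured from a host.
SAMPLE_WITH_ZLIB = (
    "OpenSC 0.19.0 [gcc  9.2.1]\n"
    "Enabled features: locking zlib openssl pcsc(libpcsclite.so.1)\n"
)
SAMPLE_WITHOUT_ZLIB = (
    "OpenSC 0.19.0 [gcc  9.2.1]\n"
    "Enabled features: locking openssl pcsc(libpcsclite.so.1)\n"
)


def enabled_features(info_output: str) -> List[str]:
    """Tokens after 'Enabled features:' in opensc-tool -i output, [] if absent."""
    for line in info_output.splitlines():
        if line.startswith("Enabled features:"):
            return line.split(":", 1)[1].split()
    return []


def has_zlib(info_output: str) -> bool:
    """True when zlib is among the compiled-in features."""
    return "zlib" in enabled_features(info_output)


def installed_build_has_zlib() -> Optional[bool]:
    """Query the host's opensc-tool; None when the tool is not installed."""
    exe = shutil.which("opensc-tool")
    if exe is None:
        return None
    proc = subprocess.run([exe, "-i"], capture_output=True, text=True, check=False)
    return has_zlib(proc.stdout)


if __name__ == "__main__":
    state = installed_build_has_zlib()
    if state is None:
        print("opensc-tool not installed")
    elif state:
        print("zlib support: yes")
    else:
        print("zlib support: no (compressed certificates will not be readable)")
```

Running this before and after installing a rebuilt package is a quicker confirmation than inserting a card; `ldd` on the installed libopensc shared object (path varies by distribution) answers the same question from the linker's side.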

Comment 2 Jakub Jelen 2019-09-27 12:47:21 UTC
Please, try the following scratch build. It should address your issue:

https://koji.fedoraproject.org/koji/taskinfo?taskID=37892414

I will issue package update soon.

Comment 3 Craig 2019-09-27 14:04:51 UTC
(In reply to Jakub Jelen from comment #2)
> Please, try the following scratch build. It should address your issue:
> 
> https://koji.fedoraproject.org/koji/taskinfo?taskID=37892414
> 
> I will issue package update soon.

I tested opensc-0.19.0-7.1.fc31.x86_64.rpm and can confirm that it fixes the issue. Thank you very much!

Comment 4 Fedora Update System 2019-09-30 12:25:47 UTC
FEDORA-2019-a413bf11e2 has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2019-a413bf11e2

Comment 5 Fedora Update System 2019-10-01 03:06:28 UTC
opensc-0.19.0-8.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-a413bf11e2

Comment 6 Fedora Update System 2019-10-04 20:05:35 UTC
opensc-0.19.0-8.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.