Bug 1766712

Summary: I'm unable to use my SIPR Token (smartcard, Coolkey type) for Kerberos or SSSD authentication with RHEL 8. When running kinit, the result is "Preauthentication failed" even when I enter the correct PIN.
Product: Red Hat Enterprise Linux 8
Reporter: joel <jwooten>
Component: opensc
Assignee: Jakub Jelen <jjelen>
Status: CLOSED ERRATA
QA Contact: PKI QE <bugzilla-pkiqe>
Severity: urgent
Priority: medium
Version: 8.0
CC: aakkiang, mthacker, sveerank
Target Milestone: rc
Flags: pm-rhel: mirror+
Target Release: 8.0
Hardware: All
OS: Linux
Fixed In Version: opensc-0.19.0-6.el8
: 2140656
Last Closed: 2020-04-28 16:52:15 UTC
Type: Bug
Bug Blocks: 2140656
Attachments: output of attempt to connect

Description joel 2019-10-29 17:45:49 UTC
Description of problem:
customer inserts card, enters pin and authentication fails

Version-Release number of selected component (if applicable):
RHEL 8.0
opensc-0.19.0-4.el8.x86_64

How reproducible:
very

Steps to Reproduce:
1. basic R8 install
2. insert cac card 
3. enter pin

Actual results:
  fails
[opensc-pkcs11] apdu.c:554:sc_transmit_apdu: called
[opensc-pkcs11] apdu.c:261:sc_check_apdu: failed length check for short APDU
[opensc-pkcs11] apdu.c:339:sc_check_apdu: Invalid Case 3 short APDU:
cse=03 cla=b0 ins=54 p1=00 p2=00 lc=257 le=0

Expected results:
authentication

Additional info:
[opensc-pkcs11] apdu.c:554:sc_transmit_apdu: called
[opensc-pkcs11] apdu.c:261:sc_check_apdu: failed length check for short APDU
[opensc-pkcs11] apdu.c:339:sc_check_apdu: Invalid Case 3 short APDU:
cse=03 cla=b0 ins=54 p1=00 p2=00 lc=257 le=0
resp=0x7ffd6223be90 resplen=0 data=0x7ffd6223ce90 datalen=257
[opensc-pkcs11] card-coolkey.c:1018:coolkey_apdu_io: result r=-1300 apdu.resplen=0 sw1=00 sw2=00
[opensc-pkcs11] card-coolkey.c:1021:coolkey_apdu_io: Transmit failed
[opensc-pkcs11] card-coolkey.c:1044:coolkey_apdu_io: returning with: -1300 (Invalid arguments)
[opensc-pkcs11] card-coolkey.c:1868: coolkey_compute_crypt: returning with: -1300 (Invalid arguments)
[opensc-pkcs11] sec.c:63:sc_compute_signature: returning with: -1300 (Invalid arguments)
[opensc-pkcs11] card.c:465:sc_unlock: called
[opensc-pkcs11] pkcs15-sec.c:461:sc_pkcs15_compute_signature: use_key() failed: -1300 (Invalid arguments)
[opensc-pkcs11] card.c:465:sc_unlock: called
[opensc-pkcs11] reader-pcsc.c:663:pcsc_unlock: called
[opensc-pkcs11] framework-pkcs15.c:3887:pkcs15_prkey_sign: Sign complete. Result -1300.
[opensc-pkcs11] misc.c:61:sc_to_cryptoki_error_common: libopensc return value: -1300 (Invalid arguments)
[opensc-pkcs11] mechanism.c:481:sc_pkcs11_signature_final: returning with: 7
[opensc-pkcs11] mechanism.c:336:sc_pkcs11_sign_final: returning with: 7
[opensc-pkcs11] pkcs11_object.c:701:C_Sign: C_Sign() = CKR_ARGUMENTS_BAD

Comment 1 joel 2019-10-29 17:49:25 UTC
Created attachment 1630277
output of attempt to connect

Comment 2 joel 2019-10-29 17:53:48 UTC
customer found related issue with opensc:

I am fairly certain that this is the same problem:
https://github.com/OpenSC/OpenSC/issues/1524

Customer used upstream patch, this resolved issue:

opensc-0.19.0-coolkey-2048-bit-keys.patch (0 KB)
patch from https://github.com/OpenSC/OpenSC/pull/1532

customer is looking for incorporation of this patch
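
The `sc_check_apdu` rejection in the log above follows from ISO 7816-4 length encoding: a short APDU carries Lc in a single byte, so a Case 3 command with lc=257 cannot be sent in short form. The C below is an added example, not OpenSC's code and not the upstream patch; the struct and function names are hypothetical, and it assumes the log prints cse/cla/ins/p1/p2 in hex and lc/le in decimal.

```c
#include <stdio.h>
#include <stddef.h>

/* ISO 7816-4: Lc is 1 byte in short APDUs, 2 bytes after a 0x00 marker in extended. */
#define SHORT_LC_MAX 255u
#define EXT_LC_MAX   65535u

/* Fields as printed by the sc_check_apdu log line (hypothetical struct). */
struct apdu_fields {
    unsigned cse, cla, ins, p1, p2;   /* logged in hex */
    size_t lc, le;                    /* logged in decimal */
};

/* Parse e.g. "cse=03 ... lc=257 le=0". Returns 0 on success, -1 otherwise. */
int parse_apdu_log(const char *line, struct apdu_fields *a)
{
    int n = sscanf(line, "cse=%x cla=%x ins=%x p1=%x p2=%x lc=%zu le=%zu",
                   &a->cse, &a->cla, &a->ins, &a->p1, &a->p2, &a->lc, &a->le);
    return n == 7 ? 0 : -1;
}

/* Case 3: command data present, no response data expected.
 * Returns 0 if Lc fits the chosen encoding, -1 otherwise. */
int check_case3(const struct apdu_fields *a, int extended)
{
    size_t max = extended ? EXT_LC_MAX : SHORT_LC_MAX;
    if (a->lc == 0 || a->le != 0)
        return -1;                    /* not a Case 3 command */
    return a->lc <= max ? 0 : -1;
}

/* Bytes on the wire: 4-byte header + Lc field (1 or 3 bytes) + data.
 * Returns 0 when the command cannot be encoded. */
size_t case3_encoded_len(const struct apdu_fields *a, int extended)
{
    if (check_case3(a, extended) != 0)
        return 0;
    return 4 + (extended ? 3 : 1) + a->lc;
}

int main(void)
{
    struct apdu_fields a;
    if (parse_apdu_log("cse=03 cla=b0 ins=54 p1=00 p2=00 lc=257 le=0", &a))
        return 1;
    printf("short: %d  extended: %d (%zu bytes)\n", check_case3(&a, 0),
           check_case3(&a, 1), case3_encoded_len(&a, 1));
    return 0;
}
```

A 2048-bit RSA input is 256 bytes, which already exceeds the 255-byte short limit before any additional header byte is counted.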

Comment 7 errata-xmlrpc 2020-04-28 16:52:15 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2020:1843