Bug 454003

Summary: GEMALTO GCX4 72K D1 : Card class failure : pam_pkcs11(login:auth): sign_value() failed
Product: Red Hat Enterprise Linux 5
Reporter: Aaron Lippold <aaron.lippold>
Component: pam_pkcs11
Assignee: Bob Relyea <rrelyea>
Status: CLOSED WONTFIX
Severity: medium
Priority: low
Version: 5.2
CC: aaron.lippold, eparis, mrhodes
Target Milestone: rc
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2014-04-22 20:32:04 UTC

Description Aaron Lippold 2008-07-03 19:24:35 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.15) Gecko/20080623 Firefox/2.0.0.15

Description of problem:
General Error:

When I try to use the Gemalto GCX4 72k D1 card to log in via GDM or the console, the authentication always fails. It seems that there is a signature failure when signing the challenge from the private key; however, this is a guess.

Results:

I get an 'authentication failed' for both GDM and the console (which is expected), and /var/log/security lists:

[12:37] aaronlippold: Jul 2 12:35:09 localhost login: pam_pkcs11(login:auth): sign_value() failed:
Jul 2 12:35:09 localhost login: FAILED LOGIN 1 FROM (null) FOR aaronl, Insufficient credentials to access authentication data

Other Notes:

1) Working

- READING: The middleware can read and display all the data using the standard tools (esd, pklogin_finder, etc.)
- Installing Certs: The 2048 certs are installed into the nssdb without issues
- Removing Certs: The 2048 certs are removed from the nssdb without issues
- PKLOGIN_FINDER: The pklogin_finder is able to find the user cert on the card and map it correctly to the associated user account
- PKLOGIN_FINDER DEBUG: Properly established the trust chain and displays all the expected debug info that the 64k cards give


2) Broken

- Auth via GDM: The coolkey middleware throws an error when it tries to use the private key on the card
- Auth via console: same error because it is the same subsystem.




Version-Release number of selected component (if applicable):
nss-3.12.0.3-1.el5, nss_tools-3.12.0.3-1.el5, pam_pkcs11-0.5.3-23

How reproducible:
Always


Steps to Reproduce:
(assuming your RH client is set up to use smartcard already)

1. Install the root and intermediate certs for the test tokens into the nssdb using standard methods
2. Log out back to GDM or go to a console
3. Insert a GEMALTO GCX4 72K D1 into a supported reader
4. Get GDM or the console to ask for your PIN and notice the card (i.e. hit enter or pull and replace the card once or twice)
5. GDM or the console will ask for the PIN of the user cert
6. Enter PIN
7. GDM/console will return with 'authentication failed'

Actual Results:
[12:37] aaronlippold: Jul 2 12:35:09 localhost login:
pam_pkcs11(login:auth): sign_value() failed:
Jul 2 12:35:09 localhost login: FAILED LOGIN 1 FROM (null) FOR aaronl,
Insufficient credentials to access authentication data

Was issued to /var/log/security

Expected Results:
Authentication should have been valid

Additional info:

Comment 1 RHEL Program Management 2014-03-07 13:35:44 UTC
This bug/component is not included in scope for RHEL-5.11.0 which is the last RHEL5 minor release. This Bugzilla will soon be CLOSED as WONTFIX (at the end of RHEL5.11 development phase (Apr 22, 2014)). Please contact your account manager or support representative in case you need to escalate this bug.

Comment 2 Red Hat Bugzilla 2023-09-14 01:13:09 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days
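
The following is an added triage example, not part of the bug report or of pam_pkcs11: it pairs each `sign_value() failed` line with the console `FAILED LOGIN` line that follows it, so card signing failures can be told apart from other failed logins. The sample log, the user names and the 5-second correlation window are constructed assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample in the format quoted in the report; users and times are
# made up. The second record is wrapped, as in the report's "Actual Results".
SAMPLE = """\
Jul 2 12:35:09 localhost login: pam_pkcs11(login:auth): sign_value() failed:
Jul 2 12:35:09 localhost login: FAILED LOGIN 1 FROM (null) FOR user1,
Insufficient credentials to access authentication data
Jul 2 12:41:30 localhost login: FAILED LOGIN 1 FROM (null) FOR user2, Authentication failure
Jul 2 12:50:02 localhost login: pam_pkcs11(login:auth): sign_value() failed:
Jul 2 12:50:03 localhost login: FAILED LOGIN 2 FROM (null) FOR user1, Insufficient credentials to access authentication data
"""

STAMP = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
                   r"(?P<host>\S+) (?P<proc>[^:\s]+): (?P<msg>.*)$")
SIGN_FAIL = re.compile(r"pam_pkcs11\([^)]*\): sign_value\(\) failed")
FAILED = re.compile(r"FAILED LOGIN \d+ FROM \S+ FOR (?P<user>[^,]+),")

def records(text):
    """Return [time, host, message] records; a line without a syslog stamp is
    a wrapped continuation and is appended to the previous record."""
    out = []
    for line in text.splitlines():
        m = STAMP.match(line)
        if m:
            # syslog stamps carry no year; 2000 is an arbitrary placeholder
            ts = datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S")
            out.append([ts, m["host"], m["msg"]])
        elif out and line.strip():
            out[-1][2] += " " + line.strip()
    return out

def signing_failures(text, window=timedelta(seconds=5)):
    """Count, per user, failed logins that follow a pam_pkcs11 sign_value()
    error on the same host within `window` (an assumed correlation window)."""
    pending = {}            # host -> time of the last unclaimed signing error
    per_user = Counter()
    for ts, host, msg in records(text):
        if SIGN_FAIL.search(msg):
            pending[host] = ts
            continue
        m = FAILED.search(msg)
        if m and host in pending and ts - pending.pop(host) <= window:
            per_user[m["user"]] += 1
    return per_user

if __name__ == "__main__":
    print(dict(signing_failures(SAMPLE)))
```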