Bug 688837
|
Description
Ivan Georgiev
2011-03-18 07:53:10 UTC
For fun, did you try it with SELinux in permissive mode, if it is not already? Created attachment 486287 [details]
Trance from pcscd after setting SELinux to permissive
Hello, First, Let me thank you for the fast response. No, SELinux was in enforcing mode, now is in permissive. I was kind of hoping to fix that issue first. However, I set it in permissive mode and rebooted. I cannot see any change in the logs and issue still remains. There is no change in pkcs11_listcert output. I attached the output from pcscd again. Tonight I will try to compile earlier versions of coolkey and determine when problem started. Cheers, Ivan Sure, I was not suggesting that permissive was to be the fix. It would have merely been interesting to note if the problem would go away, thus narrowing it down. You can also try export COOL_KEY_LOG_FILE=cool.log at the prompt before running the tool. That magic was not included in my handbook ;) [root@ivan-laptop src]# tail -f /tmp/cool.log CAC Cert 0: Fetch rest : 639 ms CAC Cert 0: Cert has been read: 639 ms CAC Cert 0: Cert has been uncompressed: 639 ms CAC Cert 1: select CAC applet: 71 ms Connection Error = 0x80100003 cleared all sessions refreshTokenState: Failed to load objects. isTokenPresent, card state is 0x1 C_CloseAllSessions(0x1) called Finalizing... Could this be an issue with the driver? May be I should try with earlier versions of pcsc-lite ? Here is an update: 1) Never try to steal the device from pcscd demon, because it will get mad and fill your "/" !: The following message repeated like hell ( do I have to open a bug report for this too? ) Mar 18 20:41:47 ivan-laptop pcscd: eventhandler.c:395:EHStatusHandlerThread() Error communicating to: Activkey Sim 00 00 Mar 18 20:41:47 ivan-laptop pcscd: ccid_usb.c:613:WriteUSB() write failed (8/5): -1 Device or resource busy Mar 18 20:41:47 ivan-laptop pcscd: ifdwrapper.c:481:IFDStatusICC() Card not transacted: 612 2) I can confirm that on Fedora 12 running under Virtual Box there is no issue at all. I was prompted for PIN code as expected. Below you can see package versions: ================================================================================================= Installing: coolkey i686 1.1.0-11.fc12 fedora 76 k pcsc-lite i686 1.5.2-5.fc12 updates 127 k Updating: prelink i686 0.4.3-2.fc12 updates 990 k Installing for dependencies: ccid i686 1.3.9-2.fc12 fedora 111 k ifd-egate i686 0.05-22 fedora 24 k nss-sysinit i686 3.12.8-2.fc12 updates 27 k nss-tools i686 3.12.8-2.fc12 updates 766 k pcsc-lite-libs i686 1.5.2-5.fc12 updates 26 k Updating for dependencies: nspr i686 4.8.6-1.fc12 updates 112 k nss i686 3.12.8-2.fc12 updates 756 k nss-softokn i686 3.12.8-1.fc12 updates 171 k nss-softokn-freebl i686 3.12.8-1.fc12 updates 112 k nss-util i686 3.12.8-1.fc12 updates 45 k [root@localhost ~]# pkcs11_inspect debug DEBUG:pam_config.c:188: Using config file /etc/pam_pkcs11/pam_pkcs11.conf DEBUG:pkcs11.c:65: Initializing NSS ... DEBUG:pkcs11.c:75: Initializing NSS ... database=/etc/pki/nssdb DEBUG:pkcs11.c:89: ... NSS Complete DEBUG:pkcs11_inspect.c:66: loading pkcs #11 module... DEBUG:pkcs11.c:101: Looking up module in list DEBUG:pkcs11.c:104: modList = 0x8b45870 next = 0x8b4eb50 DEBUG:pkcs11.c:105: dllName= <null> DEBUG:pkcs11.c:104: modList = 0x8b4eb50 next = 0x0 DEBUG:pkcs11.c:105: dllName= libcoolkeypk11.so DEBUG:pkcs11_inspect.c:74: initialising pkcs #11 module... PIN for token: DEBUG:pkcs11_inspect.c:101: PIN = [xxxxxx] DEBUG:pkcs11.c:399: cert 0: found (Ivan Georgiev:CAC ID Certificate), "I will skip that part" DEBUG:mapper_mgr.c:172: Retrieveing mapper module list DEBUG:mapper_mgr.c:73: Loading static module for mapper 'cn' DEBUG:mapper_mgr.c:197: Inserting mapper [cn] into list DEBUG:mapper_mgr.c:73: Loading static module for mapper 'uid' DEBUG:mapper_mgr.c:197: Inserting mapper [uid] into list DEBUG:mapper_mgr.c:73: Loading static module for mapper 'pwent' DEBUG:mapper_mgr.c:197: Inserting mapper [pwent] into list DEBUG:mapper_mgr.c:73: Loading static module for mapper 'null' DEBUG:mapper_mgr.c:197: Inserting mapper [null] into list DEBUG:pkcs11_inspect.c:139: verifing the certificate for the key #1 DEBUG:cert_vfy.c:37: Verifying Cert: Ivan Georgiev:CAC ID Certificate (Will skip that part, too) DEBUG:cert_vfy.c:41: Couldn't verify Cert: Peer's Certificate issuer is not recognized. DEBUG:pkcs11_inspect.c:152: verify_certificate() failed: DEBUG:mapper_mgr.c:214: unloading mapper module list DEBUG:mapper_mgr.c:137: calling mapper_module_end() cn DEBUG:mapper_mgr.c:148: Module cn is static: don't remove DEBUG:mapper_mgr.c:137: calling mapper_module_end() uid DEBUG:mapper_mgr.c:148: Module uid is static: don't remove DEBUG:mapper_mgr.c:137: calling mapper_module_end() pwent DEBUG:mapper_mgr.c:148: Module pwent is static: don't remove DEBUG:mapper_mgr.c:137: calling mapper_module_end() null DEBUG:mapper_mgr.c:148: Module null is static: don't remove DEBUG:pkcs11_inspect.c:174: releasing pkcs #11 module... DEBUG:pkcs11_inspect.c:177: Process completed [root@localhost ~]# I tried to downgrade the packages. Now everything is working. We MUST find the issue here... [root@ivan-laptop log]# rpm -q pcsc-lite coolkey ccid pam_pkcs11 ifd-egate pcsc-lite-1.5.5-4.fc13.i686 coolkey-1.1.0-11.fc12.i686 ccid-1.3.11-2.fc13.i686 pam_pkcs11-0.5.3-25.i386 ifd-egate-0.05-20.i386 On Fedora 14 this does not sound good... If you could, you could try to update the coolkey, if it installs, and see if there is the same problem. (In reply to comment #9) > If you could, you could try to update the coolkey, if it installs, and see if > there is the same problem. Hello, Let me clarify. I am using Fedora 14. In order to get the ActiveKey working i had to downgrade. Here is what I did: 1) Using packages from Fedora 14 repository key did not work 2) I removed with yum: Running Transaction Erasing : coolkey-1.1.0-17.fc14.i686 1/3 Erasing : ccid-1.4.0-2.fc14.i686 2/3 Module "CoolKey PKCS #11 Module" deleted from database. Erasing : pcsc-lite-1.6.4-3.fc14.i686 3) I Downgraded to: pcsc-lite-1.5.5-4.fc13.i686 coolkey-1.1.0-11.fc12.i686 ccid-1.3.11-2.fc13.i686 pam_pkcs11-0.5.3-25.i386 ifd-egate-0.05-20.i386 4) Now the ActiveKey worked and I tested it successfully. As a conclusion from my tests I suspect a bug in pcsc-lite package introduced somewhere between 1.5.5 and 1.6.0m but I cannot confirm. Since this is my first bug report, please guide me if someone else should be involved. Let me also mention that this authentication method is used by quite a lot people(put 4+ digits number here ) and we will be very happy to check our mailboxes from home, without needing 20 GB copy of "other" OS ;) Cheers, Ivan Should I upgrade again, after spending my effort in downgrading ? Hi, I was merely suggesting that since you have all the supporting components downgraded, you might try upgrading only coolkey to its current version. If it still works, that may point to changes in supporting components. Another thing you may try is upgrade everything and incrementally downgrade coolkey to see if that makes it work. Hello, I updated coolkey as you suggested. It still works. So it is pcsc-lite fault then? BTW the situation makes sense - there has been no updates in coolkey package since 2008. Should i open another bug report? I believe the latest coolkey on F14 is 1.1.0-17, which was done in 2010. Hello, root@ivan-laptop ivan]# rpm -q coolkey coolkey-1.1.0-17.fc14.i686 I don't dare to argue about that. So what I've got so far is that problem is not with coolkey but with pcsc-lite or ccid. Tomorrow I will start updating as suggested - step by step and will report back... Cheers, Ivan Created attachment 486380 [details]
Listing of packages where ActiveKey works/does not work
Hello, I did a listing with packages and it seems that problem occurred between packages coolkey-1.1.0-14.fc13.i686 and coolkey-1.1.0-17.fc13.i686. I cannot find the builds between these versions. If you give me a links, I could test. Cheers, Ivan Here, this should give you a listing of the builds available. http://koji.fedoraproject.org/koji/packageinfo?packageID=5 Hello, Here is the update: issue occurred in package coolkey-1.1.0-16.fc14.i686.rpm. In coolkey-1.1.0-15.fc14.i686.rpm there was no issue. Thank you for your help with this. This is helpful information. Ivan, How many certs do you have in your token? bob Hello, I cannot be sure. Generally it is only one, but I have renewed it once. I cannot tell if the old one is deleted. > Hello,
> I cannot be sure. Generally it is only one, but I have renewed it once. I
> cannot tell if the old one is deleted.
That's enough information. The answer is that it's not 3. All the CAC cards I have have 3 certs on them. I think less than 3 broke in 1.1.0-16. If I give you a patch, could you test it for me? (that is do you have the ability to rebuild coolkey on your machine?
bob
Hello, I have tried to compile coolkey myself in past, but did not succeed ( I cannot remember the error now, but it was not related to broken dependency ). If you give me the patch, I could try again, but I would prefer a cooked rpm. Cheers, Ivan Gentlemen, Fedora 15 is out there with coolkey-1.1.0-19.fc15.i686. ISSUE STILL REMAINS! Is there going to be any patch? I do not see any error at the PC/SC level in the trace "Trance from pcscd after setting SELinux to permissive". Maybe it is a regression in pam_pkcs11 (pkcs11_inspect) Hello, I dare to disagree, because issue is resolved when I revert to older version of coolkey. I do not touch any other package. However, I would provide with whatever tests you need. Can you suggest any steps? It seems the similar issue was found on the Ubuntu 11.04. Fix avalaible here: https://bugs.launchpad.net/ubuntu/+source/coolkey/+bug/786682 Let me know if this will helps. Thanks, Vladimir (In reply to comment #6) > That magic was not included in my handbook ;) > > [root@ivan-laptop src]# tail -f /tmp/cool.log > CAC Cert 0: Fetch rest : 639 ms > CAC Cert 0: Cert has been read: 639 ms > CAC Cert 0: Cert has been uncompressed: 639 ms > CAC Cert 1: select CAC applet: 71 ms > Connection Error = 0x80100003 > cleared all sessions > refreshTokenState: Failed to load objects. > isTokenPresent, card state is 0x1 > C_CloseAllSessions(0x1) called > Finalizing... > > > Could this be an issue with the driver? May be I should try with earlier > versions of pcsc-lite ? Yep this is the same issue which I fixed alreadt. Patch was uploaded here - https://bugs.launchpad.net/ubuntu/+source/coolkey/+bug/786682 It's definitely resolve this issue. Created attachment 500732 [details]
This patch resolve issue related to ActiveKey and other token which can include empty certificate in non 0 slots.
This is a patch to resolve issue described in the bug.
This patch resolve issue related to ActiveKey and other token which can include empty certificate in non 0 slots.
This bug is appeared after CAC implementation coolkey-cac.patch... Hi, I can't find the line mentioned to correct this issue: [root@cschimidt3 coolkey]# grep CKYBuffer_Size slot.cpp | grep cert CKYSize certSize = CKYBuffer_Size(&rawCert); CKYBuffer_InitFromBuffer(&cert,&rawCert,1,CKYBuffer_Size(&rawCert)-1); I've installed Fedora 14 64 bits. I could see in the messages log that Activkey was detected: May 26 11:38:11 cschimidt3 kernel: [ 1459.874074] usb 5-1: new low speed USB device using ohci_hcd and address 4 May 26 11:38:12 cschimidt3 kernel: [ 1460.030086] usb 5-1: New USB device found, idVendor=09c3, idProduct=0003 May 26 11:38:12 cschimidt3 kernel: [ 1460.030105] usb 5-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0 May 26 11:38:12 cschimidt3 kernel: [ 1460.030122] usb 5-1: Product: Token-USB May 26 11:38:12 cschimidt3 kernel: [ 1460.030128] usb 5-1: Manufacturer: ActivCard S.A. I figure out that pcsc_scan hang if openct it was started: [root@cschimidt3 pcsc]# pcsc_scan PC/SC device scanner V 1.4.17 (c) 2001-2009, Ludovic Rousseau <ludovic.rousseau> Compiled with PC/SC lite version: 1.6.4 Scanning present readers... Waiting for the first reader... And pkcs11-dump list slot 1 as "E-Gate" [root@cschimidt3 ~]# pkcs11-dump slotlist /usr/lib64/pkcs11/libcoolkeypk11.so pkcs11-dump 0.3.4 - PKI Cryptoki token dump Written by Alon Bar-Lev Copyright (C) 2005-2006 Alon Bar-Lev. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 1 E-Gate 0 0 After stop openct and restar pcsc: [root@cschimidt3 ]# pkcs11-dump slotlist /usr/lib64/pkcs11/libcoolkeypk11.so pkcs11-dump 0.3.4 - PKI Cryptoki token dump Written by Alon Bar-Lev Copyright (C) 2005-2006 Alon Bar-Lev. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 1 SCM SCR 3340 ExpressCard54 [CCID Interface] (00000000000000) 00 But it's not possible see the Activkey TOKEN-USB. [root@cschimidt3 linux]# export COOL_KEY_LOG_FILE=/tmp/cool.log [root@cschimidt3 linux]# pkcs11_listcerts debug DEBUG:pam_config.c:238: Using config file /etc/pam_pkcs11/pam_pkcs11.conf DEBUG:pkcs11_lib.c:182: Initializing NSS ... DEBUG:pkcs11_lib.c:192: Initializing NSS ... database=/etc/pki/nssdb DEBUG:pkcs11_lib.c:210: ... NSS Complete DEBUG:pkcs11_listcerts.c:69: loading pkcs #11 module... DEBUG:pkcs11_lib.c:222: Looking up module in list DEBUG:pkcs11_lib.c:225: modList = 0x12a16a0 next = 0x12b5d80 DEBUG:pkcs11_lib.c:226: dllName= <null> DEBUG:pkcs11_lib.c:225: modList = 0x12b5d80 next = 0x0 DEBUG:pkcs11_lib.c:226: dllName= libcoolkeypk11.so DEBUG:pkcs11_listcerts.c:77: initialising pkcs #11 module... DEBUG:pkcs11_listcerts.c:94: no token available [root@cschimidt3 linux]# cat /tmp/cool.log Initialize called, hello 5 C_GetInfo called C_GetSlotList called calling IsConnected card changed cleared all sessions isTokenPresent, card state is 0x1 C_GetSlotList called calling IsConnected card changed cleared all sessions isTokenPresent, card state is 0x1 Called C_GetSlotInfo calling IsConnected card changed cleared all sessions isTokenPresent, card state is 0x1 Called C_GetSlotInfo calling IsConnected card changed cleared all sessions isTokenPresent, card state is 0x1 C_CloseAllSessions(0x1) called Finalizing... [root@cschimidt3 ~]# lsusb Bus 007 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub Bus 006 Device 002: ID 138a:0007 DigitalPersona, Inc Fingeprint Reader Bus 006 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub Bus 005 Device 002: ID 03f0:231d Hewlett-Packard Bus 005 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub Bus 004 Device 007: ID 09c3:0003 ActivCard, Inc. Bus 004 Device 004: ID 046d:c51b Logitech, Inc. V220 Cordless Optical Mouse for Notebooks Bus 004 Device 003: ID 04e6:5119 SCM Microsystems, Inc. SCR3340 - ExpressCard54 Smart Card Reader Bus 004 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub Bus 003 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub Bus 001 Device 005: ID 090c:1000 Feiya Technology Corp. Flash Drive Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub I'd appreciate any help Thanks It seems you have another issue. It's not related to this defect, since in this defect we are talking about ActiveKey SIM but not ActiveKey Token-USB. Please look at http://pcsclite.alioth.debian.org/ccid/section.html and try to find you cardreader/token. It seems it's not supported by pcscd. Contact with Ludovic author of pcscd may it will help you. Exact. The 09c3:0003 ActivCard, Inc. device is not in my list. Your reader is not supported. Just use your SCR3340 reader instead. This exact same issue happens to me on any Ubuntu flavor, and also Arch, when using any coolkey > 1.1.0-6. No PIN is requested when running pkcs11_listcerts, etc. I don't believe this issue to be the same as https://bugs.launchpad.net/ubuntu/+source/coolkey/+bug/786682 I filed another bug on https://bugs.launchpad.net/ubuntu/+source/coolkey/+bug/888185 for 1.1.0-8 since that's where it started for me on Ubuntu Natty. Can confirm that when I downgrade coolkey and libckyapplet to 1.1.0-6 everything works as expected. Other than this, I can detect my Activkey by running pcsc_scan with no problem. On Arch, I install 1.1.0_19-4 and I have the same problem. You don't belive but it seems that this is the same issue. Let's discuss it in youre defect thread. BTW guys, why patch which resolve this issue still was not reviewed and was not pusblish in the redhat repo? Anybody from maintainers can review this patch? Actually you are probably right, on the other bug (#786682 ) you mention the following: Issue is appeared when CAC was implemented (coolkey-cac.patch). Some of key (include ActiveKey) can include empty certificate In this case we don't need to throw exception if this is not slot 0. So I went and removed the CAC patches (and a pcsc-lite-fix patch) from the build process outlined here: http://aur.archlinux.org/packages/co/coolkey/PKGBUILD Plus added another patch that I found over here: https://bugzilla.redhat.com/show_bug.cgi?id=626029 Builds up OK and requests for PIN as expected. Hello, I don't know for you but for me the situation got worse. I used the device easily in F12/13. In F14 I had to use the old packages. Totally gave up for F15. Now F16 the problem remains: 1) I cannot install old software, because it depends on HAL. Fedora 16 does not have HAL anymore. 2) The last package of coolkey which I was able to test today was: coolkey-1.1.0-14.fc13.i686 According to my logs when I first opened this bug report ( see attached files ) this package worked! Now it does not. The current package - coolkey-1.1.0-19.fc15.i686 does not work as well. In both cases i receive the following error: [root@ivan-laptop rpm]# pkcs11_inspect debug DEBUG:pam_config.c:238: Using config file /etc/pam_pkcs11/pam_pkcs11.conf DEBUG:pkcs11_lib.c:182: Initializing NSS ... DEBUG:pkcs11_lib.c:192: Initializing NSS ... database=/etc/pki/nssdb DEBUG:pkcs11_lib.c:210: ... NSS Complete DEBUG:pkcs11_inspect.c:69: loading pkcs #11 module... DEBUG:pkcs11_lib.c:222: Looking up module in list DEBUG:pkcs11_lib.c:225: modList = 0x90c0648 next = 0x90cf0e8 DEBUG:pkcs11_lib.c:226: dllName= <null> DEBUG:pkcs11_lib.c:225: modList = 0x90cf0e8 next = 0x0 DEBUG:pkcs11_lib.c:226: dllName= libcoolkeypk11.so DEBUG:pkcs11_inspect.c:78: initialising pkcs #11 module... DEBUG:pkcs11_inspect.c:95: no token available I followed the instructions from Gabrio and compiled myself the package by excluding the patched, he excluded - still no change. My question is: Could someone that uses the same device provide me with the exact versions of his/hers software (32 bit/64 bit, version number, build number, etc). I am interested in: 1) Distribution 2) pcsc-lite 3) pcsc-lite-libs 4) pcsc-lite-ccid 5) coolkey 6) pam_pkcs11 P.S. When the token worked, the light on it was always green. Now (Fedora 16) the light blinks only when the token is queried via pkcs11* tools: The log from pcscd shows: 00042175 eventhandler.c:256:EHStatusHandlerThread() powerState: POWER_STATE_POWERED 00000070 Card ATR: 3B FD 18 00 FF 80 B1 FE 45 1F 07 80 73 00 21 13 57 4A 54 48 61 31 47 00 5F 05006861 ifdhandler.c:1163:IFDHPowerICC() action: PowerDown, usb:09c3/0014:libudev:0:/dev/bus/usb/006/014 (lun: 0) 00001994 eventhandler.c:446:EHStatusHandlerThread() powerState: POWER_STATE_UNPOWERED Why is the token "unpowered"? It works perfect in windows, so it is not a HW problem. All help will be deeply apritiated! It's normal way after latest changes in the pcscd package. It's related to reduce power usage by the token. It will turn on it when it's needed... Could you please send the log of the pkcs11_listcerts --debug command. -- Vladimir ## Here is the outputL [root@ivan-laptop pam_pkcs11]# pkcs11_listcerts debug DEBUG:pam_config.c:238: Using config file /etc/pam_pkcs11/pam_pkcs11.conf DEBUG:pkcs11_lib.c:182: Initializing NSS ... DEBUG:pkcs11_lib.c:192: Initializing NSS ... database=/etc/pki/nssdb DEBUG:pkcs11_lib.c:210: ... NSS Complete DEBUG:pkcs11_listcerts.c:69: loading pkcs #11 module... DEBUG:pkcs11_lib.c:222: Looking up module in list DEBUG:pkcs11_lib.c:225: modList = 0x8e54680 next = 0x8e63168 DEBUG:pkcs11_lib.c:226: dllName= <null> DEBUG:pkcs11_lib.c:225: modList = 0x8e63168 next = 0x0 DEBUG:pkcs11_lib.c:226: dllName= libcoolkeypk11.so DEBUG:pkcs11_listcerts.c:77: initialising pkcs #11 module... DEBUG:pkcs11_listcerts.c:94: no token available [root@ivan-laptop pam_pkcs11]# pkcs11_listcerts debug DEBUG:pam_config.c:238: Using config file /etc/pam_pkcs11/pam_pkcs11.conf DEBUG:pkcs11_lib.c:182: Initializing NSS ... DEBUG:pkcs11_lib.c:192: Initializing NSS ... database=/etc/pki/nssdb ^[[ADEBUG:pkcs11_lib.c:210: ... NSS Complete DEBUG:pkcs11_listcerts.c:69: loading pkcs #11 module... DEBUG:pkcs11_lib.c:222: Looking up module in list DEBUG:pkcs11_lib.c:225: modList = 0x8e43680 next = 0x8e52168 DEBUG:pkcs11_lib.c:226: dllName= <null> DEBUG:pkcs11_lib.c:225: modList = 0x8e52168 next = 0x0 DEBUG:pkcs11_lib.c:226: dllName= libcoolkeypk11.so DEBUG:pkcs11_listcerts.c:77: initialising pkcs #11 module... DEBUG:pkcs11_listcerts.c:94: no token available ## Why are the modList numbers changing? The output above was with the package in the Fedora repository. The output below is from the compiled package: [root@ivan-laptop rpm]# pkcs11_listcerts debug DEBUG:pam_config.c:238: Using config file /etc/pam_pkcs11/pam_pkcs11.conf DEBUG:pkcs11_lib.c:182: Initializing NSS ... DEBUG:pkcs11_lib.c:192: Initializing NSS ... database=/etc/pki/nssdb DEBUG:pkcs11_lib.c:210: ... NSS Complete DEBUG:pkcs11_listcerts.c:69: loading pkcs #11 module... DEBUG:pkcs11_lib.c:222: Looking up module in list DEBUG:pkcs11_lib.c:225: modList = 0x8f1f608 next = 0x0 DEBUG:pkcs11_lib.c:226: dllName= <null> DEBUG:pkcs11_lib.c:272: loading Module explictly, moduleSpec=<library="/usr/lib/pkcs11/libcoolkeypk11.so" name="SmartCard"> module=/usr/lib/pkcs11/libcoolkeypk11.so DEBUG:pkcs11_lib.c:286: load module complete DEBUG:pkcs11_listcerts.c:77: initialising pkcs #11 module... DEBUG:pkcs11_listcerts.c:94: no token available There is some difference. For the compilation, I removed patches: patch -p0 < $srcdir/coolkey-cac.patch patch -p0 < $srcdir/coolkey-cac-1.patch patch -p0 < $srcdir/coolkey-pcsc-lite-fix.patch and added the fix attached here: https://bugzilla.redhat.com/show_bug.cgi?id=626029 It seems problem how configure coolkey in the pam_pkcs config.
Could you please show part of config from /etc/pam_pkcs11/pam_pkcs11.conf line where string "use_pkcs11_module = coolkey;" appears?
In my case it looks like:
use_pkcs11_module = coolkey;
pkcs11_module coolkey {
module = /usr/lib/pkcs11/libcoolkeypk11.so
description = "Coolkey";
slot_num = 1;
support_threads = false;
ca_dir = /usr/share/ca-certificates/hp;
cert_policy = ca;
mapfile = file:///etc/pam_pkcs11/subject_mapping
}
use_mappers = subject;
The problem can be appears in slot_num.
Also could you please execute such command and show the output to us:
ldd /usr/lib/pkcs11/libcoolkeypk11.so
In my case it looks like:
$ ldd /usr/lib/pkcs11/libcoolkeypk11.so
linux-vdso.so.1 => (0x00007fff11eff000)
libckyapplet.so.1 => /usr/lib/libckyapplet.so.1 (0x00007f41fa643000)
libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007f41fa42b000)
libstdc++.so.6 => /usr/lib/x86_64-linux-gnu/libstdc++.so.6 (0x00007f41fa123000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f41f9d84000)
libgcc_s.so.1 => /lib/x86_64-linux-gnu/libgcc_s.so.1 (0x00007f41f9b6e000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f41f9969000)
libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007f41f96e5000)
/lib64/ld-linux-x86-64.so.2 (0x00007f41faa98000)
If in your case some of libraries is not found need to install it.
--Vladimir
(In reply to comment #41) > There is some difference. > > For the compilation, I removed patches: > patch -p0 < $srcdir/coolkey-cac.patch > patch -p0 < $srcdir/coolkey-cac-1.patch > patch -p0 < $srcdir/coolkey-pcsc-lite-fix.patch > > and added the fix attached here: > https://bugzilla.redhat.com/show_bug.cgi?id=626029 Fix which I'd attached fixing the issue appeared after applying such patches: coolkey-cac.patch coolkey-cac-1.patch So, here is an update from me: What I did: 1) Made sure that al previous files ( sources and installed binaries ) are gone. 2) Extracted srpm package and the source archive in it. 3) Applied the following patches: patch -p0 < $srcdir/coolkey-cache-dir-move.patch patch -p0 < $srcdir/coolkey-gcc43.patch patch -p0 < $srcdir/coolkey-latest.patch patch -p0 < $srcdir/coolkey-simple-bugs.patch patch -p0 < $srcdir/coolkey-thread-fix.patch patch -p0 < $srcdir/coolkey-cac.patch patch -p0 < $srcdir/coolkey-cac-1.patch patch -p0 < $srcdir/coolkey-pcsc-lite-fix.patch Log is below: [ivan@ivan-laptop coolkey-1.1.0]$ patch -p0 < ../coolkey-cache-dir-move.patch patching file src/coolkey/machdep.cpp [ivan@ivan-laptop coolkey-1.1.0]$ patch -p0 < ../coolkey-gcc43.patch patching file ./src/coolkey/slot.cpp patching file ./src/coolkey/machdep.cpp patching file ./src/coolkey/log.cpp patching file ./src/coolkey/object.cpp [ivan@ivan-laptop coolkey-1.1.0]$ patch -p0 < ../coolkey-latest.patch patching file ./src/coolkey/slot.cpp patching file ./src/coolkey/slot.h patching file ./src/libckyapplet/cky_applet.c patching file ./src/libckyapplet/cky_applet.h patching file ./src/libckyapplet/cky_card.c patching file ./src/libckyapplet/cky_factory.c patching file ./src/libckyapplet/cky_factory.h [ivan@ivan-laptop coolkey-1.1.0]$ patch -p0 < ../coolkey-simple-bugs.patch patching file ./configure.in patching file ./Makefile.am patching file ./src/coolkey/object.cpp patching file ./src/coolkey/object.h patching file ./src/coolkey/slot.cpp [ivan@ivan-laptop coolkey-1.1.0]$ patch -p0 < ../coolkey-thread-fix.patch patching file src/coolkey/coolkey.cpp patching file src/coolkey/machdep.cpp Hunk #3 succeeded at 445 (offset 79 lines). patching file src/coolkey/machdep.h [ivan@ivan-laptop coolkey-1.1.0]$ patch -p0 < ../coolkey-cac coolkey-cac-1.patch coolkey-cache-dir-move.patch coolkey-cac.patch [ivan@ivan-laptop coolkey-1.1.0]$ patch -p0 < ../coolkey-cac.patch patching file ./src/coolkey/slot.cpp patching file ./src/coolkey/slot.h patching file ./src/libckyapplet/cky_applet.c patching file ./src/libckyapplet/cky_applet.h patching file ./src/libckyapplet/cky_base.c patching file ./src/libckyapplet/cky_base.h patching file ./src/libckyapplet/cky_factory.c patching file ./src/libckyapplet/cky_factory.h [ivan@ivan-laptop coolkey-1.1.0]$ patch -p0 < ../coolkey-cac-1.patch patching file ./src/coolkey/object.cpp patching file ./src/coolkey/slot.cpp [ivan@ivan-laptop coolkey-1.1.0]$ patch -p0 < ../coolkey-pcsc-lite-fix.patch patching file ./src/coolkey/slot.cpp patching file ./src/libckyapplet/cky_card.c patching file ./src/libckyapplet/cky_card.h Applied your patch, which is attached to this bug report: [ivan@ivan-laptop coolkey-1.1.0]$ patch -p0 < ../coolkey-issue-slot-0.patch patching file ./src/coolkey/slot.cpp Hunk #1 succeeded at 2194 (offset 1 line). So far there are no errors. I compiled and installed the package. ./configure --prefix=/usr ## everything is fine make & make install ## no errors 4) Checked : [root@ivan-laptop coolkey-1.1.0]# pkcs11_listcerts debug DEBUG:pam_config.c:238: Using config file /etc/pam_pkcs11/pam_pkcs11.conf DEBUG:pkcs11_lib.c:182: Initializing NSS ... DEBUG:pkcs11_lib.c:192: Initializing NSS ... database=/etc/pki/nssdb DEBUG:pkcs11_lib.c:210: ... NSS Complete DEBUG:pkcs11_listcerts.c:69: loading pkcs #11 module... DEBUG:pkcs11_lib.c:222: Looking up module in list DEBUG:pkcs11_lib.c:225: modList = 0x95435f0 next = 0x0 DEBUG:pkcs11_lib.c:226: dllName= <null> DEBUG:pkcs11_lib.c:272: loading Module explictly, moduleSpec=<library="/usr/lib/pkcs11/libcoolkeypk11.so" name="SmartCard"> module=/usr/lib/pkcs11/libcoolkeypk11.so DEBUG:pkcs11_lib.c:286: load module complete DEBUG:pkcs11_listcerts.c:77: initialising pkcs #11 module... DEBUG:pkcs11_listcerts.c:94: no token available ## No change. The module is at place. Here is what is linked: [root@ivan-laptop coolkey-1.1.0]# ldd /usr/lib/pkcs11/libcoolkeypk11.so linux-gate.so.1 => (0x00d35000) libckyapplet.so.1 => /usr/lib/libckyapplet.so.1 (0x00e8f000) libdl.so.2 => /lib/libdl.so.2 (0x009a3000) libz.so.1 => /lib/libz.so.1 (0x005fe000) libstdc++.so.6 => /usr/lib/libstdc++.so.6 (0x00c02000) libm.so.6 => /lib/libm.so.6 (0x0032d000) libc.so.6 => /lib/libc.so.6 (0x00110000) libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x0035d000) /lib/ld-linux.so.2 (0x43a8a000) I cannot see any issue. [root@ivan-laptop coolkey-1.1.0]# ldd /usr/lib/libckyapplet.so.1 linux-gate.so.1 => (0x00308000) libdl.so.2 => /lib/libdl.so.2 (0x00f3e000) libz.so.1 => /lib/libz.so.1 (0x00424000) libc.so.6 => /lib/libc.so.6 (0x00110000) /lib/ld-linux.so.2 (0x43a8a000) Created attachment 549064 [details]
My current configuration
which token to you use? Could you please set to us output of lsusb? Try to find your device id in the http://pcsclite.alioth.debian.org/ccid/section.html. Do you see it? Sorry for that but please execute such command also: export COOL_KEY_LOG_FILE=/tmp/cool.log pkcs11_listcerts debug and please attach to defect /tmp/cool.log Created attachment 549224 [details]
COOL_KEY_LOG_FILE=/tmp/cool.log; pkcs11_listcerts debug
Attached log, generated by:
export COOL_KEY_LOG_FILE=/tmp/cool.log
pkcs11_listcerts debug
(In reply to comment #46) > which token to you use? > > Could you please set to us output of lsusb? > > Try to find your device id in the > http://pcsclite.alioth.debian.org/ccid/section.html. > > Do you see it? Here is the information about the device: 1)lsusb: [ivan@ivan-laptop ~]$ lsusb Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub Bus 003 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub Bus 004 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub Bus 005 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub Bus 006 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub Bus 007 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub Bus 008 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub Bus 003 Device 002: ID 03f0:171d Hewlett-Packard Wireless (Bluetooth + WLAN) Interface [Integrated Module] Bus 006 Device 002: ID 09c3:0014 ActivCard, Inc. [ivan@ivan-laptop ~]$ 2) In the list you sent me, it looks exactly as the third token (http://pcsclite.alioth.debian.org/ccid/section.html#3) 3) Provided your configuration of pkcs11, we are both @hp, so it is the same device Very-very strange, since what I see from logs you have the same issue which was fixed by my patch. Could you please send me the source with all applied paths to vova.kravets[at]gmail.com... I will try to understood the issue... -- Vladimir This message is a notice that Fedora 14 is now at end of life. Fedora has stopped maintaining and issuing updates for Fedora 14. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At this time, all open bugs with a Fedora 'version' of '14' have been closed as WONTFIX. (Please note: Our normal process is to give advanced warning of this occurring, but we forgot to do that. A thousand apologies.) Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, feel free to reopen this bug and simply change the 'version' to a later Fedora version. Bug Reporter: Thank you for reporting this issue and we are sorry that we were unable to fix it before Fedora 14 reached end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to click on "Clone This Bug" (top right of this page) and open it against that version of Fedora. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping Created attachment 767022 [details]
coolkey-1.1.0-26.fc19.src.rpm
coolkey-1.1.0-26.fc19.src.rpm
Created attachment 767023 [details]
coolkey-1.1.0-26.fc19.x86_64.rpm
CoolKey which work witch
Bus 001 Device 007: ID 09c3:0014 ActivCard, Inc. ActivIdentity ActivKey SIM USB Token
coolkey-1.1.0-26.fc19.x86_64.rpm
Created attachment 767024 [details]
coolkey-devel-1.1.0-26.fc19.x86_64.rpm
coolkey-devel-1.1.0-26.fc19.x86_64.rpm
|