Bug 826286
| Field | Value |
|---|---|
| Summary | Coolkey will not operate with Actividentity's ActivKey USB Token |
| Product | [Fedora] Fedora |
| Component | coolkey |
| Version | 17 |
| Hardware | All |
| OS | Linux |
| Status | CLOSED WONTFIX |
| Severity | high |
| Priority | unspecified |
| Reporter | Robert Ladd <rladdnt> |
| Assignee | Bob Relyea <rrelyea> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | clibup, gnoma_86, jmagne, pjumelle, rrelyea, sjmuniz, stoyan, strasharo2000 |
| Doc Type | Bug Fix |
| Type | Bug |
| Last Closed | 2013-08-01 10:03:02 UTC |

Description
Robert Ladd
2012-05-29 22:52:08 UTC
This is actually https://bugzilla.redhat.com/show_bug.cgi?id=688837 transferred over to F17.

Is this really that problematic to incorporate the fix in the new release? Having to downgrade some packages to versions shipped in F11 is weird at best, and this "workaround" perhaps hides the actual impact of this issue. In my organization there are literally tens of thousands ActiveKeys in operation, with a couple of thousand used with Linux. AFAIK, Fedora/RHEL is the only distro where this isn't working out of the box.

I confirm that exactly the same bug exists for me and a colleague of mine on an up to date Fedora 17 x86_64 installation. It's really frustrating that this bug exists only in Fedora/RHEL and for our colleagues which are using other distributions such as Ubuntu it's working out of the box. If you need any assistance from our side to troubleshoot it, don't hesitate to contact us.

Does this problem also exist on RHEL? In order to fix this, I would need access to the failing hardware.
bob

Haven't tried it personally, but IIRC a colleague of mine reported it failing on RHEL as well. If it would help, I can provide you with root ssh access to my F17 x86_64 laptop with the failing hardware attached.

Count me in, I also am very interested in fixing this bug. I am also trying to make it running few mounts with downgrading the coolkey rpm and trying different drivers for the card reader. If you need access, I can give you too laptop with attached device on it. Or any other assistance you may need.

Using the Windows ActivClient utility I was able to find out that the ActivKey I have has 8 slots for certificates and my certificates are on slots 6 and 7 (one cert is used for mail signing and the other is class A for authentication):

The Troubleshooting Wizard has detected 8 PKI slots to store private keys and digital certificates.
Slot 1: does not contain a private key nor digital certificate.
Slot 2: does not contain a private key nor digital certificate.
Slot 3: does not contain a private key nor digital certificate.
Slot 4: does not contain a private key nor digital certificate.
Slot 5: does not contain a private key nor digital certificate.
Slot 6 contains a private key and a digital certificate.
Slot 7 contains a private key and a digital certificate.
Slot 8: does not contain a private key nor digital certificate.

Looks like a colleague of ours already made a Github repo with Coolkey patched to support multiple slots: https://github.com/Vanuan/coolkey
I guess his code can be used as a reference for fixing this issue.

Aloha, I've tried to compile manually the source provided by the Github repository. It worked fine, just keep in mind that the PIN code should be numeric, it cannot contain letters. Nothing special, just get that source code and follow the official coolkey build instructions.

github? Upstream is fedora hosted. what github link are you seeing?
bob

Hello Bob,
At the end of my previous post I provided a GitHub link, where a colleague of ours has published a patched source of Coolkey which supports multiple slots. Here's the link again - https://github.com/Vanuan/coolkey

Thanks,
bob.

Hi Everyone,
in RHEL 6.3 (Desktop edition) Activkey will work with firefox, if you set up security devices and add coolkey as a new device and point to either:
/usr/lib64/libcoolkeypk11.so
/usr/lib64/pkcs11/libcoolkeypk11.so
The pkcs11_inspect and other tools work. VPN does not work with connection manager and I have not yet had the time to figure out how to make it work on RHED 6.3.
I don't know why it works in RHED and not Fedora 17. I have a working document for Fedora 17. You can use the latest modules from Fedora 17; you just need to recompile one of the PKCS11 modules with the coolkey-patch from source. This will rebuild the libcoolkeypk11.so module and allow everything to work on Fedora 17. You will still not have Network Manager support; you have to use pppd with PPTP and Activkey from the command line.
I think that when we file these bugs they check if RHED is working or not and don't check the Fedora distro packages.
Hope this helps.
Regards,
Robert Ladd
If your activkey is plugged in it will prompt you to enter your pin.
On Thu, Nov 1, 2012 at 2:55 PM, <bugzilla> wrote:
https://bugzilla.redhat.com/show_bug.cgi?id=826286
--- Comment #10 from Bob Relyea <rrelyea> ---
Thanks,
bob.
I can add some "soft" details.
Using Ubuntu Precise, active key was working ok until I renewed the certificate on it.
So, it looks like newer tools of activekey tools write certificates differently on the key.
I have Pin initialized it back and written a new certificate and the issue is still there.
DEBUG:pkcs11_listcerts.c:69: loading pkcs #11 module...
DEBUG:pkcs11_lib.c:975: PKCS #11 module = [/usr/lib/pkcs11/libcoolkeypk11.so]
DEBUG:pkcs11_lib.c:992: module permissions: uid = 0, gid = 0, mode = 644
DEBUG:pkcs11_lib.c:1001: loading module /usr/lib/pkcs11/libcoolkeypk11.so
DEBUG:pkcs11_lib.c:1009: getting function list
DEBUG:pkcs11_listcerts.c:77: initialising pkcs #11 module...
DEBUG:pkcs11_lib.c:1106: module information:
DEBUG:pkcs11_lib.c:1107: - version: 2.11
DEBUG:pkcs11_lib.c:1108: - manufacturer: Mozilla Foundation
DEBUG:pkcs11_lib.c:1109: - flags: 0000
DEBUG:pkcs11_lib.c:1110: - library description: CoolKey PKCS #11 Module
DEBUG:pkcs11_lib.c:1111: - library version: 1.0
DEBUG:pkcs11_lib.c:1118: number of slots (a): 1
DEBUG:pkcs11_lib.c:1141: number of slots (b): 1
DEBUG:pkcs11_lib.c:1037: slot 1:
DEBUG:pkcs11_lib.c:1047: - description: Activkey Sim 00 00
DEBUG:pkcs11_lib.c:1048: - manufacturer: Unknown
DEBUG:pkcs11_lib.c:1049: - flags: 0006
DEBUG:pkcs11_listcerts.c:94: no token available
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 12.04.1 LTS
Release: 12.04
Codename: precise
$ aptitude show coolkey
Package: coolkey
State: installed
Automatically installed: no
Version: 1.1.0-10ubuntu1
Priority: optional
Section: universe/admin
Maintainer: Ubuntu Developers <ubuntu-devel-discuss.com>
Architecture: amd64
Uncompressed Size: 428 k
Depends: libckyapplet1 (= 1.1.0-10ubuntu1), libc6 (>= 2.4), libgcc1 (>=
1:4.1.1), libstdc++6 (>= 4.6), zlib1g (>= 1:1.1.4), libpcsclite1
From our internal forum:
--
It seems like CoolKey doesn't support more than 3 PKI instances (so called "slots"). And it expects "CAC ID Certificate" to be in the first (0th) slot. If it isn't found, coolkey throws an exception.
Here is my branch of coolkey that fixes this issue: https://github.com/Vanuan/coolkey (multislot_support branch). It is a hack so it might not work in all cases.
Try if it works for you.
--
Thanks
Sebastian
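
The slot flags in the pkcs11_listcerts debug output above can be decoded to see why the tool ends with "no token available". The following is an added example, not code from CoolKey, pam_pkcs11 or any commenter; the function names are hypothetical, the flag values are the CK_SLOT_INFO bits from the PKCS #11 specification, and it assumes the flags field is printed in hexadecimal.

```python
import re

# CK_SLOT_INFO flag bits as defined by the PKCS #11 specification.
SLOT_FLAGS = {0x1: "CKF_TOKEN_PRESENT", 0x2: "CKF_REMOVABLE_DEVICE", 0x4: "CKF_HW_SLOT"}

SLOT_RE = re.compile(r"DEBUG:pkcs11_lib\.c:\d+: slot (\d+):")
FIELD_RE = re.compile(r"DEBUG:pkcs11_lib\.c:\d+: - (description|flags): (.*)")

# Slot section copied from the debug output quoted in the comment above.
PAGE_LOG = """\
DEBUG:pkcs11_lib.c:1110: - library description: CoolKey PKCS #11 Module
DEBUG:pkcs11_lib.c:1141: number of slots (b): 1
DEBUG:pkcs11_lib.c:1037: slot 1:
DEBUG:pkcs11_lib.c:1047: - description: Activkey Sim 00 00
DEBUG:pkcs11_lib.c:1049: - flags: 0006
DEBUG:pkcs11_listcerts.c:94: no token available
"""

# Constructed contrast case: the same slot with the token-present bit set.
CONSTRUCTED_LOG = PAGE_LOG.replace("flags: 0006", "flags: 0007")

def parse_slots(log_text):
    """Collect description and flags for every 'slot N:' block in the log."""
    slots, current = [], None
    for line in log_text.splitlines():
        m = SLOT_RE.match(line.strip())
        if m:
            current = {"slot": int(m.group(1)), "description": "", "flags": 0}
            slots.append(current)
            continue
        m = FIELD_RE.match(line.strip())
        if m and current is not None:  # skip module-level fields before any slot
            key, value = m.groups()
            # Assumption: flags are printed as hexadecimal digits.
            current[key] = int(value, 16) if key == "flags" else value.strip()
    return slots

def decode_flags(value):
    """Return the names of the known slot flag bits set in value."""
    return [name for bit, name in sorted(SLOT_FLAGS.items()) if value & bit]

def diagnose(log_text):
    """Return (slot, token_present, flag_names) for each slot in the log."""
    return [(s["slot"], bool(s["flags"] & 0x1), decode_flags(s["flags"]))
            for s in parse_slots(log_text)]

if __name__ == "__main__":
    for slot, present, names in diagnose(PAGE_LOG):
        print(f"slot {slot}: token_present={present} flags={names}")
```

For the log quoted above, the reader is enumerated as a removable hardware slot, but the module does not set the token-present bit for it, which is the condition the tool reports as "no token available".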
Created attachment 767121
coolkey-1.1.0-26.fc19.src.rpm
Work on F19
Created attachment 767122
coolkey-1.1.0-26.fc19.x86_64.rpm
Binary rpm
This message is a reminder that Fedora 17 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 17. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '17'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 17's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 17 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version prior to Fedora 17's end of life.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.

Fedora 17 changed to end-of-life (EOL) status on 2013-07-30. Fedora 17 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.