Bug 879563
| Summary: | pkcs11_listcerts/pklogin_finder are not able to see certs/token on a smartcard | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Marian Krcmarik <mkrcmari> |
| Component: | coolkey | Assignee: | Bob Relyea <rrelyea> |
| Status: | CLOSED ERRATA | QA Contact: | Asha Akkiangady <aakkiang> |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | 6.4 | CC: | jgalipea |
| Target Milestone: | rc | Keywords: | Regression, TestBlocker |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | coolkey-1.1.0-23.el6 | Doc Type: | Known Issue |
| Doc Text: | The pkcs11_listcerts and pklogin_finder commands are not able to see certificates and tokens on a smartcard after upgrading coolkey from version 1.1.0-20 to 1.1.0-21. | Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2013-02-21 10:16:03 UTC | Type: | Bug |
| Bug Blocks: | 881827 | ||
Arg, I don't have a Gemalto TOP IM FIPS CY2 (product code HWP115291A). Can I borrow one from QA?

bob

OK, I think I've found some cards that fail, I should be able to get a patch tomorrow. The basic problem is the card lies when I ask it to switch to the PIV applet, and says "OK, I can do that". Of course it can't because the applet doesn't exist, but now we think the card is a PIV card.

OK, I have a patch in hand that fixes this problem. Queued up and waiting for approval. (Patch looks at the returned data from the select and makes sure it's what a PIV card should return, now the Gemalto coolkeys no longer look like empty PIV cards).

bob

builds complete: coolkey-1.1.0-22.el6

build with rpmdiff fix: coolkey-1.1.0-23.el6

(In reply to comment #9)
> build with rpmdiff fix: coolkey-1.1.0-23.el6

Works for me, Thanks.

Tested with coolkey-1.1.0-23.el6, pklogin_finder command successfully recognizes Gemalto 64K usb token, Gemalto 64K smart card, Safenet 330J smart card, Gemalto TOPDLGX4 144 (CAC), Gemalto GCX4 72K (CAC), PIV Card (no card details printed on the card), Oberthur ID One V5.2 (CAC) cards. Marking the bug verified.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0397.html
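The check described in the comments above (validate the data returned by the PIV SELECT instead of trusting its success status), sketched as an added example; it is not coolkey's actual patch. It assumes the reply layout from NIST SP 800-73 (a tag 0x61 template holding a tag 0x4F identifier that carries the PIV PIX), and `tlv_find` and `select_response_is_piv` are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* PIV application PIX prefix and NIST RID, per NIST SP 800-73 (assumed layout). */
static const uint8_t PIV_PIX[]  = { 0x00, 0x00, 0x10, 0x00 };
static const uint8_t NIST_RID[] = { 0xA0, 0x00, 0x00, 0x03, 0x08 };

/* Find a one-byte tag with short-form length in buf; NULL if absent or malformed. */
static const uint8_t *tlv_find(const uint8_t *buf, size_t len, uint8_t tag, size_t *vlen)
{
    size_t i = 0;
    while (i + 2 <= len) {
        size_t l = buf[i + 1];
        if (l > 0x7F || i + 2 + l > len)      /* long form or overrun: reject */
            return NULL;
        if (buf[i] == tag) { *vlen = l; return buf + i + 2; }
        i += 2 + l;
    }
    return NULL;
}

/* resp is the whole SELECT reply, status bytes SW1 SW2 last (hypothetical helper).
 * A "90 00" status alone is not trusted: the body must be a PIV property template. */
int select_response_is_piv(const uint8_t *resp, size_t len)
{
    size_t tmpl_len, aid_len;
    const uint8_t *tmpl, *aid;

    if (len < 2 || resp[len - 2] != 0x90 || resp[len - 1] != 0x00)
        return 0;
    tmpl = tlv_find(resp, len - 2, 0x61, &tmpl_len);  /* application property template */
    if (!tmpl || !(aid = tlv_find(tmpl, tmpl_len, 0x4F, &aid_len)))
        return 0;
    if (aid_len >= sizeof NIST_RID && !memcmp(aid, NIST_RID, sizeof NIST_RID)) {
        aid += sizeof NIST_RID;                       /* full AID: skip the RID */
        aid_len -= sizeof NIST_RID;
    }
    return aid_len >= sizeof PIV_PIX && !memcmp(aid, PIV_PIX, sizeof PIV_PIX);
}

int main(void)
{
    /* Constructed samples: a PIV-style reply, and a bare "90 00" with no data. */
    static const uint8_t piv[] = { 0x61,0x11, 0x4F,0x06,0x00,0x00,0x10,0x00,0x01,0x00,
                                   0x79,0x07,0x4F,0x05,0xA0,0x00,0x00,0x03,0x08, 0x90,0x00 };
    static const uint8_t bare[] = { 0x90, 0x00 };
    return !(select_response_is_piv(piv, sizeof piv) && !select_response_is_piv(bare, sizeof bare));
}
```

The process exits with status 0 when the PIV-style reply is accepted and the data-less success reply is rejected.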
Description of problem:

pkcs11_listcerts/pklogin_finder are not able to see certs/token on a smartcard after upgrading coolkey from coolkey-1.1.0-20 to coolkey-1.1.0-21. The tools print the certs on the smartcard only once after a pcscd restart. This does not work on RHEL6.3 with coolkey updated to -21, and it does work on RHEL6.4 with coolkey downgraded back to -20.

Moreover, it is causing problems when using smartcards over spice. With -21 coolkey it seems that ESC on the client interferes with the spice client: either the smartcard is caught by ESC on the client (displayed in ESC) or it is emulated in the VM over spice (and not displayed in ESC on the client). It looks like they are racing. Once I uninstall ESC on the client or disable autostart of ESC, the smartcard is always correctly emulated in a VM. This does not happen with -20 coolkey; the smartcard is emulated in the VM over spice as well as displayed in ESC on the client machine. The thing is that the certs are displayed in ESC but not with the tools.

Version-Release number of selected component (if applicable): coolkey-1.1.0-21

How reproducible: Always

Steps to Reproduce:

```
# pkcs11_listcerts debug
DEBUG:pam_config.c:238: Using config file /etc/pam_pkcs11/pam_pkcs11.conf
DEBUG:pkcs11_lib.c:182: Initializing NSS ...
DEBUG:pkcs11_lib.c:192: Initializing NSS ... database=/etc/pki/nssdb
DEBUG:pkcs11_lib.c:210: ... NSS Complete
DEBUG:pkcs11_listcerts.c:69: loading pkcs #11 module...
DEBUG:pkcs11_lib.c:222: Looking up module in list
DEBUG:pkcs11_lib.c:225: modList = 0x1c837b0 next = 0x1c97dc0
DEBUG:pkcs11_lib.c:226: dllName= <null>
DEBUG:pkcs11_lib.c:225: modList = 0x1c97dc0 next = 0x0
DEBUG:pkcs11_lib.c:226: dllName= libcoolkeypk11.so
DEBUG:pkcs11_listcerts.c:77: initialising pkcs #11 module...
PIN for token:
DEBUG:pkcs11_lib.c:48: PIN = [*****]
DEBUG:pkcs11_lib.c:746: cert 0: found (mkrcmari:signing key for mkrcmari), "UID=mkrcmari,O=Token Key User"
Found '1' certificate(s)
Certificate #1:
- Subject: UID=mkrcmari,O=Token Key User
- Issuer: CN=Certificate Authority,OU=pki-ca,O=******
- Algorithm: PKCS #1 RSA Encryption
DEBUG:cert_vfy.c:34: Verifying Cert: mkrcmari:signing key for mkrcmari (UID=mkrcmari,O=Token Key User)
DEBUG:cert_vfy.c:38: Couldn't verify Cert: Peer's Certificate issuer is not recognized.
verify_certificate() failed:
DEBUG:pkcs11_listcerts.c:157: releasing pkcs #11 module...
DEBUG:pkcs11_listcerts.c:160: Process completed
[root@dhcp131-204 ~]# yum update coolkey -y > /dev/null
[root@dhcp131-204 ~]# rpm -q coolkey
coolkey-1.1.0-21.el6.x86_64
[root@dhcp131-204 ~]# pkcs11_listcerts debug
DEBUG:pam_config.c:238: Using config file /etc/pam_pkcs11/pam_pkcs11.conf
DEBUG:pkcs11_lib.c:182: Initializing NSS ...
DEBUG:pkcs11_lib.c:192: Initializing NSS ... database=/etc/pki/nssdb
DEBUG:pkcs11_lib.c:210: ... NSS Complete
DEBUG:pkcs11_listcerts.c:69: loading pkcs #11 module...
DEBUG:pkcs11_lib.c:222: Looking up module in list
DEBUG:pkcs11_lib.c:225: modList = 0x15557b0 next = 0x1569dc0
DEBUG:pkcs11_lib.c:226: dllName= <null>
DEBUG:pkcs11_lib.c:225: modList = 0x1569dc0 next = 0x0
DEBUG:pkcs11_lib.c:226: dllName= libcoolkeypk11.so
DEBUG:pkcs11_listcerts.c:77: initialising pkcs #11 module...
DEBUG:pkcs11_listcerts.c:94: no token available
```

Actual results: No token available

Expected results: Token info

Additional info: My sc:

```
# pcsc_scan
PC/SC device scanner
V 1.4.17 (c) 2001-2009, Ludovic Rousseau <ludovic.rousseau>
Compiled with PC/SC lite version: 1.6.4
Scanning present readers...
0: Gemplus GemPC Twin 00 00

Fri Nov 23 10:42:52 2012
Reader 0: Gemplus GemPC Twin 00 00
  Card state: Card inserted,
  ATR: 3B 95 95 40 FF AE 01 03 00 00

ATR: 3B 95 95 40 FF AE 01 03 00 00
+ TS = 3B --> Direct Convention
+ T0 = 95, Y(1): 1001, K: 5 (historical bytes)
  TA(1) = 95 --> Fi=512, Di=16, 32 cycles/ETU
    125000 bits/s at 4 MHz, fMax for Fi = 5 MHz => 156250 bits/s
  TD(1) = 40 --> Y(i+1) = 0100, Protocol T = 0
-----
  TC(2) = FF --> Work waiting time: 960 x 255 x (Fi/F)
+ Historical bytes: AE 01 03 00 00
  Category indicator byte: AE (proprietary format)

Possibly identified card (using /usr/share/pcsc/smartcard_list.txt):
3B 95 95 40 FF AE 01 03 00 00
	Axalto - Cyberflex 64K
	Gemalto TOP IM FIPS CY2 (product code HWP115291A)
```