Bug 906537

Summary: CAC card (Gemalto GCX4 72k) shows invalid-signature message during pkinit
Product: Red Hat Enterprise Linux 6
Reporter: Asha Akkiangady <aakkiang>
Component: coolkey
Assignee: Bob Relyea <rrelyea>
Status: CLOSED ERRATA
QA Contact: Asha Akkiangady <aakkiang>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 6.4
CC: jgalipea, jrieden, rpattath, sforsber
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version:
Doc Type: Known Issue
Doc Text:
Personal Identity Verification (PIV) Endpoint Cards which support both CAC and PIV interfaces might not work with the latest coolkey update; some signature operations like PKINIT can fail. To work around this problem, downgrade coolkey to the version shipped with Red Hat Enterprise Linux 6.3.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-11-21 23:05:40 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:

Description Asha Akkiangady 2013-01-31 20:35:11 UTC
Description of problem:
DOD CAC (Gemalto GCX4 72k) shows invalid-signature during pkinit.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. kinit using the CAC card.

Actual results:
Error message: Invalid Signature while getting the initial credentials.

Expected results:
kinit with this CAC card should be successful.

Additional info:
Downgraded the coolkey version to coolkey-1.1.0-20, pkinit works fine for the card. Getting the invalid signature error for the card with coolkey -21 and also -24.

Another CAC (Gemalto TOPDLGX 144) pkinit works fine with coolkey -26.

Comment 3 Jenny Severance 2013-02-01 19:15:42 UTC
Bob, can you please add the appropriate information in the doc text field for the technical note - known issues

Comment 4 Bob Relyea 2013-02-01 22:59:11 UTC
Doc Text field updated.

Comment 5 Bob Relyea 2013-02-01 22:59:59 UTC
Is there anything else I need to do (set flags here or in the errata)?

Comment 11 Bob Relyea 2013-08-12 19:18:31 UTC
Signatures appear to work with my Gemalto GCX4 72K PIV endpoint card with build -27

Comment 13 Roshni 2013-09-27 15:26:32 UTC
Works fine using coolkey-1.1.0-30.el6 on RHEL 6.5

Comment 14 errata-xmlrpc 2013-11-21 23:05:40 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.