Description of problem:
Reiner SCT cyberJack® RFID komfort reader unable to differentiate between contact and contactless cards.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Plug in the REINERSCT Cyberjack RFID komfort reader
2. Insert a PIV test card
Inconsistently blinks blue light or green light when a contact card is inserted
Green light should blink for contact cards and ESC should detect the card
I've changed the description and component. The Reinersct's confusion about which interface to use is a hardware issue. The problem can be solved in software by having coolkey recognize the contactless interface. That means a component change and a description change, which I've now made to the bug.
This is an RFE, so I believe it should target 6.7.
I should also mention that it's OK for the blue light to go solid. coolkey should function when the blue light is solid. You can force the blue light by placing the card in the back slot (with no contact readers).
OK, so the issue is that the normal certs and keys are not accessible on the contactless cards. The card certificate/key is accessible, however, so I've added a patch which will access the card certificate/key instead of the PIV auth/signing or key exchange keys.
This means if the card is accessed contactless, it will show different certs (blue light = contactless, green light = contact).
To test the contactless you will need a ReinerSCT CyberJack reader and the third party driver for it: pcsc-cyberjack.
The third party driver seems to be a bit flaky and can hang coolkey trying to access the card under certain conditions. I'm not sure why.
Anyway, with the reader installed, you can insert your contactless card in the back slot to guarantee that you get the contactless interface. The card will be called 'Coolkey' and there will be one very plain cert (usually no subject, nickname is CAC ID Certificate).
PIV test cards 6 and 16 have no card certificate, so won't show up in ESC.
PIV test card 3 does have a certificate, but for some reason it's not being recognized.
Update: PIV Test Card 16 does have a card certificate, just not a card certificate container. The card certificate is still accessible. Also I have PIV test card 3 working, but it's not reliable. I think it doesn't really like the reader (it's the only Oberthur Type B card in the stack).
Contactless PIVs only access the card certificate, which doesn't require a pin, so the cards operate as pinless cards (you can access and sign with the card cert without entering a pin).
[root@dhcp129-124 sctests]# rpm -qi coolkey
Name : coolkey Relocations: (not relocatable)
Version : 1.1.0 Vendor: Red Hat, Inc.
Release : 35.el6 Build Date: Thu 09 Apr 2015 10:15:55 PM EDT
Install Date: Fri 10 Apr 2015 12:12:35 PM EDT Build Host: x86-028.build.eng.bos.redhat.com
Group : System Environment/Libraries Source RPM: coolkey-1.1.0-35.el6.src.rpm
Size : 242342 License: LGPLv2
Signature : (none)
Packager : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL : http://directory.fedora.redhat.com/wiki/CoolKey
Summary : CoolKey PKCS #11 module
[root@dhcp129-124 sctests]# rpm -qi pcsc-lite
Name : pcsc-lite Relocations: (not relocatable)
Version : 1.5.2 Vendor: Red Hat, Inc.
Release : 15.el6 Build Date: Thu 26 Feb 2015 08:39:13 PM EST
Install Date: Fri 10 Apr 2015 12:06:37 PM EDT Build Host: x86-031.build.eng.bos.redhat.com
Group : System Environment/Daemons Source RPM: pcsc-lite-1.5.2-15.el6.src.rpm
Size : 402732 License: BSD
Signature : RSA/8, Wed 04 Mar 2015 07:22:07 AM EST, Key ID 938a80caf21541eb
Packager : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL : http://pcsclite.alioth.debian.org/
Summary : PC/SC Lite smart card framework and applications
[root@dhcp129-124 sctests]# rpm -qi pcsc-cyberjack
Name : pcsc-cyberjack Relocations: (not relocatable)
Version : 3.99.5final.SP03 Vendor: Fedora Project
Release : 13.el6 Build Date: Thu 25 Apr 2013 08:12:57 AM EDT
Install Date: Fri 10 Apr 2015 12:06:45 PM EDT Build Host: buildvm-23.phx2.fedoraproject.org
Group : System Environment/Libraries Source RPM: pcsc-cyberjack-3.99.5final.SP03-13.el6.src.rpm
Size : 767628 License: LGPLv2+
Signature : RSA/8, Thu 02 May 2013 02:07:21 PM EDT, Key ID 3b49df2a0608b895
Packager : Fedora Project
URL : http://www.reiner-sct.de/
Summary : PC/SC driver for REINER SCT cyberjack USB chip card reader
I still see inconsistency in the detection of smartcards using Reiner SCT cyberJack® RFID komfort reader.
PIV cards 2, 3, 4, 5, 7, 8, 10, 11, 12, 13, 14, 15 and the Northrop Grumman Oberthur card were detected by ESC and certs were listed. Certs were detected by Firefox and the smartcard coolkey test program. Green light blinks when inserted in the front slot and blue light blinks when inserted in the rear slot. Multiple attempts were required for most of the cards.
PIV card 1 - Even after multiple attempts the certs on this card were not detected. Using Omnikey reader the certs are being detected.
PIV card 6 - There are no certs on the card and the CAC ID cert is detected when inserted in the rear slot.
PIV card 16 - When inserted in the front slot blinks green but certs on the card are not being detected. Using Omnikey reader there is one cert on the card detected by ESC and it is not the CAC ID cert.
I've noticed the reader isn't exactly solid as my comments indicate.
My PIV Card 1 works (mostly), but my PIV Card 3 never works (detected, but never any certs). It may be an issue with the reliability of contactless.
My PIV card 6 is never detected.
My PIV card 16 does work.
NOTE: this is about the contactless interface, slide the card in the back slot of the reader and you should get blue lights (never any green lights). The green will still be flaky because the reader has a hard time not trying to talk to the contactless. That's an issue with the reader which we can't do much about.
All the PIV cards and the Oberthur card were detected in the rear slot of the reader. The blue light was blinking and the CAC ID cert was detected. Most of the cards were detected when inserted in the front slot of the reader.
Verification steps as explained in comment 8.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.