Bug 1115626 - Coolkey does not support contactless PIV cards
Summary: Coolkey does not support contactless PIV cards
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: coolkey
Version: 6.6
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Assignee: Bob Relyea
QA Contact: Asha Akkiangady
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-07-02 18:58 UTC by Roshni
Modified: 2015-07-22 07:06 UTC (History)

Fixed In Version: coolkey-1.1.0-34.el6
Doc Type: Bug Fix
Doc Text:
Previously, after the user inserted a contactless PIV card, coolkey could not access it in a contactless way. As a consequence, the light indicating the card status started to blink inconsistently, and the Enterprise Security Client (ESC) failed to detect the card. With this patch, coolkey accesses the card certificate or key instead of the PIV authentication, PIV signing, or PIV key exchange keys. As a result, when the user inserts a contactless PIV card, ESC now successfully detects it.
Clone Of:
Environment:
Last Closed: 2015-07-22 07:06:06 UTC
Target Upstream Version:




Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2015:1370 normal SHIPPED_LIVE coolkey bug fix update 2015-07-20 17:58:50 UTC

Description Roshni 2014-07-02 18:58:05 UTC
Description of problem:
Reiner SCT cyberJack® RFID komfort reader is unable to differentiate between contact and contactless cards.

Version-Release number of selected component (if applicable):
pcsc-lite-1.5.2-14.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. Plug in the REINERSCT Cyberjack RFID komfort reader
2. Insert a PIV test card
3. 

Actual results:
Inconsistently blinks blue light or green light when a contact card is inserted

Expected results:
Green light should blink for contact cards and ESC should detect the card

Additional info:

Comment 2 Bob Relyea 2014-07-03 16:53:35 UTC
I've changed the description and component.  The Reinersct's confusion about which interface to use is a hardware issue. The problem can be solved in software by having coolkey recognize the contactless interface. That means a component change and a description change, which I've now made to the bug.

Comment 3 Bob Relyea 2014-07-03 16:54:37 UTC
This is an RFE, so I believe it should target 6.7.

Comment 4 Bob Relyea 2015-02-26 22:47:04 UTC
I should also mention that it's OK for the blue light to go solid. coolkey should function when the blue light is solid. You can force the blue light by placing the card in the back slot (with no contact readers).

Comment 5 Bob Relyea 2015-02-27 02:10:12 UTC
OK, so the issue is that the normal certs and keys are not accessible on the contactless cards. The card certificate/key is accessible, however. So I've added a patch which will access the card certificate/key instead of the PIV auth/signing or key exchange keys.

This means if the card is accessed contactless, it will show different certs (blue light = contactless, green light = contact).

To test the contactless you will need a ReinerSCT CyberJack reader and the third party driver for it: pcsc-cyberjack .

The third party driver seems to be a bit flaky and can hang coolkey trying to access the card under certain conditions. I'm not sure why.

Anyway, with the reader installed, you can insert your contactless card in the back slot to guarantee that you get the contactless interface. The card will be called 'Coolkey' and there will be one very plain cert (usually no subject, nickname is CAC ID Certificate).

PIV test cards 6 and 16 have no card certificate, so won't show up in ESC.
PIV test card 3 does have a certificate, but for some reason it's not being recognized.

Comment 7 Bob Relyea 2015-02-28 01:50:42 UTC
Update: PIV Test Card 16 does have a card certificate, just not a card certificate container. The card certificate is still accessible. Also I have PIV test card 3 working, but it's not reliable. I think it doesn't really like the reader (it's the only Oberthur Type B card in the stack).

Contactless PIVs only access the card certificate, which doesn't require a pin, so the cards operate as pinless cards (you can access and sign with the card cert without entering a pin).

Comment 8 Roshni 2015-04-13 13:04:47 UTC
[root@dhcp129-124 sctests]# rpm -qi coolkey
Name        : coolkey                      Relocations: (not relocatable)
Version     : 1.1.0                             Vendor: Red Hat, Inc.
Release     : 35.el6                        Build Date: Thu 09 Apr 2015 10:15:55 PM EDT
Install Date: Fri 10 Apr 2015 12:12:35 PM EDT      Build Host: x86-028.build.eng.bos.redhat.com
Group       : System Environment/Libraries   Source RPM: coolkey-1.1.0-35.el6.src.rpm
Size        : 242342                           License: LGPLv2
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://directory.fedora.redhat.com/wiki/CoolKey
Summary     : CoolKey PKCS #11 module

[root@dhcp129-124 sctests]# rpm -qi pcsc-lite
Name        : pcsc-lite                    Relocations: (not relocatable)
Version     : 1.5.2                             Vendor: Red Hat, Inc.
Release     : 15.el6                        Build Date: Thu 26 Feb 2015 08:39:13 PM EST
Install Date: Fri 10 Apr 2015 12:06:37 PM EDT      Build Host: x86-031.build.eng.bos.redhat.com
Group       : System Environment/Daemons    Source RPM: pcsc-lite-1.5.2-15.el6.src.rpm
Size        : 402732                           License: BSD
Signature   : RSA/8, Wed 04 Mar 2015 07:22:07 AM EST, Key ID 938a80caf21541eb
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://pcsclite.alioth.debian.org/
Summary     : PC/SC Lite smart card framework and applications

[root@dhcp129-124 sctests]# rpm -qi pcsc-cyberjack
Name        : pcsc-cyberjack               Relocations: (not relocatable)
Version     : 3.99.5final.SP03                  Vendor: Fedora Project
Release     : 13.el6                        Build Date: Thu 25 Apr 2013 08:12:57 AM EDT
Install Date: Fri 10 Apr 2015 12:06:45 PM EDT      Build Host: buildvm-23.phx2.fedoraproject.org
Group       : System Environment/Libraries   Source RPM: pcsc-cyberjack-3.99.5final.SP03-13.el6.src.rpm
Size        : 767628                           License: LGPLv2+
Signature   : RSA/8, Thu 02 May 2013 02:07:21 PM EDT, Key ID 3b49df2a0608b895
Packager    : Fedora Project
URL         : http://www.reiner-sct.de/
Summary     : PC/SC driver for REINER SCT cyberjack USB chip card reader

I still see inconsistency in the detection of smartcards using Reiner SCT cyberJack® RFID komfort reader.

PIV cards 2,3,4,5,7,8,10,11,12,13,14,15 and Northrop Grumman Oberthur card were detected by ESC and certs were listed. Certs were detected by firefox and smartcard coolkey test program. Green light blinks when inserted in the front slot and blue light blinks when inserted in the rear slot. Multiple attempts were required for most of the cards.

PIV card 1 - Even after multiple attempts the certs on this card were not detected. Using Omnikey reader the certs are being detected.

PIV card 6 - There are no certs on the card and the CAC ID cert is detected when inserted in the rear slot.

PIV card 16 - When inserted in the front slot blinks green but certs on the card are not being detected. Using Omnikey reader there is one cert on the card detected by ESC and it is not the CAC ID cert.
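The verification above relies on reading `rpm -qi` output by eye against the bug's "Fixed In Version" of coolkey-1.1.0-34.el6. The following is an added example, not part of this bug report or of the coolkey project, that automates the same check: it reimplements RPM's version-segment comparison (tilde handled, caret omitted) so an installed NVR can be compared against the fixed NVR. The package name and the fixed version come from this bug; the `installed_nvr()` helper shells out to `rpm -q` and is only useful on an RPM-based host, so the check functions are also fed constructed NVR strings.

```python
import re
import subprocess

# Taken from this bug's "Fixed In Version" field.
FIXED_IN = "coolkey-1.1.0-34.el6"


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a is older than, equal to, or newer than b.

    Reimplementation of RPM's segment rules for illustration: split on
    non-alphanumerics, compare digit runs numerically and letter runs as
    strings, numeric segment beats alpha segment, '~' sorts before
    everything (pre-release). Caret ('^') is not handled here.
    """
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # Skip separators (anything that is not alphanumeric or '~').
        while i < len(a) and not (a[i].isalnum() or a[i] == "~"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        # Tilde sorts before everything, including the empty string.
        ta = i < len(a) and a[i] == "~"
        tb = j < len(b) and b[j] == "~"
        if ta or tb:
            if not ta:
                return 1
            if not tb:
                return -1
            i += 1
            j += 1
            continue
        if i >= len(a) or j >= len(b):
            break
        # Take a run of digits or a run of letters, chosen by a's next char.
        if a[i].isdigit():
            ma, mb, numeric = re.match(r"\d+", a[i:]), re.match(r"\d+", b[j:]), True
        else:
            ma, mb, numeric = re.match(r"[A-Za-z]+", a[i:]), re.match(r"[A-Za-z]+", b[j:]), False
        sa = ma.group(0)
        sb = mb.group(0) if mb else ""
        if not sb:
            # Segment types differ: the numeric side is considered newer.
            return 1 if numeric else -1
        i += len(sa)
        j += len(sb)
        if numeric:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    # Whichever side still has characters left over wins.
    return -1 if i >= len(a) else 1


def split_nvr(nvr: str):
    """Split 'name-version-release' into its three parts (epoch assumed 0)."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def compare_nvr(installed: str, fixed: str) -> int:
    n1, v1, r1 = split_nvr(installed)
    n2, v2, r2 = split_nvr(fixed)
    if n1 != n2:
        raise ValueError(f"package name mismatch: {n1} vs {n2}")
    c = rpmvercmp(v1, v2)
    return c if c != 0 else rpmvercmp(r1, r2)


def has_fix(installed: str, fixed: str = FIXED_IN) -> bool:
    """True when the installed NVR is at or above the NVR carrying the fix."""
    return compare_nvr(installed, fixed) >= 0


def installed_nvr(package: str):
    """Query the local rpm database; returns None if rpm is absent or the
    package is not installed. %{NAME}-%{VERSION}-%{RELEASE} is rpm's own
    query format syntax."""
    try:
        out = subprocess.run(
            ["rpm", "-q", "--qf", "%{NAME}-%{VERSION}-%{RELEASE}", package],
            capture_output=True, text=True,
        )
    except FileNotFoundError:
        return None
    return out.stdout.strip() if out.returncode == 0 else None


if __name__ == "__main__":
    nvr = installed_nvr("coolkey")
    if nvr is None:
        print("coolkey not installed or rpm unavailable")
    else:
        print(f"{nvr}: {'has' if has_fix(nvr) else 'lacks'} the fix from {FIXED_IN}")
```

Against the build verified in this comment, `has_fix("coolkey-1.1.0-35.el6")` is true, while `coolkey-1.1.0-33.el6` or any 1.0.x build is reported as lacking the fix; the same function can be pointed at any other errata's fixed NVR.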

Comment 9 Bob Relyea 2015-04-14 16:17:19 UTC
I've noticed the reader isn't exactly solid as my comments indicate. 

My PIV Card 1 works (mostly), but my PIV Card 3 never works (detected, but never any certs). It may be an issue with the reliability of contactless.

My PIV card 6 is never detected.

My PIV card 16 does work.

NOTE: this is about the contactless interface, slide the card in the back slot of the reader and you should get blue lights (never any green lights). The green will still be flaky because the reader has a hard time not trying to talk to the contactless. That's an issue with the reader which we can't do much about.

bob

Comment 10 Roshni 2015-04-14 16:46:40 UTC
All the PIV cards and Oberthur card were detected in the rear slot of the reader. The blue light was blinking and the CAC ID cert was detected. Most of the cards were detected when inserted in the front slot of the reader.

Verification steps as explained in comment 8.

Comment 12 errata-xmlrpc 2015-07-22 07:06:06 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-1370.html
