Bug 1331471 - Cannot get coolkey working with Windows 7
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: libcacard
Version: 6.7
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: rc
Assignee: Default Assignee for SPICE Bugs
QA Contact: SPICE QE bug list
Jiri Herrmann
URL:
Whiteboard:
Depends On: 917867
Blocks: 1269194 1356656
Reported: 2016-04-28 14:58 UTC by Frank DeLorey
Modified: 2021-08-30 11:45 UTC (History)

Fixed In Version:
Doc Type: Known Issue
Doc Text:
*Coolkey* does not load on Windows 7 guests

Loading the *Coolkey* module on Windows 7 guest virtual machines currently fails, which prevents smart card redirection from working properly on these guests.
Clone Of:
Environment:
Last Closed: 2017-02-14 17:52:07 UTC
Target Upstream Version:


Attachments
Version of coolkey being used. (5.66 MB, application/x-ms-dos-executable)
2016-04-28 14:58 UTC, Frank DeLorey


Links
System ID Private Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 3378661 0 None None None 2018-03-23 13:07:35 UTC

Description Frank DeLorey 2016-04-28 14:58:59 UTC
Created attachment 1151937
Version of coolkey being used.

Description of problem: Customer trying to get coolkey working in Windows 7 VM as ActivClient in a guest is not supported.
 

Version-Release number of selected component (if applicable):

Client RHEL 6.7
Guest Windows 7
RHEV 3.6

How reproducible:

Every time


Steps to Reproduce:
1. Customer downloads coolkey for Windows
2. Tries to load coolkey: modutil -dbdir %PROGRAMDATA%\pki\nssdb -add CoolKey -libfile coolkeypkcs11.dll


Actual results:
Reports error: ERROR: Failed to add module "CoolKey". Probable cause : "Unknown error".

Expected results:
 Should load

Additional info:

Checked to see what is loaded:

C:\>"C:\Program Files\VirtViewer v2.0-128\bin\modutil.exe" -dbdir "C:\ProgramData\pki\nssdb" -list

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB
-----------------------------------------------------------

No coolkey provider is reported.

They are using coolkey version 1.0.1-6-2

Comment 1 Marc-Andre Lureau 2016-04-28 15:52:22 UTC
It may help to configure coolkey in a Linux VM first. I am not really familiar with Windows support, David Jasa could perhaps help.

On Linux/Fedora, you can do sudo modutil -add "coolkey" -dbdir sql:/etc/pki/nssdb -libfile /usr/lib64/pkcs11/libcoolkeypk11.so.

I suppose on Windows, it should work similarly. Make sure you have permissions to modify the file too.

Btw, the path is likely  C:\Documents and Settings\All Users\Application Data\pki\nssdb. (CSIDL_COMMON_APPDATA\pki\nss)

Comment 2 Frank DeLorey 2016-04-28 16:15:07 UTC
The customer has been able to successfully do the following:

RHEL 6.7 client to RHEL 6.7 guest. Both client and guest using coolkey.
On Windows they typically use ActivClient, which would be OK if the client was Windows; however, it is not, the guest is Windows, so according to BZ 961964 they cannot use ActivClient in a guest, so we recommend using coolkey. The problem is that we have no real documentation for setting up coolkey in Windows. I could not find any examples of this actually working, so I am not sure if we have tested it or not.

Frank

Comment 3 Frank DeLorey 2016-04-28 16:16:57 UTC
This is the actual command they used:

C:\>"C:\Program Files\VirtViewer v2.0-128\bin\modutil.exe" -add "Coolkey" -libfile "C:\Windows\System32\libcoolkeypk11.dll" -dbdir "C:\ProgramData\pki\nssdb"

WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type
'q <enter>' to abort, or <enter> to continue:

ERROR: Failed to add module "Coolkey". Probable cause : "Unknown error".

Comment 5 David Jaša 2016-05-04 09:53:27 UTC
Frank, just to make sure, is the system they're using 64bit or 32bit? If 64bit, is coolkey 64bit as well as virt-viewer (paths suggest that this should be the case)?

Could they get debug output (by setting NSPR_LOG_MODULES=all:5 before running modutil)? Can they add ActivClient dll to the database (IOW is the problem with nss/modutil or in coolkey)?

I'm afraid that we'll have to defer to NSS people here if none of suggestions above help...

Comment 6 Frank DeLorey 2016-05-04 17:23:22 UTC
The system is 64 bit and installed virt viewer is 64 bit. The coolkey files seem to only be available in 32 bit, if you look at the download page (win32).

https://www.nabber.org/download/?file=coolkey-

Here is the debug output from modutil:
C:\>"C:\Program Files\VirtViewer v2.0-128\bin\modutil.exe" -dbdir %PROGRAMDATA%\pki\nssdb -add CoolKey -libfile "C:\Windows\System32\libcoolkeypk11.dll"
0[3b7260]: Loaded library Executable (init)

WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type
'q <enter>' to abort, or <enter> to continue: 3[3b7940]: ExpireWaits: elapsed=2
usec
3[3b7940]: switching to 4[453fe0]
4[453fe0]: PR_Wait: cvar=3baf80 waiting for -1
4[453fe0]: pausing
0[3b7260]: write -> 263
4[453fe0]: switching to 3[3b7940]
3[3b7940]: ExpireWaits: elapsed=5004 usec
3[3b7940]: pausing
3[3b7940]: switching to 3[3b7940]

0[3b7260]: read -> 1
0[3b7260]: read -> 1

0[3b7260]: write -> 1
0[3b7260]: Loaded library C:\Program Files\VirtViewer v2.0-128\bin\softokn3.dll (load lib)
0[3b7260]: Loaded library C:\Program Files\VirtViewer v2.0-128\bin\nssdbm3.dll (load lib)
0[3b7260]: Loaded library C:\Program Files\VirtViewer v2.0-128\bin\freebl3.dll (load lib)
ERROR: Failed to add module "CoolKey". Probable cause : "Unknown error".
0[3b7260]: write -> 73
0[3b7260]: Unloaded library C:\Program Files\VirtViewer v2.0-128\bin\nssdbm3.dll

0[3b7260]: Unloaded library C:\Program Files\VirtViewer v2.0-128\bin\freebl3.dll

0[3b7260]: Unloaded library C:\Program Files\VirtViewer v2.0-128\bin\softokn3.dll
0[3b7260]: PR_Cleanup: shutting down NSPR
0[3b7260]: PR_Cleanup: clean up before destroying thread


I tried adding ActivClient to nssdb and it worked:
C:\>"C:\Program Files\VirtViewer v2.0-128\bin\modutil.exe" -dbdir %PROGRAMDATA%\pki\nssdb -add ActivClient -libfile "C:\Program Files\ActivIdentity\ActivClient\acpkcs211.dll"

WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type
'q <enter>' to abort, or <enter> to continue:

Module "ActivClient" added to database.

C:\>"C:\Program Files\VirtViewer v2.0-128\bin\modutil.exe" -dbdir C:\ProgramData\pki\nssdb -list

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB

  2. ActivClient
        library name: C:\Program Files\ActivIdentity\ActivClient\acpkcs211.dll
         slots: 1 slot attached
        status: loaded

         slot: QEMU QEMU USB CCID 0
        token:
-----------------------------------------------------------

Comment 7 David Jaša 2016-05-05 11:43:09 UTC
nabber.org seems to redistribute RH binaries but can you be absolutely sure they're intact? We do distribute the binaries ourselves in Customer Portal, here:
https://access.redhat.com/downloads/content/216/ver=8/rhel---5/8.0/i386/product-software

CoolKey for both architectures is available there. IMO that should resolve your problem.

----

I'm actually surprised in two ways:
  * that 32b library wasn't installed to %WINDIR%\SysWOW64 directory
  * modutil had issues adding library to db. It didn't care about architecture
I'd expect that the module was added fine but then it would be unusable by 64b virt-viewer.

Comment 9 David Jaša 2016-05-18 14:00:57 UTC
Sachin, Frank,

does this customer need card in both client and guest? If not, they could redirect whole reader using USB redirection and use ActivClient-compatible smartcard as in physical Windows 7.


Frank,

Could you draw some comparisons with the situation in the solution to your "inverse" bug 1297533 comment 31? Does the same card work in Windows/ActivClient client and Linux/coolkey guest? If so, details about smartcard setup would be valuable to avoid compatibility issues elsewhere.

Comment 17 Frank DeLorey 2016-07-25 11:09:27 UTC
What info is required from me? I see the flag was set?

Frank

Comment 18 Andrei Stepanov 2016-07-27 09:10:03 UTC
A "short" comment from SpiceQE. We also have problems with Windows guest and QEMU USB CCID: https://bugzilla.redhat.com/show_bug.cgi?id=1356656

We have IDBridge CT40 http://support.gemalto.com/?id=pc_usb_sl It is a quite popular device. It is well supported in Linux. Manufacturer provides official drivers for all Windows versions. 

We cannot get it working in Windows guests.

https://access.redhat.com/downloads/content/216/ver=8/rhel---5/8.0/x86_64/product-downloads  provides coolkey for Windows x64 

It is not clear what drivers we should use for Windows for our tests:
* Unsupported ESC (https://bugzilla.redhat.com/show_bug.cgi?id=1356656#c4)
* Unsupported coolkey from http://www.nabber.org/projects/coolkey
* PC/SC from Gemalto.

We tried all of the above methods. All of them have some problems.

If we had a clear & "official" test-case we would be able to provide more logs.

What drivers should we use and how to make sure that our smartcard is passed successfully?

Comment 24 Frank DeLorey 2017-02-14 17:52:07 UTC
The real problem is that ActivClient, which is the correct tool for Windows, does not work correctly. I have moved the customer's case from this BZ to the BZ for ActivClient support.

