Bug 1345849 - [RFE] Provide support for ATOS (Siemens) CardOS 5.0 in RHEL
Summary: [RFE] Provide support for ATOS (Siemens) CardOS 5.0 in RHEL
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: coolkey
Version: 7.3
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Bob Relyea
QA Contact: Asha Akkiangady
URL:
Whiteboard:
Depends On:
Blocks: 1298243 1411829
Reported: 2016-06-13 10:18 UTC by Steffen Froemer
Modified: 2021-03-11 14:35 UTC (History)
CC List: 8 users

Fixed In Version: coolkey-1.1.0-37.el7
Doc Type: Enhancement
Doc Text:
Clone Of:
Clones: 1411829
Environment:
Last Closed: 2017-08-01 21:45:22 UTC
Target Upstream Version:
Embargoed:


Attachments:


Links:
Red Hat Product Errata RHEA-2017:2194 (priority normal, status SHIPPED_LIVE): coolkey bug fix and enhancement update, last updated 2017-08-01 18:42:11 UTC

Description Steffen Froemer 2016-06-13 10:18:51 UTC
1. Proposed title of this feature request
  Provide support for ATOS (Siemens) CardOS 5.0 in RHEL

3. What is the nature and description of the request?  
The customer is using a USB smartcard reader and smartcards with certificates for authentication purposes. RHEL 7.2 supports ATOS (Siemens) CardOS 4.4, but by the end of 2016 they will use ATOS CardOS 5.0 and need support for this CardOS too, so the coolkey framework needs to be enhanced to support this version as well.
      
4. Why does the customer need this? (List the business requirements here)  
The customer uses smartcards as a two-factor authentication method for single sign-on and email signing.
      
5. How would the customer like to achieve this? (List the functional requirements here)  
Enhance the coolkey framework to support ATOS (Siemens) CardOS 5.0.
      
6. For each functional requirement listed, specify how Red Hat and the customer can test to confirm the requirement is successfully implemented.  
The customer will provide some demo cards when available.
      
7. Is there already an existing RFE upstream or in Red Hat Bugzilla?
None found.

8. Does the customer have any specific timeline dependencies and which release would they like to target (i.e. RHEL5, RHEL6)?  
Support in RHEL 7 by the end of this year.
    
9. Is the sales team involved in this request and do they have any additional input? 
Not yet.
      
10. List any affected packages or components.  
  coolkey, ESC

11. Would the customer be able to assist in testing this functionality if implemented?  
  Yes

Comment 2 Bob Relyea 2016-09-22 22:48:57 UTC
We need sample cards for devel and QA. We have samples for TOS 4.0.

NOTE: if we make opensc a supported option in 7.4, then this bug becomes moot.

Comment 3 Steffen Froemer 2016-09-23 08:15:41 UTC
I have a set of cards available, but only one. I'll ask the customer for an additional identical set of cards and then I can send them to devel and QA.

What do you mean by opensc support? Will opensc completely replace the coolkey framework? Especially sharing the card with virtual guests is one of my customer's needs.

Comment 4 Bob Relyea 2016-09-28 22:28:21 UTC
That's the long-term plan. The timetable is still open for when that happens. At the most we will have both coolkey and OpenSC support in RHEL 7.4. It should support virtual CAC cards on guests.

bob

Comment 5 Steffen Froemer 2016-10-10 20:22:40 UTC
Hi, as I currently have a set of sample cards, I would like to send these to development. Can you give me the address where I should send the cards to?

When I get the second set, I will send it to QA. With the first cards, you can start developing.

Comment 6 Steffen Froemer 2016-10-19 08:04:09 UTC
Hi, I'm able to send the cards to engineering and QA if someone can tell me the address.

Comment 7 Bob Relyea 2016-10-21 00:14:08 UTC
Engineering:

Bob Relyea
Red Hat
444 Castro Street Suite 500
Mountain View, CA


QA
Asha Akkiangady
Red Hat Tower
100 E. Davie Street
Raleigh, NC 27601

Comment 8 Steffen Froemer 2016-12-06 15:58:35 UTC
Hello Bob,
Cards should be shipped to you. Can you confirm?

Comment 11 Steffen Froemer 2016-12-13 16:16:20 UTC
Hi, some additional information. I ran 'pcsc_scan' from the package 'pcsc-tools' on Arch Linux with the M5.3 smartcard inserted.

  -> pcsc_scan is not able to identify the card correctly

The output of pcsc_scan was following:

PC/SC device scanner
V 1.4.27 (c) 2001-2011, Ludovic Rousseau <ludovic.rousseau>
Compiled with PC/SC lite version: 1.8.16
Using reader plug'n play mechanism
Scanning present readers...
0: Gemalto PC Twin Reader (049A8E6E) 00 00

Tue Sep 20 17:13:23 2016
Reader 0: Gemalto PC Twin Reader (049A8E6E) 00 00
  Card state: Card inserted, 
  ATR: 3B D2 18 00 81 31 FE 58 C9 03 16
ATR: 3B D2 18 00 81 31 FE 58 C9 03 16
+ TS = 3B --> Direct Convention
+ T0 = D2, Y(1): 1101, K: 2 (historical bytes)
  TA(1) = 18 --> Fi=372, Di=12, 31 cycles/ETU
    129032 bits/s at 4 MHz, fMax for Fi = 5 MHz => 161290 bits/s
  TC(1) = 00 --> Extra guard time: 0
  TD(1) = 81 --> Y(i+1) = 1000, Protocol T = 1 
-----
  TD(2) = 31 --> Y(i+1) = 0011, Protocol T = 1 
-----
  TA(3) = FE --> IFSC: 254
  TB(3) = 58 --> Block Waiting Integer: 5 - Character Waiting Integer: 8
+ Historical bytes: C9 03
  Category indicator byte: C9 (proprietary format)
+ TCK = 16 (correct checksum)

Possibly identified card (using /root/.cache/smartcard_list.txt):
        NONE

Your card is not present in the database.
Please submit your unknown card at:
http://smartcard-atr.appspot.com/parse?ATR=3BD218008131FE58C90316


==> and the relevant parts of 'messages':
gdm-smartcard][13744]: sign_value() failed:
gdm-smartcard][13744]: pam_pkcs11(gdm-smartcard:auth): sign_value() failed:
pcscd[13679]: 53619749 openct/proto-t1.c:379:t1_transceive() buffer overrun by 125 bytes
pcscd[13679]: 00000036 ifdwrapper.c:527:IFDTransmit() Card not transacted: 612
pcscd[13679]: 00000005 winscard.c:1606:SCardTransmit() Card not transacted: 0x80100016
pcscd[13679]: 00000068 openct/proto-t1.c:170:t1_transceive() T=1 state machine is DEAD. Reset the card first.
pcscd[13679]: 00000005 ifdwrapper.c:527:IFDTransmit() Card not transacted: 612
pcscd[13679]: 00000003 winscard.c:1606:SCardTransmit() Card not transacted: 0x80100016
[...]
gdm-smartcard][13749]: no valid certificate which meets all requirements found
gdm-smartcard][13749]: pam_pkcs11(gdm-smartcard:auth): no valid certificate which meets all requirements found
pcscd[13679]: 01109587 openct/proto-t1.c:170:t1_transceive() T=1 state machine is DEAD. Reset the card first.
pcscd[13679]: 00000022 ifdwrapper.c:527:IFDTransmit() Card not transacted: 612
pcscd[13679]: 00000005 winscard.c:1606:SCardTransmit() Card not transacted: 0x80100016
pcscd[13679]: 00000037 openct/proto-t1.c:170:t1_transceive() T=1 state machine is DEAD. Reset the card first.
pcscd[13679]: 00000004 ifdwrapper.c:527:IFDTransmit() Card not transacted: 612
pcscd[13679]: 00000002 winscard.c:1606:SCardTransmit() Card not transacted: 0x80100016
pcscd[13679]: 00000032 openct/proto-t1.c:170:t1_transceive() T=1 state machine is DEAD. Reset the card first.
pcscd[13679]: 00000003 ifdwrapper.c:527:IFDTransmit() Card not transacted: 612
pcscd[13679]: 00000003 winscard.c:1606:SCardTransmit() Card not transacted: 0x80100016
[...]

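The ATR decode that pcsc_scan prints above can be reproduced with a small parser. This is an added example, not code from the bug report or from pcsc-tools: it walks the interface-byte chain of ISO/IEC 7816-3 (Y(i) presence bits, TD(i) protocol nibbles), verifies the TCK check byte, and derives the same parameters pcsc_scan reports (Fi/Di and the resulting bit rate, IFSC and BWI/CWI for T=1). The lookup tables are the ISO/IEC 7816-3 ones; the sample input is the ATR captured in comment 11.

```python
"""Decode an ISO/IEC 7816-3 Answer To Reset (ATR).

Added example, not part of the bug report.  The sample ATR at the bottom
is the one captured in comment 11; the tables are from ISO/IEC 7816-3.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Clock-rate conversion integer Fi, max clock for that Fi index, and
# baud-rate adjustment integer Di.  Indices not listed are reserved.
FI = {0: 372, 1: 372, 2: 558, 3: 744, 4: 1116, 5: 1488, 6: 1860,
      9: 512, 10: 768, 11: 1024, 12: 1536, 13: 2048}
FMAX_HZ = {0: 4_000_000, 1: 5_000_000, 2: 6_000_000, 3: 8_000_000,
           4: 12_000_000, 5: 16_000_000, 6: 20_000_000, 9: 5_000_000,
           10: 7_500_000, 11: 10_000_000, 12: 15_000_000, 13: 20_000_000}
DI = {1: 1, 2: 2, 3: 4, 4: 8, 5: 16, 6: 32, 7: 64, 8: 12, 9: 20}


@dataclass
class Atr:
    convention: str               # "direct" (TS=3B) or "inverse" (TS=3F)
    interface: Dict[str, int]     # e.g. {"TA1": 0x18, "TD1": 0x81, ...}
    protocols: List[int]          # T values from the TD bytes; [0] if none
    historical: bytes
    tck: Optional[int]            # None when the ATR carries no check byte
    tck_ok: Optional[bool]
    fi: Optional[int] = None
    di: Optional[int] = None
    fmax_hz: Optional[int] = None
    ifsc: Optional[int] = None    # T=1 parameters from TA/TB after a TD with T=1
    bwi: Optional[int] = None
    cwi: Optional[int] = None


def parse_atr(raw: bytes) -> Atr:
    if len(raw) < 2:
        raise ValueError("ATR needs at least TS and T0")
    if raw[0] == 0x3B:
        convention = "direct"
    elif raw[0] == 0x3F:
        convention = "inverse"
    else:
        raise ValueError(f"bad TS byte {raw[0]:02X}")
    t0 = raw[1]
    k = t0 & 0x0F                 # number of historical bytes
    y = t0 >> 4                   # presence bits for TA1..TD1
    pos, i = 2, 1
    interface: Dict[str, int] = {}
    td_protocols: List[int] = []
    while True:
        for bit, name in ((1, "TA"), (2, "TB"), (4, "TC"), (8, "TD")):
            if y & bit:
                if pos >= len(raw):
                    raise ValueError(f"ATR truncated inside {name}{i}")
                interface[f"{name}{i}"] = raw[pos]
                pos += 1
        td = interface.get(f"TD{i}")
        if td is None:
            break
        td_protocols.append(td & 0x0F)
        y = td >> 4               # presence bits for the next group
        i += 1
    if pos + k > len(raw):
        raise ValueError("ATR truncated inside historical bytes")
    historical = bytes(raw[pos:pos + k])
    pos += k
    # TCK is present exactly when some TD offers a protocol other than T=0;
    # the XOR of every byte from T0 through TCK must then be zero.
    tck = tck_ok = None
    if any(t != 0 for t in td_protocols):
        if pos >= len(raw):
            raise ValueError("TCK missing")
        tck = raw[pos]
        pos += 1
        x = 0
        for b in raw[1:pos]:
            x ^= b
        tck_ok = x == 0
    if pos != len(raw):
        raise ValueError(f"{len(raw) - pos} unexpected trailing byte(s)")
    atr = Atr(convention, interface, td_protocols or [0], historical, tck, tck_ok)
    if "TA1" in interface:
        atr.fi = FI.get(interface["TA1"] >> 4)
        atr.fmax_hz = FMAX_HZ.get(interface["TA1"] >> 4)
        atr.di = DI.get(interface["TA1"] & 0x0F)
    # First TA/TB (i >= 3) following a TD that announces T=1 carry IFSC and BWI/CWI.
    for j in range(3, i + 1):
        if interface.get(f"TD{j - 1}", 0) & 0x0F == 1:
            if f"TA{j}" in interface:
                atr.ifsc = interface[f"TA{j}"]
            if f"TB{j}" in interface:
                atr.bwi = interface[f"TB{j}"] >> 4
                atr.cwi = interface[f"TB{j}"] & 0x0F
            break
    return atr


def etu_cycles(atr: Atr) -> int:
    """Clock cycles per elementary time unit: Fi / Di."""
    if atr.fi is None or atr.di is None:
        raise ValueError("TA1 absent or reserved")
    return atr.fi // atr.di


def bit_rate(atr: Atr, clock_hz: int) -> int:
    """Bits per second at the given card clock (one bit per etu)."""
    if atr.fi is None or atr.di is None:
        raise ValueError("TA1 absent or reserved")
    return clock_hz * atr.di // atr.fi


if __name__ == "__main__":
    a = parse_atr(bytes.fromhex("3BD218008131FE58C90316"))  # ATR from comment 11
    print(a)
    print(etu_cycles(a), "cycles/etu,", bit_rate(a, a.fmax_hz), "bit/s at fmax")
```

Run against the ATR from comment 11, the parser yields the same values pcsc_scan printed: direct convention, TA1/TC1/TD1, TD2, TA3/TB3 present, T=1 offered twice, historical bytes C9 03, a correct TCK of 16, 31 cycles per etu (129032 bit/s at 4 MHz, 161290 bit/s at the 5 MHz fmax), IFSC 254, BWI 5 and CWI 8. A flipped TCK is reported as a checksum failure rather than silently accepted, which is the check to apply before trusting any vendor-supplied ATR when adding a card to a driver's match list.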
Comment 21 Bob Relyea 2017-01-10 19:47:06 UTC
This is a dup of bug 1272186

*** This bug has been marked as a duplicate of bug 1272186 ***

Comment 22 Bob Relyea 2017-02-06 22:26:01 UTC
oops, This was the wrong bug to close as a dup.

Comment 26 Steffen Froemer 2017-02-08 14:52:35 UTC
Hi Asha, I sent them this morning. They should be on your side next week at the latest.
Just a short note: I only sent 3 of the 5 cards to you, as I would like to have 2 available locally to do some further tests too.
The cards which I sent over to you should fit every use case as well. Not sure what Bob has implemented. At first, the main problem was supporting the card as is, and this should be checked and verified with any of them, as every card is based on the same hardware. Only the number of certificates and root CAs differs on each.

Cheers, Steffen

Comment 27 Asha Akkiangady 2017-02-21 20:13:26 UTC
Hi Steffen,
I haven't received the cards, could you please give me shipment tracker url?
Thanks,
Asha

Comment 28 Steffen Froemer 2017-02-21 20:21:14 UTC
Damn, now you got me. I didn't think about choosing a trackable shipment.
OK, as I still have two cards available here, I will send these to you again.

This time with trackable shipment. 
I'll do this by tomorrow.

Sorry for the inconvenience.
Cheers, Steffen

Comment 29 Steffen Froemer 2017-02-25 10:13:05 UTC
Hi Asha,
I shipped the cards to you.

Tracking ID: RH064007315DE
Tracking URL: https://www.deutschepost.de/sendung/simpleQuery.html
Date of Shipment 24.02.2017

Cheers, Steffen

Comment 30 Asha Akkiangady 2017-03-01 18:02:39 UTC
Thanks Steffen. Today I received the first shipment of 3 cards. Providing qa_ack.

Comment 32 Bob Relyea 2017-03-18 01:05:15 UTC
fixed in coolkey-1.1.0-37.el7

Comment 34 Roshni 2017-04-11 15:45:25 UTC
Steffen,

I will need the CA certs associated with the cards to test smartcard login. Will you be able to provide them?

Thanks
Roshni

Comment 36 Roshni 2017-05-01 17:14:11 UTC
Bob,

I see
[root@dhcp129-77 ~]# pkcs11-tool -O --module=/usr/lib64/opensc-pkcs11.so
Using slot 0 with a present token (0x0)
Certificate Object; type = X.509 cert
  label:      Digital Signature
  ID:         11
Public Key Object; RSA 2048 bits
  label:      Digital Signature
  ID:         11
  Usage:      encrypt, verify
Certificate Object; type = X.509 cert
  label:      
  ID:         2d363034343935343531333335303638333134
Public Key Object; RSA 4096 bits
  label:      
  ID:         2d363034343935343531333335303638333134
  Usage:      encrypt, verify
Certificate Object; type = X.509 cert
  label:      
  ID:         2d34393634343439353433363734363530353634
Public Key Object; RSA 4096 bits
  label:      
  ID:         2d34393634343439353433363734363530353634
  Usage:      encrypt, verify
Certificate Object; type = X.509 cert
  label:      Encryption
  ID:         58
Public Key Object; RSA 2048 bits
  label:      Encryption
  ID:         58
  Usage:      encrypt, verify
Certificate Object; type = X.509 cert
  label:      
  ID:         2d38393730353830333738343337323736343737
Public Key Object; RSA 4096 bits
  label:      
  ID:         2d38393730353830333738343337323736343737
  Usage:      encrypt, verify
Certificate Object; type = X.509 cert
  label:      Non Repudiation
  ID:         33
Public Key Object; RSA 2048 bits
  label:      Non Repudiation
  ID:         33
  Usage:      encrypt, verify
Certificate Object; type = X.509 cert
  label:      
  ID:         2d31353437323132373237323537313430323734
Public Key Object; RSA 4096 bits
  label:      
  ID:         2d31353437323132373237323537313430323734
  Usage:      encrypt, verify
Data object 15748320
  label:          'ProfileId'
  application:    ''
  app_id:         <empty>
  flags:          <empty>

but Firefox lists only 4 certs

Comment 37 Bob Relyea 2017-05-03 18:04:23 UTC
Firefox only shows the user certs.

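A way to audit what pkcs11-tool -O reports, and to separate the certificates that have a matching private key on the token (the user certificates a browser would offer) from the rest, as an added example that is not part of the bug report or of OpenSC: it parses the listing into objects and pairs them by CKA_ID. Private Key Objects are only listed when pkcs11-tool is run with --login, so the constructed sample below adds one such entry to a subset of the listing quoted in comment 36; the "user" versus "other" split is this example's own heuristic, not something the page states about Firefox's selection logic.

```python
"""Parse `pkcs11-tool -O` output and pair objects that share a CKA_ID.

Added example, not from the bug report or from OpenSC.  SAMPLE is a
constructed subset of the listing in comment 36 plus one Private Key
Object of the kind pkcs11-tool prints only after --login.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

SAMPLE = """\
Using slot 0 with a present token (0x0)
Certificate Object; type = X.509 cert
  label:      Digital Signature
  ID:         11
Public Key Object; RSA 2048 bits
  label:      Digital Signature
  ID:         11
  Usage:      encrypt, verify
Private Key Object; RSA 
  label:      Digital Signature
  ID:         11
  Usage:      decrypt, sign
  Access:     sensitive, always sensitive, never extractable
Certificate Object; type = X.509 cert
  label:      
  ID:         2d363034343935343531333335303638333134
Public Key Object; RSA 4096 bits
  label:      
  ID:         2d363034343935343531333335303638333134
  Usage:      encrypt, verify
Certificate Object; type = X.509 cert
  label:      Encryption
  ID:         58
Public Key Object; RSA 2048 bits
  label:      Encryption
  ID:         58
  Usage:      encrypt, verify
Data object 15748320
  label:          'ProfileId'
  application:    ''
"""

# An object starts at column 0 with its class; attributes follow, indented.
HEADER_RE = re.compile(
    r"^(Certificate Object|Public Key Object|Private Key Object|"
    r"Secret Key Object|Data object)\b(.*)$")
ATTR_RE = re.compile(r"^\s+([A-Za-z_]+):\s*(.*?)\s*$")


def parse_objects(text: str) -> List[Dict[str, str]]:
    """Return one dict per listed object: 'kind', 'detail' and lower-cased attributes."""
    objs: List[Dict[str, str]] = []
    cur = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            cur = {"kind": m.group(1), "detail": m.group(2).strip("; ").strip()}
            objs.append(cur)
            continue
        m = ATTR_RE.match(line)
        if m and cur is not None:
            cur[m.group(1).lower()] = m.group(2)   # empty label -> ""
    return objs


def group_by_id(objs: List[Dict[str, str]]) -> Dict[str, Dict[str, Dict[str, str]]]:
    """CKA_ID (hex, as printed) -> {object kind -> object}; objects without an ID are skipped."""
    groups: Dict[str, Dict[str, Dict[str, str]]] = defaultdict(dict)
    for o in objs:
        if "id" in o:
            groups[o["id"]][o["kind"]] = o
    return dict(groups)


def classify(objs: List[Dict[str, str]]) -> Tuple[List[str], List[str], List[str]]:
    """Split CKA_IDs into (cert with private key, cert without one, key without cert)."""
    user, other, orphan = [], [], []
    for cka_id, g in group_by_id(objs).items():
        has_cert = "Certificate Object" in g
        has_priv = "Private Key Object" in g
        if has_cert and has_priv:
            user.append(cka_id)
        elif has_cert:
            other.append(cka_id)
        elif has_priv or "Public Key Object" in g:
            orphan.append(cka_id)
    return user, other, orphan


if __name__ == "__main__":
    objs = parse_objects(SAMPLE)
    user, other, orphan = classify(objs)
    print("certs with private key:", user)
    print("certs without private key:", other)
    print("keys without cert:", orphan)
```

On the sample this reports ID 11 as the only certificate backed by a private key, the unlabeled 4096-bit certificate and the "Encryption" certificate as certificates without one (because the sample carries no private key for them), and no stray keys. Feed it the full --login listing of a real token and the orphan list is the interesting output: a private key with no certificate, or a certificate whose key lives under a different CKA_ID, is exactly the mismatch that makes a PKCS#11 consumer skip a credential.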
Comment 38 Roshni 2017-05-03 19:08:00 UTC
[root@dhcp129-77 ~]# rpm -qi coolkey
Name        : coolkey
Version     : 1.1.0
Release     : 37.el7
Architecture: x86_64
Install Date: Wed 19 Apr 2017 01:47:29 PM EDT
Group       : System Environment/Libraries
Size        : 304340
License     : LGPLv2
Signature   : RSA/SHA256, Wed 22 Mar 2017 07:09:51 PM EDT, Key ID 199e2f91fd431d51
Source RPM  : coolkey-1.1.0-37.el7.src.rpm
Build Date  : Fri 17 Mar 2017 09:08:23 PM EDT
Build Host  : x86-038.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://directory.fedora.redhat.com/wiki/CoolKey

The certs on the card were detected successfully by Firefox and the coolkey test tool. GDM login and pklogin_finder were successful.

Comment 39 errata-xmlrpc 2017-08-01 21:45:22 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:2194

