Bug 1345849
| Summary: | [RFE] Provide support for ATOS (Siemens) CardOS 5.0 in RHEL | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Steffen Froemer <sfroemer> | |
| Component: | coolkey | Assignee: | Bob Relyea <rrelyea> | |
| Status: | CLOSED ERRATA | QA Contact: | Asha Akkiangady <aakkiang> | |
| Severity: | high | Docs Contact: | ||
| Priority: | high | |||
| Version: | 7.3 | CC: | arubin, cww, mgrepl, nmavrogi, rpattath, rrelyea, sfroemer, tscherf | |
| Target Milestone: | rc | Keywords: | FutureFeature, Reopened | |
| Target Release: | --- | |||
| Hardware: | All | |||
| OS: | Linux | |||
| Whiteboard: | ||||
| Fixed In Version: | coolkey-1.1.0-37.el7 | Doc Type: | Enhancement | |
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 1411829 (view as bug list) | Environment: | ||
| Last Closed: | 2017-08-01 21:45:22 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 1298243, 1411829 | |||
We need sample cards for devel and QA. We have samples for TOS 4.0. NOTE: if we make opensc a supported option in 7.4, then this bug becomes moot.

I have a set of cards available, but only one. I'll ask the customer for an additional same set of cards and then I can send them to devel and QA. What do you mean by opensc support? Will opensc completely replace the coolkey framework? Especially sharing the card with virtual guests is one of the needs of my customer.

That's the long term plan. The time table is still open for when that happens. At the most we will have both coolkey and openSC support in RHEL 7.4. It should support virtual CAC card on guests. bob

Hi, as I currently have a set of sample cards, I would like to send these to the development. Can you give me the address where I should send the cards to? When I get the second one, I would send these to QA. With the first cards, you can start developing.

Hi, I'm able to send the cards to engineering and QA, if someone can tell me the address.

Engineering: Bob Relyea, Red Hat, 444 Castro Street, Suite 500, Mountain View, CA
QA: Asha Akkiangady, Red Hat Tower, 100 E. Davie Street, Raleigh, NC 27601

Hello Bob, Cards should be shipped to you. Can you confirm?

Hi, some additional information. I ran 'pcsc_scan' of package 'pcsc-tools' @ Arch-linux with inserted M5.3 smartcard.
-> pcsc_scan is not able to identify the correct card
The output of pcsc_scan was following:
PC/SC device scanner
V 1.4.27 (c) 2001-2011, Ludovic Rousseau <ludovic.rousseau>
Compiled with PC/SC lite version: 1.8.16
Using reader plug'n play mechanism
Scanning present readers...
0: Gemalto PC Twin Reader (049A8E6E) 00 00
Tue Sep 20 17:13:23 2016
Reader 0: Gemalto PC Twin Reader (049A8E6E) 00 00
Card state: Card inserted,
ATR: 3B D2 18 00 81 31 FE 58 C9 03 16
ATR: 3B D2 18 00 81 31 FE 58 C9 03 16
+ TS = 3B --> Direct Convention
+ T0 = D2, Y(1): 1101, K: 2 (historical bytes)
TA(1) = 18 --> Fi=372, Di=12, 31 cycles/ETU
129032 bits/s at 4 MHz, fMax for Fi = 5 MHz => 161290 bits/s
TC(1) = 00 --> Extra guard time: 0
TD(1) = 81 --> Y(i+1) = 1000, Protocol T = 1
-----
TD(2) = 31 --> Y(i+1) = 0011, Protocol T = 1
-----
TA(3) = FE --> IFSC: 254
TB(3) = 58 --> Block Waiting Integer: 5 - Character Waiting Integer: 8
+ Historical bytes: C9 03
Category indicator byte: C9 (proprietary format)
+ TCK = 16 (correct checksum)
Possibly identified card (using /root/.cache/smartcard_list.txt):
NONE
Your card is not present in the database.
Please submit your unknown card at:
http://smartcard-atr.appspot.com/parse?ATR=3BD218008131FE58C90316
==> and the appropriate parts in 'messages'
gdm-smartcard][13744]: sign_value() failed:
gdm-smartcard][13744]: pam_pkcs11(gdm-smartcard:auth): sign_value() failed:
pcscd[13679]: 53619749 openct/proto-t1.c:379:t1_transceive() buffer overrun by 125 bytes
pcscd[13679]: 00000036 ifdwrapper.c:527:IFDTransmit() Card not transacted: 612
pcscd[13679]: 00000005 winscard.c:1606:SCardTransmit() Card not transacted: 0x80100016
pcscd[13679]: 00000068 openct/proto-t1.c:170:t1_transceive() T=1 state machine is DEAD. Reset the card first.
pcscd[13679]: 00000005 ifdwrapper.c:527:IFDTransmit() Card not transacted: 612
pcscd[13679]: 00000003 winscard.c:1606:SCardTransmit() Card not transacted: 0x80100016
[...]
gdm-smartcard][13749]: no valid certificate which meets all requirements found
gdm-smartcard][13749]: pam_pkcs11(gdm-smartcard:auth): no valid certificate which meets all requirements found
pcscd[13679]: 01109587 openct/proto-t1.c:170:t1_transceive() T=1 state machine is DEAD. Reset the card first.
pcscd[13679]: 00000022 ifdwrapper.c:527:IFDTransmit() Card not transacted: 612
pcscd[13679]: 00000005 winscard.c:1606:SCardTransmit() Card not transacted: 0x80100016
pcscd[13679]: 00000037 openct/proto-t1.c:170:t1_transceive() T=1 state machine is DEAD. Reset the card first.
pcscd[13679]: 00000004 ifdwrapper.c:527:IFDTransmit() Card not transacted: 612
pcscd[13679]: 00000002 winscard.c:1606:SCardTransmit() Card not transacted: 0x80100016
pcscd[13679]: 00000032 openct/proto-t1.c:170:t1_transceive() T=1 state machine is DEAD. Reset the card first.
pcscd[13679]: 00000003 ifdwrapper.c:527:IFDTransmit() Card not transacted: 612
pcscd[13679]: 00000003 winscard.c:1606:SCardTransmit() Card not transacted: 0x80100016
[...]
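The pcsc_scan decode above can be reproduced and, more usefully, checked: the TCK line is what tells you whether the reader delivered the ATR intact before you start chasing the T=1 errors in 'messages'. The ATR decoder below is an added example written for this page, not code from the bug report, coolkey or pcsc-tools; it assumes only the ISO/IEC 7816-3 ATR layout and uses the ATR quoted above as its sample input.

```python
from functools import reduce
from operator import xor

# Fi / Di conversion tables from ISO/IEC 7816-3 (None = reserved value)
FI = [372, 372, 558, 744, 1116, 1488, 1860, None, None, 512, 768, 1024, 1536, 2048, None, None]
DI = [None, 1, 2, 4, 8, 16, 32, 64, 12, 20, None, None, None, None, None, None]
# ATR quoted in the bug report's pcsc_scan output
CARDOS_ATR = "3B D2 18 00 81 31 FE 58 C9 03 16"

def parse_atr(atr_hex):
    """Decode an ATR into interface bytes, offered protocols, historical bytes and TCK status."""
    atr = bytes.fromhex(atr_hex.replace(" ", ""))
    if atr[0] not in (0x3B, 0x3F):
        raise ValueError("TS must be 3B (direct) or 3F (inverse convention)")
    out = {"TS": atr[0], "interface": {}, "protocols": set(), "tck_ok": None}
    k, y = atr[1] & 0x0F, atr[1] >> 4      # T0: K historical bytes, Y(1) presence bits
    pos, i = 2, 1
    while True:
        for bit, name in ((1, "TA"), (2, "TB"), (4, "TC"), (8, "TD")):
            if y & bit:
                out["interface"][f"{name}{i}"] = atr[pos]
                pos += 1
        td = out["interface"].get(f"TD{i}")
        if td is None:
            break                           # no TD(i): interface bytes end here
        out["protocols"].add(td & 0x0F)
        y, i = td >> 4, i + 1
    out["protocols"] = out["protocols"] or {0}   # no TD1 at all means T=0 only
    out["historical"] = atr[pos:pos + k]
    pos += k
    if out["protocols"] != {0}:
        # TCK exists only if a protocol other than T=0 is offered; it must equal
        # the XOR of every byte from T0 up to (not including) TCK itself.
        out["tck_ok"] = reduce(xor, atr[1:pos]) == atr[pos]
        pos += 1
    if pos != len(atr):
        raise ValueError("ATR length does not match its interface/historical bytes")
    ta1 = out["interface"].get("TA1", 0x11)          # default Fi=372, Di=1
    fi, di = FI[ta1 >> 4], DI[ta1 & 0x0F]
    out["cycles_per_etu"] = fi // di if fi and di else None
    td2 = out["interface"].get("TD2")
    if td2 is not None and td2 & 0x0F == 1:         # TA3/TB3 are then T=1 specific
        if "TA3" in out["interface"]:
            out["IFSC"] = out["interface"]["TA3"]
        if "TB3" in out["interface"]:
            tb3 = out["interface"]["TB3"]
            out["BWI"], out["CWI"] = tb3 >> 4, tb3 & 0x0F
    return out
```

Running `parse_atr(CARDOS_ATR)` yields the same TA1/TD1/TD2/TA3/TB3 values, 31 cycles/ETU, IFSC 254, BWI 5, CWI 8 and a correct TCK as pcsc_scan reports above; a corrupted last byte is flagged by `tck_ok` being False.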
This is a dup of bug 1272186
*** This bug has been marked as a duplicate of bug 1272186 ***

oops, This was the wrong bug to close as a dup.

Hi Asha, I sent them this morning. Should be on your side next week at the latest.

Just a short note. I only sent 3 of 5 cards to you, as I would like to have 2 available locally, to do some further tests too. The cards which I sent over to you should fit every use case as well. Not sure what Bob has implemented. At first, the main problem was supporting the card as is. And this should be checked and verified with any of them, as every card is based on the same hardware. Only the amount of Certificates and Root-CA are different on each. Cheers, Steffen

Hi Steffen, I haven't received the cards, could you please give me the shipment tracker url? Thanks, Asha

Damn, now you got me. I didn't think about choosing a trackable shipment. Ok, as I still have two cards available here, I will send these to you again. This time with trackable shipment. I'll do this by tomorrow. Sorry for the inconvenience. Cheers, Steffen

Hi Asha, I shipped the cards to you.
Tracking ID: RH064007315DE
Tracking URL: https://www.deutschepost.de/sendung/simpleQuery.html
Date of Shipment 24.02.2017
Cheers, Steffen

Thanks Steffen. Today I received the first shipment of 3 cards. Providing qa_ack.

fixed in coolkey-1.1.0-37.el7

Steffen, I will need the CA certs associated with the cards to test smartcard login. Will you be able to provide them?
Thanks Roshni

Bob, I see
[root@dhcp129-77 ~]# pkcs11-tool -O --module=/usr/lib64/opensc-pkcs11.so
Using slot 0 with a present token (0x0)
Certificate Object; type = X.509 cert
  label:      Digital Signature
  ID:         11
Public Key Object; RSA 2048 bits
  label:      Digital Signature
  ID:         11
  Usage:      encrypt, verify
Certificate Object; type = X.509 cert
  label:
  ID:         2d363034343935343531333335303638333134
Public Key Object; RSA 4096 bits
  label:
  ID:         2d363034343935343531333335303638333134
  Usage:      encrypt, verify
Certificate Object; type = X.509 cert
  label:
  ID:         2d34393634343439353433363734363530353634
Public Key Object; RSA 4096 bits
  label:
  ID:         2d34393634343439353433363734363530353634
  Usage:      encrypt, verify
Certificate Object; type = X.509 cert
  label:      Encryption
  ID:         58
Public Key Object; RSA 2048 bits
  label:      Encryption
  ID:         58
  Usage:      encrypt, verify
Certificate Object; type = X.509 cert
  label:
  ID:         2d38393730353830333738343337323736343737
Public Key Object; RSA 4096 bits
  label:
  ID:         2d38393730353830333738343337323736343737
  Usage:      encrypt, verify
Certificate Object; type = X.509 cert
  label:      Non Repudiation
  ID:         33
Public Key Object; RSA 2048 bits
  label:      Non Repudiation
  ID:         33
  Usage:      encrypt, verify
Certificate Object; type = X.509 cert
  label:
  ID:         2d31353437323132373237323537313430323734
Public Key Object; RSA 4096 bits
  label:
  ID:         2d31353437323132373237323537313430323734
  Usage:      encrypt, verify
Data object 15748320
  label:          'ProfileId'
  application:    ''
  app_id:         <empty>
  flags:          <empty>
but Firefox lists only 4 certs

Firefox only shows the user certs.

[root@dhcp129-77 ~]# rpm -qi coolkey
Name        : coolkey
Version     : 1.1.0
Release     : 37.el7
Architecture: x86_64
Install Date: Wed 19 Apr 2017 01:47:29 PM EDT
Group       : System Environment/Libraries
Size        : 304340
License     : LGPLv2
Signature   : RSA/SHA256, Wed 22 Mar 2017 07:09:51 PM EDT, Key ID 199e2f91fd431d51
Source RPM  : coolkey-1.1.0-37.el7.src.rpm
Build Date  : Fri 17 Mar 2017 09:08:23 PM EDT
Build Host  : x86-038.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://directory.fedora.redhat.com/wiki/CoolKey
The certs on the card were detected successfully by firefox and coolkey test tool. GDM login and pklogin_finder were successful

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHEA-2017:2194
1. Proposed title of this feature request
Provide support for ATOS (Siemens) CardOS 5.0 in RHEL

3. What is the nature and description of the request?
Customer is using USB Smartcard reader and Smartcards with Certificates for authentication purposes. With RHEL 7.2 the support of ATOS (Siemens) CardOS 4.4 is given, but by the end of year 2016 they will use ATOS CardOS 5.0 and they need support of this CardOS too. So we need to enhance the coolkey framework to support this version as well.

4. Why does the customer need this? (List the business requirements here)
Customer uses Smartcard as two-factor authentication method for Single-Sign-On, email signing.

5. How would the customer like to achieve this? (List the functional requirements here)
Enhance the coolkey framework for supporting ATOS (Siemens) CardOS 5.0

6. For each functional requirement listed, specify how Red Hat and the customer can test to confirm the requirement is successfully implemented.
The Customer will provide some DEMO cards, when available.

7. Is there already an existing RFE upstream or in Red Hat Bugzilla?
found none

8. Does the customer have any specific timeline dependencies and which release would they like to target (i.e. RHEL5, RHEL6)?
Support in RHEL7 by end of this year.

9. Is the sales team involved in this request and do they have any additional input?
not yet

10. List any affected packages or components.
coolkey, ESC

11. Would the customer be able to assist in testing this functionality if implemented?
Yes