Currently we support smart cards in RHEL via the coolkey module, which supports Coolkey cards, CAC and PIV cards. There are customers who ask for opensc module support, which supports PIV and other cards. To simplify workflows we should avoid having multiple PKCS#11 libraries, and provide one which can be used with all the cards we support. For that we should combine all the drivers into a single package, opensc, and as such we need to bring CAC and coolkey support to opensc. For more information see http://wiki.brq.redhat.com/SecurityTechnologies/CryptoTeam/CoolkeyToOpenSCTransition
[root@dhcp129-77 ~]# rpm -qi opensc
Name        : opensc
Version     : 0.16.0
Release     : 4.20170227git777e2a3.el7
Architecture: x86_64
Install Date: Mon 01 May 2017 01:34:30 PM EDT
Group       : System Environment/Libraries
Size        : 3256689
License     : LGPLv2+
Signature   : RSA/SHA256, Thu 13 Apr 2017 04:32:48 AM EDT, Key ID 199e2f91fd431d51
Source RPM  : opensc-0.16.0-4.20170227git777e2a3.el7.src.rpm
Build Date  : Thu 13 Apr 2017 04:04:15 AM EDT
Build Host  : x86-017.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : https://github.com/OpenSC/OpenSC/wiki
Summary     : Smart card library and applications

All cards were detected by Firefox, esc and pkcs11-tool. Noticed this issue for coolkey cards: https://bugzilla.redhat.com/show_bug.cgi?id=1448555
Jakub, I had 1 question about PIV cards. Certain PIV cards have an application PIN and a global PIN. Coolkey on Firefox prompts for the application PIN for those cards, whereas opensc with Firefox prompts for the global PIN. Why is there this difference?
That is a very good question! I never used Coolkey properly so I noticed only that it asked for various PINs, but never noticed that it is different on coolkey. I believe the PIV documents should be able to answer that: http://csrc.nist.gov/groups/SNS/piv/documents/test-piv-card-data-specifications.pdf On Page 4 we can see what the PINs are and which one is the default. It also says it is not so easy when one or the other should be used for which card. What PIV Test card were you using to notice this behavior? Does it work according to this table? OpenSC should be reading this preference from the Discovery object as described in the document above. If it does not, it is a bug. If coolkey ignores this it is a bug in Coolkey (but probably not serious since it didn't matter for years).
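Added example, not part of the bug thread and not OpenSC or Coolkey code: a sketch of reading the PIN preference from a PIV Discovery Object, which is the check the comment above says decides whether the application PIN or the global PIN is prompted for. It assumes the NIST SP 800-73 layout (template 0x7E, PIN Usage Policy in tag 0x5F2F, key references 0x80 and 0x00); the function name and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PIV_KEYREF_GLOBAL_PIN 0x00 /* SP 800-73 key reference: Global PIN */
#define PIV_KEYREF_APP_PIN    0x80 /* SP 800-73 key reference: PIV Card Application PIN */

/* Hypothetical helper: walk the 0x7E Discovery Object, find tag 0x5F2F and
 * return the key reference to prompt for, or -1 if the object is malformed. */
int piv_preferred_pin(const uint8_t *buf, size_t len)
{
    if (len < 2 || buf[0] != 0x7E || buf[1] > 0x7F || (size_t)buf[1] != len - 2)
        return -1;
    size_t i = 2;
    while (i < len) {
        unsigned tag = buf[i++];
        if ((tag & 0x1F) == 0x1F) {          /* two-byte tag such as 5F 2F */
            if (i >= len) return -1;
            tag = (tag << 8) | buf[i++];
        }
        if (i >= len || buf[i] > 0x7F) return -1; /* short-form lengths only */
        size_t vlen = buf[i++];
        if (vlen > len - i) return -1;       /* value would run past the buffer */
        if (tag == 0x5F2F) {
            if (vlen != 2) return -1;
            uint8_t allowed = buf[i], primary = buf[i + 1];
            if (!(allowed & 0x40)) return -1; /* application PIN bit must be set */
            /* Global PIN wins only if it is allowed (0x20) and marked primary (0x20). */
            if ((allowed & 0x20) && primary == 0x20)
                return PIV_KEYREF_GLOBAL_PIN;
            return PIV_KEYREF_APP_PIN;
        }
        i += vlen;
    }
    return -1; /* policy tag missing from the Discovery Object */
}

/* Constructed samples: PIV AID in tag 4F, then the two policy bytes. */
#define DISC_PREFIX 0x7E, 0x12, 0x4F, 0x0B, 0xA0, 0x00, 0x00, 0x03, 0x08, \
                    0x00, 0x00, 0x10, 0x00, 0x01, 0x00, 0x5F, 0x2F, 0x02
static const uint8_t app_only[]       = { DISC_PREFIX, 0x40, 0x00 };
static const uint8_t global_primary[] = { DISC_PREFIX, 0x60, 0x20 };
static const uint8_t app_primary[]    = { DISC_PREFIX, 0x60, 0x10 };

int main(void)
{
    printf("app PIN only:        %d\n", piv_preferred_pin(app_only, sizeof app_only));
    printf("both, global first:  %d\n", piv_preferred_pin(global_primary, sizeof global_primary));
    printf("both, app first:     %d\n", piv_preferred_pin(app_primary, sizeof app_primary));
    return 0;
}
```

Dumping the Discovery Object of the test card in question and running it through a check like this shows which of the two modules is following the card's stated preference.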
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:1989