Bug 1373164 (rhel7-opensc-with-cac) - opensc: include support for CAC and coolkey (and rebase to 0.16 or newer)
Summary: opensc: include support for CAC and coolkey (and rebase to 0.16 or newer)
Keywords:
Status: CLOSED ERRATA
Alias: rhel7-opensc-with-cac
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: opensc
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Jakub Jelen
QA Contact: Asha Akkiangady
Mirek Jahoda
URL:
Whiteboard:
Depends On: 1081088 1380615 1411826 1411829
Blocks: 1367919 1371038 1377248
Reported: 2016-09-05 11:48 UTC by Nikos Mavrogiannopoulos
Modified: 2021-03-11 14:41 UTC (History)

Fixed In Version: opensc-0.16.0-1.20170227git777e2a3.el7
Doc Type: Rebase: Bug Fixes and Enhancements
Doc Text:
_opensc_ rebased to version 0.16.0

The _opensc_ package has been upgraded to upstream version 0.16.0, which provides a number of bug fixes and enhancements over the previous version. Notable enhancements include:

* Added support for CoolKey applets.
* Added support for Common Access Card (CAC) cards.
Clone Of:
Environment:
Last Closed: 2017-08-01 20:49:06 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:1989 0 normal SHIPPED_LIVE opensc bug fix and enhancement update 2017-08-01 18:32:58 UTC

Description Nikos Mavrogiannopoulos 2016-09-05 11:48:53 UTC
Currently we support smart cards in RHEL via the coolkey module which supports Coolkey cards, CAC and PIV cards. There are customers who ask for opensc module support which supports PIV and other cards.

To simplify work-flows we should avoid having multiple PKCS#11 libraries, and provide one which can be used with all the cards we support. For that we should combine all the drivers to a single package, opensc, and as such we need to bring CAC and coolkey support to opensc.

For more information see http://wiki.brq.redhat.com/SecurityTechnologies/CryptoTeam/CoolkeyToOpenSCTransition

Comment 6 Roshni 2017-05-12 14:25:03 UTC
[root@dhcp129-77 ~]# rpm -qi opensc
Name        : opensc
Version     : 0.16.0
Release     : 4.20170227git777e2a3.el7
Architecture: x86_64
Install Date: Mon 01 May 2017 01:34:30 PM EDT
Group       : System Environment/Libraries
Size        : 3256689
License     : LGPLv2+
Signature   : RSA/SHA256, Thu 13 Apr 2017 04:32:48 AM EDT, Key ID 199e2f91fd431d51
Source RPM  : opensc-0.16.0-4.20170227git777e2a3.el7.src.rpm
Build Date  : Thu 13 Apr 2017 04:04:15 AM EDT
Build Host  : x86-017.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : https://github.com/OpenSC/OpenSC/wiki
Summary     : Smart card library and applications

All cards were detected by Firefox, esc and pkcs11-tool. Noticed this issue for coolkey cards https://bugzilla.redhat.com/show_bug.cgi?id=1448555

Comment 7 Roshni 2017-05-15 15:32:52 UTC
Jakub,

I had 1 question about PIV cards. Certain PIV cards have an application PIN and a global PIN; coolkey on Firefox prompts for the application PIN for those cards, whereas opensc with Firefox prompts for the global PIN. Why is there this difference?

Comment 8 Jakub Jelen 2017-05-16 11:32:05 UTC
That is a very good question! I never used Coolkey properly, so I noticed only that it asked for various PINs, but never noticed that it is different on coolkey. I believe the PIV documents should be able to answer that:

http://csrc.nist.gov/groups/SNS/piv/documents/test-piv-card-data-specifications.pdf

On page 4 we can see what the PINs are and which one is the default. It also says it is not so easy when one or the other should be used for which card. What PIV test card were you using to notice this behavior? Does it work according to this table?

OpenSC should be reading this preference from the Discovery object as described in the document above. If it does not, it is a bug. If coolkey ignores this, it is a bug in Coolkey (but probably not serious since it didn't matter for years).
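
The Discovery object lookup discussed in the comment above, as an added example that is not part of the original bug report and is not OpenSC's or Coolkey's code. The names `tlv_find` and `piv_preferred_pin` are hypothetical; the tag values (0x7E, 0x5F2F), PIN Usage Policy bits and key references (0x80 application PIN, 0x00 global PIN) are taken from NIST SP 800-73 rather than from this page, and the sample objects are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PIV_PIN_APP    0x80 /* key reference: PIV Card Application PIN */
#define PIV_PIN_GLOBAL 0x00 /* key reference: Global PIN */
/* Find `tag` among the BER-TLV items in buf[0..len). Handles one- and two-byte
 * tags and short or 0x81 lengths. Returns the value pointer, or NULL. */
static const uint8_t *tlv_find(const uint8_t *buf, size_t len, unsigned tag,
                               size_t *vlen)
{
    size_t i = 0;
    while (i < len) {
        unsigned t = buf[i++];
        if ((t & 0x1f) == 0x1f) {          /* two-byte tag such as 5F 2F */
            if (i >= len) return NULL;
            t = (t << 8) | buf[i++];
        }
        if (i >= len) return NULL;
        size_t l = buf[i++];
        if (l == 0x81 && i < len) l = buf[i++];
        else if (l & 0x80) return NULL;    /* truncated or unsupported length */
        if (l > len - i) return NULL;      /* value would run past the buffer */
        if (t == tag) { *vlen = l; return buf + i; }
        i += l;
    }
    return NULL;
}

/* Key reference to prompt for, or -1 when the object cannot be parsed. */
int piv_preferred_pin(const uint8_t *obj, size_t len)
{
    size_t tl, pl;
    const uint8_t *tmpl = tlv_find(obj, len, 0x7E, &tl);
    const uint8_t *pol = tmpl ? tlv_find(tmpl, tl, 0x5F2F, &pl) : NULL;
    if (!pol || pl != 2) return -1;
    /* Global PIN only when it is both accepted (0x20) and marked primary. */
    if ((pol[0] & 0x20) && pol[1] == 0x20) return PIV_PIN_GLOBAL;
    return PIV_PIN_APP;
}

/* Constructed sample objects: same AID, different PIN Usage Policy bytes. */
static const uint8_t APP_ONLY[] = {0x7E,0x12,0x4F,0x0B,0xA0,0,0,3,8,0,0,0x10,0,1,0,0x5F,0x2F,2,0x40,0x00};
static const uint8_t GLOBAL_PRIMARY[] = {0x7E,0x12,0x4F,0x0B,0xA0,0,0,3,8,0,0,0x10,0,1,0,0x5F,0x2F,2,0x60,0x20};
int main(void) {
    printf("%d %d\n", piv_preferred_pin(APP_ONLY, sizeof APP_ONLY),
           piv_preferred_pin(GLOBAL_PRIMARY, sizeof GLOBAL_PRIMARY));
    return 0;
}
```

A card that accepts both PINs but marks the application PIN as primary (policy bytes `60 10`) still yields 0x80, which is the case where two middleware stacks can disagree if one of them ignores the second byte.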

Comment 10 errata-xmlrpc 2017-08-01 20:49:06 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1989

