Bug 1373164 (rhel7-opensc-with-cac) - opensc: include support for CAC and coolkey (and rebase to 0.16 or newer)
Summary: opensc: include support for CAC and coolkey (and rebase to 0.16 or newer)
Status: CLOSED ERRATA
Alias: rhel7-opensc-with-cac
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: opensc
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Jakub Jelen
QA Contact: Asha Akkiangady
Mirek Jahoda
Keywords: HardwareEnablement, Rebase
Depends On: 1081088 1380615 1411826 1411829
Blocks: 1377248 1367919 1371038
Reported: 2016-09-05 11:48 UTC by Nikos Mavrogiannopoulos
Modified: 2018-12-12 12:48 UTC (History)
_opensc_ rebased to version 0.16.0

The _opensc_ package has been upgraded to upstream version 0.16.0, which provides a number of bug fixes and enhancements over the previous version. Notable enhancements include: 

 * Added support for CoolKey applets.

 * Added support for Common Access Card (CAC) cards.
Last Closed: 2017-08-01 20:49:06 UTC


External Trackers
| Tracker | ID | Priority | Status | Summary | Last Updated |
|---|---|---|---|---|---|
| Red Hat Product Errata | RHBA-2017:1989 | normal | SHIPPED_LIVE | opensc bug fix and enhancement update | 2017-08-01 18:32:58 UTC |

Description Nikos Mavrogiannopoulos 2016-09-05 11:48:53 UTC
Currently we support smart cards in RHEL via the coolkey module, which supports Coolkey cards, CAC and PIV cards. There are customers who ask for opensc module support, which supports PIV and other cards.

To simplify workflows we should avoid having multiple PKCS#11 libraries, and provide one which can be used with all the cards we support. For that we should combine all the drivers into a single package, opensc, and as such we need to bring CAC and coolkey support to opensc.

For more information see http://wiki.brq.redhat.com/SecurityTechnologies/CryptoTeam/CoolkeyToOpenSCTransition

Comment 6 Roshni 2017-05-12 14:25:03 UTC
[root@dhcp129-77 ~]# rpm -qi opensc
Name        : opensc
Version     : 0.16.0
Release     : 4.20170227git777e2a3.el7
Architecture: x86_64
Install Date: Mon 01 May 2017 01:34:30 PM EDT
Group       : System Environment/Libraries
Size        : 3256689
License     : LGPLv2+
Signature   : RSA/SHA256, Thu 13 Apr 2017 04:32:48 AM EDT, Key ID 199e2f91fd431d51
Source RPM  : opensc-0.16.0-4.20170227git777e2a3.el7.src.rpm
Build Date  : Thu 13 Apr 2017 04:04:15 AM EDT
Build Host  : x86-017.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : https://github.com/OpenSC/OpenSC/wiki
Summary     : Smart card library and applications

All cards were detected by Firefox, esc and pkcs11-tool. Noticed this issue for coolkey cards https://bugzilla.redhat.com/show_bug.cgi?id=1448555

Comment 7 Roshni 2017-05-15 15:32:52 UTC
Jakub,

I had 1 question about PIV cards. Certain PIV cards have an application PIN and a global PIN. Coolkey on Firefox prompts for the application PIN for those cards, whereas opensc with Firefox prompts for the global PIN. Why is there this difference?

Comment 8 Jakub Jelen 2017-05-16 11:32:05 UTC
That is a very good question! I never used Coolkey properly, so I noticed only that it asked for various PINs, but never noticed that it is different on Coolkey. I believe the PIV documents should be able to answer that:

http://csrc.nist.gov/groups/SNS/piv/documents/test-piv-card-data-specifications.pdf

On page 4 we can see what the PINs are and which one is the default. It also says it is not so easy when one or the other should be used for which card. What PIV Test card were you using to notice this behavior? Does it work according to this table?

OpenSC should be reading this preference from the Discovery object as described in the document above. If it does not, it is a bug. If Coolkey ignores this, it is a bug in Coolkey (but probably not serious since it didn't matter for years).
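
The PIN preference discussed in comments 7 and 8, as an added example that is not part of the original thread and is not OpenSC's or Coolkey's code: a minimal parser for the PIV Discovery Object (tag 7E) that reads the two-byte PIN Usage Policy (tag 5F2F) as defined in NIST SP 800-73 and returns the key reference of the PIN a client should prompt for. The function name, the sample objects and the fallback to the application PIN when no policy is present are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PIV_KEYREF_GLOBAL_PIN 0x00 /* key reference of the Global PIN */
#define PIV_KEYREF_APP_PIN    0x80 /* key reference of the PIV Card Application PIN */

/* Return the key reference of the PIN to prompt for, or -1 if the object is malformed.
 * Assumes short-form BER lengths, which is enough for this small object. */
int piv_preferred_pin(const uint8_t *buf, size_t len)
{
    if (len < 2 || buf[0] != 0x7E || buf[1] > 0x7F || (size_t)buf[1] + 2 > len)
        return -1;                           /* not a complete Discovery Object */
    size_t pos = 2, end = 2 + (size_t)buf[1];
    while (pos < end) {
        unsigned tag = buf[pos++];
        if ((tag & 0x1F) == 0x1F) {          /* two-byte tag, e.g. 5F 2F */
            if (pos >= end) return -1;
            tag = (tag << 8) | buf[pos++];
        }
        if (pos >= end) return -1;
        size_t vlen = buf[pos++];
        if (vlen > 0x7F || vlen > end - pos) return -1;
        if (tag == 0x5F2F) {                 /* PIN Usage Policy */
            if (vlen != 2) return -1;
            /* Global PIN only when both PINs are allowed and byte 2 marks it primary. */
            if ((buf[pos] & 0x60) == 0x60 && buf[pos + 1] == 0x20)
                return PIV_KEYREF_GLOBAL_PIN;
            return PIV_KEYREF_APP_PIN;
        }
        pos += vlen;                         /* skip other elements such as 4F (AID) */
    }
    return PIV_KEYREF_APP_PIN;               /* no policy present: assumed default */
}

/* Constructed sample objects: 4F carries the PIV AID, 5F2F the two policy bytes. */
#define PIV_AID 0x4F, 0x0B, 0xA0, 0x00, 0x00, 0x03, 0x08, 0x00, 0x00, 0x10, 0x00, 0x01, 0x00
static const uint8_t disc_app_only[]   = { 0x7E, 0x12, PIV_AID, 0x5F, 0x2F, 0x02, 0x40, 0x00 };
static const uint8_t disc_global_pri[] = { 0x7E, 0x12, PIV_AID, 0x5F, 0x2F, 0x02, 0x60, 0x20 };
static const uint8_t disc_app_pri[]    = { 0x7E, 0x12, PIV_AID, 0x5F, 0x2F, 0x02, 0x60, 0x10 };

int main(void)
{
    printf("app PIN only:       0x%02X\n", (unsigned)piv_preferred_pin(disc_app_only, sizeof disc_app_only));
    printf("global PIN primary: 0x%02X\n", (unsigned)piv_preferred_pin(disc_global_pri, sizeof disc_global_pri));
    printf("app PIN primary:    0x%02X\n", (unsigned)piv_preferred_pin(disc_app_pri, sizeof disc_app_pri));
    return 0;
}
```

Two PKCS#11 modules that disagree on which PIN to request for the same card can be compared against the card's actual policy bytes this way.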

Comment 10 errata-xmlrpc 2017-08-01 20:49:06 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1989

