RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1411829 - [RFE] Provide support for ATOS (Siemens) CardOS 5.0 in RHEL
Summary: [RFE] Provide support for ATOS (Siemens) CardOS 5.0 in RHEL
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: opensc
Version: 7.4
Hardware: All
OS: Linux
high
high
Target Milestone: rc
: ---
Assignee: Jakub Jelen
QA Contact: Asha Akkiangady
URL:
Whiteboard:
Depends On: 1272186 1345849 1478795
Blocks: rhel7-opensc-with-cac
TreeView+ depends on / blocked
 
Reported: 2017-01-10 15:10 UTC by Nikos Mavrogiannopoulos
Modified: 2021-03-11 14:53 UTC (History)
11 users (show)

Fixed In Version: opensc-0.16.0-1.20170227git777e2a3.el7
Doc Type: Enhancement
Doc Text:
Clone Of: 1345849
Environment:
Last Closed: 2017-08-01 20:49:06 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:1989 0 normal SHIPPED_LIVE opensc bug fix and enhancement update 2017-08-01 18:32:58 UTC

Comment 2 Roshni 2017-04-17 15:09:13 UTC
Jakub,

Could you provide the commands to run that will list the certificates on the smartcard when using opensc.

Comment 3 Roshni 2017-04-17 15:34:53 UTC
When smart login is configured using authconfig, smartcard inserted before gdm login after a reboot, gdm does not prompt for smartcard pin. I also see the following

[rpattath@localhost ~]$ pklogin_finder debug
DEBUG:pam_config.c:238: Using config file /etc/pam_pkcs11/pam_pkcs11.conf
DEBUG:pkcs11_lib.c:182: Initializing NSS ...
DEBUG:pkcs11_lib.c:192: Initializing NSS ... database=/etc/pam_pkcs11/nssdb
DEBUG:pkcs11_lib.c:201: NSS_Initialize faile: (null)
DEBUG:pklogin_finder.c:66: Couldn't initialize crypto module

Comment 4 Jakub Jelen 2017-04-18 08:02:40 UTC
We should be able to list all the objects on the card including certificates using pkcs11-tool -O --module=/usr/lib64/pkcs11/opensc-pkcs11.so

If I remember well, we discussed something related to these events with Bob last year and he pointed out that it can be problem in some cases because of some false expectation of some software.

1) Does it work with Coolkey?
2) Is pam_pkcs11 correctly configured to use OpenSC?

Looking to my tests for interactive wait, I seems to be able to make it work only if I specify the slot where I expect the card to appear, but Bob's one does it without it using NSS. Whole trace of what is going on there on PKCS11 level would be useful (running with PKCS11SPY for example).

Comment 5 Jakub Jelen 2017-04-18 08:07:49 UTC
Also to pinpoint the problem

3) Does it work with PIV and OpenSC?

Comment 6 Roshni 2017-04-18 19:20:19 UTC
(In reply to Jakub Jelen from comment #4)
> We should be able to list all the objects on the card including certificates
> using pkcs11-tool -O --module=/usr/lib64/pkcs11/opensc-pkcs11.so
> 
> If I remember well, we discussed something related to these events with Bob
> last year and he pointed out that it can be problem in some cases because of
> some false expectation of some software.
> 
> 1) Does it work with Coolkey?
Yes it does work with coolkey
> 2) Is pam_pkcs11 correctly configured to use OpenSC?
I made this change to pam_pkcs11.conf

use_pkcs11_module = opensc;
> 
> Looking to my tests for interactive wait, I seems to be able to make it work
> only if I specify the slot where I expect the card to appear, but Bob's one
> does it without it using NSS. Whole trace of what is going on there on
> PKCS11 level would be useful (running with PKCS11SPY for example).

Would provide more information on how this can be run?

Comment 7 Roshni 2017-04-18 19:21:48 UTC
(In reply to Jakub Jelen from comment #5)
> Also to pinpoint the problem
> 
> 3) Does it work with PIV and OpenSC?

Since the PIV cards we use for testing does not have the assiciated Ca information, pklogin_finder cannot be tested. I tried using a Gemalto 64K card and I see the same output as in comment 3

Comment 8 Jakub Jelen 2017-04-19 08:00:53 UTC
Looking through the logs and playing around in my Fedora, it looks like pam_pkcs11 default configuration does not change the default nss_db to /etc/pki/nssdb (as coolkey does) so there are two possibilities how to make it work:

 * set nss_db=/etc/pki/nssdb (and also make sure this DB has OpenSC PKCS#11 module)

 * initialize new NSS DB in the existing path /etc/pam_pkcs11/nssdb

I went the second way and I was able to initialize the NSS db and move further (though I don't have the CAs set up so I didn't verify it worked completely). Let me know if there will be some other issues.

I guess we should either change the configuration shipped in the pam_pkcs11 or document it somewhere.

Comment 12 Jakub Jelen 2017-05-04 07:55:12 UTC
It looks like Coolkey is picking up the label not from PKCS#15 structures, but from the CN of the certificate itself.

Browsing through the code, it is implemented in src/coolkey/object.cpp:2525

    /* if we didn't get a label, set one based on the CN */

This can be useful feature worth implementing in OpenSC, but it does not look like something that would be a blocker for RHEL7.4. I added a note for future plans.

Thanks for pointing to the correct doc. I added a note to the bug #1425712 to make sure it will get updated.

Comment 13 Roshni 2017-05-05 18:05:40 UTC
[root@dhcp129-77 ~]# rpm -qi opensc
Name        : opensc
Version     : 0.16.0
Release     : 4.20170227git777e2a3.el7
Architecture: x86_64
Install Date: Mon 01 May 2017 01:34:30 PM EDT
Group       : System Environment/Libraries
Size        : 3256689
License     : LGPLv2+
Signature   : RSA/SHA256, Thu 13 Apr 2017 04:32:48 AM EDT, Key ID 199e2f91fd431d51
Source RPM  : opensc-0.16.0-4.20170227git777e2a3.el7.src.rpm
Build Date  : Thu 13 Apr 2017 04:04:15 AM EDT
Build Host  : x86-017.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : https://github.com/OpenSC/OpenSC/wiki
Summary     : Smart card library and applications

Certificates were detected by firefox. gdm login and pklogin_finder were successful

Comment 14 errata-xmlrpc 2017-08-01 20:49:06 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1989


Note You need to log in before you can comment on or make changes to this bug.