Bug 1455518 - nss-based apps can't establish ssl connections when coolkey module is in nssdb but pcscd can't run (e.g. is masked)
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pcsc-lite
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Bob Relyea
QA Contact: Asha Akkiangady
 
Reported: 2017-05-25 12:01 UTC by David Jaša
Modified: 2018-04-10 18:00 UTC (History)

Fixed In Version: pcsc-lite-1.8.8-7.el7
Last Closed: 2018-04-10 18:00:08 UTC

Links
System                  ID              Private  Priority  Status  Summary  Last Updated
Red Hat Product Errata  RHBA-2018:0962  0        None      None    None     2018-04-10 18:00:13 UTC

Description David Jaša 2017-05-25 12:01:52 UTC
Description of problem:
nss apps can't establish ssl connections when coolkey module is active but pcscd can't run (e.g. is masked).

Version-Release number of selected component (if applicable):
nss-3.28.4-8.el7.x86_64
coolkey-1.1.0-37.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. install pcsc-lite and coolkey
2. verify you have coolkey module in nssdb: modutil -dbdir /etc/pki/nssdb -list
3. make pcscd unavailable: systemctl mask pcscd && systemctl stop pcscd
4. start evolution / refresh cache of https repository in dnf / curl https://...

Actual results:
all the programs hang without any message that would explain what's going on

Expected results:
smart card actions won't be available but apps will work normally 

Additional info:

Comment 1 Bob Relyea 2017-09-13 00:29:06 UTC
This hang happens in both coolkey and opensc. I've included the stack traceback.

SCardEstablishContext needs to time out or detect pcsc-lite is not running and error out. I'm changing the component to pcsc-lite (doesn't change much else, same owner, qa and pm).


Stack when using coolkey:

#0  0x00007ffff66d6783 in __select_nocancel ()
    at ../sysdeps/unix/syscall-template.S:81
#1  0x00007ffff49ea011 in MessageReceive () from /lib64/libpcsclite.so.1
#2  0x00007ffff49e7c40 in SCardEstablishContext () from /lib64/libpcsclite.so.1
#3  0x00007ffff54181d4 in ckyCardContext_establish (ctx=ctx@entry=0x6b9520, 
    scope=scope@entry=0) at cky_card.c:465
#4  0x00007ffff5418781 in CKYCardContext_Create (scope=0) at cky_card.c:489
#5  0x00007ffff5640d20 in SlotList::SlotList (this=0x614270, 
    log_=<optimized out>) at slot.cpp:104
#6  0x00007ffff562f5c2 in C_Initialize (pInitArgs=<optimized out>)
    at coolkey.cpp:271
#7  0x00007ffff767e37f in secmod_ModuleInit (mod=mod@entry=0x6b9a80, 
    reload=reload@entry=0x7fffffffdcb0, 
    alreadyLoaded=alreadyLoaded@entry=0x7fffffffdbd4) at pk11load.c:241
#8  0x00007ffff767e9aa in secmod_LoadPKCS11Module (mod=mod@entry=0x6b9a80, 
    oldModule=oldModule@entry=0x7fffffffdcb0) at pk11load.c:492
#9  0x00007ffff768b408 in SECMOD_LoadModule (
    modulespec=modulespec@entry=0x612580 "name=\"CoolKey PKCS #11 Module\" library=\"libcoolkeypk11.so\"", parent=parent@entry=0x60a9e0, 
    recurse=recurse@entry=1) at pk11pars.c:1694



Stack when using opensc:

#0  0x00007ffff66d6783 in __select_nocancel ()
    at ../sysdeps/unix/syscall-template.S:81
#1  0x00007ffff4d92011 in MessageReceive () from /lib64/libpcsclite.so.1
#2  0x00007ffff4d8fc40 in SCardEstablishContext () from /lib64/libpcsclite.so.1
#3  0x00007ffff5456d18 in pcsc_detect_readers (ctx=0x6469e0)
    at reader-pcsc.c:1158
#4  0x00007ffff541671f in sc_ctx_detect_readers (ctx=0x6469e0) at ctx.c:679
#5  0x00007ffff5416b1b in sc_context_create (ctx_out=0x7ffff5a52568 <context>, 
    parm=0x7fffffffdaa0) at ctx.c:803
#6  0x00007ffff5825247 in C_Initialize (
    pInitArgs=0x7ffff7962140 <secmodLockFunctions>) at pkcs11-global.c:250
#7  0x00007ffff767e37f in secmod_ModuleInit (mod=mod@entry=0x640430, 
    reload=reload@entry=0x7fffffffdc90, 
    alreadyLoaded=alreadyLoaded@entry=0x7fffffffdbb4) at pk11load.c:241
#8  0x00007ffff767e9aa in secmod_LoadPKCS11Module (mod=mod@entry=0x640430, 
    oldModule=oldModule@entry=0x7fffffffdc90) at pk11load.c:492
#9  0x00007ffff768b408 in SECMOD_LoadModule (
    modulespec=modulespec@entry=0x612290 "library=\"/home/bob/OpenSC/src/pkcs11/.libs/opensc-pkcs11.so\" name=\"Opensc\"", parent=parent@entry=0x60a9e0, 
    recurse=recurse@entry=1) at pk11pars.c:1694
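
Comment 1 asks for SCardEstablishContext to time out rather than sit in select() when no daemon answers. As an added illustration (not pcsc-lite's code and not the change shipped in pcsc-lite-1.8.8-7.el7), a receive with a bounded total wait can look like this; recv_with_deadline and the socketpair standing in for the pcscd socket are hypothetical.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical helper, not pcsc-lite's MessageReceive: read exactly len bytes
 * from fd, giving up after timeout_ms in total. Returns 0 on success,
 * -ETIMEDOUT if the peer stays silent, -ECONNRESET if it closes, else -errno. */
int recv_with_deadline(int fd, void *buf, size_t len, long timeout_ms)
{
    char *p = buf;
    struct timeval left = { timeout_ms / 1000, (timeout_ms % 1000) * 1000 };

    while (len > 0) {
        fd_set rfds;
        FD_ZERO(&rfds);
        FD_SET(fd, &rfds);
        /* The timeout argument bounds the wait; with NULL, select() blocks
         * until data arrives. Linux writes the remaining time back to left. */
        int rv = select(fd + 1, &rfds, NULL, NULL, &left);
        if (rv == 0)
            return -ETIMEDOUT;
        if (rv < 0 && errno == EINTR)
            continue;
        if (rv < 0)
            return -errno;
        ssize_t n = read(fd, p, len);
        if (n < 0 && errno == EINTR)
            continue;
        if (n <= 0)
            return n == 0 ? -ECONNRESET : -errno;
        p += n;
        len -= (size_t)n;
    }
    return 0;
}

int main(void)
{
    int sv[2];                 /* constructed stand-in for the daemon socket */
    char reply[4];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return 1;
    /* Nothing ever writes to sv[1], like a daemon that never answers. */
    int rc = recv_with_deadline(sv[0], reply, sizeof reply, 200);
    printf("rc=%d (%s)\n", rc, rc == -ETIMEDOUT ? "timed out" : "unexpected");
    return rc == -ETIMEDOUT ? 0 : 1;
}
```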

Comment 3 Bob Relyea 2017-11-01 22:53:20 UTC
fixed in pcsc-lite-1.8.8-7.el7.src.rpm

Comment 5 Roshni 2017-11-29 19:37:59 UTC
[root@dhcp129-107 ~]# rpm -qi pcsc-lite
Name        : pcsc-lite
Version     : 1.8.8
Release     : 7.el7
Architecture: x86_64
Install Date: Tue 28 Nov 2017 04:06:45 PM EST
Group       : System Environment/Daemons
Size        : 634433
License     : BSD
Signature   : RSA/SHA256, Wed 01 Nov 2017 08:34:44 PM EDT, Key ID 199e2f91fd431d51
Source RPM  : pcsc-lite-1.8.8-7.el7.src.rpm
Build Date  : Wed 01 Nov 2017 06:46:29 PM EDT
Build Host  : x86-020.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://pcsclite.alioth.debian.org/
Summary     : PC/SC Lite smart card framework and applications

[root@dhcp129-107 ~]# modutil -list -dbdir /etc/pki/nssdb/

Verification steps:



1. Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
	   uri: pkcs11:library-manufacturer=Mozilla%20Foundation;library-description=NSS%20Internal%20Crypto%20Services;library-version=3.34
	 slots: 2 slots attached
	status: loaded

	 slot: NSS Internal Cryptographic Services
	token: NSS Generic Crypto Services
	  uri: pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203

	 slot: NSS User Private Key and Certificate Services
	token: NSS Certificate DB
	  uri: pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203

  2. CoolKey PKCS #11 Module
	library name: libcoolkeypk11.so
	   uri: pkcs11:library-manufacturer=Mozilla%20Foundation;library-description=CoolKey%20PKCS%20%2311%20Module%20%20%20%20%20;library-version=1.0
	 slots: 1 slot attached
	status: loaded

	 slot: OMNIKEY AG CardMan 3021 00 00
	token: alt.Gonzales.Speedy.E.0987654321
	  uri: pkcs11:token=alt.Gonzales.Speedy.E.0987654321
-----------------------------------------------------------


2. [root@dhcp129-107 ~]# systemctl unmask pcscd
Removed symlink /etc/systemd/system/pcscd.service.
[root@dhcp129-107 ~]# systemctl start pcscd

[root@dhcp129-107 ~]# modutil -list -dbdir /etc/pki/nssdb/

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
	   uri: pkcs11:library-manufacturer=Mozilla%20Foundation;library-description=NSS%20Internal%20Crypto%20Services;library-version=3.34
	 slots: 2 slots attached
	status: loaded

	 slot: NSS Internal Cryptographic Services
	token: NSS Generic Crypto Services
	  uri: pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203

	 slot: NSS User Private Key and Certificate Services
	token: NSS Certificate DB
	  uri: pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203

  2. CoolKey PKCS #11 Module
	library name: libcoolkeypk11.so
	 slots: There are no slots attached to this module
	status: Not loaded
-----------------------------------------------------------

Also I was not able to load the coolkey security token module to firefox and smartcard was not detected. Firefox and evolution were working as expected and curl command was giving the expected output.

Comment 8 errata-xmlrpc 2018-04-10 18:00:08 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0962

