Bug 1473335 - infinite loop when reading card with cac driver
Status: NEW
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: opensc
Version: 7.4
Assigned To: Jakub Jelen
Reported: 2017-07-20 10:00 EDT by Scott Poore
Modified: 2017-08-09 06:36 EDT (History)
Type: Bug
Attachments
opensc debug log with loop (477.77 KB, text/plain) - 2017-07-20 10:01 EDT, Scott Poore
opensc debug log from sssd failure (1.63 MB, text/plain) - 2017-07-20 11:20 EDT, Scott Poore

Description Scott Poore 2017-07-20 10:00:59 EDT
Description of problem:

While trying to test a GSC-IS Smart Card, I configured opensc to use the cac driver. I hit a problem where commands were running/hanging indefinitely.  When looking at the debug logging output, it looks like we've hit an infinite loop.

Version-Release number of selected component (if applicable):
opensc-0.16.0-5.20170227git777e2a3.el7.x86_64

How reproducible:
It is happening consistently now in my test environment and Dev was able to reproduce it.

Steps to Reproduce:
1.  Set up the client to be able to read the smart card

yum install opensc gnutls-utils

2.  Configure opensc to use cac driver

vi /etc/opensc-x86_64.conf
# Set the following:
card_drivers = cac, PIV-II;

3.  Try to read the card

p11tool --provider /usr/lib64/opensc-pkcs11.so --list-all

Actual results:

hangs indefinitely

Expected results:

returns data from card

Additional info:

To identify the loop, set debugging in the config

vi /etc/opensc-x86_64.conf

app default {
...
        debug = 9;
        debug_file = /tmp/opensc-debug.log
...
Comment 2 Scott Poore 2017-07-20 10:01 EDT
Created attachment 1301761 [details]
opensc debug log with loop
Comment 3 Jakub Jelen 2017-07-20 10:20:17 EDT
Explanation of the error from earlier email discussion:

What is going on there is that the driver tries to read the files on
the card, but the card returns status word (SW) 69:82, which means
"Security status not satisfied". This means that we can not read this
data (even after login). But the endless loop is certainly a bug and
should be fixed.

From what I see in the log, it is the p11tool trying to get attribute
CKA_VALUE of "PKI Credential" data object and it never returns.

The loop is there because the cac_apdu_io() does not check for the SW
(unless SW1=61), the error is not visible from cac_read_file() and we
cycle until we load all data we expect. Proper fix would be to check
for the SW in every case and return appropriate error.
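The following is a constructed C illustration of the loop pattern described in comment 3; it is an added example, not OpenSC source, and every name in it (sim_card, sim_read, read_file_unchecked, read_file_checked, SAMPLE_FILE) is hypothetical. A simulated card answers 0x6982 when access is denied; the reader that discards the status word receives zero bytes, makes no progress and spins (here bounded by a cap so it terminates), while the reader that checks every status word returns an error on the first 0x6982 and stops.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example, not OpenSC code. Models the failure in comment 3:
 * a chunked file read that ignores the card's status word never sees the
 * 69 82 error and keeps asking for the data it still expects. */

#define SW_OK              0x9000u
#define SW_SECURITY_STATUS 0x6982u  /* security status not satisfied */
#define CHUNK_SIZE         4u       /* bytes per simulated read command */
#define MAX_ITERATIONS     1000     /* cap so the buggy loop terminates here */

/* Simulated card: a file plus an access flag standing in for the
 * security condition the real card enforces. */
struct sim_card {
    const uint8_t *file;
    size_t file_len;
    int access_allowed;
};

/* Simulated read command: copies up to max_len bytes from 'offset' into
 * out and returns the status word. On denied access no data is returned. */
static uint16_t sim_read(const struct sim_card *c, size_t offset,
                         uint8_t *out, size_t max_len, size_t *out_len)
{
    *out_len = 0;
    if (!c->access_allowed)
        return SW_SECURITY_STATUS;
    if (offset < c->file_len) {
        size_t n = c->file_len - offset;
        if (n > max_len)
            n = max_len;
        memcpy(out, c->file + offset, n);
        *out_len = n;
    }
    return SW_OK;
}

/* Buggy pattern: the status word is discarded, so a zero-byte error reply
 * makes no progress and the loop spins. Returns bytes read, or -1 when the
 * iteration cap is hit (the real driver had no cap and hung). */
int read_file_unchecked(const struct sim_card *c, size_t expected_len, uint8_t *buf)
{
    size_t total = 0;
    int iterations = 0;
    while (total < expected_len) {
        size_t got;
        (void)sim_read(c, total, buf + total, CHUNK_SIZE, &got); /* SW ignored */
        total += got;
        if (++iterations > MAX_ITERATIONS)
            return -1; /* would loop forever without this cap */
    }
    return (int)total;
}

/* Fixed pattern: every status word is checked and a non-9000 answer is
 * surfaced as an error instead of retried. Returns bytes read or -2 on error. */
int read_file_checked(const struct sim_card *c, size_t expected_len, uint8_t *buf)
{
    size_t total = 0;
    while (total < expected_len) {
        size_t got;
        uint16_t sw = sim_read(c, total, buf + total, CHUNK_SIZE, &got);
        if (sw != SW_OK)
            return -2; /* e.g. 0x6982: report, do not retry */
        if (got == 0)
            return -2; /* file shorter than expected is also an error */
        total += got;
    }
    return (int)total;
}

/* Constructed 10-byte data object used by the demos below. */
static const uint8_t SAMPLE_FILE[] = { 0x53, 0x08, 0x01, 0x02, 0x03,
                                       0x04, 0x05, 0x06, 0x07, 0x08 };

/* Run the buggy reader against a card that allows or denies access. */
int demo_unchecked(int access_allowed)
{
    uint8_t buf[sizeof SAMPLE_FILE];
    struct sim_card card = { SAMPLE_FILE, sizeof SAMPLE_FILE, access_allowed };
    return read_file_unchecked(&card, sizeof SAMPLE_FILE, buf);
}

/* Run the fixed reader against the same card. */
int demo_checked(int access_allowed)
{
    uint8_t buf[sizeof SAMPLE_FILE];
    struct sim_card card = { SAMPLE_FILE, sizeof SAMPLE_FILE, access_allowed };
    return read_file_checked(&card, sizeof SAMPLE_FILE, buf);
}

int main(void)
{
    printf("unchecked, access allowed: %d\n", demo_unchecked(1)); /* 10 */
    printf("unchecked, access denied:  %d\n", demo_unchecked(0)); /* -1 */
    printf("checked, access allowed:   %d\n", demo_checked(1));   /* 10 */
    printf("checked, access denied:    %d\n", demo_checked(0));   /* -2 */
    return 0;
}
```

The design point is the one comment 3 makes: the status word must be checked on every exchange, not only for the 61 xx "more data" case, and a transfer loop should be driven by the card's answer rather than by the amount of data the caller expects.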
Comment 4 Scott Poore 2017-07-20 11:20 EDT
Created attachment 1301817 [details]
opensc debug log from sssd failure

This is the debug log from an attempted failure as hit by SSSD.
Comment 5 Jakub Jelen 2017-07-20 11:27:11 EDT
This is the same error, but triggered by the search for the objects with a given CKA_VALUE over PKCS#11. I don't see how we could work around this problem for SSSD without rebuilding the package and fixing this problem.
Comment 6 Sumit Bose 2017-07-20 11:51:19 EDT
I wonder if coolkey still handles this case correctly? Scott, can you try to remove OpenSC and add coolkey to /etc/pki/nssdb and check if authentication with SSSD works with the expected certificates?
Comment 7 Jakub Jelen 2017-07-20 12:00:16 EDT
Coolkey should work as before (if not, then it is a regression). There were no dramatic changes in the code related to CAC.
Comment 8 Sumit Bose 2017-07-20 12:34:21 EDT
Then I think we should add this ticket at least to the Known Issues of 7.4 and recommend using coolkey if customers have issues using the OpenSC cac card driver.

Nevertheless I think it would be good to have a fix which can be released in one of the 7.4 batch updates.
