Bug 1518348 - thunderbird 52.4 with OpenSC 0.16 and PIV cards ALWAYS_AUTHENTICATE fail
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: opensc
Version: 7.4
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: rc
Assignee: Jakub Jelen
QA Contact: Asha Akkiangady
Blocks: 1477664 1563596
Reported: 2017-11-28 16:50 UTC by aheverle
Modified: 2020-12-14 10:55 UTC (History)
Last Closed: 2018-05-23 16:49:38 UTC

Description aheverle 2017-11-28 16:50:34 UTC
Description of problem:
thunderbird 52.4 with OpenSC 0.16 returns an error:
"Sending of the message failed.
Unable to sign message. Please check that the certificates specified in Mail & Newsgroups Account Settings for this mail account are valid and trusted for mail."

Version-Release number of selected component (if applicable):
OpenSC 0.16

How reproducible:
Every time

Steps to Reproduce:
1.  Any attempt to sign with pkcs11 opensc-pkcs11.so module and smartcard


Additional info:
workaround is to use libcoolkeypk11.so, acceptable impact currently.

Comment 8 Jakub Jelen 2017-11-29 08:37:41 UTC
What card is that? Is it standard PIV, or dual CAC card? If it is CAC, can you try the CAC driver directly as described in the following article:

https://access.redhat.com/articles/3034441

These logs do not say anything useful, can you reproduce the issue solely with the pkcs11-tool as described in the following article and attach the logs (note that they might contain the PIN so the logs should be redacted before sharing!):

https://github.com/OpenSC/OpenSC/wiki/Using-pkcs11-tool-and-OpenSSL

Can you try with latest build for RHEL7.5, if it will change anything?

https://brewweb.engineering.redhat.com/brew/buildinfo?buildID=622948

Comment 17 Jakub Jelen 2018-04-26 08:15:43 UTC
To summarize the status of this bug, the issue with ALWAYS_AUTHENTICATE keys can be reproduced with any PIV Test card and with any NSS application.

It is a combination of NSS wrongly issuing the PKCS#11 commands out of order (fixed in NSS 3.36) [1] and OpenSC resetting the login state in case this happens (fixed in OpenSC 0.17.0) [2]. Either of these changes fixes the issue.

For demonstration, I am using the Bob's smartcard test (let me know if you don't have that -- I don't think it is somewhere public). Once I reverted the patch [2] and downgraded NSS to 3.33 in Fedora, I am able to get errors such as the following:

-----Found Cert 2: CN=Test Cardholder XIII,OU=Test Agency,OU=Test Department,O=Test Government,C=US
  KeyType: RSA
  CertID [1] =  02
  KeyID [1] =  02
 Key can encipher... Testing enciphering
Password for Test Cardholder XIII? 
>failed to decrypt message with private key: The operation failed because the PKCS#11 token is not logged in.
-----Found Cert 3: CN=Test Cardholder XIII,OU=Test Agency,OU=Test Department,O=Test Government,C=US
>failed to find private key: Unknown code ___P 3

Updating either NSS or OpenSC fixes the issue and the tests pass.

The NSS is already updated in RHEL7.5 so the fix in OpenSC is not completely necessary (as it was when the bug was reported), but I would be for including the fix to make sure both with older NSS or even if there will be similar regression or some other libraries or tools would use the PKCS#11 interface wrongly.

Asha, Roshni, is this summary enough for you to verify this bug?

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1333725
[2] https://github.com/OpenSC/OpenSC/pull/1084
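
The ordering rule behind comment 17, as an added example (not code from this bug report, NSS or OpenSC): PKCS#11 expects the context-specific C_Login for a CKA_ALWAYS_AUTHENTICATE key after the C_*Init call and before the operation itself. The checker below flags traces that break that order; the trace format and both sample traces are constructed, every key in a trace is assumed to be always-authenticate, and the misordered trace is illustrative rather than the exact sequence NSS issued.

```python
# Added example: check a PKCS#11 call trace against the call order required
# for CKA_ALWAYS_AUTHENTICATE keys. Trace format (constructed for this
# sketch, not a real tool's log format): "<call> <session> [<user type>]".

INIT_CALLS = {"C_SignInit", "C_DecryptInit"}
USE_CALLS = {"C_Sign": "C_SignInit", "C_Decrypt": "C_DecryptInit"}


def check_trace(lines):
    """Return a list of (line_number, message) ordering violations."""
    pending = {}   # session -> [init call, context-specific login seen?]
    findings = []
    for n, line in enumerate(lines, 1):
        call, session, *rest = line.split()
        user_type = rest[0] if rest else ""
        if call in INIT_CALLS:
            pending[session] = [call, False]
        elif call == "C_Login" and user_type == "CKU_CONTEXT_SPECIFIC":
            if session not in pending:
                findings.append(
                    (n, "context-specific login with no operation initialised"))
            else:
                pending[session][1] = True
        elif call in USE_CALLS:
            init, authed = pending.pop(session, (None, False))
            if init != USE_CALLS[call]:
                findings.append((n, f"{call} without {USE_CALLS[call]}"))
            elif not authed:
                findings.append(
                    (n, f"{call} without a preceding context-specific login"))
    return findings


# Constructed sample traces (assumption: session s1 uses an always-auth key).
GOOD_TRACE = ["C_Login s1 CKU_USER", "C_SignInit s1",
              "C_Login s1 CKU_CONTEXT_SPECIFIC", "C_Sign s1"]
BAD_TRACE = ["C_Login s1 CKU_USER", "C_Login s1 CKU_CONTEXT_SPECIFIC",
             "C_SignInit s1", "C_Sign s1"]

if __name__ == "__main__":
    for name, trace in (("good", GOOD_TRACE), ("bad", BAD_TRACE)):
        print(name, check_trace(trace))
```
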

Comment 18 Roshni 2018-05-07 17:02:51 UTC
I was not able to see any error messages as in comment 17 when the smartcard test tool was run using PIV cards with the latest nss packages.

Comment 19 Jakub Jelen 2018-05-23 16:49:38 UTC
This issue was resolved with the latest NSS update and there is no need to fix it again in OpenSC (and introduce other complexity).

