Bug 1562277 - RFE: add support to OpenSC for CardOS 5.3 cards
Summary: RFE: add support to OpenSC for CardOS 5.3 cards
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: opensc
Version: 7.4
Hardware: x86_64
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: rc
Target Release: ---
Assignee: Jakub Jelen
QA Contact: Asha Akkiangady
Docs Contact: Marc Muehlfeld
URL:
Whiteboard:
Depends On:
Blocks: 1563596
Reported: 2018-03-30 00:49 UTC by Josip Vilicic
Modified: 2021-12-10 15:53 UTC

Fixed In Version: opensc-0.19.0-1.el7
Doc Type: Bug Fix
Doc Text:
CardOS 5.3 smart cards with ECDSA support work correctly in OpenSC

Previously, OpenSC did not correctly parse the ECDSA algorithm in the *TokenInfo* information provided by CardOS 5.3 smart cards. As a consequence, OpenSC did not detect these cards. The *TokenInfo* parser has been updated and now complies with the PKCS #15 specification. As a result, CardOS 5.3 smart cards with ECDSA support work correctly in OpenSC.
Clone Of:
Environment:
Last Closed: 2018-10-30 11:24:51 UTC
Target Upstream Version:
Embargoed:


Attachments
pkcs11-tool -L in debug mode with CardOS 5.3 inserted. (449.37 KB, text/plain)
2018-04-13 16:27 UTC, Josip Vilicic


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github OpenSC OpenSC issues | 1134 | 0 | None | closed | New CardOS 5.3 not working | 2020-06-29 11:40:50 UTC
Red Hat Product Errata | RHBA-2018:3224 | 0 | None | None | None | 2018-10-30 11:25:07 UTC

Description Josip Vilicic 2018-03-30 00:49:18 UTC
Description of problem:
OpenSC doesn't work with CardOS 5.3 cards.  In an organization that's been configured to authenticate users using CardOS v4.2C cards, new employees being given CardOS v5.3 cards cannot authenticate.


Version-Release number of selected component (if applicable):
opensc-0.16.0-5.20170227git777e2a3.el7.x86_64


How reproducible:
Consistent with CardOS v5.3 cards, not a problem with CardOS v4.2C cards


Steps to Reproduce:
1. Configure a RHEL 7.4 server to authenticate CardOS v4.2C cards
2. Update to CardOS v5.3 cards


Actual results:
Cards no longer work.  Customer has tried with HP Smartcard Keyboard card readers, and also an Omnikey reader which is known to work with older CardOS v4.2C cards


Expected results:
Newer cards to work


Additional info:

=== Non-working Cardos 5.3 card ===

$ opensc-tool --atr
Using reader with a card: Hewlett-Packard Company HP Smart Card Terminal KUS1206 [HP Smartcard Keyboard] (00000741000006) 00 00
3b:d2:18:00:81:31:fe:58:c9:03:16

$ pkcs11-tool -L

Available slots:
Slot 0 (0x0): HP RGS Remote Smart Card Reader 00 00
  (empty)
Slot 1 (0x4): Hewlett-Packard Company HP Smart Card Terminal KUS1206 [HP Smart
C_GetTokenInfo() failed: rv = CKR_TOKEN_NOT_PRESENT

$ cardos-tool -i 

Using reader with a card: Hewlett-Packard Company HP Smart Card Terminal KUS1206 [HP Smartcard Keyboard] (00000741000006) 00 00
3b:d2:18:00:81:31:fe:58:c9:03:16
Info : CardOS V5.3, 2014
Serial number: 02 06 95 0d 00 05 45 2c
OS Version: 201.3 (unknown Version)
Current life cycle: 16 (operational)
Security Status of current DF:
Free memory : 507
ATR Status: 0x0 ROM-ATR
Packages installed:
E1 0B 53 06 11 04 09 01 C9 03 8F 01 01 E1 0B 53 ..S............S
06 03 04 13 02 C9 03 8F 01 01                   ..........
Ram size: 7, Eeprom size: 83, cpu type: 78, chip config: 63, chip manufacturer: 5
Free eeprom memory: 56732
Current Maximum Data Field Length: 640
Complete chip production data:
CC 78 33 CE 01 00 01 00 0E 00 00 01 0B 02 00 00 .x3.............
00 00 00 00 00 00 00 61 75 38 30 FF FF FF FF 78 .......au80....x
01 51 41 78 05 16 07 00 00 83 12 05 E7 55 21 02 .QAx.........U!.
01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00             ............
System keys: PackageLoadKey (version 0x00, retries 10)
System keys: StartKey (version 0xff, retries 10)
Path to current DF:



=== Comparison with  a working v4.2C Smart Card is below ===
$ opensc-tool --atr
Using reader with a card: Hewlett-Packard Company HP USB CCID Smartcard Keyboard [HP USB CCID Keyboard Smartcard Reader] (13072700000922) 00 00
3b:f2:18:00:02:c1:0a:31:fe:58:c8:0b:77

$ cardos-tool -i
Using reader with a card: Hewlett-Packard Company HP USB CCID Smartcard Keyboard [HP USB CCID Keyboard Smartcard Reader] (13072700000922) 00 00
3b:f2:18:00:02:c1:0a:31:fe:58:c8:0b:77
Info : CardOS V4.2C (C) Siemens AG 1994-2006
Chip type: 147
Serial number: 21 20 91 09 32 35
Full prom dump:
33 66 00 16 A5 4B 00 00 93 0D 21 20 91 09 32 35 3f...K....! ..25
00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 ................
OS Version: 200.11 (that's CardOS M4.2C)
Current life cycle: 16 (operational)
Security Status of current DF:
Free memory : 82
ATR Status: 0x0 ROM-ATR
Packages installed:
Ram size: 6, Eeprom size: 36, cpu type: 66, chip config: 63
Free eeprom memory: 15535
Current Maximum Data Field Length: 300
System keys: PackageLoadKey (version 0x00, retries 10)
System keys: StartKey (version 0x02, retries 10)
Path to current DF:
50 15 P.

$ pkcs11-tool -L
Available slots:
Slot 0 (0x0): HP RGS Remote Smart Card Reader 00 00
  (empty)
Slot 1 (0x4): Hewlett-Packard Company HP USB CCID Smartcard Keyboard [HP USB C
  token label        : PIN (Siemens Corporate ID Card)
  token manufacturer : Siemens AG (C)
  token model        : PKCS#15
  token flags        : login required, token initialized, PIN initialized
  hardware version   : 0.0
  firmware version   : 0.0
  serial num         : 3153393842535144
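
Added example, not part of the original report or of OpenSC: a small parser for `pkcs11-tool -L` output that separates empty slots from slots where `C_GetTokenInfo()` failed, which is the symptom shown above for the CardOS 5.3 card. The sample text is constructed from the listings in this report; the function names and the state labels ("empty", "unreadable", "ok") are assumptions of this example.

```python
import re

# Constructed sample: `pkcs11-tool -L` output trimmed from the listings in this report.
SAMPLE = """\
Available slots:
Slot 0 (0x0): HP RGS Remote Smart Card Reader 00 00
  (empty)
Slot 1 (0x4): Hewlett-Packard Company HP Smart Card Terminal KUS1206 [HP Smart
C_GetTokenInfo() failed: rv = CKR_TOKEN_NOT_PRESENT
Slot 2 (0x5): OMNIKEY AG CardMan 3021 00 00
  token label        : Siemens Corporate ID Card (V8)
  token model        : PKCS#15
"""

SLOT_RE = re.compile(r"^Slot (\d+) \((0x[0-9a-fA-F]+)\): (.*)$")
FAIL_RE = re.compile(r"^\s*C_GetTokenInfo\(\) failed: rv = (\w+)")
FIELD_RE = re.compile(r"^\s+([a-z][a-z ]*?)\s*: (.*)$")

def parse_slots(text):
    """Return one dict per slot: index, id, reader, state, error, token fields."""
    slots = []
    for line in text.splitlines():
        m = SLOT_RE.match(line)
        if m:
            slots.append({"index": int(m.group(1)), "id": m.group(2),
                          "reader": m.group(3).strip(), "state": "unknown",
                          "error": None, "token": {}})
            continue
        if not slots:
            continue  # header lines before the first slot
        cur = slots[-1]
        if line.strip() == "(empty)":
            cur["state"] = "empty"
        elif (m := FAIL_RE.match(line)):
            cur["state"], cur["error"] = "unreadable", m.group(1)
        elif (m := FIELD_RE.match(line)):
            cur["token"][m.group(1)] = m.group(2).strip()
            cur["state"] = "ok"
    return slots

def unreadable_slots(text):
    """Slots not reported as empty where the token information could not be read."""
    return [(s["index"], s["reader"], s["error"])
            for s in parse_slots(text) if s["state"] == "unreadable"]

if __name__ == "__main__":
    for idx, reader, err in unreadable_slots(SAMPLE):
        print(f"slot {idx} ({reader}): token unreadable, {err}; rerun with OPENSC_DEBUG=9")
```

A slot flagged this way is the case where the `OPENSC_DEBUG=9` trace requested in this bug is worth collecting.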

Comment 2 Jakub Jelen 2018-04-04 08:01:38 UTC
The ATR of the listed card is already in the card driver in RHEL7, and cardos-tool looks like it is recognizing the card correctly. The error will probably be later, though. Can you run OpenSC in debug mode to gather more information about what went wrong?

    OPENSC_DEBUG=9 pkcs11-tool -L

I suspect these new cards have EC keys on them and it will be solved by the following change in upstream:

https://github.com/OpenSC/OpenSC/issues/1134

Can you try if the following build resolves the issues (it is latest RHEL7.5 with the above patch)?

https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=15699214

Comment 4 Josip Vilicic 2018-04-11 17:44:17 UTC
Customer confirmed that the latest OpenSC package from RHEL 7.5 fixed the issue.

We are quoting the customer below:



---------------------------------------
   After upgrading to opensc-0.16.0-8.2.20170227git777e2a3.el7.x86_64.rpm, all card versions tested work correctly (v5.3, v4.2).

   The person who has this card did not turn on debug as requested when running pkcs11-tool, but here is the output he sent us. Let us know if you still need the debug knowing that the above RPM fixes the issue.

Available slots:
Slot 0 (0x0): HP RGS Remote Smart Card Reader 00 00
  (empty)
Slot 1 (0x4): OMNIKEY AG CardMan 3021 00 00
  token label        : Siemens Corporate ID Card (V8)
  token manufacturer : www.atos.net/cardos
  token model        : PKCS#15
  token flags        : login required, token initialized, PIN initialized
  hardware version   : 0.0
  firmware version   : 0.0
  serial num         : 324952464D355556
Slot 2 (0x5): OMNIKEY AG CardMan 3021 00 00
  token label        : Extra PIN #1 (Siemens Corporate
  token manufacturer : www.atos.net/cardos
  token model        : PKCS#15
  token flags        : login required, token initialized, PIN initialized
  hardware version   : 0.0
  firmware version   : 0.0
  serial num         : 324952464D355556
Slot 3 (0x6): OMNIKEY AG CardMan 3021 00 00
  token label        : Extra PIN #0 (Siemens Corporate
  token manufacturer : www.atos.net/cardos
  token model        : PKCS#15
  token flags        : login required, token initialized, PIN initialized
  hardware version   : 0.0
  firmware version   : 0.0
  serial num         : 324952464D355556

Comment 5 Jakub Jelen 2018-04-12 07:02:54 UTC
Thank you for verification. Can you also clarify if the tested package was the one provided in the comment #2 or from standard RHEL7.5 update?

I assume the first, but your comment does not make it clear.

Comment 6 Josip Vilicic 2018-04-13 16:27:06 UTC
Hi Jakub,

1) My apologies -- the customer only installed the package you provided, described as being the same as RHEL 7.5 packages:

      "Can you try if the following build resolves the issues (it is latest RHEL7.5 with the above patch)?  https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=15699214"


2) So no, they haven't fully updated to 7.5, which they mention here:

      "FYI only: debug info originally requested is attached, but as we mentioned the test package resolved the issue.

      We haven't tried RHEL 7.5 yet, but if it contains the same fix, you can close this case."

   Since it does, I'll be closing that case.


3) Attaching "pkcs11-tool -L in debug mode with CardOS 5.3 inserted" debug info as a final follow-up.

Comment 7 Josip Vilicic 2018-04-13 16:27:43 UTC
Created attachment 1421438 [details]
pkcs11-tool -L in debug mode with CardOS 5.3 inserted.

Comment 8 Jakub Jelen 2018-04-16 11:59:09 UTC
Thank you for the clarification. No, RHEL7.5 does not contain this fix. It was fixed. I will make sure this gets fixed in RHEL7.6. Let me know if you need an official hotfix earlier, or if this needs to be fixed in Z-stream earlier.

Comment 24 Roshni 2018-08-17 21:12:17 UTC
[root@dhcp129-188 ~]# rpm -qi opensc
Name        : opensc
Version     : 0.16.0
Release     : 10.20170227git777e2a3.el7
Architecture: x86_64
Install Date: Tue 31 Jul 2018 10:10:39 AM EDT
Group       : System Environment/Libraries
Size        : 3260617
License     : LGPLv2+
Signature   : RSA/SHA256, Tue 03 Jul 2018 04:12:33 AM EDT, Key ID 199e2f91fd431d51
Source RPM  : opensc-0.16.0-10.20170227git777e2a3.el7.src.rpm
Build Date  : Tue 03 Jul 2018 03:59:44 AM EDT
Build Host  : x86-019.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : https://github.com/OpenSC/OpenSC/wiki
Summary     : Smart card library and applications

Sanity tests look good.

Comment 26 errata-xmlrpc 2018-10-30 11:24:51 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3224

