Hide Forgot
Description of problem: OpenSC doesn't work with CardOS 5.3 cards. In an orgnization that's been configured to authenticate users using CardOS v4.2C cards, new employees being given CardOS v5.3 cards cannot authenticate. Version-Release number of selected component (if applicable): opensc-0.16.0-5.20170227git777e2a3.el7.x86_64 How reproducible: Consistent with CardOS v5.3 cards, not a problem with CardOS v4.2C cards Steps to Reproduce: 1. Configure a RHEL 7.4 server to authenticate CardOS v4.2C cards 2. Update to CardOS v5.3 cards Actual results: Cards no longer work. Customer has tried with HP Smartcard Keyboard card readers, and also an Omnikey reader which is known to work with older CardOS v4.2C cards Expected results: Newer cards to work Additional info: === Non-working Cardos 5.3 card === $ opensc-tool --atr Using reader with a card: Hewlett-Packard Company HP Smart Card Terminal KUS1206 [HP Smartcard Keyboard] (00000741000006) 00 00 3b:d2:18:00:81:31:fe:58:c9:03:16 $ pkcs11-tool -L Available slots: Slot 0 (0x0): HP RGS Remote Smart Card Reader 00 00 (empty) Slot 1 (0x4): Hewlett-Packard Company HP Smart Card Terminal KUS1206 [HP Smart C_GetTokenInfo() failed: rv = CKR_TOKEN_NOT_PRESENT $ cardos-tool -i Using reader with a card: Hewlett-Packard Company HP Smart Card Terminal KUS1206 [HP Smartcard Keyboard] (00000741000006) 00 00 3b:d2:18:00:81:31:fe:58:c9:03:16 Info : CardOS V5.3, 2014 Serial number: 02 06 95 0d 00 05 45 2c OS Version: 201.3 (unknown Version) Current life cycle: 16 (operational) Security Status of current DF: Free memory : 507 ATR Status: 0x0 ROM-ATR Packages installed: E1 0B 53 06 11 04 09 01 C9 03 8F 01 01 E1 0B 53 ..S............S 06 03 04 13 02 C9 03 8F 01 01 .......... Ram size: 7, Eeprom size: 83, cpu type: 78, chip config: 63, chip manufacturer: 5 Free eeprom memory: 56732 Current Maximum Data Field Length: 640 Complete chip production data: CC 78 33 CE 01 00 01 00 0E 00 00 01 0B 02 00 00 .x3............. 00 00 00 00 00 00 00 61 75 38 30 FF FF FF FF 78 .......au80....x 01 51 41 78 05 16 07 00 00 83 12 05 E7 55 21 02 .QAx.........U!. 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 ............ System keys: PackageLoadKey (version 0x00, retries 10) System keys: StartKey (version 0xff, retries 10) Path to current DF: === Comparison with a working v4.2C Smart Card is below === $ opensc-tool --atr Using reader with a card: Hewlett-Packard Company HP USB CCID Smartcard Keyboard [HP USB CCID Keyboard Smartcard Reader] (13072700000922) 00 00 3b:f2:18:00:02:c1:0a:31:fe:58:c8:0b:77 $ cardos-tool -i Using reader with a card: Hewlett-Packard Company HP USB CCID Smartcard Keyboard [HP USB CCID Keyboard Smartcard Reader] (13072700000922) 00 00 3b:f2:18:00:02:c1:0a:31:fe:58:c8:0b:77 Info : CardOS V4.2C (C) Siemens AG 1994-2006 Chip type: 147 Serial number: 21 20 91 09 32 35 Full prom dump: 33 66 00 16 A5 4B 00 00 93 0D 21 20 91 09 32 35 3f...K....! ..25 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 ................ OS Version: 200.11 (that's CardOS M4.2C) Current life cycle: 16 (operational) Security Status of current DF: Free memory : 82 ATR Status: 0x0 ROM-ATR Packages installed: Ram size: 6, Eeprom size: 36, cpu type: 66, chip config: 63 Free eeprom memory: 15535 Current Maximum Data Field Length: 300 System keys: PackageLoadKey (version 0x00, retries 10) System keys: StartKey (version 0x02, retries 10) Path to current DF: 50 15 P. $ pkcs11-tool -L Available slots: Slot 0 (0x0): HP RGS Remote Smart Card Reader 00 00 (empty) Slot 1 (0x4): Hewlett-Packard Company HP USB CCID Smartcard Keyboard [HP USB C token label : PIN (Siemens Corporate ID Card) token manufacturer : Siemens AG (C) token model : PKCS#15 token flags : login required, token initialized, PIN initialized hardware version : 0.0 firmware version : 0.0 serial num : 3153393842535144
The ATR of the listed card is already in the card driver in RHEL7 and cardos-tool looks like recognizing the card correctly. Though the error will be probably later. Can you run the OpenSC in debug mode to gather more information what went wrong? OPENSC_DEBUG=9 pkcs11-tool -L I suspect these new cards have EC keys on them and it will be solved by the following change in upstream: https://github.com/OpenSC/OpenSC/issues/1134 Can you try if the following build resolves the issues (it is latest RHEL7.5 with the above patch)? https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=15699214
Customer confirmed that the latest OpenSC package from RHEL 7.5 fixed the issue. We are quoting the customer below: --------------------------------------- After upgrading to opensc-0.16.0-8.2.20170227git777e2a3.el7.x86_64.rpm, all card versions tested work correctly (v5.3, v4.2). The person who has this card did not turn on debug as requested when running pkcs11-tool, but here is the output he sent us. Let us know if you still need the debug knowing that the above RPM fixes the issue. Available slots: Slot 0 (0x0): HP RGS Remote Smart Card Reader 00 00 (empty) Slot 1 (0x4): OMNIKEY AG CardMan 3021 00 00 token label : Siemens Corporate ID Card (V8) token manufacturer : www.atos.net/cardos token model : PKCS#15 token flags : login required, token initialized, PIN initialized hardware version : 0.0 firmware version : 0.0 serial num : 324952464D355556 Slot 2 (0x5): OMNIKEY AG CardMan 3021 00 00 token label : Extra PIN #1 (Siemens Corporate token manufacturer : www.atos.net/cardos token model : PKCS#15 token flags : login required, token initialized, PIN initialized hardware version : 0.0 firmware version : 0.0 serial num : 324952464D355556 Slot 3 (0x6): OMNIKEY AG CardMan 3021 00 00 token label : Extra PIN #0 (Siemens Corporate token manufacturer : www.atos.net/cardos token model : PKCS#15 token flags : login required, token initialized, PIN initialized hardware version : 0.0 firmware version : 0.0 serial num : 324952464D355556
Thank you for verification. Can you also clarify if the tested package was the one provided in the comment #2 or from standard RHEL7.5 update? I assume the first, but your comment does not make it clear.
Hi Jakub, 1) My apologies -- the customer only installed the package you provided, described as being the same as RHEL 7.5 packages: "Can you try if the following build resolves the issues (it is latest RHEL7.5 with the above patch)? https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=15699214" 2) So no, they haven't fully updated to 7.5, which they mention here: "FYI only: debug info originally requested is attached, but as we mentioned the test package resolved the issue. We haven't tried If RHEL 7.5 yet, but if contains the same fix, you can close this case." Since it does, I'll be closing that case. 3) Attaching "pkcs11-tool -L in debug mode with CardOS 5.3 inserted" debug info as a final follow-up.
Created attachment 1421438 [details] pkcs11-tool -L in debug mode with CardOS 5.3 inserted.
Thank you for clarification. No, the RHEL7.5 does not contain this fix. It was fixed. I will make sure this will get fixed in RHEL7.6. Let me know if you will need an official hotfix earlier, or if this will be needed to be fixed in Z-stream earlier.
[root@dhcp129-188 ~]# rpm -qi opensc Name : opensc Version : 0.16.0 Release : 10.20170227git777e2a3.el7 Architecture: x86_64 Install Date: Tue 31 Jul 2018 10:10:39 AM EDT Group : System Environment/Libraries Size : 3260617 License : LGPLv2+ Signature : RSA/SHA256, Tue 03 Jul 2018 04:12:33 AM EDT, Key ID 199e2f91fd431d51 Source RPM : opensc-0.16.0-10.20170227git777e2a3.el7.src.rpm Build Date : Tue 03 Jul 2018 03:59:44 AM EDT Build Host : x86-019.build.eng.bos.redhat.com Relocations : (not relocatable) Packager : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla> Vendor : Red Hat, Inc. URL : https://github.com/OpenSC/OpenSC/wiki Summary : Smart card library and applications Sanity tests look good.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:3224