Bug 1566675 - CAC card no longer unlocks server after update to RHEL 7.5
Summary: CAC card no longer unlocks server after update to RHEL 7.5
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: opensc
Version: 7.5
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Jakub Jelen
QA Contact: Asha Akkiangady
Docs Contact: Mirek Jahoda
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-04-12 18:46 UTC by Jo Vilicic
Modified: 2018-05-04 13:26 UTC (History)

Fixed In Version:
Doc Type: Known Issue
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-05-04 13:26:26 UTC
Target Upstream Version:


Attachments
output of command `LIBCCID_ifdLogLevel=0x000F pcscd --foreground --debug --apdu --color | tee pcscd_log.txt` (241.47 KB, text/plain)
2018-04-12 18:46 UTC, Jo Vilicic
opensc debug 9 (1.18 MB, text/plain)
2018-04-23 14:28 UTC, Dan
opensc debug 9 (old version) (774.83 KB, text/plain)
2018-04-23 15:58 UTC, Dan

Description Jo Vilicic 2018-04-12 18:46:42 UTC
Created attachment 1421025 [details]
output of command `LIBCCID_ifdLogLevel=0x000F pcscd --foreground --debug --apdu --color | tee pcscd_log.txt`

Description of problem:
After updating server to RHEL 7.5, CAC card no longer works


Version-Release number of selected component (if applicable):
opensc-0.16.0-8.20170227git777e2a3.el7.x86_64
kernel-3.10.0-862.el7.x86_64


How reproducible:
Consistent after updating to RHEL 7.5 from 7.4


Steps to Reproduce:
1. Configure OpenSC to work properly with CAC on RHEL 7.4
2. Upgrade to RHEL 7.5
3. Log in successfully with CAC
4. After the screen locks, insert CAC


Actual results:
Previously-working cards are no longer detected, don't unlock server


Expected results:
CAC cards to continue working to unlock server


Additional info:

Output of the following commands below:
      # lsusb
      # dmesg | tail
      # opensc-tool --list-readers
      # pkcs11-tool --list-slots
      # pkcs15-tool -D


[root@E03I-DFRYE-LX ~]# lsusb
Bus 002 Device 003: ID 0a5c:5800 Broadcom Corp. BCM5880 Secure Applications Processor
Bus 002 Device 002: ID 8087:8000 Intel Corp.
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 002: ID 8087:8008 Intel Corp.
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 004 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 003 Device 007: ID 413c:301a Dell Computer Corp.
Bus 003 Device 006: ID 413c:2113 Dell Computer Corp.
Bus 003 Device 005: ID 10d5:1234 Uni Class Technology Co., Ltd
Bus 003 Device 004: ID 05e3:0608 Genesys Logic, Inc. Hub
Bus 003 Device 002: ID 413c:2513 Dell Computer Corp. internal USB Hub of E-Port Replicator
Bus 003 Device 003: ID 413c:2513 Dell Computer Corp. internal USB Hub of E-Port Replicator
Bus 003 Device 008: ID 04e6:5116 SCM Microsystems, Inc. SCR331-LC1 / SCR3310 SmartCard Reader
Bus 003 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub


[root@E03I-DFRYE-LX ~]# dmesg | tail
[72487.345520] xhci_hcd 0000:00:14.0: WARN Event TRB for slot 7 ep 8 with no TDs queued?
[72487.349243] xhci_hcd 0000:00:14.0: WARN Event TRB for slot 7 ep 8 with no TDs queued?
[72487.373363] xhci_hcd 0000:00:14.0: WARN Event TRB for slot 7 ep 8 with no TDs queued?
[72487.377114] xhci_hcd 0000:00:14.0: WARN Event TRB for slot 7 ep 8 with no TDs queued?
[72487.401139] xhci_hcd 0000:00:14.0: WARN Event TRB for slot 7 ep 8 with no TDs queued?
[72487.404791] xhci_hcd 0000:00:14.0: WARN Event TRB for slot 7 ep 8 with no TDs queued?
[72487.428811] xhci_hcd 0000:00:14.0: WARN Event TRB for slot 7 ep 8 with no TDs queued?
[72487.432277] xhci_hcd 0000:00:14.0: WARN Event TRB for slot 7 ep 8 with no TDs queued?
[72487.456263] xhci_hcd 0000:00:14.0: WARN Event TRB for slot 7 ep 8 with no TDs queued?
[72487.459880] xhci_hcd 0000:00:14.0: WARN Event TRB for slot 7 ep 8 with no TDs queued?


[root@E03I-DFRYE-LX ~]# opensc-tool --list-readers
# Detected readers (pcsc)
Nr.  Card  Features  Name
0    No              Broadcom Corp 5880 Unsupported Needs Microcode Update [Contacted SmartCard] (0123456789ABCD) 00 00
1    Yes             SCM Microsystems Inc. SCR 3310 [CCID Interface] 01 00
*** FYI, the "Broadcom" card reader is not used, the customer uses the "SCM Microsystems" reader ***


[root@E03I-DFRYE-LX ~]# pkcs11-tool --list-slots
Available slots:
Slot 0 (0x0): Broadcom Corp 5880 Unsupported Needs Microcode Update [Contacted
  (empty)
Slot 1 (0x4): SCM Microsystems Inc. SCR 3310 [CCID Interface] 01 00
  token label        : LAST.FIRST.MIDDLE.1234567890
  token manufacturer : piv_II
  token model        : PKCS#15 emulated
  token flags        : login required, rng, token initialized, PIN initialized
  hardware version   : 0.0
  firmware version   : 0.0
  serial num         : 52108d843810a3e4


[root@E03I-DFRYE-LX ~]# pkcs15-tool -D
Using reader with a card: SCM Microsystems Inc. SCR 3310 [CCID Interface] 01 00
PKCS#15 Card [FRYE.DANIEL.JUSTIN.1512554446]:
        Version        : 0
        Serial number  : d43810da19456c120a01cd8360da15822b52108d843810a3e4
        Manufacturer ID: piv_II
        Flags          :
PIN [PIN]
        Object Flags   : [0x1], private
        ID             : 01
        Flags          : [0x32], local, initialized, needs-padding
        Length         : min_len:4, max_len:8, stored_len:8
        Pad char       : 0xFF
        Reference      : 128 (0x80)
        Type           : ascii-numeric

PIN [PIV PUK]
        Object Flags   : [0x1], private
        ID             : 02
        Flags          : [0xF2], local, initialized, needs-padding, unblockingPin, soPin
        Length         : min_len:4, max_len:8, stored_len:8
        Pad char       : 0xFF
        Reference      : 129 (0x81)
        Type           : ascii-numeric

Private RSA Key [PIV AUTH key]
        Object Flags   : [0x1], private
        Usage          : [0x2E], decrypt, sign, signRecover, unwrap
        Access Flags   : [0x1D], sensitive, alwaysSensitive, neverExtract, local
        ModLength      : 2048
        Key ref        : 154 (0x9A)
        Native         : yes
        Auth ID        : 01
        ID             : 01
        MD:guid        : 0x'36303137303031333235303438313031303031353132353534343436313137300000000000000000'

Private RSA Key [SIGN key]
        Object Flags   : [0x1], private
        Usage          : [0x20E], decrypt, sign, signRecover, nonRepudiation
        Access Flags   : [0x1D], sensitive, alwaysSensitive, neverExtract, local
        ModLength      : 2048
        Key ref        : 156 (0x9C)
        Native         : yes
        Auth ID        : 01
        ID             : 02
        MD:guid        : 0x'36303137303031333235303438313032303031353132353534343436313137300000000000000000'

Private RSA Key [KEY MAN key]
        Object Flags   : [0x1], private
        Usage          : [0x22], decrypt, unwrap
        Access Flags   : [0x1D], sensitive, alwaysSensitive, neverExtract, local
        ModLength      : 2048
        Key ref        : 157 (0x9D)
        Native         : yes
        Auth ID        : 01
        ID             : 03
        MD:guid        : 0x'36303137303031333235303438313033303031353132353534343436313137300000000000000000'

Public RSA Key [PIV AUTH pubkey]
        Object Flags   : [0x0]
        Usage          : [0xD1], encrypt, wrap, verify, verifyRecover
        Access Flags   : [0x2], extract
        ModLength      : 2048
        Key ref        : 154 (0x9A)
        Native         : yes
        ID             : 01
        DirectValue    : <absent>

Public RSA Key [SIGN pubkey]
        Object Flags   : [0x0]
        Usage          : [0x2C1], encrypt, verify, verifyRecover, nonRepudiation
        Access Flags   : [0x2], extract
        ModLength      : 2048
        Key ref        : 156 (0x9C)
        Native         : yes
        ID             : 02
        DirectValue    : <absent>

Public RSA Key [KEY MAN pubkey]
        Object Flags   : [0x0]
        Usage          : [0x11], encrypt, wrap
        Access Flags   : [0x2], extract
        ModLength      : 2048
        Key ref        : 157 (0x9D)
        Native         : yes
        ID             : 03
        DirectValue    : <absent>

X.509 Certificate [Certificate for PIV Authentication]
        Object Flags   : [0x0]
        Authority      : no
        Path           :
        ID             : 01
        Encoded serial : 02 03 1A3DCA

X.509 Certificate [Certificate for Digital Signature]
        Object Flags   : [0x0]
        Authority      : no
        Path           :
        ID             : 02
        Encoded serial : 02 03 252183

X.509 Certificate [Certificate for Key Management]
        Object Flags   : [0x0]
        Authority      : no
        Path           :
        ID             : 03
        Encoded serial : 02 03 25218D

Data object 'Card Capability Container'
        applicationName: Card Capability Container
        applicationOID:  2.16.840.1.101.3.7.1.219.0
        Path:            db00
        Data (268 bytes): 53820108F015A00000007902024820502B10290818961500002C79F10121F20121F310A0000000790102000100000000
                   000000F310A0000000790102010100000000000000F310A0000000790401000100000000000000F310A0000000790401
                   010100000000000000F310A0000000790401020100000000000000F310A0000001160130003000000000000000F310A0
                   000001160160103000000000000000F310A0000001160160303000000000000000F310A0000001160190003000000000
                   000000F310A0000000790112011201000000000000F310A0000000790112021201000000000000F40100F50110F61107
                   A0000000790300000000000000000000F700FA00FB00FC00FD00FE00
Data object 'Card Holder Unique Identifier'
        applicationName: Card Holder Unique Identifier
        applicationOID:  2.16.840.1.101.3.7.2.48.0
        Path:            3000
        Data (1891 bytes): 5382075F3019D43810DA19456C120A01CD8360DA15822B52108D843810A3E43410000000000000000000000000000000
                    00350832303231303132343E8207223082071E06092A864886F70D010702A082070F3082070B020103310F300D060960
                    86480165030402010500300A06086086480165030601A08204743082047030820358A00302010202010A300D06092A86
                    4886F70D01010B0500305D310B300906035504061302555331183016060355040A130F552E532E20476F7665726E6D65
                    6E74310C300A060355040B1303446F44310C300A060355040B1303504B49311830160603550403130F444F4420494420
                    53572043412D3436301E170D3136303332333137323731315A170D3232303330393134323232375A306D310B30090603
                    5504061302555331183016060355040A130F552E532E20476F7665726E6D656E74310C300A060355040B1303446F4431
                    0C300A060355040B1303504B49310C300A060355040B13034F5344311A301806035504031311446F445F5049565F5369
                    676E65725F313530820122300D06092A864886F70D01010105000382010F003082010A0282010100DA940DC15F5204AB
                    83AD5199CDB4111D67AA455AA1DEDF6945031A271A3942036AFA394E8F1A24B3EA01A29F9D3133FA2E6FE8DAB033715D
                    7C8148141D372D6B02449D43B052D716FC5C6C0DD0329CB3090D7FDA58990BF6298C6B1FE37851E39772705D716ED426
                    EE185D3D33EC019BC8D14DCC0EA567C1B3E7505AD919F02316E5BB1786CE2CD1BFED2EA12425E5EF7C7E98C269BE958C
                    260B4A80DAC52168DA98B831A741B2A37AE333BB50C939FC74BE16FA75DBA76AF21CB806E2D356E827519A4FE6181384
                    B17DB6021AB51911136A6C7D377F631EEDF78ADEB9BDFA9F9CECB506A46B5651FBC336F9C2439BC4A603DA973C0D95E3
                    5AF82ED82D4833AD0203010001A382012930820125301F0603551D230418301680145B67695EB5580B9C1F09DC357D9B
                    D627EE62AA9C30390603551D1F04323030302EA02CA02A8628687474703A2F2F63726C2E646973612E6D696C2F63726C
                    2F444F444944535743415F34362E63726C300E0603551D0F0101FF04040302078030170603551D200410300E300C060A
                    60864801650302010327301D0603551D0E04160414A8ECD2015DAB48A103B78051B5BD1227D39394D1306706082B0601
                    0505070101045B3059303506082B060105050730028629687474703A2F2F63726C2E646973612E6D696C2F7369676E2F
                    444F444944535743415F34362E636572302006082B060105050730018614687474703A2F2F6F6373702E646973612E6D
                    696C30160603551D250101FF040C300A06086086480165030607300D06092A864886F70D01010B050003820101002135
                    DAC68A2159266A79AA6704BF9487632F4076515032C4B5A1F01B09E9D7C4358E58EA18792E21177BA732E8EE85FCA785
                    437637E9389F1CA11F998CD7B164F016FE1AF923652D371FE53D9A033320C1A1CEC596575F3A18129A81627699508E8B
                    CE9E23FF09C10701F81F7B25AC53DC42B558A2A8BCB25C702C57E880A48B4B760F0DA36FB3AF140F5882F380595E2462
                    4185DAE36451FA770398398120B12FE0555DC7F7D21933DE2BCF5616C8F4787B9803D61F0559AC8EE29D0B4A012AE48D
                    DEB341F1B1C18DC071AB5F13E714BF042790512FDAE0EEC2F64FA6E76179BD901A6AB35E299D3C4DEEED750617FEFF10
                    8C829BDA6249C1B433484EC26AB73182026F3082026B0201013062305D310B3009060355040613025553311830160603
                    55040A130F552E532E20476F7665726E6D656E74310C300A060355040B1303446F44310C300A060355040B1303504B49
                    311830160603550403130F444F442049442053572043412D343602010A300D06096086480165030402010500A081DF30
                    110603672A00310A06086086480165030601302F06092A864886F70D010904312204201207C596C732E831646FA66C60
                    B966115B5671A247A3D7D08EE18C1F03ED1435307B06086086480165030605316F306D310B3009060355040613025553
                    31183016060355040A130F552E532E20476F7665726E6D656E74310C300A060355040B1303446F44310C300A06035504
                    0B1303504B49310C300A060355040B13034F5344311A301806035504031311446F445F5049565F5369676E65725F3135
                    301C06092A864886F70D010905310F170D3138303132353230313230335A300D06092A864886F70D0101010500048201
                    00B6CE63C39CAFD98C1D27427B760ADF3058F28634EA3E9AB400433324EADDDF6881F5E53AA8C35EE5E3A1C6E01431B7
                    B22C0B7450A69CBED1CEF2BF3CBCF43086C90B670C0792809F151D7D1BA51E5B198FC7628B20D69717816EB5D7F0F384
                    7C253395AF24BEE08DCC6F76D0602190C2E23829FB7D0355CBE57CA6C3CB23B3EB4C34E52D15D486F64E6E99DCB72116
                    2EFEB900ED7789E90154728C7207FE676DC4FCF2CB09FE6321B4B854965312FA228D0261CE2BF8D5868D3118E0F3A13E
                    E2AAE7395F723105C112F900585E4F74611FB71FC906BF5BD3E7999C26B51EE0F95962BF917D944EE4FA8A2B56D59454
                    7F81A83436CEBD3C3797524C3F7446F53BFE00
Data object 'Unsigned Card Holder Unique Identifier'
        applicationName: Unsigned Card Holder Unique Identifier
        applicationOID:  2.16.840.1.101.3.7.2.48.2
        Path:            3010
Data object read failed: File not found
Data object 'X.509 Certificate for PIV Authentication'
        applicationName: X.509 Certificate for PIV Authentication
        applicationOID:  2.16.840.1.101.3.7.2.1.1
        Path:            0101
        Data (1114 bytes): 538204567082044D1F8B080000000000000B336862653168627EB380998991898959CAF694012F1BA7569B47DB775E46
                    466E56068328436E034E36E650163661A6D0604309033110874B983F542F584FC13DBF2CB5282F3735AFC490C7800B24
                    C32DCCEC92EF82C40BF0F63414351006F19885795CFC5D143C5D149C1D754D8C0CE4C4790D2D0C0C8D4C0DC0204A9CD7
                    C810C835313236B534B58C32A8A486DD085E68B09FA19A810AC425B26E4191AE7A2E8E7E9EAE3E7A5EA1C1219E7E7A86
                    A640B7989A9898981934312A218704232B037313233F03509C8BA9899191E1E6E1955157146A53977C320E525EFCC158
                    6C7DFECC4AFEC4438FAF4AFCD29ADA92C15E927564AFF986B42306338A39D4422BE54EA67035A639FB257688BF510996
                    EB5AF6D42959346082EDF65D2D597232BF5ADFA43F97DDC015E7E0F96C9AD6F196BD4D3F7FCA165EEC5BB76CDF9F6C9B
                    8A5D176678BE512BE00B6A355EFEAF49A82CF5FFF6CDC7C204E27ADF1A28C45DB1FF33A5CFE39781B3DBB7E9CEDF0B9B
                    660AAC65D47A2DED5578E3F4E2E02A7F81FA332EDFAF27EF67B738C575219A63D21CEDA6F9DF0E3E987522C655F56CFB
                    BF36BB89DD418B4F173E531716EBF075F0F758D1DE54CEFBB8CCDA5C963138967FF536E96B4FCB946472C5325E14CC5F
                    7C48F6CA42FB677D97D8DA99981919181737316E0286C83A03796098CA2AB30023A841C46801C3A9C8EE23E76AAA6FDF
                    93D412E86A73BCF8D8C01CA4409EC5C040CF406781D6028D36B58C9292022B7DFDE4A21CBD94CCE244BDDCCC1C10471F
                    98403C5D9C1DE34D8CF4805C033E90467E46C6FF2C2CCC4CEC0DE0D893556091359036E066E34C68F3604C6562E4D632
                    E061E3027380E99899D74016A48A8F458C45648942FB94B8AABF571EEC0D153BA5B53FF7D8F2795F0D52D938B4D91859
                    59D9191959220DC20D8C617C03A636756C0E2BCE4CCF4371596A9181025C13639B0854537E7271015C974104C815822C
                    8106FE0B54D8B8808A59189BCC4598981788F18820929AA1A1B98181910350C30275360E8827D8D81648B3485EB110B8
                    25E99A23C4C578B639E19668937690406F8B85C0E22706D220933959440C840C0460CEE06431640165134864A8822203
                    C9522698326626B41CCE0C4ACE73525F2C6F966092579ABA675EC704D1D2F09FEA2EF1DA0C5247C35AF88ED4CC528B39
                    BABDE9C88D0581AC9B6CDD4EB9A69F5361176017510EE2B8B1E25F7EF6A5F75A422CEF569C95A93C7A6FC19AD4B95C1F
                    DF1ED1D2F2683788DFFC64B3E647F1BB4BA4322B9A78587716A4B4DD5AC961BF7CFF2701E7B037456DAAEBD3CBFABDA3
                    66EDD7DF6F5875F1D4922D272F1735EA2AE9DA9DC8DC5DFD67D6844073979AB78B04FF75FE7D2CBDFAC36A1FB1ADBF1F
                    9BA97E4ABDBD7DC9B7ADEE81369F94F62AB55D5CDE7AFCC953B59B467F3F6F16D35AAC5F7CB545B6ECBAF9A344F1C8FD
                    E2A7995A748E3DEA6A93CF63FB5AA3ECF9A680E59BA4DEB5F88FEFA6EDBFF73E78D3F487A7456F1FE53AE70500DF406F
                    AE08050000710101FE00
Data object 'Cardholder Fingerprints'
        applicationName: Cardholder Fingerprints
        applicationOID:  2.16.840.1.101.3.7.2.96.16
        Path:            6010
        Auth ID:         01
Data object 'Printed Information'
        applicationName: Printed Information
        applicationOID:  2.16.840.1.101.3.7.2.48.1
        Path:            3001
        Auth ID:         01
Data object 'Cardholder Facial Image'
        applicationName: Cardholder Facial Image
        applicationOID:  2.16.840.1.101.3.7.2.96.48
        Path:            6030
        Auth ID:         01
Data object 'X.509 Certificate for Digital Signature'
        applicationName: X.509 Certificate for Digital Signature
        applicationOID:  2.16.840.1.101.3.7.2.1.0
        Path:            0100
        Data (1085 bytes): 53820439708204301F8B080000000000000B336862F960D0C47C63013313231313B3AA62B3012F1BA7569B47DB775E46
                    466E56068358436E034E36E650163661A6D0604309033110874B983F542F584FC13DBF2CB5282F3735AFC490C7800B24
                    C32DCCEC92EF82C40BF0F684E96216E677F1775170F575F4F4517076D43531349013E735B43030323034008328715E23
                    43034323132363534B53CB28834A6A588FE08506FB19AA19A8401C23EB1614E9AAE7E2E8E7E9EAA3E7151A1CE2E9A767
                    686A68646A6A62626266D0C4A8841C188CAC0CCC4D8CFC0C40712EA626464686A3573E4E5E53C6C7FB3BDD48747604E3
                    5B198D178C078C2E5E7AAED32D38AF7997864D766D14E70655436EFFD04F9F8DCF3D6188C84D0E78F96FCD1EFB2349CB
                    F22FC5E57CB635B1664F292E9E20215762FBB6EDA68194C7A32BBB128A6FEF5EF8A8FD9AEDAC9F86F2E2073F4DE093B7
                    155CB03BEE762DD7B303EBB81AED2CCEDE8CEBF49D2E705562B14C5ACF91C8B5320231292F829E6A2EF4F74DEC7CFD34
                    24681F6F91647582C8315BDF49ED8DEB1E6CF550888AF09EA8C8A323F767EBFB67139279EF361CAFF76499D1BCEDFE9A
                    39F74F4E9FABAB2B357FE7CF7565AB4C18452FC7DD2B6BB7E09FDE7D47F9C9B3B24B95D3B5B5CF14C81DB4EFB1333EA0
                    A1BB3A7CF28248D9B0EC50496726664606C6C54D8CB3812132DD401E18A6B2CA2CC0086A10B1D45CC191F2A8BF795563
                    A2BBE044E31F51E6CB9E18588114C8B31803A35A7F81EE02ED36CD8C9292022B7DFDE4A21CBD94CCE244BDDCCC1C1047
                    1F9846C049C4D931DEC4500F2862C007D2CBCFC8F89F85859989ED003811C82AB0F01BF01A70B37126B47930A6323172
                    6B19C882C4F958C45844925E4974BC2F792AE67F641957A0D5C26747B65DF96A90C1C6A1CDC6C8CACACEC8C812631065
                    6006E31B30B56961734D71667A1EBA73528B0C14E0FA18DB44A0FAF2938B0BE01A0DEC410E1164B130306B144949CCCB
                    4CCDD14B2BAA4C75C84B2CAB04295820C7C605348285B1C95C84897981000F1F22E139800C900619C0C9226220642000
                    B38D93C59005940B0C344192AA2C4A4087204C6182296346B058D072333328DDC6FC0B7DD72B3DDFD33D634FB481E9CA
                    4BFEF6E719D7EA05A7E61B4D3766ACB33C72E8938F92C786B7B7DF47AEBC55B9BB2754B17D7DFC9B830726BC9AF6C9CF
                    EE9D408E95EB4733C6DEAFD1DBD6DCBABE65E5E34F02BB33C59F2D596B72E1BE61CBF3CD3778672C38B17D89C1C3FB61
                    DB15136522D5CA574DB2E2DC3FED779E42DD2959FBCF42EDA265CBA24ADB558A777F7BD8BBC8D0F2357BCBD3D72EB712
                    5EAB99B89A456F7517B8E6ABFD4C514DED91F6346F71231FA1FC163E76A6064DD6CB871AB4E6F54D3FF98AD7638B81E1
                    DBA0E5D7DEEFBDF9DB6C7FB2F094957D1297DE9D9DA1EFF07B474DD9266105FEB79B1686DE7AD979D8955DFBCA5DC7B9
                    D7C5EF4CFFD4B8CF32DC6CB3CF9E1600A92AFF37F4040000710101FE00
Data object 'X.509 Certificate for Key Management'
        applicationName: X.509 Certificate for Key Management
        applicationOID:  2.16.840.1.101.3.7.2.1.2
        Path:            0102
        Data (1038 bytes): 5382040A708204011F8B080000000000000B336862596AD0C4DCBB8099899189895955B1D780978D53ABCDA3ED3B2F23
                    23372B8341AC21B701271B73280B9B305368B0A184811888C325CC1FAA17ACA7E09E5F965A94979B9A5762C863C00592
                    E1166676C97741E205787BC274310BF3BBF8BB28B8FA3A7AFA28383BEA9A181AC889F31A5A181819181A80419438AF91
                    A181A1918991B1A9A5A96594412535AC47F04283FD0CD50C54208E91750B8A74D57371F4F374F5D1F30A0D0EF1F4D333
                    34353432353531313133686254420E0C465606E626467E06A0381753132323C3D5D469D63C79CF0BCC4ABF9B56C7C997
                    D6CF996550CD62EBB3C4A2A1E0A7B822EFF6DDAAACAD711792D82A3C6E17E77DDC57B520AFC7E6D5F75B3233D67A9BCD
                    5ACEBAC36FD6A9D82ECD5DA206BD0B035A56F2FA37BD8ABB724C9135CA718DC3DA3CAEDF6D91E1C7E282DA83FB15CF9F
                    7E1668BF69F6814E654197D99257384FF32C717D6AD2DE68976CEFC413F0F8D672FF834E151DCF7C0DC2037BE7949D4A
                    0E90E699BDEDB3F793AC13D53D4DE6DCBB03C43FEF128BF85473EA997DD895C68599D967375D6DD8BBE9D8A29DF3AE24
                    F8EFE1B19B74FD43A6597BEBD3AD7384B557E5E8BB3C7FCEED211011F5F9BD53AD73FDCEBCB6C007AF19FD5C65ECE630
                    D7BA71CC7E9A23F3DCE6F17A26664606C6C54D8C01C010F131900786A9AC320B30821A442C355770A43CEA6F5ED598E8
                    2E38D1F84794F9B22706562005F22CC6C0A8D65FA0BB40BB4D33A3A4A4C04A5F3FB928472F25B338512F373307C4D107
                    A611701271768C3731D4038A18F081F4F23332FE6761616662550027025905167E035E036E36CE84360FC65426466E75
                    035990381F8B188B88B4D76BCD9CF71186E71EFC5E7C7AF5FABD5B6D3F7C30C860E3D066636465656764648931883230
                    83F10D98DAB4B0B9A638333D0FDD39A945060A707D8C6D22507DF9C9C505708D90D010048546A3484A625E666A8E5E5A
                    5165AA435E6259255881344801278B8881908100CC344E164316502A47CB82CCA0C4966E71ABDE5F363D4E3A7FE6BB3D
                    1F569FFC6AFADF9739FDF78FFEDD6527A7F1ACF8B5D26441EE9FFE0C6D63B6EC77DEE5A231B3047304DF554D3FA5C3FB
                    C780E5F1810DDE5BBD7F18595A1E116F67CD0B3F90CDF77FCBC624B34313FAF82A6376E8FCD110AF4C5F7DF3DC5B85C3
                    19E21B84F8450E29E87ABA1C34CFBA2DAB6B56B1469D51FAF21AA590B3075A6A53153BEF9F5F5B7EDD63F1F4BD1A17AF
                    EE94129FB373C743F3674F1E245D5DC1CC5F367765D16EEB6BABB8FA9EB0CFED2FF8B3D6CA6AEEE56C755E8E4336B7CF
                    CC745AA0C7E31B3FFDF617EEA6FD496245970C3B5EF764AD67B57C60927564E38F16D692F769F26553A50F4AB7B61D29
                    0DEF7ACDB9CF767230C7C2A8B6934539001C0353AEA9040000710101FE00
Data object 'X.509 Certificate for Card Authentication'
        applicationName: X.509 Certificate for Card Authentication
        applicationOID:  2.16.840.1.101.3.7.2.5.0
        Path:            0500
Data object read failed: File not found
Data object 'Security Object'
        applicationName: Security Object
        applicationOID:  2.16.840.1.101.3.7.2.144.0
        Path:            9000
        Data (796 bytes): 53820318BB82030A3082030606092A864886F70D010702A08202F7308202F3020103310F300D06096086480165030402
                   010500306D06052B1B010101A06404623060020100300B0609608648016503040201304E3025020102042099DCBE19C4
                   4DA11FCBBFB13775C3C64AAFF01EE24542A4C0C63B2F5DAE08FD29302502010304203E5D248B7328D79391FD9CE09082
                   354F1508521417C22BA68F5CC3B776E446233182026C308202680201013062305D310B30090603550406130255533118
                   3016060355040A130F552E532E20476F7665726E6D656E74310C300A060355040B1303446F44310C300A060355040B13
                   03504B49311830160603550403130F444F442049442053572043412D343602010A300D06096086480165030402010500
                   A081DC300E0603672A00310706052B1B010101302F06092A864886F70D0109043122042050D030093C997A42EA2A7348
                   713B119676CAAB7AEE20AA96924256A7B13BE6FE307B06086086480165030605316F306D310B30090603550406130255
                   5331183016060355040A130F552E532E20476F7665726E6D656E74310C300A060355040B1303446F44310C300A060355
                   040B1303504B49310C300A060355040B13034F5344311A301806035504031311446F445F5049565F5369676E65725F31
                   35301C06092A864886F70D010905310F170D3138303132353230313230335A300D06092A864886F70D01010105000482
                   01008DECAFDF8BF81C7FB22B161C475D443973F5862FB5DE46F247913869B12E97DA706F15BAB70DE8DA04AEC2762BCB
                   70C8717B8EA9810D6D9128CDFDB0CA3B653669ED96E7E00CB055DB7C77EF56E79BE6C3AFD58BF84BDEA3AFA9ABD6FEB9
                   2051F3D17FAFD7405F455B7538D3B7A6F1408034A08BACCCA219E8BBA3F8CC775A798A9048A9CCFE6227AD4750997B7B
                   425B036A4693795F248FAADC208B43D175FBC5BF770DAC285EF66B567CE18181937E2CF1C35A4DF884C570ABD025C97C
                   1F439E940323388143E6EA7ED667FA3419722F21ED7A4BC7F6E2A2ABA1D7810154BD08780DA7ED417D6B298F784B9DE3
                   961878EA0AFE73D114CC8D41DE4A2B8F3ABDBA06026030036010FE00
Data object 'Cardholder Iris Image'
        applicationName: Cardholder Iris Image
        applicationOID:  2.16.840.1.101.3.7.2.16.21
        Path:            1015
Data object read failed: File not found

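The pkcs15-tool dump above prints each PIV data object as raw hex. The following is an added example, not code from OpenSC or from the reporter, that decodes that hex as BER-TLV so the structure can be checked against the printed byte count: CCC_HEX is the 'Card Capability Container' (path db00) copied from the dump with the line wraps removed, and the tag names are taken from NIST SP 800-73 as recalled here rather than from the report.

```python
"""Decode a PIV data object as dumped by ``pkcs15-tool -D``.

Added example for this bug report; it is not code from OpenSC or from the
reporter.  CCC_HEX is the 'Card Capability Container' (path db00) exactly as
printed in the report's pkcs15-tool output, with the line wraps removed.
The tag names come from NIST SP 800-73 as recalled here, not from the report.
"""
from typing import Dict, List, Tuple

CCC_HEX = (
    "53820108F015A00000007902024820502B10290818961500002C79F10121F20121F310A0000000790102000100000000"
    "000000F310A0000000790102010100000000000000F310A0000000790401000100000000000000F310A0000000790401"
    "010100000000000000F310A0000000790401020100000000000000F310A0000001160130003000000000000000F310A0"
    "000001160160103000000000000000F310A0000001160160303000000000000000F310A0000001160190003000000000"
    "000000F310A0000000790112011201000000000000F310A0000000790112021201000000000000F40100F50110F61107"
    "A0000000790300000000000000000000F700FA00FB00FC00FD00FE00"
)

# Card Capability Container tags per SP 800-73 (from memory, not from the report).
CCC_TAGS: Dict[int, str] = {
    0xF0: "Card Identifier",
    0xF1: "Capability Container version number",
    0xF2: "Capability Grammar version number",
    0xF3: "Applications CardURL",
    0xF4: "PKCS#15",
    0xF5: "Registered Data Model number",
    0xF6: "Access Control Rule Table",
    0xF7: "Card APDUs",
    0xFA: "Redirection Tag",
    0xFB: "Capability Tuples",
    0xFC: "Status Tuples",
    0xFD: "Next CCC",
    0xFE: "Error Detection Code",
}


def parse_tlv(data: bytes) -> List[Tuple[int, bytes]]:
    """Parse consecutive BER-TLV elements with single-byte tags and short- or
    long-form (0x81/0x82/...) lengths.  Truncated or malformed input raises
    ValueError instead of yielding a silently shortened list."""
    elements: List[Tuple[int, bytes]] = []
    i, n = 0, len(data)
    while i < n:
        tag = data[i]
        i += 1
        if i >= n:
            raise ValueError(f"tag 0x{tag:02X} has no length byte")
        first = data[i]
        i += 1
        if first < 0x80:                       # short form: length is this byte
            length = first
        else:                                  # long form: 0x8N, then N length bytes
            nbytes = first & 0x7F
            if nbytes == 0 or nbytes > 4 or i + nbytes > n:
                raise ValueError(f"bad long-form length for tag 0x{tag:02X}")
            length = int.from_bytes(data[i:i + nbytes], "big")
            i += nbytes
        if i + length > n:
            raise ValueError(f"tag 0x{tag:02X} claims {length} bytes, only {n - i} left")
        elements.append((tag, data[i:i + length]))
        i += length
    return elements


def decode_data_object(hexdump: str) -> List[Tuple[int, bytes]]:
    """Unwrap the 0x53 envelope that PIV GET DATA returns and parse its content."""
    outer = parse_tlv(bytes.fromhex(hexdump))
    if len(outer) != 1 or outer[0][0] != 0x53:
        raise ValueError("expected exactly one 0x53 data-object envelope")
    return parse_tlv(outer[0][1])


def describe_ccc(hexdump: str) -> List[str]:
    """One line per element: tag, SP 800-73 name and hex value."""
    return [
        f"{tag:02X} {CCC_TAGS.get(tag, 'unknown'):38s} {value.hex().upper() or '(empty)'}"
        for tag, value in decode_data_object(hexdump)
    ]


if __name__ == "__main__":
    print("\n".join(describe_ccc(CCC_HEX)))
```

On this dump the envelope length (0x0108 = 264 bytes plus the 4-byte header) matches the "Data (268 bytes)" the tool printed, and the container holds eleven 16-byte Applications CardURL entries, so the object itself is well formed; the same parser can be pointed at the CHUID or Security Object hex from the dump.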
Comment 2 Jakub Jelen 2018-04-13 07:26:24 UTC
What is the version of NSS used? There was an issue with recent NSS, that breaks the insert detection:

https://bugzilla.redhat.com/show_bug.cgi?id=1557015

The log looks completely fine from this point of view. Did you verify that it does work when you downgrade only the OpenSC, but not the NSS?

Comment 3 Jakub Jelen 2018-04-13 07:29:58 UTC
From the SOS report, it looks like the NSS is indeed recently updated to the affected version:

nss-3.34.0-4.el7.x86_64                                     Wed Apr 11 12:11:17 2018

We noticed this issue only with Firefox so far, but I believe it can also show up with other tools using NSS. The patch is on the way, and as a workaround, please downgrade the NSS (and potentially other dependencies).

Comment 6 Dan 2018-04-13 16:47:03 UTC
Downgrading nss, nss-sysinit, and nss-tools (all to 3.28.4-15) did not fix the problem.  I am still prompted to insert my smart card when the machine is locked, even though the card is in the card reader.

Logging in still works fine.

Comment 7 Jakub Jelen 2018-04-16 08:38:45 UTC
Bug #1557015 does not clearly say which NSS versions have this problematic patch or its variations (Kai can probably confirm), but RHEL 7.4 GA should work (nss-3.28.4-10.el7). Can you confirm that?

Comment 8 Kai Engert (:kaie) (inactive account) 2018-04-16 09:08:27 UTC
(In reply to Jakub Jelen from comment #7)
> The bug #1557015 does not clearly say what NSS version have this problematic
> patch or its variations (Kai can probably confirm), but RHEL7.4 GA should
> work (nss-3.28.4-10.el7). Can you confirm that?

Yes, in my understanding, the NSS 3.28.x packages shouldn't have this bug.

The regression was apparently introduced by this upstream commit:
  https://hg.mozilla.org/projects/nss/rev/6242acf9c02f
which was part of the 7.5.0 packages.

Comment 9 Kai Engert (:kaie) (inactive account) 2018-04-16 09:09:23 UTC
Did you try to reboot after downgrading?

Comment 10 Dan 2018-04-16 12:48:10 UTC
Yes, I did. 

I only downgraded nss; I am still running 7.5.

Comment 11 Dan 2018-04-23 13:32:43 UTC
I also downgraded pam_pkcs11 as that is my current method for linking the user account to the CAC (cn_map).  Did not change.

I am loathe to downgrade anything regarding gnome-shell as I am not sure what that would break.

Comment 12 Jakub Jelen 2018-04-23 14:08:10 UTC
Does downgrading the opensc package change something? Does it work with the old version? Can you generate the OpenSC debug log from the time when the issue shows (by modifying the log options in /etc/opensc-*.conf) and attach the logs?

Comment 13 Dan 2018-04-23 14:27:48 UTC
Yes, downgrading opensc does change things.  I am able to unlock the machine using opensc-0.16.0-5.

I updated and set debug to 9.  Attached is the log file.

Comment 14 Dan 2018-04-23 14:28:19 UTC
Created attachment 1425675 [details]
opensc debug 9

opensc debug 9

Comment 15 Jakub Jelen 2018-04-23 14:56:34 UTC
The log says that the card is detected by the PIV driver, so the card is probably dual interface. Even so, this sounds like an issue. There are some failures from the PIV driver already.

Does changing the card_drivers to prefer CAC cards in /etc/opensc-*.conf help?

  card_drivers = cac, internal

Comment 16 Dan 2018-04-23 15:01:30 UTC
It definitely reads the card differently (instead of saying 'Welcome PIVII...', it says 'Welcome CAC II <NAME>').

And, I am able to unlock the machine using the newer version of opensc with the conf change.

Comment 17 Jakub Jelen 2018-04-23 15:16:00 UTC
Thank you for verifying that the CAC driver works (if they are CAC, it should be used anyway). But the broken PIV endpoint is still an issue. I am reading through the logs to get a grasp of something useful, but no luck yet.

Can you share some more information about the CAC cards you have? Ideally a dump from ActivClient or so (if you do not wish to do that publicly, you can do it through the customer portal). This might show some differences from expected PIV structures.
Unfortunately, I don't have any such cards around to reproduce the issue locally.

Comment 18 Jakub Jelen 2018-04-23 15:25:18 UTC
Can you try to get the same log once again with the old version and old configuration? Note that the log file is not overwritten but appended to, so truncating the file before running the test would be good, to have somewhat comparable results.

Comment 19 Dan 2018-04-23 15:58:23 UTC
Created attachment 1425698 [details]
opensc debug 9 (old version)

This is with the older version of opensc and no changes to opensc.conf.

Comment 20 Dan 2018-04-23 15:59:34 UTC
I posted some questions to the OpenSC github regarding the email cert issue and openSC.

https://github.com/OpenSC/OpenSC/issues/1164

Might shed some light on the CAC/PIV stuff.

I also posted a log for you to look through.

Comment 21 Jakub Jelen 2018-04-23 17:48:29 UTC
Comparing the logs, it gets down to the following lines somewhere close to the end, where the old version says

  reader-pcsc.c:402:pcsc_detect_card_presence: returning with: 1
  sc.c:276:sc_detect_card_presence: returning with: 1

but the new one says:

  reader-pcsc.c:402:pcsc_detect_card_presence: returning with: 5
  sc.c:276:sc_detect_card_presence: returning with: 5

A similar block was already here somewhere around the middle (probably the successful login), which went just fine:

  reader-pcsc.c:402:pcsc_detect_card_presence: returning with: 1
  sc.c:276:sc_detect_card_presence: returning with: 1
  slot.c:349:card_detect: SCM Microsystems Inc. SCR 3310 [CCID Interface] 00 00: Detection ended
  pkcs11-global.c:516:C_GetSlotInfo: C_GetSlotInfo() card detect rv 0x0
  pkcs11-global.c:533:C_GetSlotInfo: C_GetSlotInfo() flags 0x7
  pkcs11-global.c:534:C_GetSlotInfo: C_GetSlotInfo(0x0) = CKR_OK


These are flags returned by the PCSC driver, where the value 1 means SC_READER_CARD_PRESENT and the value 5 means SC_READER_CARD_PRESENT|SC_READER_CARD_INUSE. This means the card is detected properly, but the PCSC layer says there is something else already using the card (?). Returning 5 prevents the card from popping out as detected, if I understand it correctly. I did not find any other significant difference in the logs.

In both cases, there are several processes accessing the card through opensc. But throughout the changes from the last release, I don't see any change that would affect the above in any way. A further way that can help us debug the case is identifying the patch that changed this behavior. There are only a few changes since the last release. If you could try to rebuild the current OpenSC source package without one of the following patches affecting the PIV driver, it would be very helpful:
  opensc-0.16.0-piv-cardholder-name.patch
  opensc-0.16.0-labels-from-dn.patch
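
As an added example (not from this bug report or from OpenSC itself), a small Python scanner that pulls the sc_detect_card_presence return values out of an opensc debug log and decodes them into the SC_READER_* bits named above, flagging the INUSE case; the sample log lines are constructed from the ones quoted in this comment.

```python
import re

# OpenSC reader status bits from opensc.h (SC_READER_CARD_* / SC_READER_REMOVED).
FLAG_NAMES = {
    0x01: "SC_READER_CARD_PRESENT",
    0x02: "SC_READER_CARD_CHANGED",
    0x04: "SC_READER_CARD_INUSE",
    0x08: "SC_READER_CARD_EXCLUSIVE",
    0x10: "SC_READER_REMOVED",
}
SC_READER_CARD_INUSE = 0x04

# Match only the sc.c line; the reader-pcsc.c line just before it carries the same value.
DETECT_RE = re.compile(r"\bsc\.c:\d+:sc_detect_card_presence: returning with: (-?\d+)")

def decode_flags(value):
    """Names of the SC_READER_* bits set in a non-negative return value."""
    names = [name for bit, name in sorted(FLAG_NAMES.items()) if value & bit]
    leftover = value & ~sum(FLAG_NAMES)
    if leftover:
        names.append(hex(leftover))  # bits this table does not know
    return names

def scan_log(lines):
    """One (line number, value, flag names, busy) tuple per sc_detect_card_presence
    result; busy is True when another client already holds the card."""
    records = []
    for lineno, line in enumerate(lines, 1):
        m = DETECT_RE.search(line)
        if not m:
            continue
        value = int(m.group(1))
        if value < 0:  # negative return values are SC_ERROR_* codes, not flags
            records.append((lineno, value, ["SC_ERROR"], False))
        else:
            records.append((lineno, value, decode_flags(value), bool(value & SC_READER_CARD_INUSE)))
    return records

# Constructed sample modelled on the lines quoted in comment 21 (not the real attachment).
SAMPLE_LOG = """\
reader-pcsc.c:402:pcsc_detect_card_presence: returning with: 1
sc.c:276:sc_detect_card_presence: returning with: 1
slot.c:349:card_detect: SCM Microsystems Inc. SCR 3310 [CCID Interface] 00 00: Detection ended
reader-pcsc.c:402:pcsc_detect_card_presence: returning with: 5
sc.c:276:sc_detect_card_presence: returning with: 5
""".splitlines()

if __name__ == "__main__":
    for lineno, value, names, busy in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {value} = {'|'.join(names)}" + ("  <- held by another client" if busy else ""))
```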

Comment 22 Dan 2018-04-23 19:11:48 UTC
Unfortunately, I only install it from the official repo. I've never had luck building it from source (I think the github version is .17 now).

Comment 23 Jakub Jelen 2018-04-26 12:00:43 UTC
From the upstream issue linked in the previous comments, it looks like this card is somehow tricky. Is it the same card? Can you clarify whether the issues described there are still present (you don't see the "email certificate" in Firefox)? Can you attach the output of the following commands (assuming the main NSS DB has the opensc pkcs11 module)?

  pkcs11-tool -O

  certutil -L -d /etc/pki/nssdb -h all

From the logs, I see that all three certificates were read from the card, which is also what I see in the pkcs15 dump in the description of this bug.


Rereading the logs, it looks like the "old good" log from comment #19 is truncated before the authentication is done, isn't it? At least, I don't see any RSA operation, Login, or even the attempt to search for keys (while at least the last one is in the "new bad" log). Can you please retest with both versions and attach the logs from the whole procedure (ideally from before the login to the attempt at a successful or unsuccessful unlock of the screen saver)? Noting timestamps and delays between actions would also be good to distinguish the events and sync the messages.


Do you have some spare cards of this type that could be used for testing? We have some official PIV test cards as well as standard CAC test cards, but probably not these hybrid ones.

Comment 24 Dan 2018-04-26 13:55:27 UTC
It is a new CAC, but the old issue is still there. If I do not specify CAC in /etc/opensc-x86_64.conf, I cannot see the email certificate in Firefox, nor can I unlock the machine with the newest opensc version installed.

All of the logs were taken when attempting to unlock the screen. With any version, in any configuration, I am able to log into the machine with my CAC. It is *only* failing when trying to unlock the machine.

As far as spare card types, I definitely can't get my hands on any.

Current setup: opensc-0.16.0-8, cac explicitly defined in /etc/opensc-x86_64.conf.

pkcs11-tool -O

Using slot 0 with a present token (0x0)
Public Key Object; RSA 2048 bits
  label:      CAC ID Certificate
  ID:         0001
  Usage:      verify
Certificate Object; type = X.509 cert
  label:      CAC ID Certificate
  ID:         0001
Public Key Object; RSA 2048 bits
  label:      CAC Email Signature Certificate
  ID:         0002
  Usage:      verify
Certificate Object; type = X.509 cert
  label:      CAC Email Signature Certificate
  ID:         0002
Public Key Object; RSA 2048 bits
  label:      CAC Email Encryption Certificate
  ID:         0003
  Usage:      encrypt
Certificate Object; type = X.509 cert
  label:      CAC Email Encryption Certificate
  ID:         0003
Data object 22750240
  label:          'Person Instance'
  application:    'Person Instance'
  app_id:         <empty>
  flags:          <empty>
Data object 22750336
  label:          'Personnel'
  application:    'Personnel'
  app_id:         <empty>
  flags:          <empty>

certutil -L -d /etc/pki/nssdb -h all

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

DODIDSWCA-36                                                 c,c,c
DODEMAILCA-44                                                c,c,c
DODEMAILCA-39                                                c,c,c
DODEMAILCA-28                                                c,c,c
DODCA-31                                                     c,c,c
DoDRootCA4                                                   CT,C,C
DODIDSWCA-47                                                 c,c,c
DODIDSWCA-37                                                 c,c,c
DODIDCA-43                                                   c,c,c
DODIDCA-40                                                   c,c,c
DODIDCA-33                                                   c,c,c
DODEMAILCA-43                                                c,c,c
DODEMAILCA-34                                                c,c,c
DODEMAILCA-27                                                c,c,c
DODCA-27                                                     c,c,c
DoDRootCA3                                                   CT,C,C
DODIDCA-42                                                   c,c,c
DODIDCA-39                                                   c,c,c
DODIDCA-34                                                   c,c,c
DODEMAILCA-42                                                c,c,c
DODEMAILCA-31                                                c,c,c
DODEMAILCA-30                                                c,c,c
DODCA-30                                                     c,c,c
DoDRootCA2                                                   CT,C,C
DODIDSWCA-46                                                 c,c,c
DODIDSWCA-35                                                 c,c,c
DODIDCA-41                                                   c,c,c
DODEMAILCA-41                                                c,c,c
DODEMAILCA-40                                                c,c,c
DODEMAILCA-32                                                c,c,c
DODEMAILCA-29                                                c,c,c
DODCA-29                                                     c,c,c
DODIDSWCA-48                                                 c,c,c
DODIDSWCA-45                                                 c,c,c
DODIDSWCA-38                                                 c,c,c
DODIDCA-44                                                   c,c,c
DODEMAILCA-33                                                c,c,c
DODCA-32                                                     c,c,c
DODCA-28                                                     c,c,c

Comment 25 Jakub Jelen 2018-05-03 12:41:15 UTC
OK, so let's summarize what we learned in the recent comments:

 * RHEL7.5 GA configured with OpenSC does not work (with default PIV driver)

Both of the following options fix the issue:

 * Downgrading OpenSC to 0.16.0-5 version fixes the issue (comment #13)
 * Changing the driver to CAC fixes the issue (comment #16)

The second issue is with the PIV driver, which does not list the CAC Email certificate, which to my understanding (also from the upstream comments) is a limitation of the dual card.


The logs you provided for the good and the old version look very similar, and the supposedly good version is also missing any note about GDM searching for the card objects.

Can you make sure you don't have coolkey installed and loaded in the NSS DB as well?

  $ modutil -list -dbdir /etc/pki/nssdb/

Comment 26 Dan 2018-05-03 13:11:10 UTC
coolkey was installed as it worked with Firefox without making changes to any config files.

Here is the product of the requested command:

 modutil -list -dbdir /etc/pki/nssdb/

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
           uri: pkcs11:library-manufacturer=Mozilla%20Foundation;library-description=NSS%20Internal%20Crypto%20Services;library-version=3.34
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services
          uri: pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB
          uri: pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203

  2. CoolKey PKCS #11 Module
        library name: libcoolkeypk11.so
           uri: pkcs11:library-manufacturer=Mozilla%20Foundation;library-description=CoolKey%20PKCS%20%2311%20Module%20%20%20%20%20;library-version=1.0
         slots: 3 slots attached
        status: loaded

         slot: Broadcom Corp 5880 [Contacted SmartCard] (0123456789ABCD) 00 00
        token:
          uri: pkcs11:

         slot: SCM Microsystems Inc. SCR 331 [CCID Interface] (21120808221064)
        token:
          uri: pkcs11:

         slot: Hewlett-Packard Company HP Smart Card Terminal KUS1206 [HP Smart
        token:
          uri: pkcs11:
-----------------------------------------------------------

Comment 27 Jakub Jelen 2018-05-03 14:23:53 UTC
This means that the NSS DB that is used by pam_pkcs11 has coolkey installed. To work with OpenSC, you need to remove coolkey from this database and install OpenSC there, if I am right. This sounds like duplicate work since you already specified opensc in the pam_pkcs11 config, but this is how NSS works.

Firefox is using a different NSS DB, so removing coolkey from this one should not affect its functionality.

We have a simple script that should do the job of removing coolkey and installing opensc into /etc/pki/nssdb/:

  pkcs11-switch opensc

Do you see changes after running the above?

Comment 28 Dan 2018-05-03 16:47:44 UTC
Yes and no.

I didn't run the pkcs11-switch command, but I did remove coolkey.

In doing so, I am immediately able to unlock the machine (SSH'd in while the machine was locked, removed coolkey, went back to the GUI).

I still have to explicitly define 'cac' as the card_driver in /etc/opensc-x86_64 for Firefox to read the email certificate, but I believe that is outside of the scope of this "bug".

So, the issue boils down to this - with opensc 0.16.0 release 8.2017022, coolkey cannot also be installed. Previous versions worked with both opensc and coolkey installed.

Comment 29 Jakub Jelen 2018-05-04 07:29:50 UTC
Thank you for the confirmation that it solved the issue.

The email certificate is out of the scope of this bug and, as already said, I believe this is a limitation of the dual card. If you know you will be using CAC cards, configuring OpenSC to prefer this driver is the way to go (already documented -- see the link later).

Having both of the pkcs11 modules in the NSS DB is really not a supported nor recommended configuration. It was probably a coincidence that it worked before (and that it worked for login). Both of the modules are trying to connect to the same inserted smart card, and especially when waiting for a card to be inserted, it is very racy.
This is also already documented in the following article:

https://access.redhat.com/articles/3034441

Is there anything else to clarify or can we close this bug?
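
As an added check (not part of this bug report or of the pkcs11-switch script), this Python snippet parses `modutil -list` output of the shape shown in comment 26 and reports when more than one loaded external PKCS#11 module is registered in the NSS DB, the coolkey plus opensc combination that caused the racy unlock above; the opensc module name and library path in the sample are placeholders.

```python
import re

# Constructed sample in the shape of `modutil -list -dbdir /etc/pki/nssdb/` output,
# modelled on comment 26; the opensc module name and library path are placeholders.
SAMPLE_MODUTIL = """\
Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
           uri: pkcs11:library-manufacturer=Mozilla%20Foundation;library-description=NSS%20Internal%20Crypto%20Services;library-version=3.34
         slots: 2 slots attached
        status: loaded

  2. CoolKey PKCS #11 Module
        library name: libcoolkeypk11.so
         slots: 3 slots attached
        status: loaded

  3. opensc
        library name: opensc-pkcs11.so
         slots: 1 slot attached
        status: loaded
-----------------------------------------------------------
"""

MODULE_RE = re.compile(r"^\s*\d+\.\s+(.+?)\s*$")

def parse_modules(text):
    """Return [{'name', 'library', 'status'}, ...] from modutil -list output.
    The NSS internal module prints no 'library name:' line, so library stays None."""
    modules, current = [], None
    for line in text.splitlines():
        m = MODULE_RE.match(line)
        if m:
            current = {"name": m.group(1), "library": None, "status": None}
            modules.append(current)
        elif current is not None:
            field, sep, value = line.strip().partition(":")
            if sep and field in ("library name", "status"):
                current["library" if field == "library name" else "status"] = value.strip()
    return modules

def check_single_card_module(modules):
    """(ok, names): ok is False when more than one loaded external PKCS#11 module
    is registered, the unsupported coolkey + opensc combination from this bug."""
    external = [m["name"] for m in modules if m["library"] and m["status"] == "loaded"]
    return len(external) <= 1, external

if __name__ == "__main__":
    ok, names = check_single_card_module(parse_modules(SAMPLE_MODUTIL))
    print("OK" if ok else f"multiple smart card modules loaded: {names}")
```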

Comment 30 Dan 2018-05-04 12:35:31 UTC
I think we have delved deep enough into this and have come up with the reason for my initial issues.

The bug can be closed.

Thank you

