Bug 1566675 - CAC card no longer unlocks server after update to RHEL 7.5
Summary: CAC card no longer unlocks server after update to RHEL 7.5
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: opensc
Version: 7.5
Hardware: x86_64
OS: Linux
Target Milestone: rc
Assignee: Jakub Jelen
QA Contact: Asha Akkiangady
Mirek Jahoda
Depends On:
Reported: 2018-04-12 18:46 UTC by Josip Vilicic
Modified: 2021-06-10 15:47 UTC (History)

Fixed In Version:
Doc Type: Known Issue
Doc Text:
Clone Of:
Last Closed: 2018-05-04 13:26:26 UTC
Target Upstream Version:

Attachments
output of command `LIBCCID_ifdLogLevel=0x000F pcscd --foreground --debug --apdu --color | tee pcscd_log.txt` (241.47 KB, text/plain)
2018-04-12 18:46 UTC, Josip Vilicic
opensc debug 9 (1.18 MB, text/plain)
2018-04-23 14:28 UTC, Dan
opensc debug 9 (old version) (774.83 KB, text/plain)
2018-04-23 15:58 UTC, Dan

Description Josip Vilicic 2018-04-12 18:46:42 UTC
Created attachment 1421025 [details]
output of command  `LIBCCID_ifdLogLevel=0x000F pcscd --foreground --debug --apdu --color | tee pcscd_log.txt`

Description of problem:
After updating server to RHEL 7.5, CAC card no longer works

Version-Release number of selected component (if applicable):

How reproducible:
Consistent after updating to RHEL 7.5 from 7.4

Steps to Reproduce:
1. Configure OpenSC to work properly with CAC on RHEL 7.4
2. Upgrade to RHEL 7.5
3. Log in successfully with CAC
4. After the screen locks, insert CAC

Actual results:
Previously-working cards are no longer detected, don't unlock server

Expected results:
CAC cards to continue working to unlock server

Additional info:

Output of the following commands below:
      # lsusb
      # dmesg | tail
      # opensc-tool --list-readers
      # pkcs11-tool --list-slots
      # pkcs15-tool -D

[root@E03I-DFRYE-LX ~]# lsusb
Bus 002 Device 003: ID 0a5c:5800 Broadcom Corp. BCM5880 Secure Applications Processor
Bus 002 Device 002: ID 8087:8000 Intel Corp.
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 002: ID 8087:8008 Intel Corp.
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 004 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 003 Device 007: ID 413c:301a Dell Computer Corp.
Bus 003 Device 006: ID 413c:2113 Dell Computer Corp.
Bus 003 Device 005: ID 10d5:1234 Uni Class Technology Co., Ltd
Bus 003 Device 004: ID 05e3:0608 Genesys Logic, Inc. Hub
Bus 003 Device 002: ID 413c:2513 Dell Computer Corp. internal USB Hub of E-Port Replicator
Bus 003 Device 003: ID 413c:2513 Dell Computer Corp. internal USB Hub of E-Port Replicator
Bus 003 Device 008: ID 04e6:5116 SCM Microsystems, Inc. SCR331-LC1 / SCR3310 SmartCard Reader
Bus 003 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub

[root@E03I-DFRYE-LX ~]# dmesg | tail
[72487.345520] xhci_hcd 0000:00:14.0: WARN Event TRB for slot 7 ep 8 with no TDs queued?
[72487.349243] xhci_hcd 0000:00:14.0: WARN Event TRB for slot 7 ep 8 with no TDs queued?
[72487.373363] xhci_hcd 0000:00:14.0: WARN Event TRB for slot 7 ep 8 with no TDs queued?
[72487.377114] xhci_hcd 0000:00:14.0: WARN Event TRB for slot 7 ep 8 with no TDs queued?
[72487.401139] xhci_hcd 0000:00:14.0: WARN Event TRB for slot 7 ep 8 with no TDs queued?
[72487.404791] xhci_hcd 0000:00:14.0: WARN Event TRB for slot 7 ep 8 with no TDs queued?
[72487.428811] xhci_hcd 0000:00:14.0: WARN Event TRB for slot 7 ep 8 with no TDs queued?
[72487.432277] xhci_hcd 0000:00:14.0: WARN Event TRB for slot 7 ep 8 with no TDs queued?
[72487.456263] xhci_hcd 0000:00:14.0: WARN Event TRB for slot 7 ep 8 with no TDs queued?
[72487.459880] xhci_hcd 0000:00:14.0: WARN Event TRB for slot 7 ep 8 with no TDs queued?

[root@E03I-DFRYE-LX ~]# opensc-tool --list-readers
# Detected readers (pcsc)
Nr.  Card  Features  Name
0    No              Broadcom Corp 5880 Unsupported Needs Microcode Update [Contacted SmartCard] (0123456789ABCD) 00 00
1    Yes             SCM Microsystems Inc. SCR 3310 [CCID Interface] 01 00
*** FYI, the "Broadcom" card reader is not used, the customer uses the "SCM Microsystems" reader ***

[root@E03I-DFRYE-LX ~]# pkcs11-tool --list-slots
Available slots:
Slot 0 (0x0): Broadcom Corp 5880 Unsupported Needs Microcode Update [Contacted
Slot 1 (0x4): SCM Microsystems Inc. SCR 3310 [CCID Interface] 01 00
  token label        : LAST.FIRST.MIDDLE.1234567890
  token manufacturer : piv_II
  token model        : PKCS#15 emulated
  token flags        : login required, rng, token initialized, PIN initialized
  hardware version   : 0.0
  firmware version   : 0.0
  serial num         : 52108d843810a3e4

[root@E03I-DFRYE-LX ~]# pkcs15-tool -D
Using reader with a card: SCM Microsystems Inc. SCR 3310 [CCID Interface] 01 00
PKCS#15 Card [FRYE.DANIEL.JUSTIN.1512554446]:
        Version        : 0
        Serial number  : d43810da19456c120a01cd8360da15822b52108d843810a3e4
        Manufacturer ID: piv_II
        Flags          :
        Object Flags   : [0x1], private
        ID             : 01
        Flags          : [0x32], local, initialized, needs-padding
        Length         : min_len:4, max_len:8, stored_len:8
        Pad char       : 0xFF
        Reference      : 128 (0x80)
        Type           : ascii-numeric

        Object Flags   : [0x1], private
        ID             : 02
        Flags          : [0xF2], local, initialized, needs-padding, unblockingPin, soPin
        Length         : min_len:4, max_len:8, stored_len:8
        Pad char       : 0xFF
        Reference      : 129 (0x81)
        Type           : ascii-numeric

Private RSA Key [PIV AUTH key]
        Object Flags   : [0x1], private
        Usage          : [0x2E], decrypt, sign, signRecover, unwrap
        Access Flags   : [0x1D], sensitive, alwaysSensitive, neverExtract, local
        ModLength      : 2048
        Key ref        : 154 (0x9A)
        Native         : yes
        Auth ID        : 01
        ID             : 01
        MD:guid        : 0x'36303137303031333235303438313031303031353132353534343436313137300000000000000000'

Private RSA Key [SIGN key]
        Object Flags   : [0x1], private
        Usage          : [0x20E], decrypt, sign, signRecover, nonRepudiation
        Access Flags   : [0x1D], sensitive, alwaysSensitive, neverExtract, local
        ModLength      : 2048
        Key ref        : 156 (0x9C)
        Native         : yes
        Auth ID        : 01
        ID             : 02
        MD:guid        : 0x'36303137303031333235303438313032303031353132353534343436313137300000000000000000'

Private RSA Key [KEY MAN key]
        Object Flags   : [0x1], private
        Usage          : [0x22], decrypt, unwrap
        Access Flags   : [0x1D], sensitive, alwaysSensitive, neverExtract, local
        ModLength      : 2048
        Key ref        : 157 (0x9D)
        Native         : yes
        Auth ID        : 01
        ID             : 03
        MD:guid        : 0x'36303137303031333235303438313033303031353132353534343436313137300000000000000000'

Public RSA Key [PIV AUTH pubkey]
        Object Flags   : [0x0]
        Usage          : [0xD1], encrypt, wrap, verify, verifyRecover
        Access Flags   : [0x2], extract
        ModLength      : 2048
        Key ref        : 154 (0x9A)
        Native         : yes
        ID             : 01
        DirectValue    : <absent>

Public RSA Key [SIGN pubkey]
        Object Flags   : [0x0]
        Usage          : [0x2C1], encrypt, verify, verifyRecover, nonRepudiation
        Access Flags   : [0x2], extract
        ModLength      : 2048
        Key ref        : 156 (0x9C)
        Native         : yes
        ID             : 02
        DirectValue    : <absent>

Public RSA Key [KEY MAN pubkey]
        Object Flags   : [0x0]
        Usage          : [0x11], encrypt, wrap
        Access Flags   : [0x2], extract
        ModLength      : 2048
        Key ref        : 157 (0x9D)
        Native         : yes
        ID             : 03
        DirectValue    : <absent>

X.509 Certificate [Certificate for PIV Authentication]
        Object Flags   : [0x0]
        Authority      : no
        Path           :
        ID             : 01
        Encoded serial : 02 03 1A3DCA

X.509 Certificate [Certificate for Digital Signature]
        Object Flags   : [0x0]
        Authority      : no
        Path           :
        ID             : 02
        Encoded serial : 02 03 252183

X.509 Certificate [Certificate for Key Management]
        Object Flags   : [0x0]
        Authority      : no
        Path           :
        ID             : 03
        Encoded serial : 02 03 25218D

Data object 'Card Capability Container'
        applicationName: Card Capability Container
        applicationOID:  2.16.840.
        Path:            db00
        Data (268 bytes): 53820108F015A00000007902024820502B10290818961500002C79F10121F20121F310A0000000790102000100000000
Data object 'Card Holder Unique Identifier'
        applicationName: Card Holder Unique Identifier
        applicationOID:  2.16.840.
        Path:            3000
        Data (1891 bytes): 5382075F3019D43810DA19456C120A01CD8360DA15822B52108D843810A3E43410000000000000000000000000000000
Data object 'Unsigned Card Holder Unique Identifier'
        applicationName: Unsigned Card Holder Unique Identifier
        applicationOID:  2.16.840.
        Path:            3010
Data object read failed: File not found
Data object 'X.509 Certificate for PIV Authentication'
        applicationName: X.509 Certificate for PIV Authentication
        applicationOID:  2.16.840.
        Path:            0101
        Data (1114 bytes): 538204567082044D1F8B080000000000000B336862653168627EB380998991898959CAF694012F1BA7569B47DB775E46
Data object 'Cardholder Fingerprints'
        applicationName: Cardholder Fingerprints
        applicationOID:  2.16.840.
        Path:            6010
        Auth ID:         01
Data object 'Printed Information'
        applicationName: Printed Information
        applicationOID:  2.16.840.
        Path:            3001
        Auth ID:         01
Data object 'Cardholder Facial Image'
        applicationName: Cardholder Facial Image
        applicationOID:  2.16.840.
        Path:            6030
        Auth ID:         01
Data object 'X.509 Certificate for Digital Signature'
        applicationName: X.509 Certificate for Digital Signature
        applicationOID:  2.16.840.
        Path:            0100
        Data (1085 bytes): 53820439708204301F8B080000000000000B336862F960D0C47C63013313231313B3AA62B3012F1BA7569B47DB775E46
Data object 'X.509 Certificate for Key Management'
        applicationName: X.509 Certificate for Key Management
        applicationOID:  2.16.840.
        Path:            0102
        Data (1038 bytes): 5382040A708204011F8B080000000000000B336862596AD0C4DCBB8099899189895955B1D780978D53ABCDA3ED3B2F23
Data object 'X.509 Certificate for Card Authentication'
        applicationName: X.509 Certificate for Card Authentication
        applicationOID:  2.16.840.
        Path:            0500
Data object read failed: File not found
Data object 'Security Object'
        applicationName: Security Object
        applicationOID:  2.16.840.
        Path:            9000
        Data (796 bytes): 53820318BB82030A3082030606092A864886F70D010702A08202F7308202F3020103310F300D06096086480165030402
Data object 'Cardholder Iris Image'
        applicationName: Cardholder Iris Image
        applicationOID:  2.16.840.
        Path:            1015
Data object read failed: File not found

Comment 2 Jakub Jelen 2018-04-13 07:26:24 UTC
What is the version of NSS used? There was an issue with a recent NSS that breaks the insert detection:


The log looks completely fine from this point of view. Did you verify that it does work when you downgrade only OpenSC, but not NSS?

Comment 3 Jakub Jelen 2018-04-13 07:29:58 UTC
From the SOS report, it looks like the NSS is indeed recently updated to the affected version:

nss-3.34.0-4.el7.x86_64                                     Wed Apr 11 12:11:17 2018

We noticed this issue only with Firefox so far, but I believe it can also be demonstrated with other tools using NSS. The patch is on the way; as a workaround, please downgrade NSS (and potentially other dependencies).

Comment 6 Dan 2018-04-13 16:47:03 UTC
Downgrading nss, nss-sysinit, and nss-tools (all to 3.28.4-15) did not fix the problem.  I am still prompted to insert my smart card when the machine is locked, even though the card is in the card reader.

Logging in still works fine.

Comment 7 Jakub Jelen 2018-04-16 08:38:45 UTC
The bug #1557015 does not clearly say which NSS version has this problematic patch or its variations (Kai can probably confirm), but RHEL7.4 GA should work (nss-3.28.4-10.el7). Can you confirm that?

Comment 8 Kai Engert (:kaie) (inactive account) 2018-04-16 09:08:27 UTC
(In reply to Jakub Jelen from comment #7)
> The bug #1557015 does not clearly say what NSS version have this problematic
> patch or its variations (Kai can probably confirm), but RHEL7.4 GA should
> work (nss-3.28.4-10.el7). Can you confirm that?

Yes, in my understanding, the NSS 3.28.x packages shouldn't have this bug.

The regression was apparently introduced by this upstream commit:
which was part of the 7.5.0 packages.

Comment 9 Kai Engert (:kaie) (inactive account) 2018-04-16 09:09:23 UTC
Did you try to reboot after downgrading?

Comment 10 Dan 2018-04-16 12:48:10 UTC
Yes, I did. 

I only downgraded nss; I am still running 7.5.

Comment 11 Dan 2018-04-23 13:32:43 UTC
I also downgraded pam_pkcs11 as that is my current method for linking the user account to the CAC (cn_map).  Did not change.

I am loathe to downgrade anything regarding gnome-shell as I am not sure what that would break.

Comment 12 Jakub Jelen 2018-04-23 14:08:10 UTC
Does downgrading the opensc package, change something? Does it work with old version? Can you generate the OpenSC debug log from the time, when the issue shows (by modifying the log options in /etc/opensc-*.conf) and attach the logs?

Comment 13 Dan 2018-04-23 14:27:48 UTC
yes, downgrading opensc does change things.  I am able to unlock the machine using opensc-0.16.0-5.

I updated and set debug to 9.  Attached is the log file.

Comment 14 Dan 2018-04-23 14:28:19 UTC
Created attachment 1425675 [details]
opensc debug 9

opensc debug 9

Comment 15 Jakub Jelen 2018-04-23 14:56:34 UTC
The log says that the card is detected by the PIV driver, so the card is probably dual interface. Even so, this sounds like an issue. There are already some failures from the PIV driver.

Does changing the card_drivers to prefer CAC cards in /etc/opensc-*.conf help?

  card_drivers = cac, internal

Comment 16 Dan 2018-04-23 15:01:30 UTC
It definitely reads the card differently (instead of saying 'Welcome PIVII...', it says 'Welcome CAC II <NAME>'.

And, I am able to unlock the machine using the newer version of opensc with the conf change.

Comment 17 Jakub Jelen 2018-04-23 15:16:00 UTC
Thank you for verifying that the CAC driver works (if they are CAC cards, it should be used anyway). But the broken PIV endpoint is still an issue. I am reading through the logs to get a grasp of something useful, but no luck yet.

Can you share some more information about the CAC cards you have? Ideally a dump from ActivClient or so (if you do not wish to do that publicly, you can do it through the customer portal). This might show some differences from expected PIV structures.
Unfortunately, I don't have any such cards around to reproduce the issue locally.

Comment 18 Jakub Jelen 2018-04-23 15:25:18 UTC
Can you try to get the same log once again with the old version and old configuration? Note that the log file is not overwritten but appended to, so truncating the file before running the test would be good, to have somewhat comparable results.

Comment 19 Dan 2018-04-23 15:58:23 UTC
Created attachment 1425698 [details]
opensc debug 9 (old version)

this is with the older version of opensc and no changes to opensc.conf

Comment 20 Dan 2018-04-23 15:59:34 UTC
I posted some questions to the OpenSC github regarding the email cert issue and OpenSC.


Might shed some light on the CAC/PIV stuff.

I also posted a log for you to look through.

Comment 21 Jakub Jelen 2018-04-23 17:48:29 UTC
Comparing the logs, it gets down to the following lines somewhere close to the end, where old version says

  reader-pcsc.c:402:pcsc_detect_card_presence: returning with: 1
  sc.c:276:sc_detect_card_presence: returning with: 1

but a new one:

  reader-pcsc.c:402:pcsc_detect_card_presence: returning with: 5
  sc.c:276:sc_detect_card_presence: returning with: 5

Similar block was already here somewhere around the middle (probably the successful login), which went just fine:

  reader-pcsc.c:402:pcsc_detect_card_presence: returning with: 1
  sc.c:276:sc_detect_card_presence: returning with: 1
  slot.c:349:card_detect: SCM Microsystems Inc. SCR 3310 [CCID Interface] 00 00: Detection ended
  pkcs11-global.c:516:C_GetSlotInfo: C_GetSlotInfo() card detect rv 0x0
  pkcs11-global.c:533:C_GetSlotInfo: C_GetSlotInfo() flags 0x7
  pkcs11-global.c:534:C_GetSlotInfo: C_GetSlotInfo(0x0) = CKR_OK

These are flags returned by the PCSC driver, where the value 1 means SC_READER_CARD_PRESENT and the value 5 means SC_READER_CARD_PRESENT|SC_READER_CARD_INUSE. This means the card is detected properly, but the PCSC layer says there is something else already using the card (?). Returning 5 prevents the card from popping out as detected, if I understand it correctly. I did not find any other significant difference in the logs.

In both cases, there are several processes accessing the card through opensc. But looking through the changes from the last release, I don't see any change that would affect the above in any way. A further way that can help us debug the case is identifying the patch that changed this behavior. There are only a few changes since the last release. If you could try to rebuild the current OpenSC source package without one of the following patches affecting the PIV driver, it would be very helpful:
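
An added example, not code from the bug report or from OpenSC, that decodes the sc_detect_card_presence result values compared in the comment above so the INUSE case stands out when scanning a debug log. The bit values are the SC_READER_CARD_* flags from OpenSC's opensc.h; the page itself confirms only PRESENT (1) and INUSE (4), the CHANGED and EXCLUSIVE bits are taken from the header. The function names, the SAMPLE_LOG excerpt (constructed in the shape of the attached debug-9 logs) and the log path in the closing comment are this example's own.

```shell
# Added example, not code from the bug report or from OpenSC: decode the
# sc_detect_card_presence result values that comment 21 compares between the
# two debug logs. Bit values are the SC_READER_CARD_* flags from OpenSC's
# opensc.h; the page itself confirms only PRESENT (1) and INUSE (4).
# Function names and SAMPLE_LOG are this example's own.

# Constructed excerpt in the shape of the attached debug-9 logs: the first
# detection (login) returns 1, the later one (screen unlock) returns 5.
SAMPLE_LOG='reader-pcsc.c:402:pcsc_detect_card_presence: returning with: 1
sc.c:276:sc_detect_card_presence: returning with: 1
slot.c:349:card_detect: SCM Microsystems Inc. SCR 3310 [CCID Interface] 00 00: Detection ended
reader-pcsc.c:402:pcsc_detect_card_presence: returning with: 5
sc.c:276:sc_detect_card_presence: returning with: 5'

# Translate a numeric reader state into SC_READER_* flag names.
decode_reader_flags() {
    v="$1"
    names=""
    [ $((v & 1)) -ne 0 ] && names="$names SC_READER_CARD_PRESENT"
    [ $((v & 2)) -ne 0 ] && names="$names SC_READER_CARD_CHANGED"
    [ $((v & 4)) -ne 0 ] && names="$names SC_READER_CARD_INUSE"
    [ $((v & 8)) -ne 0 ] && names="$names SC_READER_CARD_EXCLUSIVE"
    [ -n "$names" ] || names=" (no card)"
    printf '%s' "${names# }"
}

# Read an OpenSC debug log on stdin, print each sc_detect_card_presence
# result decoded, and return 1 if any result marks the card as in use.
scan_detect_results() {
    inuse=0
    while IFS= read -r line; do
        case "$line" in
            "sc.c:"*"sc_detect_card_presence: returning with: "*)
                v="${line##*: }"
                flags="$(decode_reader_flags "$v")"
                printf '%s -> %s\n' "$v" "$flags"
                case "$flags" in *INUSE*) inuse=$((inuse + 1)) ;; esac
                ;;
        esac
    done
    printf 'in-use results: %d\n' "$inuse"
    [ "$inuse" -eq 0 ]
}

# Stand-alone run on the constructed excerpt. For a real capture, feed the
# file named by the debug_file option in /etc/opensc-*.conf instead, e.g.
#   scan_detect_results < /var/log/opensc-debug.log   (path is an example)
printf '%s\n' "$SAMPLE_LOG" | scan_detect_results \
    || echo "card reported in use: look for a second PKCS#11 module holding it"
```

The scan only looks at the sc.c line, not the reader-pcsc.c line that precedes it, so each detection is counted once; a non-zero exit from scan_detect_results is the signal that another process held the card at the moment GDM polled for it.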

Comment 22 Dan 2018-04-23 19:11:48 UTC
Unfortunately, I only install it from the official repo.  I've never had luck building it from source (I think the github version is .17 now).

Comment 23 Jakub Jelen 2018-04-26 12:00:43 UTC
From the upstream issue linked in previous comments, it looks like this card is somehow tricky. Is it the same card? Can you clarify if the issues described there are still present (you don't see the "email certificate" in Firefox?)? Can you attach the output of the following commands (assuming the main nss db has the opensc pkcs11 module)?

  pkcs11-tool -O

  certutil -L -d /etc/pki/nssdb -h all

From the logs, I see that all the three certificates were read from the card, which is also what I see in the pkcs15 dump of description of this bug.

Rereading the logs again, it looks like the "old good" log from comment #19 is truncated before the authentication is done, isn't it? At least, I don't see any RSA operation, Login nor even the attempt to search for keys (while at least the last one is in the "new bad" log). Can you please retest it again with both versions and attach the logs from the whole procedure (ideally from before the login, to the attempt to successful or unsuccessful unlock the screen saver). Noting timestamps and delays between actions would be also good to distinguish the events and sync the messages.

Do you have some spare cards of this type, that could be used for testing? We have some official PIV Test cards as well as standard CAC test cards, but probably not these hybrid ones.

Comment 24 Dan 2018-04-26 13:55:27 UTC
It is a new CAC, but the old issue is still there.  If I do not specify CAC in /etc/opensc-x86_64.conf, I cannot see the email certificate in Firefox, nor can I unlock the machine with the newest opensc version installed.

All of the logs were taken when attempting to unlock the screen.  With any version, in any configuration, I am able to log into the machine with my CAC.  It is *only* failing when trying to unlock the machine.

As far as spare card types, I definitely can't get my hands on any.

Current setup: opensc-0.16.0-8, cac explicitly defined in /etc/opensc-x86_64.conf.

pkcs11-tool -O

Using slot 0 with a present token (0x0)
Public Key Object; RSA 2048 bits
  label:      CAC ID Certificate
  ID:         0001
  Usage:      verify
Certificate Object; type = X.509 cert
  label:      CAC ID Certificate
  ID:         0001
Public Key Object; RSA 2048 bits
  label:      CAC Email Signature Certificate
  ID:         0002
  Usage:      verify
Certificate Object; type = X.509 cert
  label:      CAC Email Signature Certificate
  ID:         0002
Public Key Object; RSA 2048 bits
  label:      CAC Email Encryption Certificate
  ID:         0003
  Usage:      encrypt
Certificate Object; type = X.509 cert
  label:      CAC Email Encryption Certificate
  ID:         0003
Data object 22750240
  label:          'Person Instance'
  application:    'Person Instance'
  app_id:         <empty>
  flags:          <empty>
Data object 22750336
  label:          'Personnel'
  application:    'Personnel'
  app_id:         <empty>
  flags:          <empty>

certutil -L -d /etc/pki/nssdb -h all

Certificate Nickname                                         Trust Attributes

DODIDSWCA-36                                                 c,c,c
DODEMAILCA-44                                                c,c,c
DODEMAILCA-39                                                c,c,c
DODEMAILCA-28                                                c,c,c
DODCA-31                                                     c,c,c
DoDRootCA4                                                   CT,C,C
DODIDSWCA-47                                                 c,c,c
DODIDSWCA-37                                                 c,c,c
DODIDCA-43                                                   c,c,c
DODIDCA-40                                                   c,c,c
DODIDCA-33                                                   c,c,c
DODEMAILCA-43                                                c,c,c
DODEMAILCA-34                                                c,c,c
DODEMAILCA-27                                                c,c,c
DODCA-27                                                     c,c,c
DoDRootCA3                                                   CT,C,C
DODIDCA-42                                                   c,c,c
DODIDCA-39                                                   c,c,c
DODIDCA-34                                                   c,c,c
DODEMAILCA-42                                                c,c,c
DODEMAILCA-31                                                c,c,c
DODEMAILCA-30                                                c,c,c
DODCA-30                                                     c,c,c
DoDRootCA2                                                   CT,C,C
DODIDSWCA-46                                                 c,c,c
DODIDSWCA-35                                                 c,c,c
DODIDCA-41                                                   c,c,c
DODEMAILCA-41                                                c,c,c
DODEMAILCA-40                                                c,c,c
DODEMAILCA-32                                                c,c,c
DODEMAILCA-29                                                c,c,c
DODCA-29                                                     c,c,c
DODIDSWCA-48                                                 c,c,c
DODIDSWCA-45                                                 c,c,c
DODIDSWCA-38                                                 c,c,c
DODIDCA-44                                                   c,c,c
DODEMAILCA-33                                                c,c,c
DODCA-32                                                     c,c,c
DODCA-28                                                     c,c,c

Comment 25 Jakub Jelen 2018-05-03 12:41:15 UTC
OK, so let's summarize what we learned in the recent comments:

 * RHEL7.5 GA configured with OpenSC does not work (with default PIV driver)

Both of the following options fix the issue:

 * Downgrading OpenSC to 0.16.0-5 version fixes the issue (comment #13)
 * Changing the driver to CAC fixes the issue (comment #16)

The second issue is with the PIV driver, which does not list the CAC Email certificate, which is to my understanding (also from the upstream comments) a limitation of the dual card.

The logs you provided for the good and old version look very similar, and the supposedly good version is also missing any note about GDM searching for the card objects.

Can you make sure you don't have coolkey installed and loaded in NSS DB also?

  $ modutil -list -dbdir /etc/pki/nssdb/

Comment 26 Dan 2018-05-03 13:11:10 UTC
coolkey was installed as it worked with Firefox without making changes to any config files.

Here is the product of the requested command:

 modutil -list -dbdir /etc/pki/nssdb/

Listing of PKCS #11 Modules
  1. NSS Internal PKCS #11 Module
           uri: pkcs11:library-manufacturer=Mozilla%20Foundation;library-description=NSS%20Internal%20Crypto%20Services;library-version=3.34
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services
          uri: pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB
          uri: pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203

  2. CoolKey PKCS #11 Module
        library name: libcoolkeypk11.so
           uri: pkcs11:library-manufacturer=Mozilla%20Foundation;library-description=CoolKey%20PKCS%20%2311%20Module%20%20%20%20%20;library-version=1.0
         slots: 3 slots attached
        status: loaded

         slot: Broadcom Corp 5880 [Contacted SmartCard] (0123456789ABCD) 00 00
          uri: pkcs11:

         slot: SCM Microsystems Inc. SCR 331 [CCID Interface] (21120808221064)
          uri: pkcs11:

         slot: Hewlett-Packard Company HP Smart Card Terminal KUS1206 [HP Smart
          uri: pkcs11:

Comment 27 Jakub Jelen 2018-05-03 14:23:53 UTC
This means that the NSS DB used by pam_pkcs11 has coolkey installed. To work with OpenSC, you need to remove coolkey from this database and install OpenSC in there, if I am right. This sounds like duplicate work since you already specified opensc in the pam_pkcs11 config, but this is how NSS works.

Firefox is using a different NSS DB, so removing coolkey from this one should not affect its functionality.

We have a simple script that should do the job of removing coolkey and installing opensc into the /etc/pki/nssdb/:

  pkcs11-switch opensc

Do you see changes after running the above?

Comment 28 Dan 2018-05-03 16:47:44 UTC
Yes and no.

I didn't run the pkcs11-switch command, but I did remove coolkey. 

In doing so, I am immediately able to unlock the machine (SSH'd in while the machine is locked, remove coolkey, go back to the gui).

I still have to explicitly define 'cac' as the card_driver in /etc/opensc-x86_64 for Firefox to read the email certificate, but I believe that is outside of the scope of this "bug".

So, the issue boils down to this - with opensc 0.16.0 release 8.2017022, coolkey cannot also be installed.  Previous versions worked with both opensc and coolkey installed.

Comment 29 Jakub Jelen 2018-05-04 07:29:50 UTC
Thank you for the confirmation, that it solved the issue.

The email certificate is out of the scope of this bug and as already said, I believe this is a limitation of the dual card. If you know you will be using CAC cards, configuring OpenSC to prefer this driver is the way to go (already documented -- see the link later)

Having both of the pkcs11 modules in the NSS DB is really not a supported nor recommended configuration. It was probably a coincidence that it worked before (and that it worked for login). Both of the modules are trying to connect to the same inserted smart card, and especially when waiting for a card to be inserted, it is very racy.
This is also already documented in the following article:


Is there anything else to clarify or can we close this bug?
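
An added example, not the bug report's output and not Red Hat's pkcs11-switch script, for the check comment 27 asks for and the reason comment 29 gives for it: parse `modutil -list` output and confirm that the NSS DB pam_pkcs11 reads loads exactly one smart-card PKCS#11 module, and that it is the module pam_pkcs11 is configured for. The sample listing is copied from comment 26 and trimmed; the function names are this example's own, and opensc-pkcs11.so is assumed to be the file name of the OpenSC module.

```shell
# Added example, not the bug report's output or Red Hat's pkcs11-switch
# script: parse `modutil -list` output and confirm that the NSS DB used by
# pam_pkcs11 loads exactly one smart-card PKCS#11 module, and that it is the
# one pam_pkcs11 is configured for. Function names are this example's own;
# opensc-pkcs11.so is assumed to be the OpenSC module's library file name.

# Sample listing, copied from comment 26 of this bug and trimmed to the
# lines the parser needs (the built-in NSS module carries no library name).
SAMPLE_MODUTIL='Listing of PKCS #11 Modules
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded

  2. CoolKey PKCS #11 Module
        library name: libcoolkeypk11.so
         slots: 3 slots attached
        status: loaded'

# Print the library file of every external module, one per line.
list_card_module_libs() {
    sed -n 's/^[[:space:]]*library name:[[:space:]]*//p'
}

# With the expected library name as $1 and modutil output on stdin, return 0
# only if that library is the sole external module; otherwise say what is
# wrong and return 1.
check_card_module() {
    expected="$1"
    libs="$(list_card_module_libs)"
    count=0
    found=0
    for lib in $libs; do
        count=$((count + 1))
        case "$lib" in *"$expected"*) found=1 ;; esac
    done
    if [ "$count" -eq 0 ]; then
        echo "no smart-card module in this DB: pam_pkcs11 cannot reach the card via NSS"
        return 1
    fi
    if [ "$count" -gt 1 ]; then
        echo "$count PKCS#11 modules share this DB and will race for the same card:"
        printf '  %s\n' $libs
        return 1
    fi
    if [ "$found" -eq 0 ]; then
        echo "loaded module is $libs, not $expected"
        return 1
    fi
    echo "ok: $libs is the only module"
}

# Stand-alone run on the sample; on a live system replace the printf with
#   modutil -list -dbdir /etc/pki/nssdb
printf '%s\n' "$SAMPLE_MODUTIL" | check_card_module opensc-pkcs11.so \
    || echo "fix: pkcs11-switch opensc (removes coolkey, installs opensc)"
```

On the reporter's listing the check fails with "loaded module is libcoolkeypk11.so, not opensc-pkcs11.so", which is the mismatch that left pam_pkcs11 and GDM talking to the card through coolkey while OpenSC was configured elsewhere; the two-module case is reported separately because that is the racy configuration described above.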

Comment 30 Dan 2018-05-04 12:35:31 UTC
I think we have delved deep enough into this and have come up with the reason for my initial issues.

The bug can be closed.

Thank you
