Bug 1576562 - Alt Token not read when opensc receives empty certificate
Summary: Alt Token not read when opensc receives empty certificate
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: opensc
Version: 7.5
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Jakub Jelen
QA Contact: Asha Akkiangady
Marc Muehlfeld
Depends On:
Reported: 2018-05-09 18:50 UTC by Scott Poore
Modified: 2018-10-22 11:24 UTC

Fixed In Version:
Doc Type: Enhancement
Doc Text:
OpenSC supports HID Alt Tokens with up to 16 certificates
With this enhancement, OpenSC now supports HID Alt Tokens. OpenSC can use these tokens with up to 16 certificates.
Clone Of:
Last Closed: 2018-07-18 15:54:03 UTC
Target Upstream Version:


Description Scott Poore 2018-05-09 18:50:42 UTC
Description of problem:

Customer was seeing an issue reading an Alt Token card with OpenSC when the first PKI container/Applet AID was empty.

When a new card was generated with the same data but with a certificate in the first container/AID, it worked.

Version-Release number of selected component (if applicable):

How reproducible:
Always with the particular card.

Steps to Reproduce:
Note:  Specifics about setting up card currently unknown.
1. Installed released version of RHEL 7.5 GA.
   - set network to static
   - software selection server with gui and smart card support
   - registered with subscription manager

2. Installed opensc

[root@rhel7-8 ~]# yum install opensc

[root@rhel7-8 ~]# rpm -q opensc

3.  Copy signing and root CA certs and add to NSSDB

[root@rhel7-8 ~]# mkdir certs
[root@rhel7-8 ~]# cd certs
[root@rhel7-8 certs]# certutil -d /etc/pki/nssdb -A -i jitc-root-ca-2.crt -n jitc-root-ca-2.crt -t CT,C,C
[root@rhel7-8 certs]# certutil -d /etc/pki/nssdb -A -i jitc-id-sw-ca-37.crt -n jitc-id-sw-ca-37.crt -t CT,C,C

4.  Switch pam_pkcs11 to opensc

[root@rhel7-8 certs]# cd /etc/pam_pkcs11/
[root@rhel7-8 pam_pkcs11]# cp pam_pkcs11.conf pam_pkcs11.conf.orig
[root@rhel7-8 pam_pkcs11]# vim pam_pkcs11.conf
[root@rhel7-8 pam_pkcs11]# diff pam_pkcs11.conf.orig pam_pkcs11.conf
<   use_pkcs11_module = coolkey;
>   use_pkcs11_module = opensc;
>     nss_dir = /etc/pki/nssdb;

[root@rhel7-8 pam_pkcs11]# pkcs11-switch opensc

WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type
'q <enter>' to abort, or <enter> to continue:

Module "OpenSC PKCS #11 Module" added to database.
Module "CoolKey PKCS #11 Module" deleted from database.

5. Setup authentication

[root@rhel7-8 pam_pkcs11]# authconfig --enablemkhomedir  --enablesmartcard --update

6. Make sure pcscd is started

[root@rhel7-8 pam_pkcs11]# systemctl start pcscd.service pcscd.socket

7. share USB reader with VM
- plug in reader
- select Virtual Machine -> Redirect USB device
- Identive SCR33xx v2.0 USB SC Reader...
- OK

8. Add user of CN of subject

[root@rhel7-8 pam_pkcs11]# useradd Poore.REDHAT.9010000489 -m

9. Reboot

[root@rhel7-8 pam_pkcs11]# reboot
Connection to rhel7-8 closed by remote host.
Connection to rhel7-8 closed.

- remove card while rebooting

10. Login with pin

- insert card
- was prompted for pin

Actual results:
Customer sees:

"Sorry, that didn’t work. Please try again"

Expected results:

Logged in successfully, which is what I see with my Alt Token test card.

Additional info:

Comment 2 Jakub Jelen 2018-05-10 07:11:07 UTC
Some notes for my future self:
 * We need to parse the ACA object, which will tell us which AIDs and OIDs to use to look for certificates, instead of blindly trying all the known AIDs and ignoring OIDs. The useful table from the ACA should be the Service Applet Table.
 * The ActivClient trace from the customer clearly says that the certificate is in AID=0101 OID=0102, which is not the default:

CJavaCardV2SMServiceProvider::GetCardURLFromContainerId : Container ID = A0000000790101
CJavaCardV2SMServiceProvider::GetCardURLFromContainerId : OID = 0102

 * The ActivClient dump visualizes the above as a certificate in A0000000790102 for whatever reason

Comment 18 Jakub Jelen 2018-06-21 11:22:12 UTC
The issue with the Dell keyboard is that it does not follow the CCID specification for pinpads. This might work if the PIN is the same length as the keyboard and opensc expect. I believe the difference in your case is that Alt tokens have a PIN of a different length than the CAC cards.

The provided build comes with the pinpad disabled in the default configuration (if you installed the RPM over a previously modified opensc.conf, check the .rpmnew file and try with the shipped version, or manually disable the pinpad in /etc/opensc-*.conf). It should resolve the issue. If not, please share the debug log from the testing procedure, ideally by setting debug and debug_file in opensc.conf, and try to log in as it worked with the Alt token.
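
The following is an added example, not part of the bug report or of the OpenSC or pam_pkcs11 projects. It checks, offline, the two configuration files the reproduction steps (pam_pkcs11.conf switched from coolkey to opensc) and the comment above (pinpad disabled, debug and debug_file set in opensc.conf) depend on, so the state of a test host can be confirmed before a login attempt is tried against a reader whose pinpad does not follow CCID. The key names use_pkcs11_module, enable_pinpad, debug and debug_file are the upstream ones; placing enable_pinpad inside the reader_driver pcsc block of app default is an assumption about the shipped file, and the sample files written by make_samples are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the bug report): offline audit of pam_pkcs11.conf
# and opensc.conf for the settings the troubleshooting in this bug relies on.
# Assumptions: upstream key names; enable_pinpad assumed to live in the
# `reader_driver pcsc` block of `app default`. Sample files are constructed.

# Name of the PKCS#11 module pam_pkcs11 will load (coolkey, opensc, ...).
pam_pkcs11_module() {
    sed -n 's/^[[:space:]]*use_pkcs11_module[[:space:]]*=[[:space:]]*\([A-Za-z0-9_-]*\)[[:space:]]*;.*/\1/p' "$1" | head -n 1
}

# Effective enable_pinpad value: OpenSC defaults to true when the key is
# absent or commented out, so only an explicit false/no/0 counts as disabled.
opensc_pinpad_enabled() {
    v=$(sed -n 's/^[[:space:]]*enable_pinpad[[:space:]]*=[[:space:]]*\([A-Za-z0-9]*\)[[:space:]]*;.*/\1/p' "$1" | head -n 1)
    case "$v" in
        false|no|0) echo false ;;
        *)          echo true ;;
    esac
}

# Path from an active (uncommented) debug_file line; empty if not configured.
opensc_debug_file() {
    sed -n 's/^[[:space:]]*debug_file[[:space:]]*=[[:space:]]*\([^;]*\);.*/\1/p' "$1" | head -n 1
}

# Returns 0 when the stack is in the state the comment asks for while testing
# a non-CCID pinpad: pam_pkcs11 on opensc, pinpad disabled, debug log set.
# Each missing item is reported on stdout.
audit_stack() {
    pam="$1"; osc="$2"; ok=0
    [ "$(pam_pkcs11_module "$pam")" = opensc ] || { echo "pam_pkcs11 is not using opensc"; ok=1; }
    [ "$(opensc_pinpad_enabled "$osc")" = false ] || { echo "enable_pinpad is still true"; ok=1; }
    [ -n "$(opensc_debug_file "$osc")" ] || { echo "no debug_file configured"; ok=1; }
    return $ok
}

# Constructed sample files: a "before" pair (as shipped) and an "after" pair
# (module switched, pinpad off, debugging on). Prints the directory created.
make_samples() {
    d=$(mktemp -d)
    printf '%s\n' 'pam_pkcs11 {' '  use_pkcs11_module = coolkey;' '}' > "$d/pam_pkcs11.before"
    printf '%s\n' 'pam_pkcs11 {' '  use_pkcs11_module = opensc;' '  nss_dir = /etc/pki/nssdb;' '}' > "$d/pam_pkcs11.after"
    printf '%s\n' 'app default {' '  # debug = 0;' '  reader_driver pcsc {' '    # enable_pinpad = true;' '  }' '}' > "$d/opensc.before"
    printf '%s\n' 'app default {' '  debug = 9;' '  debug_file = /tmp/opensc-debug.log;' '  reader_driver pcsc {' '    enable_pinpad = false;' '  }' '}' > "$d/opensc.after"
    echo "$d"
}

# Stand-alone run: the shipped pair fails the audit, the adjusted pair passes.
d=$(make_samples)
if audit_stack "$d/pam_pkcs11.before" "$d/opensc.before"; then echo "before: ok"; else echo "before: needs changes"; fi
if audit_stack "$d/pam_pkcs11.after" "$d/opensc.after"; then echo "after: ok"; else echo "after: needs changes"; fi
rm -rf "$d"
```

To use it on a real host, call audit_stack with /etc/pam_pkcs11/pam_pkcs11.conf and the opensc.conf in use; the parser only looks at uncommented lines, so an `# enable_pinpad = true;` left from the packaged file is correctly reported as "still true" (OpenSC's default) rather than as disabled.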

Comment 19 Josip Vilicic 2018-06-27 01:03:20 UTC
Hello Jakub,

You referred me to this bug from bug 1593034:

   "NIPR-ALT card (a Giesecke & Devrient "SmartCafe Expert v7.0 144K DI") cannot be read by OpenSC"

1) Would it be possible to re-open the brew build so we can provide the possible fix to the customer?

2) I've asked them for 2 SmartCards for testing/verification.  I'll report their response as soon as possible.

Comment 37 Jakub Jelen 2018-10-22 11:24:41 UTC
Let's open new separate bugs, one for OpenSC and Alt tokens and one for pcsc-lite and the Dell keyboard.
