Bug 1696238 - yubikey based ssh to IPA fails with C_Sign failed: 32
Summary: yubikey based ssh to IPA fails with C_Sign failed: 32
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: opensc
Version: 7.6
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Jakub Jelen
QA Contact: Asha Akkiangady
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-04-04 11:53 UTC by amitkuma
Modified: 2019-07-26 12:43 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-07-26 12:43:41 UTC
Target Upstream Version:
Embargoed:



Comment 2 amitkuma 2019-04-11 14:18:28 UTC
Jakub, any updates here?

Comment 4 amitkuma 2019-04-23 11:26:46 UTC
Attached:
1. Output of # pkcs11-tool -O
2. Secure log from /var/log/secure
3. Messages log from /var/log/messages when the Yubikey is plugged into the machine

Comment 6 amitkuma 2019-04-30 10:17:44 UTC
# pkcs11-tool --pin 123456 --test
No slots.
# pkcs11-tool --pin 177181 --test
Using slot 0 with a present token (0x0)
C_SeedRandom() and C_GenerateRandom():
  seeding (C_SeedRandom) not supported
  seems to be OK
Digests:
  all 4 digest functions seem to work
  MD5: OK
  SHA-1: OK
  RIPEMD160: OK
Signatures (currently only for RSA)
  testing key 0 (PIV AUTH key) 
error: PKCS11 function C_SignFinal failed: rv = CKR_DATA_INVALID (0x20)
Aborting.

Comment 7 Jakub Jelen 2019-04-30 10:36:44 UTC
I am not sure if I already proposed testing a more recent OpenSC (to be shipped with RHEL 7.7):

https://brewweb.engineering.redhat.com/brew/buildinfo?buildID=868732

Also, I do not see here information on what version and type of yubikey the customer is using.

Let's also provide an opensc debug log from the test in the previous comment:

OPENSC_DEBUG=9 pkcs11-tool --pin 177181 --test &> /tmp/opensc.log

Comment 10 Jakub Jelen 2019-05-02 07:28:20 UTC
And the yubikey version/type? I am personally using Yubikey 4 without any problems.

Comment 11 joel 2019-05-10 20:54:38 UTC
The customer has multiple keys they are working with:

~We have YubiKey 4, 5, 5c, and 5c Fips edition to test with.

Is there anything else you would need?

Comment 12 Jakub Jelen 2019-05-14 08:24:21 UTC
All of the above yubikeys show the same issues as in this bug report or is it just one of them?

Is there some other application running that might poll the smart card status during the tests?

Comment 13 joel 2019-05-14 22:23:39 UTC
The customer got back with this:

We experienced the same issue with all 3 versions of the yubikey. However, I have no idea if another program is conflicting with our configuration.

Comment 14 Jakub Jelen 2019-05-16 09:05:45 UTC
OK, so let's try the following:

* Modify /etc/opensc.conf to contain the following in the "app default" block:

    debug = 3;
    debug_file = /tmp/opensc-debug.txt;

* Restart the system
* Retry the test (assuming 177181 is the PIN for the yubikey):

    $ pkcs11-tool --pin 177181 --test &> /tmp/opensc-pkcs11-tool--test.log

* Attach the /tmp/opensc-debug.log
* Attach a new sosreport

Comment 17 Jakub Jelen 2019-06-28 08:22:59 UTC
Hello,
I am sorry for the delay. I just tried my yubikey with the latest RHEL7 (beta) machine and it looks like it is still working as expected.

The error message comes from the card. How was the card provisioned? How was the key generated and certificate loaded to the yubikey? From the description, the certificate and public key look fine. Is it still the same certificate and key on all the testing cards or did you try different ones?

What versions of pcsc-lite and pcsc-lite-ccid are used? Can you try to install these versions from RHEL 7.7 beta too?

Also, please retry with the option disconnect_action=leave set in opensc.conf, which should address possible concurrency issues.
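
The two configuration changes requested in comments 14 and 17 (debug logging into /tmp/opensc-debug.txt, plus disconnect_action = leave), applied to an opensc.conf by a small POSIX shell helper. This is an added example, not a script from the bug report or from the OpenSC project; it assumes the "app default { ... }" block syntax with "key = value;" lines and that braces occur only as block delimiters.

```shell
#!/bin/sh
# Added example, not part of the bug report: apply the OpenSC settings that
# comments 14 and 17 ask for (debug = 3, debug_file, disconnect_action = leave)
# to an opensc.conf without leaving duplicate keys behind.
# Assumptions: opensc.conf uses the "app default { ... }" block syntax with
# "key = value;" lines, and braces appear only as block delimiters.

# opensc_enable_debug CONF DEBUG_FILE
# Rewrites CONF so the "app default" block has exactly one copy of each key.
opensc_enable_debug() {
    conf=$1
    tmp="$conf.tmp.$$"
    awk -v logfile="$2" '
        /^[ \t]*app[ \t]+default[ \t]*[{]/ { inblock = 1; depth = 1; print; next }
        inblock {
            # Drop existing (possibly commented-out) copies of the keys we set.
            if ($0 ~ /^[ \t]*#?[ \t]*(debug|debug_file|disconnect_action)[ \t]*=/) next
            # Track nested blocks such as "framework pkcs15 { ... }".
            depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")
            if (depth == 0) {
                # Closing brace of "app default": emit the settings before it.
                print "\tdebug = 3;"
                print "\tdebug_file = " logfile ";"
                print "\tdisconnect_action = leave;"
                inblock = 0
            }
        }
        { print }
    ' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# opensc_get_setting CONF KEY
# Prints the value of KEY at the top level of the "app default" block
# (nothing if it is unset), so the edit can be verified before restarting.
opensc_get_setting() {
    awk -v key="$2" '
        /^[ \t]*app[ \t]+default[ \t]*[{]/ { inblock = 1; depth = 1; next }
        inblock {
            if (depth == 1 && $1 == key && $2 == "=") { v = $3; sub(/;$/, "", v); print v }
            depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")
            if (depth == 0) inblock = 0
        }
    ' "$1"
}

# Typical use on a RHEL 7 host (then reboot and rerun "pkcs11-tool --test"):
#   opensc_enable_debug /etc/opensc.conf /tmp/opensc-debug.txt
#   opensc_get_setting /etc/opensc.conf disconnect_action   # prints "leave"
```

Running the helper a second time is safe: the earlier copies of the three keys are removed before they are re-added.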

Comment 18 joel 2019-07-24 18:19:11 UTC
Hello,

Thanks for the update.

> What version of pcsc-lite and pcsc-lite-ccid is used?

pcsc-lite-1.8.8-8.el7.x86_64                                Tue Dec 11 14:12:56 2018
pcsc-lite-ccid-1.4.10-14.el7.x86_64                         Tue Dec 11 14:12:56 2018
pcsc-lite-libs-1.8.8-8.el7.x86_64                           Tue Dec 11 11:52:59 2018

> Is it still the same certificate and key on all the testing cards or did you try different ones?

I believe they are using the same certs for testing purposes and from them:

~We have YubiKey 4, 5, 5c, and 5c Fips edition to test with.

> Can you try to install these version from RHEL 7.7 beta too?

Are there certain packages you want them to try? I can ask if they'll make a beta test machine.

I'm requesting they try with your disconnect option.

Comment 19 Jakub Jelen 2019-07-25 15:22:24 UTC
(In reply to joel from comment #18)
> I believe they are using the same certs for testing purposes and from them:

Please clarify how the yubikeys were provisioned and the keys generated, and whether it is one testing key or more. If it is still the same key, they could try to generate a different one.

> > Can you try to install these version from RHEL 7.7 beta too?
> 
> Is there certain packages you want them to try? I can ask if they'll make a
> beta test machine.

Trying complete beta would be best, otherwise I would be interested in pcsc-lite, pcsc-lite-ccid, opensc at least.

> I'm requesting they try with your disconnect option.

Thank you.

