Bug 1756326 - Does not work with compressed certificates; needs to be built with zlib
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: opensc
Version: 31
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: urgent
Assignee: Jakub Jelen
QA Contact: Fedora Extras Quality Assurance
Reported: 2019-09-27 12:00 UTC by Craig
Modified: 2019-10-04 20:05 UTC

Fixed In Version: opensc-0.19.0-8.fc31
Last Closed: 2019-10-04 20:05:35 UTC
Type: Bug

Description Craig 2019-09-27 12:00:37 UTC
Description of problem:
opensc currently does not work with smart cards with compressed certificates. opensc cannot access any compressed certificates.
According to upstream, the fix for this is to build opensc with zlib; full details at https://github.com/OpenSC/OpenSC/issues/1811#issuecomment-535761831

Version-Release number of selected component (if applicable):
0.19.0-7.fc31

How reproducible:
With any smart card that uses compression.
I just got a new US DoD CAC (Common Access Card) on September 9, 2019, so I suspect that many (if not all) new CACs will be impacted (and since CACs are impacted, and they're a pretty big user base that's important, I've reported this as a high severity issue).

Steps to Reproduce:
1. Insert a smart card that has compressed certificates
2. Try to read the certificate using `pkcs15-tool --read-certificate 01`

Actual results:
$ pkcs15-tool --read-certificate 01 | openssl x509 -text -noout
Using reader with a card: Identiv SCR3500 A Contact Reader [CCID Interface] (54301709612490) 00 00
Certificate with ID '01' not found.
unable to load certificate
140098756077376:error:0909006C:PEM routines:get_name:no start line:crypto/pem/pem_lib.c:745:Expecting: TRUSTED CERTIFICAT

Expected results:
A listing of the certificate information.

Additional info:
Please see the upstream issue report at https://github.com/OpenSC/OpenSC/issues/1811
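
The failure mode reported above, as an added example that is not OpenSC's code and not part of the original report: a reader built without a decompressor cannot turn a compressed certificate object into DER, so the certificate is treated as missing. The function names, the `have_zlib` flag, the 64 KiB cap and detection by leading bytes are assumptions for illustration; how a given card marks a certificate as compressed is not covered here.

```python
import gzip
import zlib

# Assumed upper bound on a decompressed certificate; card data is untrusted input.
MAX_CERT_SIZE = 64 * 1024


def classify_cert_blob(blob: bytes) -> str:
    """Classify a certificate object by its leading bytes (illustrative heuristic)."""
    if blob[:2] == b"\x1f\x8b":  # gzip magic
        return "gzip"
    # zlib header: low nibble of CMF is 8 (deflate) and CMF*256+FLG is a multiple of 31
    if len(blob) >= 2 and blob[0] & 0x0F == 8 and ((blob[0] << 8) | blob[1]) % 31 == 0:
        return "zlib"
    if blob[:1] == b"\x30":  # DER SEQUENCE tag, the start of an X.509 certificate
        return "der"
    return "unknown"


def load_certificate(blob: bytes, have_zlib: bool = True) -> bytes:
    """Return DER bytes; have_zlib=False models a build without decompression support."""
    kind = classify_cert_blob(blob)
    if kind == "der":
        return blob
    if kind not in ("gzip", "zlib"):
        raise ValueError("not a certificate object")
    if not have_zlib:
        raise LookupError("certificate is compressed and this build cannot inflate it")
    inflater = zlib.decompressobj(wbits=47)  # 32 + 15: accept gzip or zlib framing
    der = inflater.decompress(blob, MAX_CERT_SIZE)  # bounded output, no unbounded inflate
    if not inflater.eof:
        raise ValueError("compressed certificate is truncated or exceeds the size cap")
    if classify_cert_blob(der) != "der":
        raise ValueError("decompressed data is not DER")
    return der


# Constructed sample: a DER SEQUENCE header plus 256 zero bytes, not a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(256)

if __name__ == "__main__":
    for label, blob in (("raw", SAMPLE_DER), ("zlib", zlib.compress(SAMPLE_DER)),
                        ("gzip", gzip.compress(SAMPLE_DER))):
        print(label, classify_cert_blob(blob), len(load_certificate(blob)))
```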

Comment 1 Jakub Jelen 2019-09-27 12:11:17 UTC
Thank you for the report. It looks like the zlib disappeared from the build roots for the new Fedora 31 with the mass rebuild.

https://koji.fedoraproject.org/koji/buildinfo?buildID=1332387

The last build I did was still done with zlib.

https://koji.fedoraproject.org/koji/buildinfo?buildID=1239714

Anyway, I will add the proper build requires and rebuild the OpenSC package.

Comment 2 Jakub Jelen 2019-09-27 12:47:21 UTC
Please, try the following scratch build. It should address your issue:

https://koji.fedoraproject.org/koji/taskinfo?taskID=37892414

I will issue a package update soon.

Comment 3 Craig 2019-09-27 14:04:51 UTC
(In reply to Jakub Jelen from comment #2)
> Please, try the following scratch build. It should address your issue:
> 
> https://koji.fedoraproject.org/koji/taskinfo?taskID=37892414
> 
> I will issue a package update soon.

I tested opensc-0.19.0-7.1.fc31.x86_64.rpm and can confirm that it fixes the issue. Thank you very much!

Comment 4 Fedora Update System 2019-09-30 12:25:47 UTC
FEDORA-2019-a413bf11e2 has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2019-a413bf11e2

Comment 5 Fedora Update System 2019-10-01 03:06:28 UTC
opensc-0.19.0-8.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-a413bf11e2

Comment 6 Fedora Update System 2019-10-04 20:05:35 UTC
opensc-0.19.0-8.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.