1848629 – Smartcard is not detected by esc

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1848629 - Smartcard is not detected by esc

Summary: Smartcard is not detected by esc

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	esc
Sub Component:
Version:	8.3
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	high
Target Milestone:	rc
Target Release:	8.0
Assignee:	Jack Magne
QA Contact:	PKI QE
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2020-06-18 16:14 UTC by Radek Duda
Modified:	2020-11-04 03:38 UTC (History)
CC List:	6 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2020-11-04 03:38:42 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
opensc debug (version 0.20.0-2) (540.38 KB, text/plain) 2020-06-18 16:14 UTC, Radek Duda	no flags	Details
opensc debug (version 0.19.0-7) - works here (865.12 KB, text/plain) 2020-06-18 16:16 UTC, Radek Duda	no flags	Details
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2020:4757	0	None	None	None	2020-11-04 03:38:47 UTC

Description Radek Duda 2020-06-18 16:14:55 UTC

Created attachment 1697983 [details]
opensc debug (version 0.20.0-2)

Description of problem:
Smart card is shared, but ESC does not detect it.

Version-Release number of selected component (if applicable):
guest rhel8.3:
opensc-0.20.0-2.el8.x86_64
esc-1.1.2-12.el8.x86_64
pcsc-lite-1.8.23-3.el8.x86_64
pcsc-lite-libs-1.8.23-3.el8.x86_64
pcsc-lite-ccid-1.4.29-4.el8.x86_64

How reproducible:
always

Steps to Reproduce:
1.Share smartcard to guest
2. Open ESC
3.

Actual results:
no smartcard is displayed even thou pkcs11-tool shows right token and certificates

Expected results:
Smartcard is displayed in ESC.

Additional info:
If opensc is downgraded to opensc-0.19.0-7.el8.x86_64 it works.

Comment 1 Radek Duda 2020-06-18 16:16:15 UTC

Created attachment 1697984 [details]
opensc debug (version 0.19.0-7) - works here

Comment 2 Jakub Jelen 2020-06-24 17:03:17 UTC

I tried to reproduce this, but it behaves weirdly. In my RHEL 8.3 VM, sharing smart card does not detect it either (but this is probably because of piv driver is spelled wrongly in the configuration -- will fill different bug).

I do not see any particular difference in the APDU traces collected from libcacard debug logs. In OpenSC, there are few changes in the code flow and in logging, but I do not see any functional difference what should prevent esc seeing the card correctly.

Jack, can you help us to get some more verbose logs from ESC? Could there be something why the ESC does not see the emulated card with new opensc? Are there some particulart information it is looking for?

Comment 3 Jack Magne 2020-06-25 16:19:22 UTC

In order to get some debugging info:

At terminal:

export NSPR_LOG_MODULES=all:5
export NSPR_LOG_FILE=/tmp/esc.log

run esc from the terminal, make sure any current one is exited before doing so.

Comment 4 Jakub Jelen 2020-06-25 18:37:30 UTC

Comparing the ESC logs, I am getting the difference in the following logs (the lines are a big mangled as there is probably more processes writing to the same file, but understandable):

   38 CoolKeyGetFullReaderName entering:                                                                               |   38 CoolKeyGetFullReaderName entering:
   39 Gemalto Gemplus USB SmartCard Reader 433-Swap [CCID Interface] (1-0000:00:02.1:00.0-4) 00 00                     |   39 Gemalto Gemplus USB SmartCard Reader 433-Swap [CCID Interface] (1-0000:00:02.1:00.0-4) 00 00
   40 CoolKeyGetFullReaderName correct full name:                                                                      |   40 CoolKeyGetFullReaderName reader: not the one.                                                                   

It looks like it does not recognize the reader name for some reason (even though in diff they are the same) with new OpenSC, which prevents it from continuing further. I will check either later in the evening or tomorrow why is that.

Comment 5 Jakub Jelen 2020-06-26 08:32:49 UTC

Having a second look, the new OpenSC changed a way how the reader names are shortened for the PKCS #11 limitation of 65 characters.

The old reader string loos like this (just cropped):

    Slot 0 (0x0): Gemalto Gemplus USB SmartCard Reader 433-Swap [CCID Interface] (

The new reader string has last three characters replaced with ellipsis:

    Slot 0 (0x0): Gemalto Gemplus USB SmartCard Reader 433-Swap [CCID Interface...

This makes ESC code searching for substring failing for long reader names.


I don't like much the idea of reverting this change in OpenSC for Fedora/RHEL or even in upstream. The new version is more user-readable but it somehow slipped through the list of changes (mostly because I did not know how ESC was doing this detection).

Jack, would it be possible to change this in ESC to work also with the new shortening of reader names? It is most probably the same issue as in #1733643 (but fixing the configuration in ESC would be also helpful if we would be doing resping of ESC as I described in bug#1733643#c6).

Comment 6 Jakub Jelen 2020-06-30 14:24:28 UTC

Moving to ESC until we will have final decission where and how we can fix this.

Comment 16 Sneha Veeranki 2020-08-13 20:22:26 UTC

Removing the 'need info' flag.

Comment 20 errata-xmlrpc 2020-11-04 03:38:42 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (esc bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4757

Note You need to log in before you can comment on or make changes to this bug.