Bug 1892810 - Enable file caching by default
Summary: Enable file caching by default
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: opensc
Version: 8.3
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: unspecified
Target Milestone: rc
Target Release: 8.0
Assignee: Jakub Jelen
QA Contact: PKI QE
URL:
Whiteboard:
Depends On:
Blocks: 1900086 2000626
Reported: 2020-10-29 17:21 UTC by Jakub Jelen
Modified: 2021-09-02 14:22 UTC (History)

Fixed In Version: opensc-0.20.0-4.el8
Doc Type: Enhancement
Doc Text:
Feature: Enable file caching by default
Reason: Some cards are slow and, in combination with many certificates, card detection times are very long. OpenSC supports file caching, which stores certificates locally in temporary files and significantly speeds up card detection.
Result: Card detection for most cards is faster. If customers notice issues with their cards, please contact Red Hat Support. To revert this change, comment out the option "use_file_caching = true" in /etc/opensc.conf.
Clone Of:
Clones: 1900086 2000626
Environment:
Last Closed: 2021-05-18 14:46:59 UTC
Type: Bug
Target Upstream Version:
Embargoed:

Description Jakub Jelen 2020-10-29 17:21:26 UTC
Description of problem:
Some PIV cards have very poor performance, taking up to 20 seconds to detect as reported by customers. This is a combination of a slow Oberthur (PIV Test 4) smart card and a large number of certificates that are read from the card with every detection.

We ran some simple tests to verify that enabling file caching improves the performance significantly for these cards and does not break performance of others with this configuration snippet:

framework pkcs15 {
  use_file_caching = true;
  file_cache_dir = /var/cache/opensc/;
}

Version-Release number of selected component (if applicable):
all opensc versions

How reproducible:
always

Steps to Reproduce:
1. Insert a PIV Test card 4
2. Run "time pkcs11-tool -L" to show card information

Actual results:
The card detection takes 20 s before the output is shown

Expected results:
The card detection is faster

Additional info:
We need to figure out a best location for this cache, which will be accessible by most of the use cases, where we can count the following use cases:

 * Desktop login:
   * sssd_p11_child (the actual use of smart card -- running as privileged user?)
   * gsd-smartcard (gnome side for detection of insert/removal running as local user)

 * User processes:
   * firefox
   * esc (uses different configuration - if needed, we need different bug)
   * ssh and other terminal applications (wget, curl ...)

The good thing is that if an application does not have access to write the cache directory, caching is silently skipped, but if the cache is found (it could be read-only), it should work.

The proposed location /var/cache/opensc/ will probably be writable only by the superuser (the sssd_p11_child process?), but the first process that needs to detect the card is probably gsd-smartcard, which can cause the first login to take a bit longer. This would require a tmpfiles entry for opensc.

Another possibility is using a per-user cache in /run/user/UID/opensc/ or a permanent one in ~/.cache/opensc/ to provide the speedup also for non-root processes. This might help to keep the cache per-user isolated.

A last possibility is updating sssd to pass OpenSC yet another configuration file, but I am afraid that it would cause more trouble than gain.

This might also need tweaking the SELinux policy and labels to make sure processes have access to the cache.

Comment 1 Jakub Jelen 2020-11-10 14:14:39 UTC
Update from the ongoing email discussion:

 * We need to decide if the cache is supposed to be permanent (under the home dir) or per-boot (under /run/), where the first one should give better performance on the first run after boot, while the second gives easier troubleshooting of stale caches (just reboot).
 * opensc does not support any environment variable expansion [1] in the path at this moment, so we are left with either using the hardcoded default "~/.eid/cache" or implementing something new.
 * Sumit suggested $XDG_CACHE_HOME (~/.cache/) and $XDG_RUNTIME_DIR (/run/user/UID/) with a possible fallback to $HOME/.cache [2] as sensible defaults

I think the easiest solution would be to set just `use_file_caching = true;` in the shipped configuration file and implement default location to use `$XDG_CACHE_HOME` with fallback to `$HOME/.cache/opensc` by default, rather than the `~/.eid/cache` as for now.

I played around with this and noticed that the $XDG_CACHE_HOME is not set at all in my environment (Fedora 32).

I created the following PR to use the new location of the cache:

https://github.com/OpenSC/OpenSC/pull/2148

The change for RHEL would consist also of adding the `use_file_caching = true;` to the default configuration file.

[1] https://github.com/OpenSC/OpenSC/blob/master/src/libopensc/ctx.c#L1004
[2] https://specifications.freedesktop.org/basedir-spec/basedir-spec-latest.html
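
As an added example (not from the bug report, the errata, or OpenSC itself), the shell script below resolves the per-user cache directory the way comment 1 describes ($XDG_CACHE_HOME/opensc, falling back to $HOME/.cache/opensc) and checks that the directory is private to the user before OpenSC is pointed at it with the "use_file_caching = true" snippet from the description. Since OpenSC reads back whatever it finds in that directory on the next card detection, only the owner should be able to write to it. The function names and the choice of mode 0700 are this example's own, and it assumes GNU coreutils ("stat -c"), as shipped on RHEL.

```shell
#!/bin/sh
# Added example for this bug, not part of the report or of OpenSC.
# Resolve the per-user OpenSC file-cache directory per the XDG Base
# Directory spec and verify it is private to the calling user.
# Assumption: GNU coreutils (stat -c), as on RHEL.

# Print the cache directory for XDG_CACHE_HOME ($1, may be empty) and
# HOME ($2). Mirrors the basedir-spec fallback; returns 1 if both are
# empty, because then there is no sensible location to cache into.
opensc_cache_dir() {
    if [ -n "$1" ]; then
        printf '%s/opensc\n' "$1"
    elif [ -n "$2" ]; then
        printf '%s/.cache/opensc\n' "$2"
    else
        return 1
    fi
}

# Return 0 when $1 is a directory owned by the calling user that is not
# writable by group or others; print the failing condition on stderr
# and return 1 otherwise.
check_cache_dir() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "$dir: not a directory" >&2
        return 1
    fi
    owner=$(stat -c '%u' "$dir")
    if [ "$owner" != "$(id -u)" ]; then
        echo "$dir: owned by uid $owner, not $(id -u)" >&2
        return 1
    fi
    mode=$(stat -c '%a' "$dir")          # e.g. 700, or 2755 with setgid
    # 022 = group-write | other-write; a leading 0 makes the mode octal.
    if [ $((0$mode & 022)) -ne 0 ]; then
        echo "$dir: mode $mode is writable by group or others" >&2
        return 1
    fi
    return 0
}

# Create the directory with a private mode if it is missing, then check
# it. Reads XDG_CACHE_HOME and HOME from the environment.
prepare_cache_dir() {
    dir=$(opensc_cache_dir "${XDG_CACHE_HOME:-}" "${HOME:-}") || return 1
    [ -d "$dir" ] || mkdir -p -m 0700 "$dir" || return 1
    check_cache_dir "$dir"
}
```

Run "prepare_cache_dir" once per login session (before gsd-smartcard or pkcs11-tool first touch the card); a non-zero exit means the cache location should not be used as-is.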

Comment 10 errata-xmlrpc 2021-05-18 14:46:59 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: opensc security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:1600

