Description of problem:

Version-Release number of selected component (if applicable):
Coolkey 1.11

How reproducible:
Always.

Steps to Reproduce:
1. Insert a coolkey token in a non-eGate reader. Reproduced with both SCR243 and SCR331 readers.

Actual results:
Log file excerpt:

Jan 26 09:53:52 stovetop /System/Library/Security/tokend/A_COOLKEY.tokend/Contents/MacOS/CoolKey: argc 4
Jan 26 09:53:52 stovetop /System/Library/Security/tokend/A_COOLKEY.tokend/Contents/MacOS/CoolKey: coolkey arg[0]: /System/Library/Security/tokend/A_COOLKEY.tokend/Contents/MacOS/CoolKey
Jan 26 09:53:52 stovetop /System/Library/Security/tokend/A_COOLKEY.tokend/Contents/MacOS/CoolKey: coolkey arg[1]: 5
Jan 26 09:53:52 stovetop /System/Library/Security/tokend/A_COOLKEY.tokend/Contents/MacOS/CoolKey: coolkey arg[2]: CCID Smart Card Reader 0 0
Jan 26 09:53:52 stovetop /System/Library/Security/tokend/A_COOLKEY.tokend/Contents/MacOS/CoolKey: coolkey arg[3]: 0182594c00322a5000000010000000220000000a3b7594000062020202010000000000000000000000000000000000000000000000000000
Jan 26 09:53:52 stovetop /System/Library/Security/tokend/A_COOLKEY.tokend/Contents/MacOS/CoolKey: TOKEND_MAX_UID 128
Jan 26 09:53:52 stovetop /System/Library/Security/tokend/A_COOLKEY.tokend/Contents/MacOS/CoolKey: READER_STATE -> szReader CCID Smart Card Reader 0 0
Jan 26 09:53:52 stovetop /System/Library/Security/tokend/A_COOLKEY.tokend/Contents/MacOS/CoolKey: READER_STATE -> dwCurrentState 16
Jan 26 09:53:52 stovetop /System/Library/Security/tokend/A_COOLKEY.tokend/Contents/MacOS/CoolKey: READER_STATE -> dwEventState 34
Jan 26 09:53:52 stovetop /System/Library/Security/tokend/A_COOLKEY.tokend/Contents/MacOS/CoolKey: READER_STATE -> cbAtr 10
Jan 26 09:53:52 stovetop /System/Library/Security/tokend/A_COOLKEY.tokend/Contents/MacOS/CoolKey: READER_STATE -> rgbAtr a6e8204c
Jan 26 09:53:52 stovetop /System/Library/Security/tokend/A_COOLKEY.tokend/Contents/MacOS/CoolKey: Not our kind of token! returning 0.

Expected results:
Should work.
Thanks for the detailed logs. After trying the obvious fix, I found that further digging is needed into the problem.
I've managed to quickly alter the code to get past the first failure point. Now I'm getting to the point where CoolKey thinks that the slot has no key. I will try to get a log output from CoolKey and see what is going on.
Managed to basically duplicate this on the Mac using the Security Device manager in Firefox. Was able to get a print out of the CoolKey PKCS#11 driver's log when attempting to insert the key using reader SCR331:

Initialize called
C_GetInfo called
C_GetSlotList called
calling IsConnected
card changed
cleared all sessions
Unable to connect to token
isTokenPresent, card state is 0x1
C_GetSlotList called
calling IsConnected
card changed
cleared all sessions
Unable to connect to token
isTokenPresent, card state is 0x1
Called C_GetSlotInfo
calling IsConnected
card changed
cleared all sessions
Unable to connect to token
Jack, This sounds like a problem we were having in RHEL5 (bug 220542). We applied patches to NSS and coolkey: coolkey-1.0.1-16.el5 nss-3.11.5-1.el5 Perhaps try rebuilding those for MAC.
Interesting. The thing is, I was able to get pretty much the same behavior in my locally modified Tokend driver, which merely calls into CoolKey which was compiled from the tip. Here is part of the log after Tokend attempts to obtain info for the slot:

Jan 31 11:14:16 to-ngans-powerbook-g4-15 /System/Library/Security/tokend/A_COOLKEY.tokend/Contents/MacOS/CoolKey: Slot Info: Slot: 0
Jan 31 11:14:16 to-ngans-powerbook-g4-15 /System/Library/Security/tokend/A_COOLKEY.tokend/Contents/MacOS/CoolKey: slotDescription = "CCID Smart Card Reader 0 0 "
Jan 31 11:14:16 to-ngans-powerbook-g4-15 /System/Library/Security/tokend/A_COOLKEY.tokend/Contents/MacOS/CoolKey: manufacturerID = "Unknown "
Jan 31 11:14:16 to-ngans-powerbook-g4-15 /System/Library/Security/tokend/A_COOLKEY.tokend/Contents/MacOS/CoolKey: flags = 0x00000006
Jan 31 11:14:16 to-ngans-powerbook-g4-15 /System/Library/Security/tokend/A_COOLKEY.tokend/Contents/MacOS/CoolKey: -> TOKEN PRESENT = FALSE
Jan 31 11:14:16 to-ngans-powerbook-g4-15 /System/Library/Security/tokend/A_COOLKEY.tokend/Contents/MacOS/CoolKey: -> REMOVABLE DEVICE = TRUE
Jan 31 11:14:16 to-ngans-powerbook-g4-15 /System/Library/Security/tokend/A_COOLKEY.tokend/Contents/MacOS/CoolKey: -> HW SLOT = TRUE
Jan 31 11:14:16 to-ngans-powerbook-g4-15 /System/Library/Security/tokend/A_COOLKEY.tokend/Contents/MacOS/CoolKey: hardwareVersion = 255.255
Jan 31 11:14:16 to-ngans-powerbook-g4-15 /System/Library/Security/tokend/A_COOLKEY.tokend/Contents/MacOS/CoolKey: firmwareVersion = 0.00
Was able to further isolate CoolKey log activity with respect to this issue:

The key point is the error # shown below:

Connection Error = 0x80100016

Research indicates this error is really:

SCARD_NOT_TRANSACTED
An attempt was made to end a non-existent transaction.

The following was taken while inserting a card with the Firefox security devices manager page showing:

C_WaitForSlotEvent called
Called C_GetSlotInfo
calling IsConnected
card changed
cleared all sessions
time connect: Connect Time 402 ms
time connect: Read Slot 402 ms
time connect: connection status 403 ms
time connnect: Begin transaction 404 ms
time connect: Select Applet 434 ms
time connect: Get Personalization 574 ms
time load object: Select Applet (again) 30 ms
time load object: ReadCombined Header 720 ms
Connection Error = 0x80100016
cleared all sessions
refreshTokenState: Failed to load objects.
isTokenPresent, card state is 0x1
C_WaitForSlotEvent called
Called C_GetSlotInfo
calling IsConnected
card changed
cleared all sessions
Unable to connect to token
isTokenPresent, card state is 0x1
C_WaitForSlotEvent called
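An added example, not part of the original comment or the CoolKey project: a small Python helper that walks the PKCS#11 driver log quoted above, records the last timed step reached before each failed connection attempt, and names the PC/SC return code. The names `triage`, `PCSC_ERRORS` and `SAMPLE` are made up for this illustration; the error names are the standard PC/SC header constants, and the sample is an abridged copy of the log lines in the comment.

```python
import re

# Subset of PC/SC return codes, named as in the PC/SC headers.
PCSC_ERRORS = {
    0x8010000A: "SCARD_E_TIMEOUT",
    0x8010000B: "SCARD_E_SHARING_VIOLATION",
    0x8010000C: "SCARD_E_NO_SMARTCARD",
    0x80100016: "SCARD_E_NOT_TRANSACTED",
    0x80100066: "SCARD_W_UNRESPONSIVE_CARD",
    0x80100069: "SCARD_W_REMOVED_CARD",
}
PHASE = re.compile(r"^time ([^:]+): (.+) (\d+) ms$")
ERROR = re.compile(r"^Connection Error = (0x[0-9a-fA-F]+)$")

# Abridged copy of the driver log lines quoted in the comment above.
SAMPLE = """\
calling IsConnected
card changed
cleared all sessions
time connect: Connect Time 402 ms
time connnect: Begin transaction 404 ms
time connect: Get Personalization 574 ms
time load object: Select Applet (again) 30 ms
time load object: ReadCombined Header 720 ms
Connection Error = 0x80100016
cleared all sessions
refreshTokenState: Failed to load objects.
calling IsConnected
card changed
cleared all sessions
Unable to connect to token
"""

def triage(log_text):
    """Return one record per failed connection attempt in the driver log."""
    failures, phases = [], []
    for line in map(str.strip, log_text.splitlines()):
        if line == "card changed":             # driver starts a fresh attempt
            phases = []
        elif (m := PHASE.match(line)):         # remember each timed step
            phases.append((m.group(1), m.group(2), int(m.group(3))))
        elif (m := ERROR.match(line)):         # PC/SC code logged by the driver
            code = int(m.group(1), 16)
            failures.append({"code": code, "name": PCSC_ERRORS.get(code, "unknown"),
                             "last_phase": phases[-1] if phases else None})
        elif line == "Unable to connect to token":   # failure with no code logged
            failures.append({"code": None, "name": None,
                             "last_phase": phases[-1] if phases else None})
    return failures

if __name__ == "__main__":
    for failure in triage(SAMPLE):
        print(failure)
```

On the sample, the first attempt fails after the "ReadCombined Header" step with SCARD_E_NOT_TRANSACTED, and the retry fails before any timed step is logged.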
Can I get a status on this one? I tried installing Coolkey 1.14 atop a SmartCardManager 1.0.1-4 and it borked up entirely (i.e., ESC wouldn't run at all, or even leave a crashlog behind).
Hello: We are still working on this. This problem has proved to be tough since the heart of the matter is happening at the CoolKey layer. The TokenD can easily be modified to allow this reader.
Jack-- Thanks for the update. Are you saying you could hard-code support for this particular reader easily, or that you now have an easy generalized solution? Either way, do you have an idea of when there would be a fix? I'm also seeing conflicts when trying to use both an eGate reader *and* a CCID reader (will open a separate bug once I nail it down better) but either way we will not want to have to deploy two readers--one for CAC and one for Coolkey.
Jack-- Just tried again. When I use a CCID reader and a Coolkey token (freshly enrolled with CS 7.2), the OS X JPKI tokend takes control. This wasn't happening before with SmartCardManager 1.11 (which this bug was opened under)--then it just wasn't working. Weird.
Tim: It would be interesting to see the log trace from that. I'll give it a try again myself. thanks, jack
It didn't leave any log trace on the two Macs it's been observed on so far, and for the life of me I can't reproduce it. If it happens again I'll grab what I can and open a new bug.
Bump. I installed SmartCardManager 1.15 and am observing the same problem with the following differences:

- I can see formatted cards inserted in non-eGate readers.
- I can *enroll* formatted cards using a non-eGate reader.

But I still cannot *use* enrolled cards in non-eGate readers. tokend logs only the following:

Nov 5 15:33:16 stovetop /System/Library/Security/tokend/A_COOLKEY.tokend/Contents/MacOS/COOLKEY: Token not present in slot
Nov 5 15:33:16 stovetop /System/Library/Security/tokend/A_COOLKEY.tokend/Contents/MacOS/COOLKEY: Can't load CoolKey pkcs11 module.

After which securityd starts rolling through the other available tokends. Sometimes JPKI.tokend sticks, sometimes not; this seems to depend on whether ESC or Firefox is running at the time. Note that this appears to be OS X specific--I can use non-eGate readers on Windows without any problems.

-- T