Bug 224615 - COOLKEY.token fails to recognize Coolkey tokens in non-eGate passthru readers
COOLKEY.token fails to recognize Coolkey tokens in non-eGate passthru readers
Status: CLOSED WONTFIX
Product: Red Hat Certificate System
Classification: Red Hat
Component: ESC (Show other bugs)
7.3
All Mac OS
low Severity medium
: ---
: ---
Assigned To: Jack Magne
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-01-26 13:18 EST by Timothy J. Miller
Modified: 2010-01-29 14:15 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-01-29 14:15:57 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Timothy J. Miller 2007-01-26 13:18:05 EST
Description of problem:


Version-Release number of selected component (if applicable):
Coolkey 1.11

How reproducible:
Always.

Steps to Reproduce:
1. Insert a coolkey token in a non-eGate reader.  Reproduced with both SCR243
and SCR331 readers.
  
Actual results:
Log file excerpt:

Jan 26 09:53:52 stovetop
/System/Library/Security/tokend/A_COOLKEY.tokend/Contents/MacOS/CoolKey: argc 4
Jan 26 09:53:52 stovetop
/System/Library/Security/tokend/A_COOLKEY.tokend/Contents/MacOS/CoolKey: coolkey
arg[0]: /System/Library/Security/tokend/A_COOLKEY.tokend/Contents/MacOS/CoolKey
Jan 26 09:53:52 stovetop
/System/Library/Security/tokend/A_COOLKEY.tokend/Contents/MacOS/CoolKey: coolkey
arg[1]: 5
Jan 26 09:53:52 stovetop
/System/Library/Security/tokend/A_COOLKEY.tokend/Contents/MacOS/CoolKey: coolkey
arg[2]: CCID Smart Card Reader 0 0
Jan 26 09:53:52 stovetop
/System/Library/Security/tokend/A_COOLKEY.tokend/Contents/MacOS/CoolKey: coolkey
arg[3]:
0182594c00322a5000000010000000220000000a3b7594000062020202010000000000000000000000000000000000000000000000000000
Jan 26 09:53:52 stovetop
/System/Library/Security/tokend/A_COOLKEY.tokend/Contents/MacOS/CoolKey:
TOKEND_MAX_UID 128
Jan 26 09:53:52 stovetop
/System/Library/Security/tokend/A_COOLKEY.tokend/Contents/MacOS/CoolKey:
READER_STATE -> szReader CCID Smart Card Reader 0 0
Jan 26 09:53:52 stovetop
/System/Library/Security/tokend/A_COOLKEY.tokend/Contents/MacOS/CoolKey:
READER_STATE -> dwCurrentState 16
Jan 26 09:53:52 stovetop
/System/Library/Security/tokend/A_COOLKEY.tokend/Contents/MacOS/CoolKey:
READER_STATE -> dwEventState 34
Jan 26 09:53:52 stovetop
/System/Library/Security/tokend/A_COOLKEY.tokend/Contents/MacOS/CoolKey:
READER_STATE -> cbAtr 10
Jan 26 09:53:52 stovetop
/System/Library/Security/tokend/A_COOLKEY.tokend/Contents/MacOS/CoolKey:
READER_STATE -> rgbAtr                         a6e8204c
Jan 26 09:53:52 stovetop
/System/Library/Security/tokend/A_COOLKEY.tokend/Contents/MacOS/CoolKey: Not our
kind of token! returning 0. 

Expected results:
Should work.
Comment 1 Jack Magne 2007-01-30 14:15:37 EST
Thanks for the detailed logs. After trying the obvious fix , I found that
further digging is needed into the problem.
Comment 2 Jack Magne 2007-01-30 20:33:34 EST
I've managed to quickly alter the code to get past the first failure point. Now
I"m getting to the point where CoolKey thinks that the slot has no key.I will
try to get a log output from CoolKey and see what is going on.
Comment 3 Jack Magne 2007-02-01 21:46:54 EST
Managed to basically duplicate this on the Mac using the Security Device manager
in Firefox. Was able to get a print out of the CoolKey PKCS#11 driver's log when
attempting insert the key using reader SCR331:

Initialize called
C_GetInfo called
C_GetSlotList called
calling IsConnected
card changed
cleared all sessions
Unable to connect to token
isTokenPresent, card state is 0x1
C_GetSlotList called
calling IsConnected
card changed
cleared all sessions
Unable to connect to token
isTokenPresent, card state is 0x1
Called C_GetSlotInfo
calling IsConnected
card changed
cleared all sessions
Unable to connect to token
Comment 4 Bob Relyea 2007-02-02 14:38:09 EST
Jack, This sounds like a problem we were having in RHEL5 (bug 220542).
We applied patches to NSS and coolkey:

coolkey-1.0.1-16.el5
nss-3.11.5-1.el5

Perhaps try rebuilding those for MAC.
Comment 5 Jack Magne 2007-02-02 16:07:44 EST
Interesting. The thing is, I was able to get pretty much the same behavior in my
locally modified Tokend driver, which merely calls into CoolKey which was
compiled from the tip.

Here is part of the log after Tokend attempts to obtain info for the slot:

Jan 31 11:14:16 to-ngans-powerbook-g4-15 /System/Library/Security/tokend/A_COOLK
EY.tokend/Contents/MacOS/CoolKey:     Slot Info: Slot: 0Jan 31 11:14:16 to-ngans
-powerbook-g4-15 /System/Library/Security/tokend/A_COOLKEY.tokend/Contents/MacOS
/CoolKey:         slotDescription = "CCID Smart Card Reader 0 0
                     "
Jan 31 11:14:16 to-ngans-powerbook-g4-15 /System/Library/Security/tokend/A_COOLK
EY.tokend/Contents/MacOS/CoolKey:         manufacturerID = "Unknown
            "
Jan 31 11:14:16 to-ngans-powerbook-g4-15 /System/Library/Security/tokend/A_COOLK
EY.tokend/Contents/MacOS/CoolKey:         flags = 0x00000006
Jan 31 11:14:16 to-ngans-powerbook-g4-15 /System/Library/Security/tokend/A_COOLK
EY.tokend/Contents/MacOS/CoolKey:             -> TOKEN PRESENT = FALSE
Jan 31 11:14:16 to-ngans-powerbook-g4-15 /System/Library/Security/tokend/A_COOLK
EY.tokend/Contents/MacOS/CoolKey:             -> REMOVABLE DEVICE = TRUE
Jan 31 11:14:16 to-ngans-powerbook-g4-15 /System/Library/Security/tokend/A_COOLK
EY.tokend/Contents/MacOS/CoolKey:             -> HW SLOT = TRUE
Jan 31 11:14:16 to-ngans-powerbook-g4-15 /System/Library/Security/tokend/A_COOLK
EY.tokend/Contents/MacOS/CoolKey:         hardwareVersion = 255.255
Jan 31 11:14:16 to-ngans-powerbook-g4-15 /System/Library/Security/tokend/A_COOLK
EY.tokend/Contents/MacOS/CoolKey:         firmwareVersion = 0.00
Comment 6 Jack Magne 2007-02-15 13:36:06 EST
Was able to further isolate CoolKey log activity with respect to this issue:

The key point is the error # shown below:

Connection Error = 0x80100016

Research indicates this error is really:

SCARD_NOT_TRANSACTED

An attempt was made to end a non-existent transaction.

The following was taken while inserting a card with the Firefox security devices
manager page showing:

C_WaitForSlotEvent called
Called C_GetSlotInfo
calling IsConnected
card changed
cleared all sessions
time connect: Connect Time 402 ms
time connect: Read Slot 402 ms
time connect: connection status 403 ms
time connnect: Begin transaction 404 ms
time connect: Select Applet 434 ms
time connect: Get Personalization 574 ms
time load object: Select Applet (again) 30 ms
time load object: ReadCombined Header 720 ms
Connection Error = 0x80100016
cleared all sessions
refreshTokenState: Failed to load objects.
isTokenPresent, card state is 0x1
C_WaitForSlotEvent called
Called C_GetSlotInfo
calling IsConnected
card changed
cleared all sessions
Unable to connect to token
isTokenPresent, card state is 0x1
C_WaitForSlotEvent called
Comment 7 Timothy J. Miller 2007-06-18 10:05:03 EDT
Can I get a status on this one?  I tried installing Coolkey 1.14 atop a SmartCardManager 1.0.1-4 and it 
borked up entirely (i.e., ESC wouldn't run at all, or even leave a crashlog behind).
Comment 8 Jack Magne 2007-06-18 14:46:00 EDT
Hello:

We are still working on this. This problem has proved to be tough since the
heart of the matter is happening at the CoolKey layer. The TokenD can easily be
modified to allow this reader.  
Comment 9 Timothy J. Miller 2007-06-19 10:45:19 EDT
Jack--  Thanks for the update.  Are you saying you could hard-code support for this particular reader 
easily, or that you now have an easy generalized solution?  

Either way, do you have and idea of when there would be a fix?  I'm also seeing conflicts when trying to 
use both an eGate reader *and* a CCID reader (will open a separate bug once I nail it down better) but 
either way we will not want to have to deploy two readers--one for CAC and one for Coolkey.
Comment 10 Timothy J. Miller 2007-06-19 10:52:51 EDT
Jack--

Just tried again.  When I use a CCID reader and a Coolkey token (freshly enrolled with CS 7.2), the OS X 
JPKI tokend takes control.  This wasn't happening before with SmartCardManager 1.11 (which this bug was 
opened under)--then it just wasn't working.

Weird.
Comment 11 Jack Magne 2007-06-19 13:06:38 EDT
Tim:

It would be interesting to see the log trace from that. I'll give it a try again
myself.

thanks,
jack
Comment 12 Timothy J. Miller 2007-06-19 14:30:03 EDT
It didn't leave any log trace on the two Macs it's been observed on so far, and for the life of me I can't 
reproduce it.  If it happens again I'll grab what I can and open a new bug.
Comment 13 Timothy J. Miller 2007-11-05 15:39:53 EST
Bump.

I installed SmartCardManager 1.15 and am observing the same problem with the following differences:

- I can see formatted cards inserted in non-eGate readers.
- I can *enroll* formatted cards using a non-eGate reader.

But I still cannot *use* enrolled cards in non-eGate readers.  tokend logs only the following:

Nov  5 15:33:16 stovetop /System/Library/Security/tokend/A_COOLKEY.tokend/Contents/MacOS/
COOLKEY:  Token not present in slot 
Nov  5 15:33:16 stovetop /System/Library/Security/tokend/A_COOLKEY.tokend/Contents/MacOS/
COOLKEY:  Can't load CoolKey pkcs11 module. 

After which securityd starts rolling through the other available tokends.  Sometimes JPKI.tokend sticks, 
sometimes not; this seems to depend on whether ESC or Firefox is running at the time. 

Note that this appears to be OS X specific--I can use non-eGate readers on Windows without any 
problems.

-- T

Note You need to log in before you can comment on or make changes to this bug.