Bug 385181 - Gemalto 64K token detection issues
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: coolkey
Priority: high, Severity: medium
Assigned To: Jack Magne
Blocks: 229988 RHEL5u2_relnotes
Reported: 2007-11-15 13:18 EST by Jack Magne
Modified: 2008-05-21 10:30 EDT
Fixed In Version: RHBA-2008-0344
Doc Type: Bug Fix
Last Closed: 2008-05-21 10:30:00 EDT
Description Jack Magne 2007-11-15 13:18:52 EST
Description of problem:

We have detected various detection issues with coolkey and the Gemalto 64K
tokens based on OS platform and actual token type.

How reproducible:


Steps to Reproduce:
1. Log into a machine
2. Put in a Gemalto 64K token

Actual results:

Based on Platform:

1. OS X everything is fine.
2. Windows. The Smart Card sized token works fine, the USB token is only
recognized once per application session.
3. Linux. The initial detection can be inconsistent.

Expected results:

The tokens should be recognized easily in all cases.

Additional info:

The main cause for this issue is the fact that these Gemalto cards now use CCID
compliant readers instead of the built-in egate reader in the previous card. The
smart card sized tokens work better since the reader is usually plugged in first
(e.g. SCR 331) and then the card is placed in the reader. For the case of the USB
token, the reader and the card are essentially being inserted at the same time.

We have a patch in hand that resolves the Windows issue that fixes the smart
card detection event code specific to Windows. The Linux issue has also been
addressed by code that makes a few extra attempts to connect to the token.
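
The Linux-side approach described above (a few extra attempts to connect to the token) takes the form of a bounded retry around the connect call. This is an added example, not the coolkey patch: `connect_fn`, `delay_fn`, `connect_with_retry` and the simulated token are hypothetical, and treating these three PC/SC statuses as "card not ready yet" is an assumption.

```c
#include <stdint.h>
#include <stdio.h>
/* Status values as defined by PC/SC (winscard.h / pcsclite.h). */
#define SCARD_S_SUCCESS           0x00000000u
#define SCARD_E_NO_SMARTCARD      0x8010000Cu
#define SCARD_E_PROTO_MISMATCH    0x8010000Fu
#define SCARD_W_UNRESPONSIVE_CARD 0x80100066u
#define SCARD_W_UNPOWERED_CARD    0x80100067u

typedef uint32_t (*connect_fn)(void *ctx); /* hypothetical stand-in for SCardConnect() */
typedef void (*delay_fn)(unsigned ms);     /* hypothetical sleep hook */

/* Assumption: right after hot-plug these statuses mean "card not ready yet". */
static int is_transient(uint32_t rv) {
    return rv == SCARD_E_NO_SMARTCARD || rv == SCARD_W_UNRESPONSIVE_CARD ||
           rv == SCARD_W_UNPOWERED_CARD;
}

/* Bounded retry: returns the last status and reports the attempts used. */
static uint32_t connect_with_retry(connect_fn try_connect, void *ctx,
                                   unsigned max_attempts, unsigned delay_ms,
                                   delay_fn wait, unsigned *attempts_out) {
    uint32_t rv = SCARD_E_NO_SMARTCARD;
    unsigned n = 0;
    while (n < max_attempts) {
        rv = try_connect(ctx);
        n++;
        if (rv == SCARD_S_SUCCESS || !is_transient(rv))
            break; /* connected, or a failure that retrying cannot fix */
        if (n < max_attempts && wait)
            wait(delay_ms); /* give the card time to power up */
    }
    if (attempts_out) *attempts_out = n;
    return rv;
}

/* Constructed simulation: the card answers from attempt `ready_at` onward. */
struct sim { unsigned calls, ready_at; uint32_t until_ready; };
static uint32_t sim_connect(void *ctx) {
    struct sim *s = ctx;
    return ++s->calls >= s->ready_at ? SCARD_S_SUCCESS : s->until_ready;
}
static unsigned waited_ms;
static void sim_wait(unsigned ms) { waited_ms += ms; }

int main(void) {
    struct sim usb_token = {0, 3, SCARD_W_UNPOWERED_CARD};
    unsigned n = 0;
    uint32_t rv = connect_with_retry(sim_connect, &usb_token, 5, 100, sim_wait, &n);
    printf("status=0x%08X after %u attempts\n", (unsigned)rv, n);
    return rv == SCARD_S_SUCCESS ? 0 : 1;
}
```

The attempt cap keeps a token that never becomes ready from blocking the caller indefinitely, and a non-transient status ends the loop on the first try.
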
Comment 1 RHEL Product and Program Management 2007-12-04 13:54:28 EST
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
Comment 2 Bob Lord 2008-01-08 13:35:39 EST
Comment 3 Jack Magne 2008-01-15 13:45:48 EST
Resolved in build coolkey-1.1.0-6.el5
Comment 4 Jack Magne 2008-01-15 14:27:37 EST
How to test:

1. Obtain an uninitialized Gemalto 64K token in USB form factor. If a smart card
form factor is used, obtain an SCR 331 smart card reader.
2. Make sure ESC is running.
3. Insert the uninitialized token into the computer.
4. Fill in the phone home information for the test TPS system.
5. Make sure the token can be formatted.
6. Make sure the token can be enrolled.
7. Make sure the pin can be reset on the token.
8. Bring up Firefox and make sure the enrolled token and its contents are visible
in the PSM or security manager UI.

Comment 6 Chandrasekar Kannan 2008-03-12 19:21:37 EDT
Here's the new card spec that works. 
Cyberflex Access 64K v2 Standard with DER SHA1 value configured as in PKCS1 v2
Comment 7 Chandrasekar Kannan 2008-03-12 20:40:12 EDT
with the above card, I can do :

(1) smartcard format, enroll, password reset operations.
(2) smartcard login with Heimdal Kerberos KDC for pkinit
(3) Firefox webpage smartcard detection when the module is loaded.

I tried to play with card detection. Approx after about 15 insertions/removals,
the apps become unresponsive. Jack tells me that this is a pcscd slot
availability issue. So, ignoring that for now.

This card seems to work ok. 

marking bug verified.
Comment 8 Scott Haines 2008-03-13 09:54:05 EDT
RHEL 5.2 now supports this new card type and we need it added to the Release
Notes (and the single-sign-on chapter of the Deployment Guide). Info needed
within bug, but will work with ChandraK and KevinU to assist with verbiage as
Comment 9 Don Domingo 2008-03-13 20:18:53 EDT
thanks Scott, adding to RHEL5.2 release notes under "Resolved Issues":

Gemalto 64K smart cards now use readers compliant with Chip/Smart Card Interface
Devices (CCID). Previously, this smart card used the built-in e-gate reader,
which essentially meant that the card and reader were being inserted at the same
time. As a result, coolkey did not consistently recognize Gemalto 64K smart cards.

In this update, coolkey now works correctly with Gemalto 64k smart cards.

please advise if any further revisions are required to the release notes. I'll
track the Deployment Guide revisions through the RT ticket mhideo wrote on your
Comment 11 Don Domingo 2008-04-01 22:14:47 EDT
the RHEL5.2 release notes will be dropped to translation on April 15, 2008, at
which point no further additions or revisions will be entertained.

a mockup of the RHEL5.2 release notes can be viewed at the following link:

please use the aforementioned link to verify if your bugzilla is already in the
release notes (if it needs to be). each item in the release notes contains a
link to its original bug; as such, you can search through the release notes by
bug number.

Comment 12 errata-xmlrpc 2008-05-21 10:30:00 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.