Bug 385181 - Gemalto 64K token detection issues
Summary: Gemalto 64K token detection issues
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: coolkey
Version: 5.1
Hardware: All
OS: All
high
medium
Target Milestone: ---
: ---
Assignee: Jack Magne
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 229988 RHEL5u2_relnotes
TreeView+ depends on / blocked
 
Reported: 2007-11-15 18:18 UTC by Jack Magne
Modified: 2008-05-21 14:30 UTC (History)
5 users (show)

Fixed In Version: RHBA-2008-0344
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-05-21 14:30:00 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2008:0344 0 normal SHIPPED_LIVE coolkey bug fix update 2008-05-20 18:07:12 UTC

Description Jack Magne 2007-11-15 18:18:52 UTC
Description of problem:

We have detected various detection issues with coolkey and the Gemalto 64K
tokens based on OS platform and actual token type.



How reproducible:

Always

Steps to Reproduce:
1. Log into a machine
2. Put in a Gemalto 64K token

  
Actual results:

Based on Platform:

1. OS X everything is fine.
2. Windows. The Smart Card sized token works fine, the USB token is only
recognized once per application session.
3. Linux. The initial detection can be inconsistent.

Expected results:

The tokens should be recognized easily in all cases.

Additional info:

The main cause for this issue is the fact that these Gemalto cards now use CCID
compliant readers instead of the built in egate reader in the previous card. The
smart card sized tokens work better since the reader is usually plugged in first
(ex SCR 331) and then the card is placed in the reader. For the case of the USB
token, the reader and the card are essentially being inserted at the same time.

We have a patch in hand that resolves the Windows issue that fixes the smart
card detection event code specific to Windows. The Linux issue has also been
addressed by code that makes a few extra attempts to connect to the token.

Comment 1 RHEL Program Management 2007-12-04 18:54:28 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.

Comment 2 Bob Lord 2008-01-08 18:35:39 UTC
devel_ack+

Comment 3 Jack Magne 2008-01-15 18:45:48 UTC
Resolved in build coolkey-1.1.0-6.el5

Comment 4 Jack Magne 2008-01-15 19:27:37 UTC
How to test:

1. Obtain an uninitialized gemalto 64k token usb form factor. If a smart card
form factor is used, obtain an SCR 331 smart card reader.
2. Make sure ESC is running.
3. Insert the uninitialized token into the computer.
4. Fill in the phone home information for the test TPS system.
5. Make sure the token can be formatted.
6. Make sure the token can be enrolled.
7. Make sure the pin can be reset on the token.

8 Bring up Firefox and make sure the enrolled token and its contents are visible
in the PSM or security manager UI.



Comment 6 Chandrasekar Kannan 2008-03-12 23:21:37 UTC
Here's the new card spec that works. 
Cyberflex Access 64K v2 Standard with DER SHA1 value configured as in PKCS1 v2
.1

Comment 7 Chandrasekar Kannan 2008-03-13 00:40:12 UTC
with the above card, I can do :

(1) smartcard format, enroll, password reset operations.
(2) smartcard login with HIEMDAL kerberos kdc for pkinit
(3) firefox webpage smartcard detection when the module is loaded.

I tried to play with card detection. Approx after about 15 insertions/removals,
the apps becomes unresponsive. Jack tells me that this is a pcscd slot
availability issue. So, ignoring that for now. 

This card seems to work ok. 

marking bug verified.

Comment 8 Scott Haines 2008-03-13 13:54:05 UTC
RHEL 5.2 now supports this new card type and we need it added to the Release
Notes (and the single-sign-on chapter of the Deployment Guide). Info needed
within bug, but will work with ChandraK and KevinU to assist with verbiage as
required.

Comment 9 Don Domingo 2008-03-14 00:18:53 UTC
thanks Scott, adding to RHEL5.2 release notes under "Resolved Issues":

<quote>
Gemalto 64K smart cards now use readers compliant with Chip/Smart Card Interface
Devices (CCID). Previously, this smart card used the built-in e-gate reader,
which essentially meant that the card and reader were being inserted at the same
time. As a result, coolkey did not consistently recognize Gemalto 64K smart cards.

In this update, coolkey now works correctly with Gemalto 64k smart cards.
</quote>

please advise if any further revisions are required to the release notes. i'll
track the Deployment Guide revisions through the RT ticket mhideo wrote on your
behalf.

Comment 11 Don Domingo 2008-04-02 02:14:47 UTC
Hi,
the RHEL5.2 release notes will be dropped to translation on April 15, 2008, at
which point no further additions or revisions will be entertained.

a mockup of the RHEL5.2 release notes can be viewed at the following link:
http://intranet.corp.redhat.com/ic/intranet/RHEL5u2relnotesmockup.html

please use the aforementioned link to verify if your bugzilla is already in the
release notes (if it needs to be). each item in the release notes contains a
link to its original bug; as such, you can search through the release notes by
bug number.

Cheers,
Don

Comment 12 errata-xmlrpc 2008-05-21 14:30:00 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0344.html



Note You need to log in before you can comment on or make changes to this bug.