Bug 663109 - Coolkey driver does not recognize Rutoken ECP an USB crypto token
Summary: Coolkey driver does not recognize Rutoken ECP an USB crypto token
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: coolkey
Version: 6.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: ---
Assignee: Bob Relyea
QA Contact: Chandrasekar Kannan
Depends On:
TreeView+ depends on / blocked
Reported: 2010-12-14 18:08 UTC by Michael
Modified: 2015-01-04 23:45 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2010-12-15 18:37:02 UTC
Target Upstream Version:

Attachments (Terms of Use)

Description Michael 2010-12-14 18:08:07 UTC
Description of problem: Coolkey drives don`t have access to certificates on a  Rutoken ECP an USB crypto token in RHEL6.0

Version-Release number of selected component (if applicable):

How reproducible: 100%

Steps to Reproduce:
1. Insert a Rutoken ECP an USB crypto token into RHEL 6.0 system with USB port
2. Start Firefox, add PKCS #11 module with /usr/lib64/pkcs11/libcoolkeypk11.so

Actual results: No Rutoken ECP in listing modules of PKCS#11

Expected results: Rutoken ECP (User PIN) in listing modules of PKCS#11

Additional info:
Rutoken ECP: http://www.opensc-project.org/opensc/wiki/AktivRutokenECP

Comment 2 Bob Relyea 2010-12-14 19:49:39 UTC
Ah, what is a Rutoken ECP and why would you think coolkey should recognize it?

Coolkey supports:
   The coollkey applet (as provisioned by ESC/Dogtag TPS).
   The Dod CAC interface.

If Rutoken ECP is not a coolkey, CAC, or PIV, then this is "working as expected".

If it is one of these, then development and QA will need samples of this token before we can ack+ this.

Comment 3 Michael 2010-12-14 20:47:01 UTC
Sorry. This card don`t have Dod CAC interface. I think it support coolkey because pcsc-lite has support this token.

Comment 4 Bob Relyea 2010-12-15 01:45:15 UTC
There are different layers of support for smart cards. Each layer is responsible for different aspects. pcsc-lite gets you access from the computer, through the reader, onto the card.

The card could be memory only card, or a crypto capable smart card.

Each smart card has it's own api on how to use it. Many cards are programmable, so the API is actually determined by one firmware is loaded. CAC, coolkey and PIV are all related firmware standards. PKCS #15 is another (actually PKCS #15 was originally a file system card standard, but I suspect is also has definitions for programmable cards as well).

to use the Rutoken you would need a pkcs #11 module that worked specifically with that token (or the standard installed on it).


Comment 5 Michael 2010-12-15 07:49:57 UTC
I try to use Rutoken on last Fedora with /usr/lib64/pkcs11/opensc-pkcs11.so. It work fine. Could you please tell me why RHEL does`nt include opensc software?

Comment 6 Bob Relyea 2010-12-15 18:02:14 UTC
Because it interferes with pcsc-lite, and we don't have a business need to support those tokens.

It might be a good candidate for EPEL.


Comment 7 Michael 2010-12-15 18:29:08 UTC
Many thanks for your answer. I`am understand that is not a bug. I`ll hope to see opensc-pkcs11.so in EPEL. Please close.

Note You need to log in before you can comment on or make changes to this bug.