663109 – Coolkey driver does not recognize Rutoken ECP an USB crypto token

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 663109 - Coolkey driver does not recognize Rutoken ECP an USB crypto token

Summary: Coolkey driver does not recognize Rutoken ECP an USB crypto token

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	coolkey
Sub Component:
Version:	6.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	low
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Bob Relyea
QA Contact:	Chandrasekar Kannan
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2010-12-14 18:08 UTC by Michael
Modified:	2015-01-04 23:45 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2010-12-15 18:37:02 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description Michael 2010-12-14 18:08:07 UTC

Description of problem: Coolkey drives don`t have access to certificates on a  Rutoken ECP an USB crypto token in RHEL6.0


Version-Release number of selected component (if applicable):
coolkey-1.1.0-16.el6

How reproducible: 100%

Steps to Reproduce:
1. Insert a Rutoken ECP an USB crypto token into RHEL 6.0 system with USB port
2. Start Firefox, add PKCS #11 module with /usr/lib64/pkcs11/libcoolkeypk11.so

Actual results: No Rutoken ECP in listing modules of PKCS#11

Expected results: Rutoken ECP (User PIN) in listing modules of PKCS#11

Additional info:
Rutoken ECP: http://www.opensc-project.org/opensc/wiki/AktivRutokenECP

Comment 2 Bob Relyea 2010-12-14 19:49:39 UTC

Ah, what is a Rutoken ECP and why would you think coolkey should recognize it?

Coolkey supports:
   The coollkey applet (as provisioned by ESC/Dogtag TPS).
   The Dod CAC interface.

If Rutoken ECP is not a coolkey, CAC, or PIV, then this is "working as expected".

If it is one of these, then development and QA will need samples of this token before we can ack+ this.

Comment 3 Michael 2010-12-14 20:47:01 UTC

Sorry. This card don`t have Dod CAC interface. I think it support coolkey because pcsc-lite has support this token.

Comment 4 Bob Relyea 2010-12-15 01:45:15 UTC

There are different layers of support for smart cards. Each layer is responsible for different aspects. pcsc-lite gets you access from the computer, through the reader, onto the card.

The card could be memory only card, or a crypto capable smart card.

Each smart card has it's own api on how to use it. Many cards are programmable, so the API is actually determined by one firmware is loaded. CAC, coolkey and PIV are all related firmware standards. PKCS #15 is another (actually PKCS #15 was originally a file system card standard, but I suspect is also has definitions for programmable cards as well).

to use the Rutoken you would need a pkcs #11 module that worked specifically with that token (or the standard installed on it).

bob

Comment 5 Michael 2010-12-15 07:49:57 UTC

I try to use Rutoken on last Fedora with /usr/lib64/pkcs11/opensc-pkcs11.so. It work fine. Could you please tell me why RHEL does`nt include opensc software?

Comment 6 Bob Relyea 2010-12-15 18:02:14 UTC

Because it interferes with pcsc-lite, and we don't have a business need to support those tokens.

It might be a good candidate for EPEL.

bob

Comment 7 Michael 2010-12-15 18:29:08 UTC

Many thanks for your answer. I`am understand that is not a bug. I`ll hope to see opensc-pkcs11.so in EPEL. Please close.

Note You need to log in before you can comment on or make changes to this bug.