Red Hat Bugzilla – Bug 826286
Coolkey will not operate with Actividentity's ActivKey USB Token
Last modified: 2013-08-01 06:03:07 EDT
Created attachment 587553 [details]
Redhat approved Patch for ActivKey functionality
Description of problem:
When inserting ActivKey USB Token in to a Fedora 17 running laptop. pkcs11_listcerts or pkcs11_inspect and etc. does not prompt for a password nor does it display the certificates. The reason is that it is missing the patch that allowed certs that did not exists in slot_0 work.
Version-Release number of selected component (if applicable):
1.1.0-15 - 1.1.0-20
install coolkey as part of the fedora base installation. Insert an ActivKey Token that is Grey not the blue one in an available USB slot and as root or as a regular user run pkcs11_listcerts debug and nothing returns stating no card available or to that suggestion.
1) download the patch at https://bugzilla.redhat.com/attachment.cgi?id=500732 2) download the coolkey-1.1.0-20 src.rpm
Steps to Reproduce:
1.Download the ActivKey Patch from Fedora Bug save it as coolkey-activkey.patch
2.Change Directory to coolkey-1.1.0/
3. Patch this order
1) patch -p0 < ../coolkey-cache-dir-move.patch (Aug 15th, 2007)
2) patch -p0 < ../coolkey-gcc43.patch (Feb 13th, 2008)
3) patch -p0 < ../coolkey-latest.patch (Sep 11th, 2009)
4) patch -p0 < ../coolkey-simple-bugs (Sep 16th, 2009)
5) patch -p0 < ../coolkey-thread-fix.patch (Dec 18th, 2009)
6) patch -p0 < ../coolkey-cac.patch (Jun 16th, 2010)
7) patch -p0 < ../coolkey-cac-1.patch (Jun 23rd, 2010)
8) patch -p0 < ../coolkey-pcsc-lite-fix.patch (Sep 8th 2010)
9) patch -p2 < ../coolkey-activkey.patch (May 23rd, 2011)
* you should only see succeeded messages if you get failure or prompted for the file you have a typo or you are in the wrong directory. If you cut and paste the above you need to remove the dates that I have on the end.
for 64bit system
./configure --libdir=/usr/lib64/ (check for errors)
for 32bit system
./configure --libdir=/usr/lib/ (check for errors)
5. make (check for errors)
sudo make install
6. or copy the newly created libcoolkeypk11.so from ~/src/rpm/SOURCES/coolkey-1.1.0/src/coolkey/.libs/ to /usr/lib64/pkcs11/
No prompt just returns with no results
PIN for token:
Printing data for mapper cn:
Printing data for mapper pwent:
Printing data for mapper subject:
Eemail@example.com,CN=John Doe,OU=VPN-WEB-H,OU=Employment Status - Employees,O=Hewlett-Packard Company
Please incorporate the RedHat Patch back into the coolkey source. Attached is the patch.
This is actually https://bugzilla.redhat.com/show_bug.cgi?id=688837 transferred over to F17. Is this really that problematic to incorportate the fix in the new release? Having to downgrade some packages to versions shipped in F11 is weird at best, and this "workaround" perhaps hides the actual impact of this issue. In my organization there are literally tens of thousands ActiveKeys in operation, with a couple of thousand used with Linux. AFAIK, Fedora/RHEL is the only distro where this isn't working out of the box.
I confirm that exactly the same bug exists for me and a colleague of mine on an up to date Fedora 17 x86_64 installation. It's really frustrating that this bug exists only in Fedora/RHEL and for our colleagues which are using other distributions such as Ubuntu it's working out of the box. If you need any assistance from our side to troubleshoot it, don't hesitate to contact us.
Does this problem also exist on RHEL?
In order to fix this, I would need access to the failing hardware.
Haven't tried it personally, but IIRC a colleague of mine reported it failing on RHEL as well.
If it would help, I can provide you with root ssh acccess to my F17 x86_64 laptop with the failing hardware attached.
Count me in, I also am very interested of fixing this bug. I am also trying to make it running few mounts with downgrading the coolkey rpm and trying different drivers for the card reader. If you need access, I can give you too laptop with attached device on it. Or any other assistance you may need.
Using the Windows ActivClient utility I was able to find out that the ActivKey I have has 8 slots for certificates and my certificates are on slots 6 and 7 (one cert is used for mail signing and the other is class A for authentication):
The Troubleshooting Wizard has detected 8 PKI slots to store private keys and digital certificates.
Slot 1: does not contain a private key nor digital certificate.
Slot 2: does not contain a private key nor digital certificate.
Slot 3: does not contain a private key nor digital certificate.
Slot 4: does not contain a private key nor digital certificate.
Slot 5: does not contain a private key nor digital certificate.
Slot 6 contains a private key and a digital certificate.
Slot 7 contains a private key and a digital certificate.
Slot 8: does not contain a private key nor digital certificate.
Looks like a colleague of ours already made a Github repo with Coolkey patched to support multiple slots:
I guess his code can be used as a reference for fixing this issue.
I've tried to compile manually the source provided by the Github repository.
It worked fine, just keep in mind that the PIN code should be numeric, it cannot contain letters.
Nothing special, just get that source code and follow the official coolkey build instructions.
github? Upstream is fedora hosted. what github link are you seeing?
At the end of my previous post I provided a GitHub link, where a colleague of ours has published a patched source of Coolkey which supports multiple slots. Here's the link again - https://github.com/Vanuan/coolkey
in RHEL 6.3 (Desktop edition) Activkey will work with firefox, if you set up security devices and add coolkey as a new device and point to
The pkcs11_inspect and other tools work. VPN does not work with connection manager and I have not yet had the time to figure how to make it work yet on RHED 6.3.
I don't know why it works in RHED and not Fedora 17. I have a working document for Fedora 17. You can use the latest modules from fedora 17 you just need to recompile one of the PKCS11 modules with the coolkey-patch from source this will rebuild the libcookeypk11.so module and allow everything to work on fedora 17. you will still not have Network Manager support, you have to use pppd with PPTP and Activkey from the command line.
I think that when we file these bugs the check if RHED is working or not and don't check the Fedora distro packages.
Hope this helps.
If your activkey is plugged in it will prompt you to enter your pin.
On Thu, Nov 1, 2012 at 2:55 PM, <firstname.lastname@example.org> wrote:
--- Comment #10 from Bob Relyea <email@example.com> ---
You are receiving this mail because:
You reported the bug.
I can add some "soft" details.
Using Ubuntu Precise, active key was working ok until I renewed certificate on it.
So, it looks like newer tools of activekey tools write certificates differently on the key.
I have Pin initialized it back and writen a new certificate and the issue is still there.
DEBUG:pkcs11_listcerts.c:69: loading pkcs #11 module...
DEBUG:pkcs11_lib.c:975: PKCS #11 module = [/usr/lib/pkcs11/libcoolkeypk11.so]
DEBUG:pkcs11_lib.c:992: module permissions: uid = 0, gid = 0, mode = 644
DEBUG:pkcs11_lib.c:1001: loading module /usr/lib/pkcs11/libcoolkeypk11.so
DEBUG:pkcs11_lib.c:1009: getting function list
DEBUG:pkcs11_listcerts.c:77: initialising pkcs #11 module...
DEBUG:pkcs11_lib.c:1106: module information:
DEBUG:pkcs11_lib.c:1107: - version: 2.11
DEBUG:pkcs11_lib.c:1108: - manufacturer: Mozilla Foundation
DEBUG:pkcs11_lib.c:1109: - flags: 0000
DEBUG:pkcs11_lib.c:1110: - library description: CoolKey PKCS #11 Module
DEBUG:pkcs11_lib.c:1111: - library version: 1.0
DEBUG:pkcs11_lib.c:1118: number of slots (a): 1
DEBUG:pkcs11_lib.c:1141: number of slots (b): 1
DEBUG:pkcs11_lib.c:1037: slot 1:
DEBUG:pkcs11_lib.c:1047: - description: Activkey Sim 00 00
DEBUG:pkcs11_lib.c:1048: - manufacturer: Unknown
DEBUG:pkcs11_lib.c:1049: - flags: 0006
DEBUG:pkcs11_listcerts.c:94: no token available
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 12.04.1 LTS
$ aptitude show coolkey
Automatically installed: no
Maintainer: Ubuntu Developers <firstname.lastname@example.org>
Uncompressed Size: 428 k
Depends: libckyapplet1 (= 1.1.0-10ubuntu1), libc6 (>= 2.4), libgcc1 (>=
1:4.1.1), libstdc++6 (>= 4.6), zlib1g (>= 1:1.1.4), libpcsclite1
From our internal forun:
It seems like CoolKey doesn't support more than 3 PKI instances (so called "slots"). And it expects "CAC ID Certificate" to be in the first (0th) slot. If it isn't found, coolkey throws an exception.
Here is my branch of coolkey that fixes this issue: https://github.com/Vanuan/coolkey (multislot_support branch). It is a hack so it might not work in all cases.
Try if it works for you.
Created attachment 767121 [details]
Work on F19
Created attachment 767122 [details]
This message is a reminder that Fedora 17 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 17. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as WONTFIX if it remains open with a Fedora
'version' of '17'.
Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version'
to a later Fedora version prior to Fedora 17's end of life.
Bug Reporter: Thank you for reporting this issue and we are sorry that
we may not be able to fix it before Fedora 17 is end of life. If you
would still like to see this bug fixed and are able to reproduce it
against a later version of Fedora, you are encouraged change the
'version' to a later Fedora version prior to Fedora 17's end of life.
Although we aim to fix as many bugs as possible during every release's
lifetime, sometimes those efforts are overtaken by events. Often a
more recent Fedora release includes newer upstream software that fixes
bugs or makes them obsolete.
Fedora 17 changed to end-of-life (EOL) status on 2013-07-30. Fedora 17 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.
If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version.
Thank you for reporting this bug and we are sorry it could not be fixed.