Bug 826286 - Coolkey will not operate with Actividentity's ActivKey USB Token
Coolkey will not operate with Actividentity's ActivKey USB Token
Product: Fedora
Classification: Fedora
Component: coolkey (Show other bugs)
All Linux
unspecified Severity high
: ---
: ---
Assigned To: Bob Relyea
Fedora Extras Quality Assurance
Depends On:
  Show dependency treegraph
Reported: 2012-05-29 18:52 EDT by Robert Ladd
Modified: 2013-08-01 06:03 EDT (History)
8 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2013-08-01 06:03:02 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Redhat approved Patch for ActivKey functionality (863 bytes, patch)
2012-05-29 18:52 EDT, Robert Ladd
no flags Details | Diff
coolkey-1.1.0-26.fc19.src.rpm (468.75 KB, application/x-rpm)
2013-06-30 13:37 EDT, jac
no flags Details
coolkey-1.1.0-26.fc19.x86_64.rpm (356.45 KB, application/octet-stream)
2013-06-30 13:39 EDT, jac
no flags Details

  None (edit)
Description Robert Ladd 2012-05-29 18:52:08 EDT
Created attachment 587553 [details]
Redhat approved Patch for ActivKey functionality

Description of problem:
When inserting ActivKey USB Token in to a Fedora 17 running laptop.  pkcs11_listcerts or pkcs11_inspect and etc. does not prompt for a password nor does it display the certificates.  The reason is that it is missing the patch that allowed certs that did not exists in slot_0 work.

Version-Release number of selected component (if applicable):
1.1.0-15 - 1.1.0-20

How reproducible:
install coolkey as part of the fedora base installation.  Insert an ActivKey Token that is Grey not the blue one in an available USB slot and as root or as a regular user run pkcs11_listcerts debug and nothing returns stating no card available or to that suggestion.
1) download the patch at https://bugzilla.redhat.com/attachment.cgi?id=500732 2) download the coolkey-1.1.0-20 src.rpm  

Steps to Reproduce:
1.Download the ActivKey Patch from Fedora Bug save it as coolkey-activkey.patch

2.Change Directory to coolkey-1.1.0/

3. Patch this order
1)	patch -p0 < ../coolkey-cache-dir-move.patch (Aug 15th, 2007)
2)	patch -p0 < ../coolkey-gcc43.patch (Feb 13th, 2008)
3)	patch -p0 < ../coolkey-latest.patch (Sep 11th, 2009)
4)	patch -p0 < ../coolkey-simple-bugs (Sep 16th, 2009)
5)	patch -p0 < ../coolkey-thread-fix.patch (Dec 18th, 2009)
6)	patch -p0 < ../coolkey-cac.patch (Jun 16th, 2010)
7)	patch -p0 < ../coolkey-cac-1.patch (Jun 23rd, 2010)
8)	patch -p0 < ../coolkey-pcsc-lite-fix.patch (Sep 8th 2010)
9)	patch -p2 < ../coolkey-activkey.patch (May 23rd, 2011)
* you should only see succeeded messages if you get failure or prompted for the file you have a typo or you are in the wrong directory. If you cut and paste the above you need to remove the dates that I have on the end.

for 64bit system
./configure --libdir=/usr/lib64/ (check for errors)
for 32bit system
./configure --libdir=/usr/lib/ (check for errors)

5. make (check for errors)
   sudo make install

6. or copy the newly created libcoolkeypk11.so from ~/src/rpm/SOURCES/coolkey-1.1.0/src/coolkey/.libs/ to /usr/lib64/pkcs11/
Actual results:pkcs11_inspect
No prompt just returns with no results

Expected results:
PIN for token:
Printing data for mapper cn:
John Doe
Printing data for mapper pwent:
John Doe
Printing data for mapper subject:
E=john.doe@hp.com,CN=John Doe,OU=VPN-WEB-H,OU=Employment Status - Employees,O=Hewlett-Packard Company

Additional info:

Please incorporate the RedHat Patch back into the coolkey source.  Attached is the patch.
Comment 1 Stoyan Tsalev 2012-06-21 07:39:36 EDT
This is actually https://bugzilla.redhat.com/show_bug.cgi?id=688837 transferred over to F17. Is this really that problematic to incorportate the fix in the new release? Having to downgrade some packages to versions shipped in F11 is weird at best, and this "workaround" perhaps hides the actual impact of this issue. In my organization there are literally tens of thousands ActiveKeys in operation, with a couple of thousand used with Linux. AFAIK, Fedora/RHEL is the only distro where this isn't working out of the box.
Comment 2 strasharo2000 2012-10-29 15:42:29 EDT
I confirm that exactly the same bug exists for me and a colleague of mine on an up to date Fedora 17 x86_64 installation. It's really frustrating that this bug exists only in Fedora/RHEL and for our colleagues which are using other distributions such as Ubuntu it's working out of the box. If you need any assistance from our side to troubleshoot it, don't hesitate to contact us.
Comment 3 Bob Relyea 2012-10-29 18:54:17 EDT
Does this problem also exist on RHEL?

In order to fix this, I would need access to the failing hardware.

Comment 4 strasharo2000 2012-10-30 04:06:21 EDT
Haven't tried it personally, but IIRC a colleague of mine reported it failing on RHEL as well.
If it would help, I can provide you with root ssh acccess to my F17 x86_64 laptop with the failing hardware attached.
Comment 5 Kaloyan Mehandzhiyski 2012-10-30 05:03:40 EDT
Count me in, I also am very interested of fixing this bug. I am also trying to make it running few mounts with downgrading the coolkey rpm and trying different drivers for the card reader. If you need access, I can give you too laptop with attached device on it. Or any other assistance you may need.
Comment 6 strasharo2000 2012-10-30 09:33:46 EDT
Using the Windows ActivClient utility I was able to find out that the ActivKey I have has 8 slots for certificates and my certificates are on slots 6 and 7 (one cert is used for mail signing and the other is class A for authentication):

The Troubleshooting Wizard has detected 8 PKI slots to store private keys and digital certificates.
	Slot 1: does not contain a private key nor digital certificate.
	Slot 2: does not contain a private key nor digital certificate.
	Slot 3: does not contain a private key nor digital certificate.
	Slot 4: does not contain a private key nor digital certificate.
	Slot 5: does not contain a private key nor digital certificate.
	Slot 6 contains a private key and a digital certificate.
	Slot 7 contains a private key and a digital certificate.
	Slot 8: does not contain a private key nor digital certificate.

Looks like a colleague of ours already made a Github repo with Coolkey patched to support multiple slots:
I guess his code can be used as a reference for fixing this issue.
Comment 7 Kaloyan Mehandzhiyski 2012-11-01 05:03:55 EDT

I've tried to compile manually the source provided by the Github repository. 

It worked fine, just keep in mind that the PIN code should be numeric, it cannot contain letters.

Nothing special, just get that source code and follow the official coolkey build instructions.
Comment 8 Bob Relyea 2012-11-01 12:41:47 EDT
github? Upstream is fedora hosted. what github link are you seeing?

Comment 9 strasharo2000 2012-11-01 15:55:38 EDT
Hello Bob,

At the end of my previous post I provided a GitHub link, where a colleague of ours has published a patched source of Coolkey which supports multiple slots. Here's the link again - https://github.com/Vanuan/coolkey
Comment 10 Bob Relyea 2012-11-01 16:55:55 EDT
Comment 11 Robert Ladd 2012-11-04 21:46:01 EST
Hi Everyone,

in RHEL 6.3 (Desktop edition) Activkey will work with firefox, if you set up security devices and add coolkey as a new device and point to


The pkcs11_inspect and other tools work.  VPN does not work with connection manager and I have not yet had the time to figure how to make it work yet on RHED 6.3.

I don't know why it works in RHED and not Fedora 17.  I have a working document for Fedora 17.  You can use the latest modules from fedora 17 you just need to recompile one of the PKCS11 modules with the coolkey-patch from source this will rebuild the libcookeypk11.so module and allow everything to work on fedora 17.  you will still not have Network Manager support,  you have to use pppd with PPTP and Activkey from the command line.

I think that when we file these bugs the check if RHED is working or not and don't check the Fedora distro packages.

Hope this helps.


Robert Ladd

If your activkey is plugged in it will prompt you to enter your pin.

On Thu, Nov 1, 2012 at 2:55 PM, <bugzilla@redhat.com> wrote:


    --- Comment #10 from Bob Relyea <rrelyea@redhat.com> ---

    You are receiving this mail because:
    You reported the bug.
Comment 12 Sebastian Muñiz 2013-01-28 14:07:19 EST
I can add some "soft" details.
Using Ubuntu Precise, active key was working ok until I renewed certificate on it.
So, it looks like newer tools of activekey tools write certificates differently on the key.
I have Pin initialized it back and writen a new certificate and the issue is still there.
DEBUG:pkcs11_listcerts.c:69: loading pkcs #11 module...
DEBUG:pkcs11_lib.c:975: PKCS #11 module = [/usr/lib/pkcs11/libcoolkeypk11.so]
DEBUG:pkcs11_lib.c:992: module permissions: uid = 0, gid = 0, mode = 644
DEBUG:pkcs11_lib.c:1001: loading module /usr/lib/pkcs11/libcoolkeypk11.so
DEBUG:pkcs11_lib.c:1009: getting function list
DEBUG:pkcs11_listcerts.c:77: initialising pkcs #11 module...
DEBUG:pkcs11_lib.c:1106: module information:
DEBUG:pkcs11_lib.c:1107: - version: 2.11
DEBUG:pkcs11_lib.c:1108: - manufacturer: Mozilla Foundation              
DEBUG:pkcs11_lib.c:1109: - flags: 0000
DEBUG:pkcs11_lib.c:1110: - library description: CoolKey PKCS #11 Module     
DEBUG:pkcs11_lib.c:1111: - library version: 1.0
DEBUG:pkcs11_lib.c:1118: number of slots (a): 1
DEBUG:pkcs11_lib.c:1141: number of slots (b): 1
DEBUG:pkcs11_lib.c:1037: slot 1:
DEBUG:pkcs11_lib.c:1047: - description: Activkey Sim 00 00                                              
DEBUG:pkcs11_lib.c:1048: - manufacturer: Unknown                         
DEBUG:pkcs11_lib.c:1049: - flags: 0006
DEBUG:pkcs11_listcerts.c:94: no token available

$ lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 12.04.1 LTS
Release:	12.04
Codename:	precise

$ aptitude show coolkey
Package: coolkey                         
State: installed
Automatically installed: no
Version: 1.1.0-10ubuntu1
Priority: optional
Section: universe/admin
Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
Architecture: amd64
Uncompressed Size: 428 k
Depends: libckyapplet1 (= 1.1.0-10ubuntu1), libc6 (>= 2.4), libgcc1 (>=
         1:4.1.1), libstdc++6 (>= 4.6), zlib1g (>= 1:1.1.4), libpcsclite1

From our internal forun:
It seems like CoolKey doesn't support more than 3 PKI instances (so called "slots"). And it expects "CAC ID Certificate" to be in the first (0th) slot. If it isn't found, coolkey throws an exception.
Here is my branch of coolkey that fixes this issue: https://github.com/Vanuan/coolkey (multislot_support branch). It is a hack so it might not work in all cases.
Try if it works for you.

Comment 13 jac 2013-06-30 13:37:52 EDT
Created attachment 767121 [details]

Work on F19
Comment 14 jac 2013-06-30 13:39:41 EDT
Created attachment 767122 [details]

Binary rpm
Comment 15 Fedora End Of Life 2013-07-03 23:03:27 EDT
This message is a reminder that Fedora 17 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 17. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '17'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 17's end of life.

Bug Reporter:  Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 17 is end of life. If you 
would still like  to see this bug fixed and are able to reproduce it 
against a later version  of Fedora, you are encouraged  change the 
'version' to a later Fedora version prior to Fedora 17's end of life.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.
Comment 16 Fedora End Of Life 2013-08-01 06:03:07 EDT
Fedora 17 changed to end-of-life (EOL) status on 2013-07-30. Fedora 17 is 
no longer maintained, which means that it will not receive any further 
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of 
Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.

Note You need to log in before you can comment on or make changes to this bug.