Bug 879563 - pkcs11_listcerts/pklogin_finder are not able to see certs/token on a smartcard
Summary: pkcs11_listcerts/pklogin_finder are not able to see certs/token on a smartcard
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: coolkey
Version: 6.4
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: rc
Assignee: Bob Relyea
QA Contact: Asha Akkiangady
URL:
Whiteboard:
Depends On:
Blocks: 881827
 
Reported: 2012-11-23 10:47 UTC by Marian Krcmarik
Modified: 2013-02-21 10:16 UTC (History)

Fixed In Version: coolkey-1.1.0-23.el6
Doc Type: Known Issue
Doc Text:
The pkcs11_listcerts and pklogin_finder commands are not able to see certificates and tokens on a smartcard after upgrading coolkey from version 1.1.0-20 to 1.1.0-21.
Clone Of:
Environment:
Last Closed: 2013-02-21 10:16:03 UTC
Target Upstream Version:
Embargoed:



Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2013:0397 0 normal SHIPPED_LIVE coolkey bug fix and enhancement update 2013-02-20 20:51:14 UTC

Description Marian Krcmarik 2012-11-23 10:47:08 UTC
Description of problem:
pkcs11_listcerts/pklogin_finder are not able to see certs/token on a smartcard after upgrading coolkey from coolkey-1.1.0-20 to coolkey-1.1.0-21. The tools print the certs on the smartcard only once after a pcscd restart. This does not work on RHEL6.3 with coolkey updated to -21, and it does work on RHEL6.4 with coolkey downgraded back to -20.
Moreover, it is causing problems when using smartcards over spice. With -21 coolkey it seems that ESC on the client interferes with the spice client -> either the smartcard is caught by ESC on the client (displayed in ESC) or is emulated in the VM over spice (and not displayed in ESC on the client). It looks like they are racing. Once I uninstall ESC on the client or disable autostart of ESC, the smartcard is always correctly emulated in a VM. This does not happen with -20 coolkey: the smartcard is emulated in the VM over spice as well as displayed in ESC on the client machine.
The thing is that the certs are displayed in ESC but not with the tools.

Version-Release number of selected component (if applicable):
coolkey-1.1.0-21

How reproducible:
Always

Steps to Reproduce:
# pkcs11_listcerts debug
DEBUG:pam_config.c:238: Using config file /etc/pam_pkcs11/pam_pkcs11.conf
DEBUG:pkcs11_lib.c:182: Initializing NSS ...
DEBUG:pkcs11_lib.c:192: Initializing NSS ... database=/etc/pki/nssdb
DEBUG:pkcs11_lib.c:210: ...  NSS Complete
DEBUG:pkcs11_listcerts.c:69: loading pkcs #11 module...
DEBUG:pkcs11_lib.c:222: Looking up module in list
DEBUG:pkcs11_lib.c:225: modList = 0x1c837b0 next = 0x1c97dc0

DEBUG:pkcs11_lib.c:226: dllName= <null> 

DEBUG:pkcs11_lib.c:225: modList = 0x1c97dc0 next = 0x0

DEBUG:pkcs11_lib.c:226: dllName= libcoolkeypk11.so 

DEBUG:pkcs11_listcerts.c:77: initialising pkcs #11 module...
PIN for token: 
DEBUG:pkcs11_lib.c:48: PIN = [*****]
DEBUG:pkcs11_lib.c:746: cert 0: found (mkrcmari:signing key for mkrcmari), "UID=mkrcmari,O=Token Key User"
Found '1' certificate(s)
Certificate #1:
- Subject:   UID=mkrcmari,O=Token Key User
- Issuer:    CN=Certificate Authority,OU=pki-ca,O=******
- Algorithm: PKCS #1 RSA Encryption
DEBUG:cert_vfy.c:34: Verifying Cert: mkrcmari:signing key for mkrcmari (UID=mkrcmari,O=Token Key User)
DEBUG:cert_vfy.c:38: Couldn't verify Cert: Peer's Certificate issuer is not recognized.
verify_certificate() failed: 
DEBUG:pkcs11_listcerts.c:157: releasing pkcs #11 module...
DEBUG:pkcs11_listcerts.c:160: Process completed

[root@dhcp131-204 ~]# yum update coolkey -y > /dev/null
[root@dhcp131-204 ~]# rpm -q coolkey
coolkey-1.1.0-21.el6.x86_64

[root@dhcp131-204 ~]# pkcs11_listcerts debug
DEBUG:pam_config.c:238: Using config file /etc/pam_pkcs11/pam_pkcs11.conf
DEBUG:pkcs11_lib.c:182: Initializing NSS ...
DEBUG:pkcs11_lib.c:192: Initializing NSS ... database=/etc/pki/nssdb
DEBUG:pkcs11_lib.c:210: ...  NSS Complete
DEBUG:pkcs11_listcerts.c:69: loading pkcs #11 module...
DEBUG:pkcs11_lib.c:222: Looking up module in list
DEBUG:pkcs11_lib.c:225: modList = 0x15557b0 next = 0x1569dc0

DEBUG:pkcs11_lib.c:226: dllName= <null> 

DEBUG:pkcs11_lib.c:225: modList = 0x1569dc0 next = 0x0

DEBUG:pkcs11_lib.c:226: dllName= libcoolkeypk11.so 

DEBUG:pkcs11_listcerts.c:77: initialising pkcs #11 module...
DEBUG:pkcs11_listcerts.c:94: no token available
  
Actual results:
No token available

Expected results:
Token info

Additional info:
My sc:
# pcsc_scan 
PC/SC device scanner
V 1.4.17 (c) 2001-2009, Ludovic Rousseau <ludovic.rousseau>
Compiled with PC/SC lite version: 1.6.4
Scanning present readers...
0: Gemplus GemPC Twin 00 00

Fri Nov 23 10:42:52 2012
 Reader 0: Gemplus GemPC Twin 00 00
  Card state: Card inserted, 
  ATR: 3B 95 95 40 FF AE 01 03 00 00

ATR: 3B 95 95 40 FF AE 01 03 00 00
+ TS = 3B --> Direct Convention
+ T0 = 95, Y(1): 1001, K: 5 (historical bytes)
  TA(1) = 95 --> Fi=512, Di=16, 32 cycles/ETU
    125000 bits/s at 4 MHz, fMax for Fi = 5 MHz => 156250 bits/s
  TD(1) = 40 --> Y(i+1) = 0100, Protocol T = 0 
-----
  TC(2) = FF --> Work waiting time: 960 x 255 x (Fi/F)
+ Historical bytes: AE 01 03 00 00
  Category indicator byte: AE (proprietary format)

Possibly identified card (using /usr/share/pcsc/smartcard_list.txt):
3B 95 95 40 FF AE 01 03 00 00
	Axalto - Cyberflex 64K
	Gemalto TOP IM FIPS CY2 (product code HWP115291A)

Comment 3 Bob Relyea 2012-11-26 19:54:16 UTC
Arg, I don't have a Gemalto TOP IM FIPS CY2 (product code HWP115291A). Can I borrow one from QA?

bob

Comment 5 Bob Relyea 2012-11-27 03:09:20 UTC
OK, I think I've found some cards that fail, I should be able to get a patch tomorrow. The basic problem is the card lies when I ask it to switch to the PIV applet, and says "OK, I can do that". Of course it can't because the applet doesn't exist, but now we think the card is a PIV card.

Comment 6 Bob Relyea 2012-11-27 03:13:11 UTC
OK, I have a patch in hand that fixes this problem. Queued up and waiting for approval.

(Patch looks at the returned data from the select and makes sure it's what a PIV card should return, now the Gemalto coolkeys no longer look like empty PIV cards).

bob
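
The check Comment 6 describes, as an added sketch in C that is not coolkey's actual patch: a SELECT reply counts as PIV only when the status word is 90 00 and the returned data parses as the application property template (tag 0x61 carrying a 0x4F application identifier) that NIST SP 800-73 specifies for the PIV SELECT response. The function names and the sample byte strings are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Parse one BER-TLV header at buf[*pos]; on success move *pos to the value. */
static int tlv_header(const uint8_t *buf, size_t end, size_t *pos, unsigned *tag, size_t *len)
{
    size_t p = *pos;
    if (p >= end) return 0;
    *tag = buf[p++];
    if ((*tag & 0x1F) == 0x1F)                    /* multi-byte tag such as 5F50 */
        do {
            if (p >= end) return 0;
            *tag = (*tag << 8) | buf[p];
        } while (buf[p++] & 0x80);
    if (p >= end) return 0;
    *len = buf[p++];
    if (*len == 0x81 && p < end) *len = buf[p++]; /* one-byte long form */
    else if (*len & 0x80) return 0;               /* other length forms: rejected */
    if (*len > end - p) return 0;                 /* value must fit in the data */
    *pos = p;
    return 1;
}

/* rapdu = response data followed by SW1 SW2; returns 1 only for a PIV-shaped reply. */
int select_reply_is_piv(const uint8_t *rapdu, size_t n)
{
    unsigned tag = 0;
    size_t len = 0, pos = 0, end;
    if (n < 2 || rapdu[n - 2] != 0x90 || rapdu[n - 1] != 0x00) return 0;
    if (!tlv_header(rapdu, n - 2, &pos, &tag, &len) || tag != 0x61) return 0;
    end = pos + len;                              /* stay inside the template */
    while (pos < end) {
        if (!tlv_header(rapdu, end, &pos, &tag, &len)) return 0;
        if (tag == 0x4F && len > 0) return 1;     /* application identifier present */
        pos += len;
    }
    return 0;
}

/* Constructed sample replies (assumptions, not captured from any card). */
const uint8_t BARE_OK[]   = {0x90, 0x00};         /* "OK" with no data at all */
const uint8_t PIV_LIKE[]  = {0x61, 0x11, 0x4F, 0x06, 0x00, 0x00, 0x10, 0x00, 0x01, 0x00, 0x79, 0x07,
                             0x4F, 0x05, 0xA0, 0x00, 0x00, 0x03, 0x08, 0x90, 0x00};
const uint8_t OTHER_FCI[] = {0x6F, 0x04, 0x84, 0x02, 0xAA, 0xBB, 0x90, 0x00};
const uint8_t TRUNCATED[] = {0x61, 0x11, 0x4F, 0x06, 0x00, 0x90, 0x00};
#define IS_PIV(a) select_reply_is_piv((a), sizeof (a))
int main(void)
{
    printf("%d %d %d %d\n", IS_PIV(BARE_OK), IS_PIV(PIV_LIKE), IS_PIV(OTHER_FCI), IS_PIV(TRUNCATED));
    return 0;
}
```

Only the PIV-shaped reply is accepted; a success status word with no data, with a different template, or with a truncated template is treated as "not a PIV card", so detection can fall through to the next applet type.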

Comment 7 Bob Relyea 2012-11-27 17:55:38 UTC
builds complete: coolkey-1.1.0-22.el6

Comment 9 Bob Relyea 2012-11-27 18:14:11 UTC
build with rpmdiff fix: coolkey-1.1.0-23.el6

Comment 10 Marian Krcmarik 2012-11-28 16:42:14 UTC
(In reply to comment #9)
> build with rpmdiff fix: coolkey-1.1.0-23.el6

Works for me, Thanks.

Comment 11 Asha Akkiangady 2012-11-28 22:05:36 UTC
Tested with coolkey-1.1.0-23.el6, pklogin_finder command successfully recognizes Gemalto 64K usb token, Gemalto 64K smart card, Safenet 330J smart card, Gemalto TOPDLGX4 144 (CAC), Gemalto GCX4 72K (CAC), PIV Card (No card details printed on the card), Oberthur ID One V5.2 (CAC) cards.

Marking the bug verified.

Comment 13 errata-xmlrpc 2013-02-21 10:16:03 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0397.html

