Bug 879563 - pkcs11_listcerts/pklogin_finder are not able to see certs/token on a smartcard
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: coolkey
Version: 6.4
Hardware: Unspecified Unspecified
Priority: high, Severity: high
Target Milestone: rc
Target Release: ---
Assigned To: Bob Relyea
QA Contact: Asha Akkiangady
Keywords: Regression, TestBlocker
Depends On:
Blocks: 881827
Reported: 2012-11-23 05:47 EST by Marian Krcmarik
Modified: 2013-02-21 05:16 EST
Fixed In Version: coolkey-1.1.0-23.el6
Doc Type: Known Issue
Doc Text:
The pkcs11_listcerts and pklogin_finder commands are not able to see certificates and tokens on a smartcard after upgrading coolkey from version 1.1.0-20 to 1.1.0-21.
Last Closed: 2013-02-21 05:16:03 EST
Type: Bug
Description Marian Krcmarik 2012-11-23 05:47:08 EST
Description of problem:
pkcs11_listcerts/pklogin_finder are not able to see certs/token on a smartcard after upgrading coolkey from coolkey-1.1.0-20 to coolkey-1.1.0-21. The tools print the certs on the smartcard only once after a pcscd restart. This does not work on RHEL6.3 with coolkey updated to -21, and it does work on RHEL6.4 with coolkey downgraded back to -20.
Moreover, it is causing problems when using smartcards over spice. With -21 coolkey it seems that ESC on the client interferes with the spice client -> either the smartcard is caught by ESC on the client (displayed in ESC) or it is emulated in the VM over spice (and not displayed in ESC on the client). It looks like they are racing. Once I uninstall ESC on the client or disable autostart of ESC, the smartcard is always correctly emulated in a VM. This does not happen with -20 coolkey; the smartcard is emulated in the VM over spice as well as displayed in ESC on the client machine.
The thing is that the certs are displayed in ESC but not with the tools.

Version-Release number of selected component (if applicable):
coolkey-1.1.0-21

How reproducible:
Always

Steps to Reproduce:
# pkcs11_listcerts debug
DEBUG:pam_config.c:238: Using config file /etc/pam_pkcs11/pam_pkcs11.conf
DEBUG:pkcs11_lib.c:182: Initializing NSS ...
DEBUG:pkcs11_lib.c:192: Initializing NSS ... database=/etc/pki/nssdb
DEBUG:pkcs11_lib.c:210: ...  NSS Complete
DEBUG:pkcs11_listcerts.c:69: loading pkcs #11 module...
DEBUG:pkcs11_lib.c:222: Looking up module in list
DEBUG:pkcs11_lib.c:225: modList = 0x1c837b0 next = 0x1c97dc0

DEBUG:pkcs11_lib.c:226: dllName= <null> 

DEBUG:pkcs11_lib.c:225: modList = 0x1c97dc0 next = 0x0

DEBUG:pkcs11_lib.c:226: dllName= libcoolkeypk11.so 

DEBUG:pkcs11_listcerts.c:77: initialising pkcs #11 module...
PIN for token: 
DEBUG:pkcs11_lib.c:48: PIN = [*****]
DEBUG:pkcs11_lib.c:746: cert 0: found (mkrcmari:signing key for mkrcmari), "UID=mkrcmari,O=Token Key User"
Found '1' certificate(s)
Certificate #1:
- Subject:   UID=mkrcmari,O=Token Key User
- Issuer:    CN=Certificate Authority,OU=pki-ca,O=******
- Algorithm: PKCS #1 RSA Encryption
DEBUG:cert_vfy.c:34: Verifying Cert: mkrcmari:signing key for mkrcmari (UID=mkrcmari,O=Token Key User)
DEBUG:cert_vfy.c:38: Couldn't verify Cert: Peer's Certificate issuer is not recognized.
verify_certificate() failed: 
DEBUG:pkcs11_listcerts.c:157: releasing pkcs #11 module...
DEBUG:pkcs11_listcerts.c:160: Process completed

[root@dhcp131-204 ~]# yum update coolkey -y > /dev/null
[root@dhcp131-204 ~]# rpm -q coolkey
coolkey-1.1.0-21.el6.x86_64

[root@dhcp131-204 ~]# pkcs11_listcerts debug
DEBUG:pam_config.c:238: Using config file /etc/pam_pkcs11/pam_pkcs11.conf
DEBUG:pkcs11_lib.c:182: Initializing NSS ...
DEBUG:pkcs11_lib.c:192: Initializing NSS ... database=/etc/pki/nssdb
DEBUG:pkcs11_lib.c:210: ...  NSS Complete
DEBUG:pkcs11_listcerts.c:69: loading pkcs #11 module...
DEBUG:pkcs11_lib.c:222: Looking up module in list
DEBUG:pkcs11_lib.c:225: modList = 0x15557b0 next = 0x1569dc0

DEBUG:pkcs11_lib.c:226: dllName= <null> 

DEBUG:pkcs11_lib.c:225: modList = 0x1569dc0 next = 0x0

DEBUG:pkcs11_lib.c:226: dllName= libcoolkeypk11.so 

DEBUG:pkcs11_listcerts.c:77: initialising pkcs #11 module...
DEBUG:pkcs11_listcerts.c:94: no token available
  
Actual results:
No token available

Expected results:
Token info

Additional info:
My sc:
# pcsc_scan 
PC/SC device scanner
V 1.4.17 (c) 2001-2009, Ludovic Rousseau <ludovic.rousseau@free.fr>
Compiled with PC/SC lite version: 1.6.4
Scanning present readers...
0: Gemplus GemPC Twin 00 00

Fri Nov 23 10:42:52 2012
 Reader 0: Gemplus GemPC Twin 00 00
  Card state: Card inserted, 
  ATR: 3B 95 95 40 FF AE 01 03 00 00

ATR: 3B 95 95 40 FF AE 01 03 00 00
+ TS = 3B --> Direct Convention
+ T0 = 95, Y(1): 1001, K: 5 (historical bytes)
  TA(1) = 95 --> Fi=512, Di=16, 32 cycles/ETU
    125000 bits/s at 4 MHz, fMax for Fi = 5 MHz => 156250 bits/s
  TD(1) = 40 --> Y(i+1) = 0100, Protocol T = 0 
-----
  TC(2) = FF --> Work waiting time: 960 x 255 x (Fi/F)
+ Historical bytes: AE 01 03 00 00
  Category indicator byte: AE (proprietary format)

Possibly identified card (using /usr/share/pcsc/smartcard_list.txt):
3B 95 95 40 FF AE 01 03 00 00
	Axalto - Cyberflex 64K
	Gemalto TOP IM FIPS CY2 (product code HWP115291A)
Comment 3 Bob Relyea 2012-11-26 14:54:16 EST
Arg, I don't have a Gemalto TOP IM FIPS CY2 (product code HWP115291A). Can I borrow one from QA?

bob
Comment 5 Bob Relyea 2012-11-26 22:09:20 EST
OK, I think I've found some cards that fail; I should be able to get a patch tomorrow. The basic problem is that the card lies when I ask it to switch to the PIV applet, and says "OK, I can do that". Of course it can't because the applet doesn't exist, but now we think the card is a PIV card.
Comment 6 Bob Relyea 2012-11-26 22:13:11 EST
OK, I have a patch in hand that fixes this problem. Queued up and waiting for approval.

(Patch looks at the returned data from the select and makes sure it's what a PIV card should return, now the Gemalto coolkeys no longer look like empty PIV cards).

bob
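
Added example, not part of the bug report and not the coolkey patch: one way to check that a SELECT response really looks like a PIV card's rather than trusting the success status alone. It assumes the NIST SP 800-73 layout (application property template, tag 61, carrying the application identifier in tag 4F); the function names and sample responses are constructed for illustration, and the bare 90 00 response is only an assumed form of the "card lies" case.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>

// PIV AID (NIST SP 800-73): RID A0 00 00 03 08, then PIX 00 00 10 00 01 00.
static const uint8_t PIV_RID[] = {0xA0, 0x00, 0x00, 0x03, 0x08};
static const uint8_t PIV_PIX[] = {0x00, 0x00, 0x10, 0x00};  // PIX minus version bytes

// Parse one BER-TLV header; returns the offset of the value, or 0 if malformed.
static size_t read_tlv(const uint8_t *p, size_t avail, uint32_t *tag, size_t *len) {
    size_t i = 0;
    if (avail < 2) return 0;
    *tag = p[i++];
    if ((*tag & 0x1F) == 0x1F) {                 // multi-byte tag such as 5F 50
        uint8_t b;
        do {
            if (i >= avail || i >= 3) return 0;
            b = p[i++];
            *tag = (*tag << 8) | b;
        } while (b & 0x80);
    }
    if (i >= avail) return 0;
    uint8_t l = p[i++];
    if (l < 0x80) *len = l;
    else if (l == 0x81 && i < avail) *len = p[i++];
    else if (l == 0x82 && i + 1 < avail) { *len = (size_t(p[i]) << 8) | p[i + 1]; i += 2; }
    else return 0;
    return (*len <= avail - i) ? i : 0;          // value must fit in the buffer
}

// resp holds the SELECT response data followed by SW1 SW2.
bool select_response_is_piv(const uint8_t *resp, size_t n) {
    if (n < 2 || resp[n - 2] != 0x90 || resp[n - 1] != 0x00) return false;
    uint32_t tag; size_t len, left;
    size_t off = read_tlv(resp, n - 2, &tag, &len);
    if (!off || tag != 0x61) return false;       // "OK" without a property template
    const uint8_t *p = resp + off;
    for (left = len; left > 0; p += off + len, left -= off + len) {
        if (!(off = read_tlv(p, left, &tag, &len))) return false;
        if (tag != 0x4F) continue;               // skip other template entries
        const uint8_t *v = p + off;
        if (len >= 5 && !memcmp(v, PIV_RID, 5)) { v += 5; len -= 5; }  // RID + PIX form
        return len >= 4 && !memcmp(v, PIV_PIX, 4);
    }
    return false;
}

// Constructed sample responses (not captured from a real card).
static const uint8_t RESP_PIV[] = {0x61,0x11,0x4F,0x06,0x00,0x00,0x10,0x00,0x01,0x00,
    0x79,0x07,0x4F,0x05,0xA0,0x00,0x00,0x03,0x08,0x90,0x00};
static const uint8_t RESP_BARE_OK[] = {0x90, 0x00};   // success status, no data
static const uint8_t RESP_NOT_FOUND[] = {0x6A, 0x82}; // file or application not found
```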
Comment 7 Bob Relyea 2012-11-27 12:55:38 EST
builds complete: coolkey-1.1.0-22.el6
Comment 9 Bob Relyea 2012-11-27 13:14:11 EST
build with rpmdiff fix: coolkey-1.1.0-23.el6
Comment 10 Marian Krcmarik 2012-11-28 11:42:14 EST
(In reply to comment #9)
> build with rpmdiff fix: coolkey-1.1.0-23.el6

Works for me, Thanks.
Comment 11 Asha Akkiangady 2012-11-28 17:05:36 EST
Tested with coolkey-1.1.0-23.el6; the pklogin_finder command successfully recognizes Gemalto 64K usb token, Gemalto 64K smart card, Safenet 330J smart card, Gemalto TOPDLGX4 144 (CAC), Gemalto GCX4 72K (CAC), PIV Card (no card details printed on the card), Oberthur ID One V5.2 (CAC) cards.

Marking the bug verified.
Comment 13 errata-xmlrpc 2013-02-21 05:16:03 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0397.html
