The pkcs11_listcerts and pklogin_finder commands are not able to see certificates and tokens on a smartcard after upgrading coolkey from version 1.1.0-20 to 1.1.0-21.
Description Marian Krcmarik
2012-11-23 10:47:08 UTC
Description of problem:
pkcs11_listcerts/pklogin_finder are not able to see certs/token on a smartcard after upgrading coolkey from coolkey-1.1.0-20 to coolkey-1.1.0-21. The tools print the certs on the smartcard only once after a pcscd restart. This does not work on RHEL6.3 with coolkey updated to -21, and it does work on RHEL6.4 with coolkey downgraded back to -20.
Moreover, it is causing problems when using smartcards over spice. With -21 coolkey it seems that ESC on the client interferes with the spice client: either the smartcard is caught by ESC on the client (displayed in ESC) or it is emulated in the VM over spice (and not displayed in ESC on the client). It looks like they are racing. Once I uninstall ESC on the client or disable autostart of ESC, the smartcard is always correctly emulated in a VM. This does not happen with -20 coolkey; the smartcard is emulated in the VM over spice as well as displayed in ESC on the client machine.
The thing is that the certs are displayed in ESC but not with the tools.
Version-Release number of selected component (if applicable):
coolkey-1.1.0-21
How reproducible:
Always
Steps to Reproduce:
# pkcs11_listcerts debug
DEBUG:pam_config.c:238: Using config file /etc/pam_pkcs11/pam_pkcs11.conf
DEBUG:pkcs11_lib.c:182: Initializing NSS ...
DEBUG:pkcs11_lib.c:192: Initializing NSS ... database=/etc/pki/nssdb
DEBUG:pkcs11_lib.c:210: ... NSS Complete
DEBUG:pkcs11_listcerts.c:69: loading pkcs #11 module...
DEBUG:pkcs11_lib.c:222: Looking up module in list
DEBUG:pkcs11_lib.c:225: modList = 0x1c837b0 next = 0x1c97dc0
DEBUG:pkcs11_lib.c:226: dllName= <null>
DEBUG:pkcs11_lib.c:225: modList = 0x1c97dc0 next = 0x0
DEBUG:pkcs11_lib.c:226: dllName= libcoolkeypk11.so
DEBUG:pkcs11_listcerts.c:77: initialising pkcs #11 module...
PIN for token:
DEBUG:pkcs11_lib.c:48: PIN = [*****]
DEBUG:pkcs11_lib.c:746: cert 0: found (mkrcmari:signing key for mkrcmari), "UID=mkrcmari,O=Token Key User"
Found '1' certificate(s)
Certificate #1:
- Subject: UID=mkrcmari,O=Token Key User
- Issuer: CN=Certificate Authority,OU=pki-ca,O=******
- Algorithm: PKCS #1 RSA Encryption
DEBUG:cert_vfy.c:34: Verifying Cert: mkrcmari:signing key for mkrcmari (UID=mkrcmari,O=Token Key User)
DEBUG:cert_vfy.c:38: Couldn't verify Cert: Peer's Certificate issuer is not recognized.
verify_certificate() failed:
DEBUG:pkcs11_listcerts.c:157: releasing pkcs #11 module...
DEBUG:pkcs11_listcerts.c:160: Process completed
[root@dhcp131-204 ~]# yum update coolkey -y > /dev/null
[root@dhcp131-204 ~]# rpm -q coolkey
coolkey-1.1.0-21.el6.x86_64
[root@dhcp131-204 ~]# pkcs11_listcerts debug
DEBUG:pam_config.c:238: Using config file /etc/pam_pkcs11/pam_pkcs11.conf
DEBUG:pkcs11_lib.c:182: Initializing NSS ...
DEBUG:pkcs11_lib.c:192: Initializing NSS ... database=/etc/pki/nssdb
DEBUG:pkcs11_lib.c:210: ... NSS Complete
DEBUG:pkcs11_listcerts.c:69: loading pkcs #11 module...
DEBUG:pkcs11_lib.c:222: Looking up module in list
DEBUG:pkcs11_lib.c:225: modList = 0x15557b0 next = 0x1569dc0
DEBUG:pkcs11_lib.c:226: dllName= <null>
DEBUG:pkcs11_lib.c:225: modList = 0x1569dc0 next = 0x0
DEBUG:pkcs11_lib.c:226: dllName= libcoolkeypk11.so
DEBUG:pkcs11_listcerts.c:77: initialising pkcs #11 module...
DEBUG:pkcs11_listcerts.c:94: no token available
Actual results:
No token available
Expected results:
Token info
Additional info:
My sc:
# pcsc_scan
PC/SC device scanner
V 1.4.17 (c) 2001-2009, Ludovic Rousseau <ludovic.rousseau>
Compiled with PC/SC lite version: 1.6.4
Scanning present readers...
0: Gemplus GemPC Twin 00 00
Fri Nov 23 10:42:52 2012
Reader 0: Gemplus GemPC Twin 00 00
Card state: Card inserted,
ATR: 3B 95 95 40 FF AE 01 03 00 00
ATR: 3B 95 95 40 FF AE 01 03 00 00
+ TS = 3B --> Direct Convention
+ T0 = 95, Y(1): 1001, K: 5 (historical bytes)
TA(1) = 95 --> Fi=512, Di=16, 32 cycles/ETU
125000 bits/s at 4 MHz, fMax for Fi = 5 MHz => 156250 bits/s
TD(1) = 40 --> Y(i+1) = 0100, Protocol T = 0
-----
TC(2) = FF --> Work waiting time: 960 x 255 x (Fi/F)
+ Historical bytes: AE 01 03 00 00
Category indicator byte: AE (proprietary format)
Possibly identified card (using /usr/share/pcsc/smartcard_list.txt):
3B 95 95 40 FF AE 01 03 00 00
Axalto - Cyberflex 64K
Gemalto TOP IM FIPS CY2 (product code HWP115291A)
OK, I think I've found some cards that fail; I should be able to get a patch tomorrow. The basic problem is that the card lies when I ask it to switch to the PIV applet, and says "OK, I can do that". Of course it can't, because the applet doesn't exist, but now we think the card is a PIV card.
OK, I have a patch in hand that fixes this problem. Queued up and waiting for approval.
(The patch looks at the returned data from the select and makes sure it's what a PIV card should return; now the Gemalto coolkeys no longer look like empty PIV cards.)
bob
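An added illustration of the kind of check the comment above describes (it is not the coolkey patch, which is not shown on this page): instead of trusting the "OK" status word alone, inspect the data returned by SELECT. It assumes the PIV SELECT reply layout from NIST SP 800-73 (application property template, tag 0x61, holding an AID in tag 0x4F); `select_reply_is_piv`, `aid_is_piv` and the sample byte strings are hypothetical and constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* PIV AID per NIST SP 800-73: RID A0 00 00 03 08, then PIX 00 00 10 00 ... */
static const uint8_t PIV_RID[] = {0xA0, 0x00, 0x00, 0x03, 0x08};
static const uint8_t PIV_PIX[] = {0x00, 0x00, 0x10, 0x00};
/* Constructed sample replies (not captured from the card in this report). */
static const uint8_t SAMPLE_PIV[] = {0x61, 0x11, 0x4F, 0x06, 0x00, 0x00, 0x10, 0x00, 0x01,
                                     0x00, 0x79, 0x07, 0x4F, 0x05, 0xA0, 0x00, 0x00, 0x03, 0x08};
static const uint8_t SAMPLE_OTHER[] = {0x6F, 0x02, 0x84, 0x00};

/* Does a 0x4F value name the PIV application (bare PIX, or RID + PIX)? */
static int aid_is_piv(const uint8_t *v, size_t n)
{
    if (n >= sizeof PIV_RID + sizeof PIV_PIX && memcmp(v, PIV_RID, sizeof PIV_RID) == 0) {
        v += sizeof PIV_RID;
        n -= sizeof PIV_RID;
    }
    return n >= sizeof PIV_PIX && memcmp(v, PIV_PIX, sizeof PIV_PIX) == 0;
}

/* Hypothetical helper: does the reply to SELECT(PIV AID) really come from a
 * PIV applet? Only short-form (one byte) BER-TLV lengths are handled. */
int select_reply_is_piv(const uint8_t *resp, size_t len, uint16_t sw)
{
    if (sw != 0x9000)
        return 0;                 /* card refused the SELECT */
    if (len < 2 || resp[0] != 0x61 || resp[1] >= 0x80 || (size_t)resp[1] + 2 > len)
        return 0;                 /* "OK", but no complete property template */
    const uint8_t *p = resp + 2, *end = p + resp[1];
    while (end - p >= 2) {        /* walk the data objects inside tag 0x61 */
        uint8_t tag = p[0], l = p[1];
        if (l >= 0x80 || (size_t)(end - p - 2) < l)
            return 0;             /* malformed or truncated TLV */
        if (tag == 0x4F)
            return aid_is_piv(p + 2, l);
        p += 2 + l;
    }
    return 0;                     /* template present, but no AID in it */
}

int main(void)
{
    printf("PIV reply: %d, empty OK reply: %d\n",
           select_reply_is_piv(SAMPLE_PIV, sizeof SAMPLE_PIV, 0x9000),
           select_reply_is_piv(NULL, 0, 0x9000));
    return 0;
}
```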
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
http://rhn.redhat.com/errata/RHBA-2013-0397.html