Bug 882079 - Coolkey does not support Activkey's non-CAC slots
Summary: Coolkey does not support Activkey's non-CAC slots
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: coolkey
Version: 6.3
Hardware: All
OS: Linux
Priority: unspecified
Severity: urgent
Target Milestone: rc
Target Release: ---
Assignee: Bob Relyea
QA Contact: Asha Akkiangady
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2012-11-30 04:18 UTC by Robert Ladd
Modified: 2019-04-02 22:11 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-03-25 20:06:33 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)
Here is the Coolkey Log file. (3.32 KB, text/x-log), 2012-11-30 04:18 UTC, Robert Ladd

Description Robert Ladd 2012-11-30 04:18:59 UTC
Created attachment 654783 [details]
Here is the Coolkey Log file.

Description of problem:
Corporate policy changed the Class-A certificate from 1024 to 2048 bits, and now pkcs11_inspect and related tools do not find the certificate and do not prompt for the token PIN.

Version-Release number of selected component (if applicable):
1.1.0-20 RHEL Workstation 6.3
1.1.0-20 Fedora Core 17 as well.

How reproducible:


Steps to Reproduce:
1. Use Activkey Token with 1024 bit certificate (works)
2. Use Activkey Token with 2048 bit certificate (fails)
Actual results:
pkcs11_inspect debug
DEBUG:pam_config.c:238: Using config file /etc/pam_pkcs11/pam_pkcs11.conf
DEBUG:pkcs11_lib.c:182: Initializing NSS ...
DEBUG:pkcs11_lib.c:192: Initializing NSS ... database=/etc/pki/nssdb
DEBUG:pkcs11_lib.c:210: ...  NSS Complete
DEBUG:pkcs11_inspect.c:69: loading pkcs #11 module...
DEBUG:pkcs11_lib.c:222: Looking up module in list
DEBUG:pkcs11_lib.c:225: modList = 0x1d55d20 next = 0x1d6a1e0

DEBUG:pkcs11_lib.c:226: dllName= <null> 

DEBUG:pkcs11_lib.c:225: modList = 0x1d6a1e0 next = 0x0

DEBUG:pkcs11_lib.c:226: dllName= libcoolkeypk11.so 

DEBUG:pkcs11_inspect.c:78: initialising pkcs #11 module...
DEBUG:pkcs11_inspect.c:95: no token available


Expected results:
PIN: 
Certificate Details

Additional info:
The Activkey worked great under RHEL 6.3, until the token update of the certificate.
I have a concern that the position of the new token might be a problem. It resides in slot 6 of the USB token.
I have attached the coolkey log file.

I tried changing the CAC patch for MAX-SLOTS to 8 and compiled a custom lib to see if it was a slot issue. This did not change anything noticeable.

Comment 2 olaf.speder 2012-11-30 09:44:03 UTC
I'm having exactly the same problem. As long as the certificate is 1024 bit everything works. With a certificate of 2048 bit it no longer works. I compiled a version with MAX-SLOTS 8 too. But the problem persists.

Comment 3 Bob Relyea 2012-11-30 23:50:31 UTC
I'll need a 2048K key card that is failing. I seem to remember that some work has been done to support 2K keys, but I have no 2K tokens to verify.

Also, are we talking PIV, CAC or coolkey applets on the card (it matters).

Finally what 'MAX-SLOTS' thing are you talking about?

Anyway, if I have a card in hand, I'll dev_ack+ this.

bob

Comment 4 Robert Ladd 2012-12-02 03:46:47 UTC
I can't provide my active identity activkey :-(. I'm not sure what PIV is. I believe that it's CAC. There is a patch from CAC that adjusts slots.h and slots.cpp. This patch adds a #define MAX-SLOTS=3.

Is there a way that I can help you, like running in debug mode? One of my co-workers has this working with the new 2k token cert on Ubuntu. It's the weekend so I'm waiting to hear back from him.

Comment 5 Robert Ladd 2012-12-13 20:46:35 UTC
Here is an update. A friend who was running Ubuntu 10.04 and had the same problem was able to use my process and fix his system. We then took a diff of his coolkey source files and discovered the following missing from the Fedora and Red Hat source files. When you add these changes to the coolkey source files, PKCS11_INSPECT works again.

There is a new problem with the pkcs11_inspect and other tools where it can't read the 2048-bit key.  

List of changes below that need to be an additional patch to coolkey for the active_key_patching.

--- ./coolkey-1.1.0.stdpatched/src/coolkey/object.cpp	2012-12-13 11:20:50.356151100 -0800
+++ ./coolkey-1.1.0/src/coolkey/object.cpp	2012-12-13 10:42:00.028178027 -0800
@@ -1027,7 +1027,7 @@
 
     /* So we know what the key is supposed to be used for based on
      * the instance */
-    if (instance == 2) {
+    if (instance >= 2) {
 	decrypt = TRUE;
     }
 
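Review bot: widening `instance == 2` to `instance >= 2` marks every object in slot 2 and above as a decryption key, but nothing in the patch establishes that the upper ActivKey slots hold key-management certificates. The flag should follow the certificate's key usage rather than the slot index; at minimum, the comment above the test should state why slots >= 2 are assumed to be decryption keys.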
@@ -1041,7 +1041,12 @@
     setAttribute(CKA_ID, &id);
     CKYBuffer_FreeData(&id);
     setAttributeULong(CKA_CERTIFICATE_TYPE, CKC_X_509);
-    setAttribute(CKA_LABEL, CAC_Label[instance]);
+    int keyIndex = instance;
+    /* ActivKey has up to 8 slots, read only the first cert from slots > 2 */
+    if(instance > 2) {
+	keyIndex = 0;
+    }
+    setAttribute(CKA_LABEL, CAC_Label[keyIndex]);
 
     CKYBuffer derSerial; CKYBuffer_InitEmpty(&derSerial);
     CKYBuffer derSubject; CKYBuffer_InitEmpty(&derSubject);
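Review bot: mapping every `instance > 2` to `keyIndex = 0` gives each certificate in slots 3 and above the same CKA_LABEL as slot 0, so a PKCS#11 client that selects an object by label cannot distinguish them. Either extend `CAC_Label` to `MAX_CERT_SLOTS` entries or derive the label from the instance number, and reword the comment, which currently says "read only the first cert" while the code reuses only the first label.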
--- ./coolkey-1.1.0.stdpatched/src/coolkey/slot.cpp	2012-12-13 11:20:50.432151131 -0800
+++ ./coolkey-1.1.0/src/coolkey/slot.cpp	2012-12-13 10:26:38.802139604 -0800
@@ -2287,7 +2287,7 @@
 	if (instance == 0) throw e;
 	// If the CAC doesn't have instance '2', and we were updating
 	// the shared memory, set it to valid now.
-	if ((instance == 2) && !shmem.isValid()) {
+	if ((instance >= 2) && !shmem.isValid()) {
 	    shmem.setValid();
 	}
 	return;
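Review bot: the comment still refers to instance '2' while the condition now fires for any `instance >= 2`, and this branch runs when a certificate is missing. If slot 2 is absent, shared memory is marked valid before slots 3 and up have been tried, so another process can treat `shmem` as complete without the upper certificates; use the `MAX_CERT_SLOTS - 1` end condition that a later hunk introduces.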
@@ -2297,7 +2297,12 @@
 						 instance, OSTimeNow() - time);
 
     if (instance == 0) {
-	readCACCertificateFirst(&rawCert, &nextSize, true);
+    /* do not fail if 0 instance is not found */
+	readCACCertificateFirst(&rawCert, &nextSize, false);
+	if(CKYBuffer_Size (&rawCert) == 0) {
+	   shmem.clearValid(0);
+	   return;
+	}
 	log->log("CAC Cert %d: fetch CAC Cert:  %d ms\n", 
 						instance, OSTimeNow() - time);
     }
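Review bot: this change silently makes an empty instance 0 non-fatal, while the existing comment in a later hunk still states that "CAC only requires the Certificate in pki '0'"; if instance 0 may be empty on ActivKey, update that comment and say why returning from here is safe (the caller's loop simply continues with instance 1). The inserted comment line is also space-indented inside a tab-indented block.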
@@ -2312,7 +2317,7 @@
 	CKYSize shmCertSize = CKYBuffer_Size(&shmCert);
 	const CKYByte *shmData = CKYBuffer_Data(&shmCert);
 
-	if (instance != 0) {
+	if ((instance > 0) && (instance <=2)) {
 	    needRead = 0;
 	}
 
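Review bot: restricting `needRead = 0` to instances 1 and 2 means instances 3 and above are always fetched from the card even when a shared-memory copy exists, bypassing the cache that the original `instance != 0` test relied on and adding per-card cost of the kind comment 8 objects to. If upper slots deliberately cannot be trusted from shared memory, say so in a comment; otherwise keep the original test. `<=2` should also be spaced `<= 2` to match the file.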
@@ -2343,7 +2348,7 @@
 	    if (status != CKYSUCCESS) {
 		/* CAC only requires the Certificate in pki '0' */
 		/* if pki '1' or '2' are empty, treat it as a non-fatal error*/
-		if (instance == 2) {
+		if (instance == MAX_CERT_SLOTS -1) {
 		    /* we've attempted to read all the certs, shared memory
 		     * is now valid */
 		    shmem.setValid();
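Review bot: `MAX_CERT_SLOTS` is used here and in the loop hunk further down, but no hunk in this patch defines it, so the patch as posted will not build against the stock tree; include its definition and value, and write the expression as `MAX_CERT_SLOTS - 1`. The comment two lines above still says only pki '1' or '2' may be empty and should be updated to match.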
@@ -2361,7 +2366,7 @@
 	    handleConnectionError();
 	}
 	shmem.writeCACCert(&rawCert, instance);
-	if (instance == 2) {
+	if (instance >= 2) {
 	    shmem.setValid();
 	}
     }
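Review bot: this `instance >= 2` check is inconsistent with the `MAX_CERT_SLOTS - 1` test in the previous hunk: on the success path shared memory is marked valid as soon as slot 2 is written, before slots 3 and up, whereas the failure path waits for the last slot. Use the same end-of-loop condition in both places.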
@@ -2436,9 +2441,9 @@
     std::list<ListObjectInfo>::iterator iter;
 
     if (state & CAC_CARD) {
-	loadCACCert(0);
-	loadCACCert(1);
-	loadCACCert(2);
+	for(int i = 0; i < MAX_CERT_SLOTS; ++i) {
+		loadCACCert(i);
+	}
 	status = trans.end();
 	loadReaderObject();
 	return;
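Review bot: the loop is the right shape, but `for(` and the double-tab body differ from the surrounding style, and with `MAX_CERT_SLOTS` above 3 every iteration past slot 2 costs a card round trip on cards that only carry three certificates, which is the regression risk raised in comment 8. Consider stopping the probe once a read beyond slot 2 returns no certificate instead of visiting every slot.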
--- ./coolkey-1.1.0.stdpatched/src/libckyapplet/cky_base.h	2012-12-13 11:20:50.353151098 -0800
+++ ./coolkey-1.1.0/src/libckyapplet/cky_base.h	2012-12-13 10:39:44.963172867 -0800
@@ -45,6 +45,15 @@
     void *reserved4; \
     void *reserved5;
 
+#define CKYBUFFER_PRIVATE \
+    CKYSize len; \
+    CKYSize size; \
+    CKYByte *data; \
+    void  *reserved;
+
+#define CKYAPDU_PRIVATE \
+    CKYBuffer apduBuf; \
+    void *reserved;
 
 typedef struct _CKYBuffer {
 #ifdef CKYBUFFER_PRIVATE
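Review bot: defining `CKYBUFFER_PRIVATE` and `CKYAPDU_PRIVATE` unconditionally in the public header defeats the `#ifdef CKYBUFFER_PRIVATE` guard directly below it, exposing the struct internals to every includer and changing the layout seen by code built against the stock header. This looks like a local build workaround unrelated to the slot change; either drop it from the patch or explain why it is required.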

Comment 6 Robert Ladd 2012-12-13 20:48:08 UTC
Here is the new error from PKCS11_INSPECT.  Note the key is 2048-bit versus 1024-bit.

[laddr@(none) coolkey-1.1.0]$ pkcs11_inspect 
PIN for token: 
ERROR:pkcs11_inspect.c:142: verify_certificate() failed: 
[laddr@(none) coolkey-1.1.0]$

Comment 7 Robert Ladd 2012-12-13 21:01:37 UTC
The error message is resolved; this was due to the fact that I needed to import the new 2048-bit key with certutil.

Comment 8 Bob Relyea 2012-12-13 22:31:56 UTC
So the issue wasn't 2K keys, the issue was that the token has more than 3 certs (or at least it has certs in non-standard slots 4-7).

This is why I really need tokens in hand that have the same configuration. If Both Asha and I have test tokens, we can test new versions of coolkey against these tokens to make sure there are no regressions.

Adding a blind patch without tokens to test is not a good idea (not to mention this patch will kill the performance of real CAC and PIV cards, so I can't just take it).

So... unless someone sends me a card that has certs in those upper slots, I really can't support that configuration.

bob

Comment 9 Robert Ladd 2012-12-17 00:25:59 UTC
Hi Bob,

I cannot provide you an Activkey with the certificate enabled; these keys contain our certificate and access information to our corp environment. I would be more than willing to test your fixes and help in any other way I can.

Please advise. Is there a way I can private message you?

Comment 10 Bob Relyea 2012-12-17 18:15:37 UTC
I don't need certs enabled for an active environment, only cards with certs in a test environment that follow the environment's deployment model. If you can issue some active cards with test certs (even expired certs will work for testing the coolkey module) in the extra slots beyond the 3 DoD slots, I can use that to 1) make sure I'm supporting that configuration, and 2) test for regressions.

Actually I need 2 cards, one for me and one for our QA team.

bob

Comment 12 Asha Akkiangady 2013-03-25 19:58:26 UTC
QE doesn't have smart card to verify this bug.

Comment 13 RHEL Program Management 2013-03-25 20:06:33 UTC
Quality Engineering Management has reviewed and declined this request.
You may appeal this decision by reopening this request.

