Bug 906537 - CAC card ( Gemalto GCX4 72k) shows invalid-signature message during pkinit
Summary: CAC card ( Gemalto GCX4 72k) shows invalid-signature message during pkinit
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: coolkey
Version: 6.4
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: ---
Assignee: Bob Relyea
QA Contact: Asha Akkiangady
Depends On:
TreeView+ depends on / blocked
Reported: 2013-01-31 20:35 UTC by Asha Akkiangady
Modified: 2017-02-06 15:16 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Known Issue
Doc Text:
Personal Identity Verification (PIV) Endpoint Cards which support both CAC and PIV interfaces might not work with the latest coolkey update; some signature operations like PKINIT can fail. To work around this problem, downgrade coolkey to the version shipped with Red Hat Enterprise Linux 6.3.
Clone Of:
Last Closed: 2013-11-21 23:05:40 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2013:1699 0 normal SHIPPED_LIVE coolkey bug fix and enhancement update 2013-11-20 21:52:09 UTC

Description Asha Akkiangady 2013-01-31 20:35:11 UTC
Description of problem:
DOD CAC ( Gemalto GCX4 72k) shows invalid-signature during pkinit.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. kinit using the CAC card.

Actual results:
Eror message: Invalid Signature while getting the initial credentials.

Expected results:
kinit with this CAC card should be successful.

Additional info:
Downgraded the coolkey version to coolkey-1.1.0-20, pkinit works fine for the card. Getting the invalid signature error for the card with cookey -21 and also -24. 

Another CAC (Gemalto TOPDLGX 144) pkinit works fine with coolkey -26.

Comment 3 Jenny Severance 2013-02-01 19:15:42 UTC
Bob can you please add the appropriate information in the doc text field for the technical note - know issues

Comment 4 Bob Relyea 2013-02-01 22:59:11 UTC
Doc Text field updated.

Comment 5 Bob Relyea 2013-02-01 22:59:59 UTC
Is there anything else I need to do (set flags here or in the errata?


Comment 11 Bob Relyea 2013-08-12 19:18:31 UTC
Signatures appear to work with my Gemalto  GCX4 72K PIV endpoint card with built -27

Comment 13 Roshni 2013-09-27 15:26:32 UTC
Works fine using coolkey-1.1.0-30.el6 on RHEL 6.5

Comment 14 errata-xmlrpc 2013-11-21 23:05:40 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.