Bug 906537 - CAC card ( Gemalto GCX4 72k) shows invalid-signature message during pkinit
CAC card ( Gemalto GCX4 72k) shows invalid-signature message during pkinit
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: coolkey (Show other bugs)
Unspecified Unspecified
unspecified Severity unspecified
: rc
: ---
Assigned To: Bob Relyea
Asha Akkiangady
Depends On:
  Show dependency treegraph
Reported: 2013-01-31 15:35 EST by Asha Akkiangady
Modified: 2017-02-06 10:16 EST (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Known Issue
Doc Text:
Personal Identity Verification (PIV) Endpoint Cards which support both CAC and PIV interfaces might not work with the latest coolkey update; some signature operations like PKINIT can fail. To work around this problem, downgrade coolkey to the version shipped with Red Hat Enterprise Linux 6.3.
Story Points: ---
Clone Of:
Last Closed: 2013-11-21 18:05:40 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Asha Akkiangady 2013-01-31 15:35:11 EST
Description of problem:
DOD CAC ( Gemalto GCX4 72k) shows invalid-signature during pkinit.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. kinit using the CAC card.

Actual results:
Eror message: Invalid Signature while getting the initial credentials.

Expected results:
kinit with this CAC card should be successful.

Additional info:
Downgraded the coolkey version to coolkey-1.1.0-20, pkinit works fine for the card. Getting the invalid signature error for the card with cookey -21 and also -24. 

Another CAC (Gemalto TOPDLGX 144) pkinit works fine with coolkey -26.
Comment 3 Jenny Galipeau 2013-02-01 14:15:42 EST
Bob can you please add the appropriate information in the doc text field for the technical note - know issues
Comment 4 Bob Relyea 2013-02-01 17:59:11 EST
Doc Text field updated.
Comment 5 Bob Relyea 2013-02-01 17:59:59 EST
Is there anything else I need to do (set flags here or in the errata?

Comment 11 Bob Relyea 2013-08-12 15:18:31 EDT
Signatures appear to work with my Gemalto  GCX4 72K PIV endpoint card with built -27
Comment 13 Roshni 2013-09-27 11:26:32 EDT
Works fine using coolkey-1.1.0-30.el6 on RHEL 6.5
Comment 14 errata-xmlrpc 2013-11-21 18:05:40 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.