Bug 988620 - Coolkey does not work when certs not loaded on first 3 "slots" of the CAC
Coolkey does not work when certs not loaded on first 3 "slots" of the CAC
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: coolkey (Show other bugs)
5.9
Unspecified Unspecified
medium Severity medium
: rc
: 5.11
Assigned To: Bob Relyea
Asha Akkiangady
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-07-25 22:06 EDT by Angelo Alvarez
Modified: 2013-10-15 15:25 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-10-15 15:25:20 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
ActiveClient screenshot showing certs installed in last 3 slots on CAC. (21.88 KB, image/png)
2013-07-25 22:08 EDT, Angelo Alvarez
no flags Details

  None (edit)
Description Angelo Alvarez 2013-07-25 22:06:49 EDT
Description of problem:
Newer versions of ActivClient client (software for Windows) decided to use a diffent slot on the Common Access Card (CAC) for certificate storage. (Information about certificates can be found in "Help -> Troubleshooting"). ActiveKey SIM supports up to 8 certificates.

Unfortunately CoolKey does not find the certificates if they are not loaded in the first 3 slots of the CAC.

Version-Release number of selected component (if applicable):
coolkey-1.1.0-15.el5

How reproducible:

Steps to Reproduce:
1. Insert a CAC in reader.
2. Open a terminal and type "pki-loginfinder -debug"


Actual results:

DEBUG:pam_config.c:188: Using config file /etc/pam_pkcs11/pam_pkcs11.conf
DEBUG:pkcs11.c:65: Initializing NSS ...
DEBUG:pkcs11.c:75: Initializing NSS ... database=/etc/pki/nssdb
DEBUG:pkcs11.c:89: ...  NSS Complete
DEBUG:pklogin_finder.c:67: loading pkcs #11 module...
DEBUG:pkcs11.c:101: Looking up module in list
DEBUG:pkcs11.c:104: modList = 0x9e1cd20 next = 0x9e1dbf0

DEBUG:pkcs11.c:105: dllName= <null> 

DEBUG:pkcs11.c:104: modList = 0x9e1dbf0 next = 0x0

DEBUG:pkcs11.c:105: dllName= libcoolkeypk11.so 

DEBUG:pklogin_finder.c:75: initialising pkcs #11 module...
DEBUG:pklogin_finder.c:87: no token available

Expected results:

Something like this:

DEBUG:pam_config.c:188: Using config file /etc/pam_pkcs11/pam_pkcs11.conf
DEBUG:pkcs11.c:65: Initializing NSS ...
DEBUG:pkcs11.c:75: Initializing NSS ... database=/etc/pki/nssdb
DEBUG:pkcs11.c:89: ...  NSS Complete
DEBUG:pklogin_finder.c:67: loading pkcs #11 module...
DEBUG:pkcs11.c:101: Looking up module in list
DEBUG:pkcs11.c:104: modList = 0x9012d20 next = 0x9013bf0

DEBUG:pkcs11.c:105: dllName= <null> 

DEBUG:pkcs11.c:104: modList = 0x9013bf0 next = 0x0

DEBUG:pkcs11.c:105: dllName= libcoolkeypk11.so 

DEBUG:pklogin_finder.c:75: initialising pkcs #11 module...
DEBUG:pklogin_finder.c:101: PIN = [********]
DEBUG:pkcs11.c:399: cert 0: found (DOE.JOHN.9999999999:CAC ID Certificate), "CN=DOE.JOHN.9999999999,OU=USN,OU=PKI,OU=DoD,O=U.S. Government,C=US"
DEBUG:pkcs11.c:399: cert 1: found (DOE.JOHN.9999999999:CAC Email Signature Certificate), "CN=DOE.JOHN.9999999999,OU=USN,OU=PKI,OU=DoD,O=U.S. Government,C=US"
DEBUG:mapper_mgr.c:172: Retrieveing mapper module list
DEBUG:mapper_mgr.c:73: Loading static module for mapper 'cn'
DEBUG:mapper_mgr.c:197: Inserting mapper [cn] into list
DEBUG:mapper_mgr.c:73: Loading static module for mapper 'uid'
DEBUG:mapper_mgr.c:197: Inserting mapper [uid] into list
DEBUG:mapper_mgr.c:73: Loading static module for mapper 'pwent'
DEBUG:mapper_mgr.c:197: Inserting mapper [pwent] into list
DEBUG:mapper_mgr.c:73: Loading static module for mapper 'null'
DEBUG:mapper_mgr.c:197: Inserting mapper [null] into list
DEBUG:pklogin_finder.c:138: verifing the certificate for the key #1
DEBUG:cert_vfy.c:37: Verifying Cert: DOE.JOHN.9999999999:CAC ID Certificate (CN=DOE.JOHN.9999999999,OU=USN,OU=PKI,OU=DoD,O=U.S. Government,C=US)
DEBUG:pklogin_finder.c:154: Trying to deduce login from certificate
DEBUG:pklogin_finder.c:157: find_user() failed: get_file() failed: open() failed: Permission denied
DEBUG:mapper_mgr.c:214: unloading mapper module list
DEBUG:mapper_mgr.c:137: calling mapper_module_end() cn
DEBUG:mapper_mgr.c:148: Module cn is static: don't remove
DEBUG:mapper_mgr.c:137: calling mapper_module_end() uid
DEBUG:mapper_mgr.c:148: Module uid is static: don't remove
DEBUG:mapper_mgr.c:137: calling mapper_module_end() pwent
DEBUG:mapper_mgr.c:148: Module pwent is static: don't remove
DEBUG:mapper_mgr.c:137: calling mapper_module_end() null
DEBUG:mapper_mgr.c:148: Module null is static: don't remove
DEBUG:pklogin_finder.c:179: releasing pkcs #11 module...
DEBUG:pklogin_finder.c:182: Process completed


Additional info:
Similar bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=882079
https://bugzilla.redhat.com/show_bug.cgi?id=826286

A patch for this issue can be found here:
https://github.com/Vanuan/coolkey/tree/multislot_support
but I was unable to compile and install the software likely due to older versions of the required libraries.
Comment 1 Angelo Alvarez 2013-07-25 22:08:18 EDT
Created attachment 778632 [details]
ActiveClient screenshot showing certs installed in last 3 slots on CAC.
Comment 2 Bob Relyea 2013-07-26 12:45:50 EDT
So the CAC spec only specifies 3 slots. I'm OK with adding support for more the 3, but I need 2 things:  1) a spec that lists what the other slots are, and actual sample cards that I can test.

We'll also need sample cards to test for QA.. Needless to say this is already too late for RHEL 5.10.
Comment 3 Angelo Alvarez 2013-07-29 23:04:34 EDT
Since it's not possible to upgrade coolkey, perhaps I can try modifying the source.  I downloaded the SRPM for coolkey.  Which coolkey source files would require modification to address this issue?  Thank you for your assistance.
Comment 5 Andrius Benokraitis 2013-10-15 15:25:20 EDT
No additional minor releases are planned for Production Phase 2 in Red Hat Enterprise Linux 5, and therefore Red Hat is closing this bugzilla as it does not meet the inclusion criteria as stated in:
https://access.redhat.com/site/support/policy/updates/errata/#Production_2_Phase

Note You need to log in before you can comment on or make changes to this bug.