Description of problem: Newer versions of ActivClient client (software for Windows) decided to use a diffent slot on the Common Access Card (CAC) for certificate storage. (Information about certificates can be found in "Help -> Troubleshooting"). ActiveKey SIM supports up to 8 certificates. Unfortunately CoolKey does not find the certificates if they are not loaded in the first 3 slots of the CAC. Version-Release number of selected component (if applicable): coolkey-1.1.0-15.el5 How reproducible: Steps to Reproduce: 1. Insert a CAC in reader. 2. Open a terminal and type "pki-loginfinder -debug" Actual results: DEBUG:pam_config.c:188: Using config file /etc/pam_pkcs11/pam_pkcs11.conf DEBUG:pkcs11.c:65: Initializing NSS ... DEBUG:pkcs11.c:75: Initializing NSS ... database=/etc/pki/nssdb DEBUG:pkcs11.c:89: ... NSS Complete DEBUG:pklogin_finder.c:67: loading pkcs #11 module... DEBUG:pkcs11.c:101: Looking up module in list DEBUG:pkcs11.c:104: modList = 0x9e1cd20 next = 0x9e1dbf0 DEBUG:pkcs11.c:105: dllName= <null> DEBUG:pkcs11.c:104: modList = 0x9e1dbf0 next = 0x0 DEBUG:pkcs11.c:105: dllName= libcoolkeypk11.so DEBUG:pklogin_finder.c:75: initialising pkcs #11 module... DEBUG:pklogin_finder.c:87: no token available Expected results: Something like this: DEBUG:pam_config.c:188: Using config file /etc/pam_pkcs11/pam_pkcs11.conf DEBUG:pkcs11.c:65: Initializing NSS ... DEBUG:pkcs11.c:75: Initializing NSS ... database=/etc/pki/nssdb DEBUG:pkcs11.c:89: ... NSS Complete DEBUG:pklogin_finder.c:67: loading pkcs #11 module... DEBUG:pkcs11.c:101: Looking up module in list DEBUG:pkcs11.c:104: modList = 0x9012d20 next = 0x9013bf0 DEBUG:pkcs11.c:105: dllName= <null> DEBUG:pkcs11.c:104: modList = 0x9013bf0 next = 0x0 DEBUG:pkcs11.c:105: dllName= libcoolkeypk11.so DEBUG:pklogin_finder.c:75: initialising pkcs #11 module... DEBUG:pklogin_finder.c:101: PIN = [********] DEBUG:pkcs11.c:399: cert 0: found (DOE.JOHN.9999999999:CAC ID Certificate), "CN=DOE.JOHN.9999999999,OU=USN,OU=PKI,OU=DoD,O=U.S. Government,C=US" DEBUG:pkcs11.c:399: cert 1: found (DOE.JOHN.9999999999:CAC Email Signature Certificate), "CN=DOE.JOHN.9999999999,OU=USN,OU=PKI,OU=DoD,O=U.S. Government,C=US" DEBUG:mapper_mgr.c:172: Retrieveing mapper module list DEBUG:mapper_mgr.c:73: Loading static module for mapper 'cn' DEBUG:mapper_mgr.c:197: Inserting mapper [cn] into list DEBUG:mapper_mgr.c:73: Loading static module for mapper 'uid' DEBUG:mapper_mgr.c:197: Inserting mapper [uid] into list DEBUG:mapper_mgr.c:73: Loading static module for mapper 'pwent' DEBUG:mapper_mgr.c:197: Inserting mapper [pwent] into list DEBUG:mapper_mgr.c:73: Loading static module for mapper 'null' DEBUG:mapper_mgr.c:197: Inserting mapper [null] into list DEBUG:pklogin_finder.c:138: verifing the certificate for the key #1 DEBUG:cert_vfy.c:37: Verifying Cert: DOE.JOHN.9999999999:CAC ID Certificate (CN=DOE.JOHN.9999999999,OU=USN,OU=PKI,OU=DoD,O=U.S. Government,C=US) DEBUG:pklogin_finder.c:154: Trying to deduce login from certificate DEBUG:pklogin_finder.c:157: find_user() failed: get_file() failed: open() failed: Permission denied DEBUG:mapper_mgr.c:214: unloading mapper module list DEBUG:mapper_mgr.c:137: calling mapper_module_end() cn DEBUG:mapper_mgr.c:148: Module cn is static: don't remove DEBUG:mapper_mgr.c:137: calling mapper_module_end() uid DEBUG:mapper_mgr.c:148: Module uid is static: don't remove DEBUG:mapper_mgr.c:137: calling mapper_module_end() pwent DEBUG:mapper_mgr.c:148: Module pwent is static: don't remove DEBUG:mapper_mgr.c:137: calling mapper_module_end() null DEBUG:mapper_mgr.c:148: Module null is static: don't remove DEBUG:pklogin_finder.c:179: releasing pkcs #11 module... DEBUG:pklogin_finder.c:182: Process completed Additional info: Similar bugs: https://bugzilla.redhat.com/show_bug.cgi?id=882079 https://bugzilla.redhat.com/show_bug.cgi?id=826286 A patch for this issue can be found here: https://github.com/Vanuan/coolkey/tree/multislot_support but I was unable to compile and install the software likely due to older versions of the required libraries.
Created attachment 778632 [details] ActiveClient screenshot showing certs installed in last 3 slots on CAC.
So the CAC spec only specifies 3 slots. I'm OK with adding support for more the 3, but I need 2 things: 1) a spec that lists what the other slots are, and actual sample cards that I can test. We'll also need sample cards to test for QA.. Needless to say this is already too late for RHEL 5.10.
Since it's not possible to upgrade coolkey, perhaps I can try modifying the source. I downloaded the SRPM for coolkey. Which coolkey source files would require modification to address this issue? Thank you for your assistance.
No additional minor releases are planned for Production Phase 2 in Red Hat Enterprise Linux 5, and therefore Red Hat is closing this bugzilla as it does not meet the inclusion criteria as stated in: https://access.redhat.com/site/support/policy/updates/errata/#Production_2_Phase