[Bug 661643] New: libcoolkey doesn't work with D0D 144k CAC cards
https://bugzilla.novell.com/show_bug.cgi?id=661643
https://bugzilla.novell.com/show_bug.cgi?id=661643#c0

           Summary: libcoolkey doesn't work with D0D 144k CAC cards
    Classification: openSUSE
           Product: openSUSE 11.3
           Version: Final
          Platform: x86-64
        OS/Version: openSUSE 11.3
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Security
        AssignedTo: security-team@suse.de
        ReportedBy: martin@etainable.com
         QAContact: qa@suse.de
          Found By: ---
           Blocker: ---

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:2.0b8) Gecko/20101214 Firefox/4.0b8

Here is the Red Hat bug for the issue. The Red Hat library works with openSUSE:
https://bugzilla.redhat.com/show_bug.cgi?id=534172

Need to get this bug into the openSUSE product so it can be used with DoD...

Reproducible: Always

Steps to Reproduce:
1. Load coolkey into Firefox (Preferences -> Advanced -> Security)
2. Insert DoD CAC smartcard in USB reader
3. Note no user info loaded under the security device settings

Actual Results:
None

Expected Results:
Request user PIN and load user settings from device

Here is reasonable documentation on CAC use from the Ubuntu site:
https://help.ubuntu.com/community/CommonAccessCard

Key note from the web page directly above:

    Note that coolkey does not work on 10.04 LTS (maybe some earlier versions)
    and/or newer 144K CAC cards. You can get an updated coolkey from
    http://koji.fedoraproject.org/koji/packageinfo?packageID=5
    It's an RPM. Just extract the lib folder and copy to /usr/ overwriting
    existing files. Follow this procedure:
    wget http://kojipkgs.fedoraproject.org/packages/coolkey/1.1.0/17.fc15/i686/coolke...
    (or a later version, if available)

-- 
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=661643#c1

Marcus Meissner <meissner@novell.com> changed:

           What    |Removed               |Added
----------------------------------------------------------------------------
                CC|                      |meissner@novell.com
        AssignedTo|security-team@suse.de |sbrabec@novell.com

--- Comment #1 from Marcus Meissner <meissner@novell.com> 2010-12-30 08:46:00 UTC ---
-> sbrabec is the maintainer
https://bugzilla.novell.com/show_bug.cgi?id=661643#c2

Stanislav Brabec <sbrabec@novell.com> changed:

           What    |Removed               |Added
----------------------------------------------------------------------------
          Priority|P5 - None             |P4 - Low
            Status|NEW                   |ASSIGNED

--- Comment #2 from Stanislav Brabec <sbrabec@novell.com> 2010-12-30 14:36:40 CET ---
I don't have any test hardware for coolkey, so I can just pick the Fedora
package and port all changes.

Surprisingly, coolkey-1.1.0-17.fc15.src.rpm fails to compile with a syntax
error. I will try to fix this error and ask you for testing.

    cky_card.c:110:5: error: expected declaration specifiers or '...' before 'LPSCARD_READERSTATE'
    cky_card.c: In function 'CKYCardContext_WaitForStatusChange':
    cky_card.c:844:8: warning: passing argument 3 of 'ctx->scard->SCardGetStatusChange' makes integer from pointer without a cast
    cky_card.c:844:8: note: expected 'long unsigned int' but argument is of type 'struct SCARD_READERSTATE *'
    cky_card.c:844:8: error: too many arguments to function 'ctx->scard->SCardGetStatusChange'
https://bugzilla.novell.com/show_bug.cgi?id=661643#c3

--- Comment #3 from Martin Christeson <martin@etainable.com> 2010-12-30 14:06:13 UTC ---
I would be very willing to help with the testing. I appreciate you looking
into this.
https://bugzilla.novell.com/show_bug.cgi?id=661643#c4

Stanislav Brabec <sbrabec@novell.com> changed:

           What    |Removed               |Added
----------------------------------------------------------------------------
            Status|ASSIGNED              |NEEDINFO
      InfoProvider|                      |martin@etainable.com

--- Comment #4 from Stanislav Brabec <sbrabec@novell.com> 2010-12-31 15:47:32 CET ---
coolkey-pcsc-lite-fix.patch from Fedora ports coolkey to the latest
pcsc-lite, which was not yet part of openSUSE. Without this patch, it
compiles with older pcsc-lite versions.

Please test the preliminary versions from
http://download.opensuse.org/repositories/home:/sbrabec:/branches:/security:...
need to update pcsc-lite as well).
https://bugzilla.novell.com/show_bug.cgi?id=661643#c5

--- Comment #5 from Martin Christeson <martin@etainable.com> 2011-01-01 00:15:04 UTC ---
I get this error with the updated pcscd. I validated that update-reader.conf
is not in /usr/sbin.

    /etc/init.d/pcscd start
    Starting PC/SC smart card daemon (pcscd): ./pcscd: line 50: /usr/sbin/update-reader.conf: No such file or directory

"pcscd -f" will run from the command line, but the /etc/init.d/pcscd startup
script doesn't work, with the error above. Not sure what the original intent
of the third line of the startup script below was. Is update-reader an
artifact from the old version of pcsc-lite?

.. from startup script

    start() {
        echo -n $"Starting PC/SC smart card daemon ($prog): "
        /usr/sbin/update-reader.conf && startproc $exec $PCSCD_OPTIONS
        retval=$?
        rc_status
        echo
        [ $retval -eq 0 ] && touch $lockfile
        rc_status -v
    }
https://bugzilla.novell.com/show_bug.cgi?id=661643#c6

Martin Christeson <martin@etainable.com> changed:

           What    |Removed               |Added
----------------------------------------------------------------------------
            Status|NEEDINFO              |ASSIGNED
      InfoProvider|martin@etainable.com  |

--- Comment #6 from Martin Christeson <martin@etainable.com> 2011-01-01 18:11:02 UTC ---
I removed the test for update-reader.conf from startup and pcscd starts fine.

I loaded the new libcoolkey in Firefox and was able to authenticate with a
CAC144 card against a DoD site. Use for web site login is validated. I also
tested a digitally signed email, so this seems to be working.

Recommend fixing the startup script and this should be good to go.
https://bugzilla.novell.com/show_bug.cgi?id=661643#c7

--- Comment #7 from Stanislav Brabec <sbrabec@novell.com> 2011-01-04 18:01:27 CET ---
Thanks for your testing.

Yes, the whole init script is from an old version of pcsc-lite. The new
upstream version does not use an init script any more. They use a daemon
started on demand using the SUID flag. Our security team recommends not
using SUID, so openSUSE will stick with the init script.

update-reader.conf should be obsolete now, as the function now seems to be
integrated in the daemon.
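The failure in comment #5 comes from the `&&` chain in start(): when /usr/sbin/update-reader.conf is absent, the chain short-circuits and the daemon is never launched. The following is an added example (not the openSUSE pcsc-lite init script) of a start routine that skips the legacy helper when it is missing but still treats a present-but-failing helper as fatal; the helper, daemon command and lock file are parameters only so the logic can be exercised against stand-ins.

```sh
#!/bin/sh
# Added example, not the openSUSE pcsc-lite init script.
#
# The shipped script did:
#     /usr/sbin/update-reader.conf && startproc $exec $PCSCD_OPTIONS
# Once the helper was gone (new pcsc-lite integrates its job into the daemon)
# the && short-circuited, so pcscd was never started and the lock file never
# written. The routine below keeps the original success/lock-file semantics
# while tolerating an absent helper.
#
# Parameters are stand-ins for what a real script would hard-code, e.g.
#     start_pcscd /usr/sbin/update-reader.conf "startproc $exec $PCSCD_OPTIONS" "$lockfile"
start_pcscd() {
    helper=$1     # legacy reader-config helper; may legitimately be absent
    daemon=$2     # command that launches the daemon (word-split on purpose)
    lockfile=$3   # created only when the daemon actually started

    # Absent helper: expected with the new pcsc-lite, skip it silently.
    # Present but failing helper: still abort the start, as the old script did.
    if [ -x "$helper" ]; then
        "$helper" || return 1
    fi

    # Start the daemon regardless of whether the helper existed.
    $daemon
    retval=$?
    [ "$retval" -eq 0 ] && touch "$lockfile"
    return "$retval"
}
```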
https://bugzilla.novell.com/show_bug.cgi?id=661643#c8

Stanislav Brabec <sbrabec@novell.com> changed:

           What    |Removed               |Added
----------------------------------------------------------------------------
            Status|ASSIGNED              |NEEDINFO
      InfoProvider|                      |martin@etainable.com

--- Comment #8 from Stanislav Brabec <sbrabec@novell.com> 2011-01-10 19:56:26 CET ---
I did a final merge of Fedora and openSUSE patches for coolkey and fixed the
init script of pcsc-lite. Please test from the same repository as before.
You need to wait for the rebuild:
https://build.opensuse.org/project/monitor?project=home%3Asbrabec%3Abranches...

I also ported all affected packages to the new pcsc-lite, so the changes can
be pushed to Factory.
https://bugzilla.novell.com/show_bug.cgi?id=661643#c9

--- Comment #9 from Stanislav Brabec <sbrabec@novell.com> 2011-01-11 14:39:15 CET ---
Updates were just moved to security:chipcard. It should rebuild soon.
https://build.opensuse.org/project/show?project=security%3Achipcard
http://download.opensuse.org/repositories/security:/chipcard/openSUSE_11.3/
https://bugzilla.novell.com/show_bug.cgi?id=661643#c10

Martin Christeson <martin@etainable.com> changed:

           What    |Removed               |Added
----------------------------------------------------------------------------
            Status|NEEDINFO              |ASSIGNED
      InfoProvider|martin@etainable.com  |

--- Comment #10 from Martin Christeson <martin@etainable.com> 2011-01-11 23:10:27 UTC ---
I loaded the versions from the link. I had to stop the PCSC service and
restart (as two operations, and yank the reader out of USB) to get libcoolkey
to load. When pcscd was stopped, Mozilla tried to start pcscd and didn't have
proper access rights as a regular user. After I restarted pcscd by hand as
root, adding the libcoolkey library to Firefox and Thunderbird worked.

If you do an RPM update while a smartcard reader is connected (in Firefox
4.0), it stops working. Didn't test Thunderbird to validate this behavior,
just reloaded assuming it would be the same. I have always had to remove the
security device and reload to get it working.

Once the libraries were reloaded, I did the following tests:
- Card-based web site login - Success
- Signed and encrypted an email - Success
- When the card was removed, the system had no memory of having the cert - Success

I think this is good to go. Other comments reflect info for user training.
https://bugzilla.novell.com/show_bug.cgi?id=661643#c11

--- Comment #11 from Stanislav Brabec <sbrabec@novell.com> 2011-01-12 14:57:07 CET ---
Thanks for testing.

I do not understand the need for the manual restart. The rpm scripts should
do that automatically. Did you restart pcscd directly or did you use the
init script? (rpm uses the init script)
https://bugzilla.novell.com/show_bug.cgi?id=661643#c12

--- Comment #12 from Martin Christeson <martin@etainable.com> 2011-01-12 18:02:41 UTC ---
I used the init scripts. The issue was a bit annoying, but a one-time
problem...
https://bugzilla.novell.com/show_bug.cgi?id=661643#c13

William Witt <william@witt-family.net> changed:

           What    |Removed               |Added
----------------------------------------------------------------------------
                CC|                      |william@witt-family.net

--- Comment #13 from William Witt <william@witt-family.net> 2011-03-04 02:43:52 UTC ---
I'm not sure how to verify whether or not my CAC is a 144k. In orange across
the top of the back is "GEMALTO TOPGLDX4 144" plus a 28-digit string of
mostly numbers (could be hex). It was issued approx. 6 months ago and did not
work under any Linux distro that I tried, until today. I'm using 11.4 RC2
(GNOME) and libcoolkey from the repos and can confirm that it works.