Bug | Resolution: Done | rhel-8.7.0 | ZStream | rhel-sst-security-crypto | ssg_security | Crypto23Q4 | Approved Blocker | Known Issue | x86_64
Description of problem:
evaluate RHEL-8 CardOS support for
https://github.com/OpenSC/OpenSC/issues/2591
https://github.com/OpenSC/OpenSC/issues/2591#issuecomment-1267311419
"
...snip...
The keys/certificates are instead in the path 3F 00 -> 20 00 and 20 01, which already points to DF D2 76 00 00 98 C0 00 00 and similar. In the trace, it is visible that the proprietary driver goes this path by default. I did not work enough with the PKCS#15 cards to be able to put something working together or point you to the right direction what needs to be changed in OpenSC to make this work, but I think we will need some fallback in sc_pkcs15emu_cardos_init() when sc_pkcs15_bind_internal() fails to read the information from standard path. Probably by manually creating the DF structures to aid the standard PKCS#15 code to find the final keys/certificates. I have the annotated APDUs from the trace if you want to pursue this challenge of getting your card working with OpenSC. I will probably not have much more time to do that now.
"
pkcs11-tool fails to list the card objects.
note: coolkey is reported to work on RHEL-7 for a "CardOS V5.3, 2014 from Charismathics GmbH"
Version-Release number of selected component (if applicable):
RHEL-8
opensc-0.20.0-4.el8.x86_64
opensc-tool -lan
Detected readers (pcsc)
Nr. Card Features Name
0 Yes Gemalto PC Twin Reader (E86696AE) 00 00
1 No Cherry KC 1000 SC [KC 1000 SC] 01 00
2 No Alcor Micro AU9560 02 00
Using reader with a card: Gemalto PC Twin Reader (E86696AE) 00 00
3b:d2:18:00:81:31:fe:58:c9:03:16
Atos CardOS
How reproducible:
N/A, no such card available at this moment
Steps to Reproduce:
1. N/A
2.
3.
Actual results:
no card objects listed by pkcs11-tool
Expected results:
yes
Additional info:
pkcs11-tool -O -l --module /usr/lib64/opensc-pkcs11.so
Using slot 0 with a present token (0x0)
Logging in to "test Card (Card PIN)".
Please enter User PIN:
Private Key Object; RSA
  label: Digital Signature
  ID: 11
  Usage: sign, unwrap
  Access: none
Private Key Object; RSA
  label: Encryption
  ID: 5d
  Usage: decrypt, unwrap
  Access: none
Data object 3389054704
  label: 'ProfileId'
  application: ''
  app_id: <empty>
  flags: <empty>
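
When triaging which driver should claim a card, the ATR printed by opensc-tool above can be decoded byte by byte. The following is an added example, not part of the original report and not OpenSC code: a small ISO/IEC 7816-3 ATR decoder in Python that splits the ATR into interface bytes, historical bytes and the TCK checksum. The function name parse_atr is hypothetical.

```python
from functools import reduce
from operator import xor

def parse_atr(atr_hex):
    """Decode an ISO/IEC 7816-3 ATR given as colon-separated hex."""
    data = bytes.fromhex(atr_hex.replace(":", ""))
    if len(data) < 2 or data[0] not in (0x3B, 0x3F):
        raise ValueError("not an ATR: bad TS or too short")
    out = {"convention": "direct" if data[0] == 0x3B else "inverse",
           "interface": {}, "protocols": []}
    hist_len = data[1] & 0x0F      # T0 low nibble: number of historical bytes
    y = data[1] >> 4               # T0 high nibble: which of TA1..TD1 follow
    pos, i = 2, 1
    while True:
        for bit, name in ((1, "TA"), (2, "TB"), (4, "TC")):
            if y & bit:
                if pos >= len(data):
                    raise ValueError("truncated ATR")
                out["interface"][f"{name}{i}"] = data[pos]
                pos += 1
        if not y & 8:              # no TDi, so no further interface bytes
            break
        if pos >= len(data):
            raise ValueError("truncated ATR")
        td = data[pos]
        pos += 1
        out["interface"][f"TD{i}"] = td
        if td & 0x0F not in out["protocols"]:
            out["protocols"].append(td & 0x0F)   # low nibble: protocol T
        y = td >> 4                # high nibble: presence of the next group
        i += 1
    if not out["protocols"]:
        out["protocols"] = [0]     # T=0 is implied when no TD byte is sent
    out["historical"] = data[pos:pos + hist_len]
    if len(out["historical"]) != hist_len:
        raise ValueError("truncated ATR")
    pos += hist_len
    # TCK is absent only when T=0 is the sole protocol indicated.
    if out["protocols"] != [0]:
        if pos >= len(data):
            raise ValueError("missing TCK")
        # XOR of every byte from T0 through TCK must be zero.
        out["tck_ok"] = reduce(xor, data[1:pos + 1]) == 0
        pos += 1
    else:
        out["tck_ok"] = None
    if pos != len(data):
        raise ValueError("trailing bytes after ATR")
    return out

# ATR copied from the opensc-tool output in this report.
REPORTED_ATR = "3b:d2:18:00:81:31:fe:58:c9:03:16"
```
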