Bug 1518348 - thunderbird 52.4 with OpenSC 0.16 and PIV cards ALWAYS_AUTHENTICATE fail
Summary: thunderbird 52.4 with OpenSC 0.16 and PIV cards ALWAYS_AUTHENTICATE fail
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: opensc
Version: 7.4
Hardware: All
OS: Linux
Target Milestone: rc
Assignee: Jakub Jelen
QA Contact: Asha Akkiangady
Depends On:
Blocks: 1477664 1563596
Reported: 2017-11-28 16:50 UTC by aheverle
Modified: 2018-06-15 15:35 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2018-05-23 16:49:38 UTC
Target Upstream Version:


Description aheverle 2017-11-28 16:50:34 UTC
Description of problem:
thunderbird 52.4 with OpenSC 0.16 returns an error:
"Sending of the message failed.
Unable to sign message. Please check that the certificates specified in Mail & Newsgroups Account Settings for this mail account are valid and trusted for mail."

Version-Release number of selected component (if applicable):
OpenSC 0.16

How reproducible:

Steps to Reproduce:
1.  Any attempt to sign with pkcs11 module and smartcard

Additional info:
workaround is to use, acceptable impact currently.

Comment 8 Jakub Jelen 2017-11-29 08:37:41 UTC
What card is that? Is it standard PIV, or a dual CAC card? If it is CAC, can you try the CAC driver directly as described in the following article:

These logs do not say anything useful. Can you reproduce the issue solely with the pkcs11-tool as described in the following article and attach the logs (note that they might contain the PIN, so the logs should be redacted before sharing!):

Can you try with the latest build for RHEL 7.5 to see if it changes anything?

Comment 17 Jakub Jelen 2018-04-26 08:15:43 UTC
To summarize the status of this bug, the issue with ALWAYS_AUTHENTICATE keys can be reproduced with any PIV Test card and with any NSS application.

It is a combination of NSS wrongly issuing the PKCS#11 commands out of the order (fixed in NSS 3.36) [1] and OpenSC resetting the login state in case this happens (fixed in OpenSC 0.17.0) [2]. Either of these changes fixes the issue.

For demonstration, I am using Bob's smartcard test (let me know if you don't have that -- I don't think it is somewhere public). Once I reverted the patch [2] and downgraded NSS to 3.33 in Fedora, I am able to get errors such as the following:

-----Found Cert 2: CN=Test Cardholder XIII,OU=Test Agency,OU=Test Department,O=Test Government,C=US
  KeyType: RSA
  CertID [1] =  02
  KeyID [1] =  02
 Key can encipher... Testing enciphering
Password for Test Cardholder XIII? 
>failed to decrypt message with private key: The operation failed because the PKCS#11 token is not logged in.
-----Found Cert 3: CN=Test Cardholder XIII,OU=Test Agency,OU=Test Department,O=Test Government,C=US
>failed to find private key: Unknown code ___P 3

Updating either NSS or OpenSC fixes the issue and the tests pass.

The NSS is already updated in RHEL 7.5, so the fix in OpenSC is not completely necessary (as it was when the bug was reported), but I would be for including the fix to make sure it works both with older NSS and in case there is a similar regression or some other libraries or tools use the PKCS#11 interface wrongly.

Asha, Roshni, is this summary enough for you to verify this bug?

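The call-order problem comment 17 describes, as an added illustration that is not code from OpenSC, NSS or the bug's test tool: a toy model of one PKCS#11 session holding a CKA_ALWAYS_AUTHENTICATE private key, which per the PKCS#11 spec must be driven as C_Login(CKU_USER), C_SignInit, C_Login(CKU_CONTEXT_SPECIFIC), C_Sign. The `reset_on_misuse` flag stands in for the pre-0.17 OpenSC behaviour (login state dropped when the context-specific login arrives out of order); the exact mis-ordered sequence the older NSS issued is not on this page and is assumed below.

```python
# Added model (not OpenSC/NSS code): login state of a PKCS#11 session with an
# always-authenticate key, and how two independent defects combine.
CKU_USER, CKU_CONTEXT_SPECIFIC = 1, 2
CKR_OK = "CKR_OK"
CKR_USER_NOT_LOGGED_IN = "CKR_USER_NOT_LOGGED_IN"
CKR_OPERATION_NOT_INITIALIZED = "CKR_OPERATION_NOT_INITIALIZED"


class Session:
    def __init__(self, reset_on_misuse):
        self.reset_on_misuse = reset_on_misuse  # models OpenSC 0.16 behaviour
        self.logged_in = False   # CKU_USER PIN verified
        self.op_active = False   # C_SignInit done, C_Sign pending
        self.ctx_auth = False    # context-specific PIN verified for this op

    def login(self, user_type):
        if user_type == CKU_USER:
            self.logged_in = True
            return CKR_OK
        # CKU_CONTEXT_SPECIFIC is only valid while an operation is initialized
        if not self.op_active:
            if self.reset_on_misuse:
                self.logged_in = False  # the login-state reset fixed in 0.17.0
            return CKR_OPERATION_NOT_INITIALIZED
        self.ctx_auth = True
        return CKR_OK

    def sign_init(self):
        if not self.logged_in:
            return CKR_USER_NOT_LOGGED_IN
        self.op_active, self.ctx_auth = True, False
        return CKR_OK

    def sign(self):
        if not self.op_active:
            return CKR_OPERATION_NOT_INITIALIZED
        if not (self.logged_in and self.ctx_auth):
            return CKR_USER_NOT_LOGGED_IN  # always-authenticate key not re-verified
        self.op_active = self.ctx_auth = False
        return CKR_OK


def run(sequence, reset_on_misuse):
    """Replay a call sequence on a fresh session; return the list of return codes."""
    s = Session(reset_on_misuse)
    table = {"login_user": lambda: s.login(CKU_USER),
             "login_ctx": lambda: s.login(CKU_CONTEXT_SPECIFIC),
             "sign_init": s.sign_init, "sign": s.sign}
    return [table[name]() for name in sequence]


CORRECT = ["login_user", "sign_init", "login_ctx", "sign"]          # spec order
# Assumed stand-in for the older NSS: context-specific login sent before C_SignInit.
MISORDERED = ["login_user", "login_ctx", "sign_init", "login_ctx", "sign"]
```

With either the spec-conforming order or a token that does not reset its login state the signature succeeds; only the combination of both defects ends in CKR_USER_NOT_LOGGED_IN, which is the "token is not logged in" failure quoted above.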

Comment 18 Roshni 2018-05-07 17:02:51 UTC
I was not able to see any error messages as in comment 17 when the smartcard test tool was run using PIV cards with the latest nss packages.

Comment 19 Jakub Jelen 2018-05-23 16:49:38 UTC
This issue was resolved with the latest NSS update and there is no need to fix it again in OpenSC (and introduce other complexity).
