Bug 454003 - GEMALTO GCX4 72K D1 : Card class failure : pam_pkcs11(login:auth): sign_value() failed [NEEDINFO]
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: pam_pkcs11
Version: 5.2
Hardware: All
OS: Linux
low
medium
Target Milestone: rc
Assignee: Bob Relyea
Reported: 2008-07-03 19:24 UTC by Aaron Lippold
Modified: 2014-04-22 20:32 UTC (History)
Doc Type: Bug Fix
Last Closed: 2014-04-22 20:32:04 UTC
pm-rhel: needinfo? (aaron.lippold)


Description Aaron Lippold 2008-07-03 19:24:35 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.15) Gecko/20080623 Firefox/2.0.0.15

Description of problem:
General Error:

When I try to use the Gemalto GCX4 72k D1 card to log in via GDM or the console, the authentication always fails. It seems that the signature fails when signing the challenge from the private key; however, this is a guess.

Results:

I get an 'authentication failed' for both GDM and the console (which is expected), and /var/log/security lists:

[12:37] aaronlippold: Jul 2 12:35:09 localhost login: pam_pkcs11(login:auth): sign_value() failed:
Jul 2 12:35:09 localhost login: FAILED LOGIN 1 FROM (null) FOR aaronl, Insufficient credentials to access authentication data

Other Notes:

1) Working

- READING: The middleware can read and display all the data using the standard tools (esd, pklogin_finder, etc.)
- Installing Certs: The 2048 certs are installed into the nssdb without issues
- Removing Certs: The 2048 certs are removed from the nssdb without issues
- PKLOGIN_FINDER: The pklogin_finder is able to find the user cert on the card and map it correctly to the associated user account
- PKLOGIN_FINDER DEBUG: Properly established the trust chain and displays all the expected debug info that the 64k cards give


2) Broken

- Auth via GDM: The coolkey middleware throws an error when it tries to use the private key on the card
- Auth via console: same error because it is the same subsystem.




Version-Release number of selected component (if applicable):
nss-3.12.0.3-1.el5, nss_tools-3.12.0.3-1.el5, pam_pkcs11-0.5.3-23

How reproducible:
Always


Steps to Reproduce:
(assuming your RH client is set up to use smartcard already)

1. Install the root and intermediate certs for the test tokens into the nssdb using standard methods
2. Log out back to GDM or go to a console
3. Insert a GEMALTO GCX4 72K D1 into a supported reader
4. Get GDM or the console to ask for your PIN and notice the card (i.e. hit enter or pull and replace the card once or twice)
5. GDM or the console will ask for the PIN of the user cert
6. Enter PIN
7. GDM/console will return with 'authentication failed'

Actual Results:
[12:37] aaronlippold: Jul 2 12:35:09 localhost login: pam_pkcs11(login:auth): sign_value() failed:
Jul 2 12:35:09 localhost login: FAILED LOGIN 1 FROM (null) FOR aaronl, Insufficient credentials to access authentication data

Was issued to /var/log/security

Expected Results:
Authentication should have been valid

Additional info:
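
A small triage script for the log pattern quoted in this report, added here as an example (it is not part of the original report or of pam_pkcs11): it pairs each pam_pkcs11 "<call>() failed" line with the FAILED LOGIN line from the same program, host and second, so the failing step and the affected account appear together. The sample log is constructed from the two lines above plus one unrelated sshd line; the function and field names are illustrative.

```python
import re

# Constructed sample: the two lines quoted in the report (the chat-paste
# prefix on the first line is kept on purpose) plus one unrelated line.
SAMPLE_LOG = """\
[12:37] aaronlippold: Jul 2 12:35:09 localhost login: pam_pkcs11(login:auth): sign_value() failed:
Jul 2 12:35:09 localhost login: FAILED LOGIN 1 FROM (null) FOR aaronl, Insufficient credentials to access authentication data
Jul 2 12:36:40 localhost sshd[2211]: Accepted password for bob from 192.0.2.7 port 50122 ssh2
"""

# Classic syslog header; search() is used so pasted prefixes are skipped.
SYSLOG = re.compile(r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
                    r"(?P<prog>[^\s:\[]+)(?:\[\d+\])?: (?P<msg>.*)$")
# e.g. "pam_pkcs11(login:auth): sign_value() failed:"
PAM_FAIL = re.compile(r"pam_pkcs11\((?P<svc>[^:)]+):(?P<phase>\w+)\): (?P<call>\w+)\(\) failed")
# e.g. "FAILED LOGIN 1 FROM (null) FOR aaronl, Insufficient credentials ..."
LOGIN_FAIL = re.compile(r"FAILED LOGIN \d+ FROM \S+ FOR (?P<user>[^,]+), (?P<reason>.*)")


def triage(text):
    """Return one finding per pam_pkcs11 failure, with the user filled in
    when a matching FAILED LOGIN line follows (GDM logins may not log one)."""
    pending = {}    # (ts, host, prog) -> finding still waiting for its user
    findings = []
    for line in text.splitlines():
        m = SYSLOG.search(line)
        if not m:
            continue
        key = (m["ts"], m["host"], m["prog"])
        pam = PAM_FAIL.search(m["msg"])
        if pam:
            finding = {"time": m["ts"], "host": m["host"], "service": pam["svc"],
                       "failed_call": pam["call"], "user": None, "reason": None}
            pending[key] = finding
            findings.append(finding)
            continue
        fail = LOGIN_FAIL.search(m["msg"])
        if fail and key in pending:
            finding = pending.pop(key)
            finding["user"], finding["reason"] = fail["user"], fail["reason"]
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f)
```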

Comment 1 RHEL Product and Program Management 2014-03-07 13:35:44 UTC
This bug/component is not included in scope for RHEL-5.11.0 which is the last RHEL5 minor release. This Bugzilla will soon be CLOSED as WONTFIX (at the end of RHEL5.11 development phase (Apr 22, 2014)). Please contact your account manager or support representative in case you need to escalate this bug.

