All,
Op 12-02-11 00:30, Guy schreef:
Robert, Lyall,
Op 11-02-11 19:11, Robert Relyea schreef:
On 02/10/2011 10:39 PM, Guy wrote:
Bob,
Op 09-02-11 22:33, Robert Relyea schreef:
On 02/09/2011 12:33 PM, Guy wrote:
Hi,
I'm the one who started this thread but it got slightly derailed and
biased towards gentoo.
My systems are Opensuse 11.3 and Fedora14 and the problem I have is
that I do not get prompted for the PIN when issueing either
pkcs11_inspect or pkcs11_listcerts. I've never seen it work on either
of these systems. Pcsc_scan works though, it never complains.
This seems to indicate a problem with the pkcs11 module (probably
coolkey). Is the card you are using an actual CAC card, or one of
ActiveCard's 'CAC-Like' (where they use the CAC applet, but issued
through some other agency than DISA).
It's not a card as such, it's a usb sim (appearance is that of a usb
memory stick) so I guess it's CAC-Like.
A lot of information can be found withing this thread where Lyall and
myself supply output of various commands.
I'm not qualified enough to give you the answer right away I' afraid.
My Opensuse 11.3 bears all the latest pcsc-lite, opensc, coolkey, etc
packages. The Fedora14 system is stock + all automatic updates.
I run these 2 systems on a Dell Lattitude D830 over the usb port
(opensuse on a usb disk, fedora on a usb memory stick).
I plugged the Fedorea usb stick into my home tower pc, with an Asus
mobo, but the results are the same, so it's not Dell specific.
My home tower pc runs Opensuse 11.0 natively and there it just works
fine, I'm asked for the PIN and when supplied I get the certificates
listed.
The coolkey package, version 1.1.0-79.1, dates from June 2008.
Thanks, this is helpful. How many certs does your card have?
There's only one cert on it (this is an excerpt from my old working
Opensuse 11.0 distro) :
DEBUG:pkcs11_lib.c:47: PIN = [xxxxxxxx]
DEBUG:pkcs11_lib.c:528: cert 0: found (Guy Zelck:CAC ID Certificate),
"E=guy.zelck@xxxxxx,CN=Guy Zelck,OU=VPN-WEB-H,OU=Employment Status -
Employees,O=Hewlett-Packard Company"
DEBUG:pkcs11_listcerts.c:112: Found '1' certificate(s)
DEBUG:pkcs11_listcerts.c:117: Certificate #1:
DEBUG:pkcs11_listcerts.c:119: - Subject: E=guy.zelck@xxxxxx,CN=Guy
Zelck,OU=VPN-WEB-H,OU=Employment Status - Employees,O=Hewlett-Packard
Company
DEBUG:pkcs11_listcerts.c:121: - Issuer: CN=Hewlett-Packard Primary
Class 2 Certification Authority,O=Hewlett-Packard Company,C=US,OU=IT
Infrastructure,O=hp.com
DEBUG:pkcs11_listcerts.c:123: - Algorithm: PKCS #1 RSA Encryption
DEBUG:cert_vfy.c:32: Verifying Cert: Guy Zelck:CAC ID Certificate
(E=guy.zelck@xxxxxx,CN=Guy Zelck,OU=VPN-WEB-H,OU=Employment Status -
Employees,O=Hewlett-Packard Company)
DEBUG:pkcs11_listcerts.c:147: releasing pkcs #11 module...
DEBUG:pkcs11_listcerts.c:150: Process completed
OK, my guess is you are running into a bug in coolkey that expects 3
certs, not one. It was fixed at one point in time, but appears to have
regressed. It would be good to add that info to the bug.
First I discovered I made a silly typo in pam_pkcs11.conf in specifying the slot description :
slot_description="Activekey Sim 00 00" when it should have been "Activkey Sim 00 00" (without the "e")!
Once cleared the PIN prompt appeared 8-;
But then, as Lyall pointed out, it was nearly impossible to get a succesful login and the msg "no token available" still crept in
the debug output.
Then I recompiled coolkey without the CAC-1 patch and bingo, logging in was simple. Even with a better average than 1 in 2.
I tested logging in on a hard-console (ctrl-alt-F2), with su and with kdm, it all works.
Here's the output of pkcs11_inspect :
# pkcs11_inspect debug
DEBUG:pam_config.c:245: Using config file /etc/pam_pkcs11/pam_pkcs11.conf
DEBUG:pkcs11_lib.c:187: Initializing NSS ...
DEBUG:pkcs11_lib.c:197: Initializing NSS ... database=/etc/pki/nssdb
DEBUG:pkcs11_lib.c:215: ... NSS Complete
DEBUG:pkcs11_inspect.c:69: loading pkcs #11 module...
DEBUG:pkcs11_lib.c:227: Looking up module in list
DEBUG:pkcs11_lib.c:230: modList = 0x806c850 next = 0x807b720
DEBUG:pkcs11_lib.c:231: dllName= <null>
DEBUG:pkcs11_lib.c:230: modList = 0x807b720 next = 0x0
DEBUG:pkcs11_lib.c:231: dllName= /usr/lib/libcoolkeypk11.so
DEBUG:pkcs11_inspect.c:78: initialising pkcs #11 module...
PIN for token:
DEBUG:pkcs11_lib.c:760: cert 0: found (Guy Zelck:CAC ID Certificate), "E=guy.zelck@xxxxxx,CN=Guy Zelck,OU=VPN-WEB-H,OU=Employment
Status - Employees,O=Hewlett-Packard Company"
DEBUG:mapper_mgr.c:172: Retrieveing mapper module list
DEBUG:mapper_mgr.c:73: Loading static module for mapper 'mail'
DEBUG:mapper_mgr.c:196: Inserting mapper [mail] into list
DEBUG:pkcs11_inspect.c:128: Found '1' certificate(s)
DEBUG:pkcs11_inspect.c:132: verifing the certificate #1
DEBUG:cert_vfy.c:34: Verifying Cert: Guy Zelck:CAC ID Certificate (E=guy.zelck@xxxxxx,CN=Guy Zelck,OU=VPN-WEB-H,OU=Employment Status
- Employees,O=Hewlett-Packard Company)
DEBUG:pkcs11_inspect.c:146: Inspecting certificate #1
Printing data for mapper mail:
guy.zelck@xxxxxx
DEBUG:mapper_mgr.c:213: unloading mapper module list
DEBUG:mapper_mgr.c:137: calling mapper_module_end() mail
DEBUG:mapper_mgr.c:148: Module mail is static: don't remove
DEBUG:pkcs11_inspect.c:163: releasing pkcs #11 module...
DEBUG:pkcs11_inspect.c:166: Process completed
Who's going to file the bug? I have no idea where or how. Lyall, are you in for this?
The previous output came from my Opensuse 11.3 system.
I just now finished trying things on the stock Fedora 14 and the results are fine once coolkey was recompiled without the CAC-1 patch :
[guy@gz ~]$ pkcs11_listcerts
PIN for token:
Found '1' certificate(s)
Certificate #1:
- Subject: E=guy.zelck@xxxxxx,CN=Guy Zelck,OU=VPN-WEB-H,OU=Employment Status - Employees,O=Hewlett-Packard Company
- Issuer: CN=Hewlett-Packard Primary Class 2 Certification Authority,O=Hewlett-Packard Company,C=US,OU=IT Infrastructure,O=hp.com
- Algorithm: PKCS #1 RSA Encryption
[guy@gz ~]$ pkcs11_inspect
PIN for token:
Printing data for mapper mail:
guy.zelck@xxxxxx
[guy@gz ~]$ pklogin_finder
PIN for token:
guy
Gtz,
Guy.
_______________________________________________
Coolkey-devel mailing list
Coolkey-devel@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/coolkey-devel
