Bug 681680

Summary: OpenCT problems: missing udev rules file, ownership of device inconsistent with uid/gid of ifdhandler process, OpenSC support missing, OpenSSH support broken
Product: [openSUSE] openSUSE 11.4
Reporter: Peter Keller <pkeller>
Component: Other
Assignee: Stanislav Brabec <sbrabec>
Status: RESOLVED FIXED
QA Contact: E-mail List <qa-bugs>
Severity: Normal
Priority: P5 - None
Version: Final
Target Milestone: ---
Hardware: x86-64
OS: openSUSE 11.4

Description Peter Keller 2011-03-22 19:19:21 UTC
User-Agent:       Mozilla/5.0 (X11; Linux x86_64; rv:2.0b12) Gecko/20110222 Firefox/4.0b12

This is a follow-on from the discussion in bug 580144 and the suggestion to look at more recent versions of the chipcard project. The reason that I have filed one bug for these issues is because IMHO the regression since 11.3 is so severe that the real question is whether there is any point in keeping OpenCT in the default openSUSE repositories at all.

OpenCT used hal in 11.3, but uses udev in 11.4. According to the udev setup information at http://www.opensc-project.org/openct/wiki/OperatingSystems the file /etc/udev/rules.d/50-openct.rules is required, but is missing from the current distribution. This stops OpenCT functioning.

Manually adding the file by copying etc/openct.udev from the source RPM allows the ifdhandler process to start when a compatible smartcard is inserted, but we then hit the same issue as described in bug 580144 which is that the device created in /dev/bus/usb/ is owned by root:root, but the configuration in /etc/openct.conf specifies that the ifdhandler process runs as scard:scard. For the purposes of experimentation, this can be fixed by the following change to /lib/udev/rules.d/openct_usb:

--- openct_usb.orig	2011-03-22 12:07:32.117000002 +0000
+++ openct_usb	2011-03-22 12:08:33.619007414 +0000
@@ -3,6 +3,8 @@
 # maybe udev passes the device name to us.
 if [ -n "$1" ]; then
 	DEVNAME="$1"
+        chown scard:scard "$DEVNAME"
+        chmod o-r "$DEVNAME"
 fi
 
 [ -n "$DEVPATH" ] || exit 0
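
Review bot: the added chown and chmod sit inside the 'if [ -n "$1" ]' branch, so they run only when the device name arrives as the first argument; if the script is invoked without one, the node keeps its original owner and mode. Placing both calls at a point where DEVNAME is known to be non-empty would cover either case. 'chmod o-r' also clears only the read bit for others and leaves any other-write bit untouched; an explicit mode such as 'chmod 0660 "$DEVNAME"' states the intended result directly. Neither call's exit status is checked, and the new lines are indented with spaces where the neighbouring DEVNAME line uses a tab.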

Now OpenCT works in the sense that 'openct-tool list' and 'openct-tool -r 0 atr' give the correct output:

guest@linux-lx7d:~> openct-tool list
  0 Rainbow iKey 3000
guest@linux-lx7d:~> openct-tool -r 0 atr
Detected Rainbow iKey 3000
Card present, status changed
ATR: 3b b7 94 00 81 31 fe 65 53 50 4b 32 33 90 00 d1

In 11.3, once the card was recognised by OpenCT, it could be used with OpenSC and OpenSSH (in conjunction with engine_pkcs11). In 11.4, OpenSC has not been compiled with OpenCT support:

 guest@linux-lx7d:~/openct-0.6.20/etc> opensc-tool -i
 opensc 0.12.0 [gcc  4.5.1 20101208 [gcc-4_5-branch revision 167585]]
 Enabled features: zlib readline openssl pcsc(libpcsclite.so.1)

Compare with the output from 11.3:

 [bernoulli]~-560 > opensc-tool -i
 opensc 0.11.13 [gcc  4.5.0 20100604 [gcc-4_5-branch revision 160292]]
 Enabled features: zlib readline iconv openssl openct pcsc(/usr/lib64/libpcsclite.so.1) nsplugin

Attempting to install and use pcscd (package pcsc-lite) to access the card also fails, and according to this post on the MUSCLE card mailing list it is also due to OpenCT not behaving correctly: http://lists.drizzle.com/pipermail/muscle/2011-March/008832.html

In 11.3, a private key on an OpenCT-compatible smartcard could be used with OpenSSH (version 5.4p1) out of the box by doing:

  ssh -v -I /usr/lib64/engines/engine_pkcs11.so ....

or

  ssh-add -s /usr/lib64/engines/engine_pkcs11.so

In 11.4 (OpenSSH version 5.8p1), we get the following error message in /var/log/messages or the output of 'ssh -v' when trying this:

Mar 22 15:24:25 linux-lx7d ssh-pkcs11-helper[3029]: error: dlsym(C_GetFunctionList) failed: /usr/lib64/engines/engine_pkcs11.so: undefined symbol: C_GetFunctionList

Sorry to go on at such length, but as I said I am wondering why OpenCT is in the distribution at all now. Comments anyone?


Reproducible: Always

Comment 1 Tomáš Chvátal 2015-03-10 08:30:11 UTC
Should be fully fixed now by https://build.opensuse.org/request/show/290101

I made sure the cards are detected and it pops up, with hopefully correct permissions. This will be included in Factory and next openSUSE release.