[CentOS] CentOS 6, firefox, PIV cards

Wed Dec 7 21:20:48 UTC 2016
Denniston, Todd A CIV NAVSURFWARCENDIV Crane, JXVS <todd.denniston at navy.mil>

m.roth at 5-cent.us further wrote:
##############
m.roth at 5-cent.us wrote:
> Hi, folks,
>
>    Up until a few weeks ago, it worked as it has been for years: firefox,
> security device is libcoolkey, and pcscd.
>
>    Today, I go to use it (I have done updates sine I last used it), and
> try preferences->advanced->certificates, and it hangs. My most recent
> try was for over 20 min. If you move something over the window, then
> move it away, it's a blank window. Pull out the card, and *some* of the
> time, it pops up the window showing no certs, having never asked for a
> PIN. The rest of the time, firefox crashes, hard.
>
>    I know the pcscd part works - I used it via a script this morning from
> the command line, as does pkcs15-tool from the command line.
>
>    Anyone got any clues? Maybe I should downgrade (if I can) firefox?
>
Additional info: I tried bringing up firefox with two other profiles. One
didn't have coolkey as a security device, but when I tried to add it, it
responded with "cannot add module".

Yet a third profile, that had both libcoolky and the older onepin, and
that popped up a window saying I needed to authenticate, sat there with no
way to put a pin in, then, when I pulled the card, it flashed the popup
window with my certs.

Yes, at this time, I'm looking at issues with firefox.

So - has anyone else had this problem?

       mark
#################

Not yet had the issue(s) but I do have some questions:
1) is this with the same physical PIV that you have been using "Up until a few weeks ago", that is did you (or the affected person) get a new PIV recently?
1a) does firefox have the certificate authorities loaded which cover the card in question (make sure to trace back to the root CA, there have been changes)?

2) have you tried just `yum downgrade firefox` and see if it works?
2a) I would be tempted to do something on the order of `rpm -qa --last |head -50` and then for each package seen there do an rpm -q --verify (syntax unsure) on them to be sure all the packages got installed correctly.

3) same as (2) but with recent nss|coolkey|pcscd updates?

4) interrupted updates?  i.e., `yum complete-transaction` (sp???)  `yum reinstall firefox nss coolkey pcscd`

Even when this disclaimer is not here:
I am not a contracting officer. I do not have authority to make or modify the terms of any contract.