-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160
Hello Nils,
Nils Larsch schrieb:
> Cornelius Koelbel wrote:
>> Hello,
>>
>> I liked the pkcs11-tool very much and used it with aladdin's own
>> pkcs11-lib. But I could not manage to initialize the token and i
>> could not change the pin.
>>
>> The Aladdin eToken can only be initialized after having logged in
>> as a user and having closed this session again.
>
> sounds like a bug
I tried to get some more information from Aladdin, since I guess (hope
;-) this is no bug in their pkcs11 implementation but I am still in
discussion with Aladdin regarding this issue.
>
>>
>> The PIN can only be changed, when logged in as a User before.
>>
>> So I wrote some small patches that worked for, so I could now
>> initialize the token and change the PIN. I am not a real
>> programmer and I guess the patches may not be valid for other
>> tokens. Maybe for the initialization patch there should be an
>> if-statement or a command-line switch that activates this code.
>>
>> Take a look at it and think of it. If there are any questions I
>> will be pleased to answer them...
>>
>> The patches are against pkcs11-tool.c version 0.10.1.
>
> please use unified diffs, normal diffs are difficult to read => at
> least I will ignore them if I don't have much time.
I attached a unified diff; I hope this makes it easier to read. For my
convenience I named the original file pkcs11-tool.c-orig and my changed
version pkcs11-tool.c-cko. (-> version1)
>>
>>> /* Add for aladdin eToken with aladdin's libetpkcs11.so Before
>>> initializing the token, we have to login to the token. cko */
>>>
>>> rv = p11->C_OpenSession(opt_slot, CKF_SERIAL_SESSION|
>>> CKF_RW_SESSION, NULL, NULL, &session); if (rv != CKR_OK)
>>> p11_fatal("C_OpenSession", rv);
>>>
>>> login(session, 0); // login as CKU_USER
>>>
>>> /* we need to close the session again. */ rv =
>>> p11->C_CloseSession(session); /* end of Aladdin specific stuff
>>> */
>
> are you sure that this workaround wont cause problems for other
> pkcs11 libs ?
It would cause problems, if someone who wants to initialize the token,
has forgotten the user pin.
I reordered the if statements at the beginning, so that I am able to
change my user PIN with the parameters "-l -c".
For initializing the token I would also prefer a solution on the
command line like "-l --init-token", but unfortunately the session that
is opened by the -l option is not closed before the init-token
function is called. And there must not be any open sessions...
Maybe a possible solution would be to avoid changing the init_token
function by adding an additional login function that closes the
session right after having logged in.
In patch version 2 I added a "fake_login" function, that does exactly
this. Thus I was able to initialize the Aladdin etoken this way:
./pkcs11-tool --module /usr/local/lib/libetpkcs11.so --fake-login
- --init-token --label test
>
>>>
>> 879a897,902
>>> /* cko: first we need to login to the token! */ rv =
>>> p11->C_Login(sess, CKU_USER, (CK_UTF8CHAR *) old_pin, old_pin
>>> == NULL ? 0 : strlen(old_pin)); if (rv != CKR_OK)
>>> p11_fatal("C_Login", rv); /* end */
>
> this will certainly cause problem if you try to change the so-pin
>
You are right. I removed it and changed it so that I can accomplish
this by using -l -c.
But how am I supposed to change the SO_PIN using the existing Code? I
need a C_Login(CKU_SO) and a C_SetPin.
Kind regards
Cornelius
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFEPEcRtVsWxaSPzvkRA0yIAJ9e51wSjukj4OuuR/o1vIIvuM/8FQCgpEzv
92jSHhtXVY94e0n5s6BzWkQ=
=N3Om
-----END PGP SIGNATURE-----
--- pkcs11-tool.c-orig 2006-03-30 23:14:25.000000000 +0200
+++ pkcs11-tool.c-cko 2006-04-12 01:45:23.000000000 +0200
@@ -372,6 +372,7 @@
case 'c':
do_change_pin = 1;
need_session |= CKF_SERIAL_SESSION; /* no need for a
R/W session */
+ need_session |= NEED_SESSION_RW; /* cko */
action_count++;
break;
case 's':
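Review bot: The added `need_session |= NEED_SESSION_RW;` directly contradicts the surviving comment `/* no need for a R/W session */` on the line above it, so the same case arm now says two opposite things. Since C_SetPIN requires a read/write session, the original line and its comment should be replaced rather than appended to, e.g. `need_session |= NEED_SESSION_RW; /* C_SetPIN needs a R/W session */`. The `/* cko */` marker adds nothing a reader can act on; authorship is already recorded in the commit. The identical hunk appears again in the second patch at the `case 'c':` arm before `case 's':`.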
@@ -495,15 +496,12 @@
CK_TOKEN_INFO info;
get_token_info(opt_slot, &info);
- if (!(info.flags & CKF_TOKEN_INITIALIZED))
- fatal("Token not initialized\n");
+ //if (!(info.flags & CKF_TOKEN_INITIALIZED))
+ // fatal("Token not initialized\n");
if (info.flags & CKF_LOGIN_REQUIRED)
opt_login++;
}
- if (do_init_token)
- init_token(opt_slot);
-
if (need_session) {
int flags = CKF_SERIAL_SESSION;
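Review bot: Commenting out the `CKF_TOKEN_INITIALIZED` check removes that safeguard for every invocation, not only for the `--init-token` path the patch is trying to enable, and leaves dead code in the file. If the enclosing block (its condition is outside the hunk) does not already exclude the init case, gate the check instead of deleting it: `if (!do_init_token && !(info.flags & CKF_TOKEN_INITIALIZED))` followed by the unchanged `fatal("Token not initialized\n");`. Moving the `init_token()` call out of this spot is fine by itself, but see the next hunk for where it lands. The same hunk is repeated in the second patch before the `if (need_session)` block.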
@@ -515,16 +513,24 @@
p11_fatal("C_OpenSession", rv);
}
- if (do_change_pin)
- /* To be sure we won't mix things up with the -l or -p options,
- * we safely stop here. */
- return change_pin(opt_slot, session);
-
if (opt_login || opt_pin || do_init_pin) {
int r = login(session, need_to_be_so);
if (r != 0)
return r;
}
+ /*
+ We put the do_change_pin _behind_ the opt_login to have the possibility
to
+ do a "-c -l" to change the PIN with the Aladdin etpkcs11, since we need
to login
+ before changing the pin
+ */
+ if (do_change_pin)
+ /* To be sure we won't mix things up with the -l or -p options,
+ * we safely stop here. */
+ return change_pin(opt_slot, session);
+
+ if (do_init_token)
+ init_token(opt_slot);
+
if (do_init_pin) {
init_pin(opt_slot, session);
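Review bot: `init_token(opt_slot)` now runs after the `need_session` block may have opened `session`, yet C_InitToken fails when any session is open on the slot (the cover letter says so itself), so `-l --init-token` breaks in a way the old ordering avoided; either close `session` before the call or reject that option combination with a clear error. The relocated comment `/* To be sure we won't mix things up with the -l or -p options, we safely stop here. */` is now stale, because `login()` has already run by this point; rewrite it to say that `-c` is deliberately handled after login for tokens that require an authenticated session. The second patch repeats this reordering in its hunk ending at `init_pin(opt_slot, session);`, where the added `fake_login(opt_slot)` call is subject to the same open-session concern.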
@@ -753,6 +759,7 @@
get_token_info(opt_slot, &info);
+
/* Identify which pin to enter */
if (info.flags & CKF_PROTECTED_AUTHENTICATION_PATH) {
@@ -787,13 +794,32 @@
char new_buf[21], *new_pin = NULL;
CK_TOKEN_INFO info;
CK_RV rv;
+ CK_SESSION_HANDLE session; // cko
if (!opt_object_label)
fatal("The token label must be specified using --label\n");
snprintf(token_label, sizeof (token_label), "%-32.32s",
opt_object_label);
-
+
get_token_info(slot, &info);
+ /* Add for aladdin eToken with aladdin's libetpkcs11.so
+ Before initializing the token, we have to login
+ to the token. cko */
+ /* This would be nice, if it could be done by --init-token -l,
+ but the -l option does not close the session again and we
+ need to close it! :( */
+
+ rv = p11->C_OpenSession(opt_slot, CKF_SERIAL_SESSION| CKF_RW_SESSION,
+ NULL, NULL, &session);
+ if (rv != CKR_OK)
+ p11_fatal("C_OpenSession", rv);
+
+ login(session, 0); // login as CKU_USER
+
+ /* we need to close the session again. */
+ rv = p11->C_CloseSession(session);
+ /* end of Aladdin specific stuff */
+
if (!(info.flags & CKF_PROTECTED_AUTHENTICATION_PATH)) {
if (opt_so_pin == NULL) {
new_pin = getpass("Please enter the new SO PIN: ");
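Review bot: The new block opens the session on the global `opt_slot` instead of the `slot` parameter `init_token` was given, so the function silently stops honouring its argument; use `slot`. The `login(session, 0)` return value is dropped and `rv = p11->C_CloseSession(session);` assigns `rv` without checking it, so a wrong user PIN or a failed close lets the function proceed to C_InitToken with a session possibly still open on the slot. Check both: `if (login(session, 0) != 0) fatal("User login failed\n");` and `if (rv != CKR_OK) p11_fatal("C_CloseSession", rv);`. `init_token` continues past the end of this hunk.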
@@ -877,6 +903,15 @@
}
}
+ /* cko: first we need to login to the token! */
+ /* This would only be necessary, if we would not use the -l option (see
above)
+ I guess, this hurts noone!?
+ */
+// rv = p11->C_Login(sess, CKU_USER ...and sometimes CKU_SO,
(CK_UTF8CHAR *) old_pin, old_pin == NULL ? 0 : strlen(old_pin));
+// if (rv != CKR_OK)
+// p11_fatal("C_Login", rv);
+ /* end */
+
rv = p11->C_SetPIN(sess,
(CK_UTF8CHAR *) old_pin, old_pin == NULL ? 0 : strlen(old_pin),
(CK_UTF8CHAR *) new_pin, new_pin == NULL ? 0 : strlen(new_pin));
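Review bot: The hunk adds only commented-out code (`// rv = p11->C_Login(sess, CKU_USER ...`) and a comment that questions itself (`I guess, this hurts noone!?`), which is dead text the next maintainer will have to puzzle over; drop it entirely. If the intent is to record why `-l` is now expected before `-c`, a single comment at the top of `change_pin` stating that the caller must already have logged in is enough. The second patch repeats this hunk unchanged at the end of the file.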
--- pkcs11-tool.c-orig 2006-03-30 23:14:25.000000000 +0200
+++ pkcs11-tool.c 2006-04-12 02:06:37.000000000 +0200
@@ -61,6 +61,7 @@
{ "hash", 0, 0, 'h' },
{ "mechanism", 1, 0, 'm' },
+ { "fake-login", 0, 0, 'f' },
{ "login", 0, 0, 'l' },
{ "pin", 1, 0, 'p' },
{ "so-pin", 1, 0, OPT_SO_PIN },
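Review bot: The new entry maps `--fake-login` to the short value `'f'`, but the getopt short-option string that would make a bare `-f` work is not in the hunk; if it was not updated, `-f` is rejected while `--fake-login` works, which is confusing next to the help text. Either add `f` to that string or use an `OPT_*` value like the `OPT_SO_PIN` entry two lines below so that no short option is implied. The help-string array in the next hunk must stay index-aligned with this table; the patch does insert at the same position, which is correct.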
@@ -99,6 +100,7 @@
"Hash some data",
"Specify mechanism (use -M for a list of supported mechanisms)",
+ "Log into the token and close the session. Needed for Aladdin Token
initialization.",
"Log into the token first (not needed when using --pin)",
"Supply User PIN on the command line (if used in scripts: careful!)",
"Supply SO PIN on the command line (if used in scripts: careful!)",
@@ -194,6 +196,7 @@
static void list_mechs(CK_SLOT_ID);
static void list_objects(CK_SESSION_HANDLE);
static int login(CK_SESSION_HANDLE, int);
+static void fake_login(CK_SLOT_ID);
static void init_token(CK_SLOT_ID);
static void init_pin(CK_SLOT_ID, CK_SESSION_HANDLE);
static int change_pin(CK_SLOT_ID, CK_SESSION_HANDLE);
@@ -267,6 +270,7 @@
int do_init_pin = 0;
int do_change_pin = 0;
int action_count = 0;
+ int need_fake_login = 0;
CK_RV rv;
while (1) {
@@ -354,6 +358,9 @@
case 'i':
opt_input = optarg;
break;
+ case 'f':
+ need_fake_login = 1;
+ break;
case 'l':
need_session |= NEED_SESSION_RW;
opt_login = 1;
@@ -372,6 +379,7 @@
case 'c':
do_change_pin = 1;
need_session |= CKF_SERIAL_SESSION; /* no need for a
R/W session */
+ need_session |= NEED_SESSION_RW; /* cko */
action_count++;
break;
case 's':
@@ -495,15 +503,12 @@
CK_TOKEN_INFO info;
get_token_info(opt_slot, &info);
- if (!(info.flags & CKF_TOKEN_INITIALIZED))
- fatal("Token not initialized\n");
+ //if (!(info.flags & CKF_TOKEN_INITIALIZED))
+ // fatal("Token not initialized\n");
if (info.flags & CKF_LOGIN_REQUIRED)
opt_login++;
}
- if (do_init_token)
- init_token(opt_slot);
-
if (need_session) {
int flags = CKF_SERIAL_SESSION;
@@ -515,16 +520,28 @@
p11_fatal("C_OpenSession", rv);
}
- if (do_change_pin)
- /* To be sure we won't mix things up with the -l or -p options,
- * we safely stop here. */
- return change_pin(opt_slot, session);
-
if (opt_login || opt_pin || do_init_pin) {
int r = login(session, need_to_be_so);
if (r != 0)
return r;
}
+ /*
+ We put the do_change_pin _behind_ the opt_login to have the possibility
to
+ do a "-c -l" to change the PIN with the Aladdin etpkcs11, since we need
to login
+ before changing the pin
+ */
+ if (do_change_pin)
+ /* To be sure we won't mix things up with the -l or -p options,
+ * we safely stop here. */
+ return change_pin(opt_slot, session);
+
+ /* cko: Need to login to the token for Aladdin initialization */
+ if (need_fake_login)
+ fake_login(opt_slot);
+
+ if (do_init_token)
+ init_token(opt_slot);
+
if (do_init_pin) {
init_pin(opt_slot, session);
@@ -753,6 +770,7 @@
get_token_info(opt_slot, &info);
+
/* Identify which pin to enter */
if (info.flags & CKF_PROTECTED_AUTHENTICATION_PATH) {
@@ -780,6 +798,22 @@
return 0;
}
+
+void fake_login(CK_SLOT_ID slot)
+{
+ CK_TOKEN_INFO info;
+ CK_RV rv;
+ CK_SESSION_HANDLE session;
+
+ get_token_info(slot, &info);
+ rv = p11->C_OpenSession(opt_slot, CKF_SERIAL_SESSION| CKF_RW_SESSION,
+ NULL, NULL, &session);
+ if (rv != CKR_OK)
+ p11_fatal("C_OpenSession", rv);
+ login(session, 0); // login as CKU_USER
+ rv = p11->C_CloseSession(session);
+}
+
void
init_token(CK_SLOT_ID slot)
{
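Review bot: `fake_login` takes `slot` but opens its session on the global `opt_slot`, calls `get_token_info(slot, &info)` without ever using `info`, and ignores both the `login()` return value and the `C_CloseSession` result, so a wrong PIN or a failed close lets the caller proceed to C_InitToken with a session possibly still open on the slot. The rewrite below uses the parameter, drops the unused lookup and fails loudly on both errors. A one-line header comment stating the contract is worth adding, e.g. `/* Log in as the user once and close the session again; required before C_InitToken on tokens that demand a prior user login. */`.
```c
void fake_login(CK_SLOT_ID slot)
{
	CK_RV rv;
	CK_SESSION_HANDLE session;

	rv = p11->C_OpenSession(slot, CKF_SERIAL_SESSION | CKF_RW_SESSION,
			NULL, NULL, &session);
	if (rv != CKR_OK)
		p11_fatal("C_OpenSession", rv);
	if (login(session, 0) != 0) {
		p11->C_CloseSession(session);
		fatal("User login failed\n");
	}
	rv = p11->C_CloseSession(session);
	if (rv != CKR_OK)
		p11_fatal("C_CloseSession", rv);
}
```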
@@ -787,13 +821,15 @@
char new_buf[21], *new_pin = NULL;
CK_TOKEN_INFO info;
CK_RV rv;
+ CK_SESSION_HANDLE session; // cko
if (!opt_object_label)
fatal("The token label must be specified using --label\n");
snprintf(token_label, sizeof (token_label), "%-32.32s",
opt_object_label);
-
+
get_token_info(slot, &info);
+
if (!(info.flags & CKF_PROTECTED_AUTHENTICATION_PATH)) {
if (opt_so_pin == NULL) {
new_pin = getpass("Please enter the new SO PIN: ");
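Review bot: `CK_SESSION_HANDLE session; // cko` is declared but never used in `init_token` now that the login has moved into `fake_login`, so it only produces an unused-variable warning; remove it together with the whitespace-only changes in this hunk, which then becomes empty. `init_token` continues past the end of the hunk.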
@@ -877,6 +913,15 @@
}
}
+ /* cko: first we need to login to the token! */
+ /* This would only be necessary, if we would not use the -l option (see
above)
+ I guess, this hurts noone!?
+ */
+// rv = p11->C_Login(sess, CKU_USER ...and sometimes CKU_SO,
(CK_UTF8CHAR *) old_pin, old_pin == NULL ? 0 : strlen(old_pin));
+// if (rv != CKR_OK)
+// p11_fatal("C_Login", rv);
+ /* end */
+
rv = p11->C_SetPIN(sess,
(CK_UTF8CHAR *) old_pin, old_pin == NULL ? 0 : strlen(old_pin),
(CK_UTF8CHAR *) new_pin, new_pin == NULL ? 0 : strlen(new_pin));