Hi Daniel,

the card is known by opensc 0.11.2-svn-r3173 but still unusable. I've got the same reader and card version and have no trouble using the opensc-explorer:

opensc-tool --reader 0 --atr
3b:f2:18:00:02:c1:0a:31:fe:58:c8:08:74

opensc-tool --reader 0 --name
CardOS M4

$ opensc-explorer
OpenSC Explorer version 0.11.2-svn-r3173
OpenSC [3F00]> exit

But the card is still unusable, because the initialization and creation of a pkcs15 structure doesn't work:

$ pkcs15-init -E
Unspecified PIN [reference 116] required.
Please enter Unspecified PIN [reference 116]:
[pkcs15-init] apdu.c:341:sc_check_apdu: Invalid Case 3 short APDU: cse=03 cla=00 ins=20 p1=00 p2=f4 lc=0 le=0 resp=(nil) resplen=0 data=0xbfde82ca datelen=0
[pkcs15-init] iso7816.c:963:iso7816_pin_cmd: APDU transmit failed: Invalid arguments
[pkcs15-init] sec.c:201:sc_pin_cmd: returning with: Invalid arguments
[pkcs15-init] pkcs15-lib.c:3088:do_get_and_verify_secret: Failed to verify PIN (ref=0x74)
Failed to erase card: Invalid arguments

There is no such pin on the card!

$ pkcs15-init --create-pkcs15 -v -v -v
...
[pkcs15-init] card.c:221:sc_connect_card: card info: CardOS M4, 1004, 0x0
[pkcs15-init] card.c:222:sc_connect_card: returning with: 0
...
[pkcs15-init] profile.c:317:sc_profile_load: Trying profile file /usr/share/opensc/pkcs15.profile
[pkcs15-init] profile.c:325:sc_profile_load: profile /usr/share/opensc/pkcs15.profile loaded ok
[pkcs15-init] profile.c:317:sc_profile_load: Trying profile file /usr/share/opensc/cardos.profile
[pkcs15-init] profile.c:325:sc_profile_load: profile /usr/share/opensc/cardos.profile loaded ok
About to create PKCS #15 meta structure.
New Security Officer PIN (Optional - press return for no PIN).
Please enter Security Officer PIN:
Please type again to verify:
Unblock Code for New User PIN (Optional - press return for no PIN).
Please enter User unblocking PIN (PUK):
Please type again to verify:
[pkcs15-init] card.c:532:sc_select_file: called; type=2, path=3f00
[pkcs15-init] card-cardos.c:396:cardos_select_file: called
[pkcs15-init] card-cardos.c:400:cardos_select_file: returning with: 0
[pkcs15-init] card.c:554:sc_select_file: returning with: 0
[pkcs15-init] pkcs15-lib.c:3244:sc_pkcs15init_authenticate: path=3f00, op=3
[pkcs15-init] card.c:668:sc_card_ctl: called
[pkcs15-init] card-cardos.c:863:cardos_lifecycle_set: called
[pkcs15-init] card-cardos.c:817:cardos_lifecycle_get: called
[pkcs15-init] card-cardos.c:851:cardos_lifecycle_get: returning with: 0
[pkcs15-init] card-cardos.c:887:cardos_lifecycle_set: returning with: 0
[pkcs15-init] card.c:678:sc_card_ctl: returning with: 0
[pkcs15-init] card.c:362:sc_create_file: called; type=2, path=3f005015, size=4096
[pkcs15-init] card-cardos.c:607:cardos_create_file: called
[pkcs15-init] card-cardos.c:503:cardos_construct_fcp: called
[pkcs15-init] card-cardos.c:229:cardos_check_sw: Unknown SWs; SW1=6A, SW2=8A
[pkcs15-init] card.c:367:sc_create_file: returning with: Card command failed
Failed to create PKCS #15 meta structure: Card command failed
[pkcs15-init] card.c:236:sc_disconnect_card: called
[pkcs15-init] card.c:251:sc_disconnect_card: returning with: 0
[pkcs15-init] ctx.c:736:sc_release_context: called

But initialization under Windows works and I've got:

$ opensc-explorer
OpenSC Explorer version 0.11.2-svn-r3173
OpenSC [3F00]> ls
FileID  Type  Size
[5015]    DF    80  Name: \xA0\x00\x00\x00cPKCS-15
OpenSC [3F00]> cd 5015
OpenSC [3F00/5015]> ls
FileID  Type  Size
 5600    wEF    48
 5031    wEF    40
 5032    wEF   281
 4408    wEF   422
 4400    wEF  1024
[5072]    DF   128
 4401    wEF  1024
[5075]    DF   128
 4404    wEF  1024
[4304]    DF   128
 4407    wEF  1024
[4444]    DF   128

After initialization there are three PINs on the card:

$ pkcs15-tool -D
PKCS#15 Card [Sandros Testkarte 1]:
    Version        : 1
    Serial number  :
    Manufacturer ID: Siemens AG (C)
    Flags          : Login required, PRN generation

PIN [PIN]
    Com. Flags: 0x3
    ID        : 01
    Flags     : [0x11], case-sensitive, initialized
    Length    : min_len:4, max_len:16, stored_len:0
    Pad char  : 0x00
    Reference : 129
    Type      : UTF-8
    Path      :

PIN [SO-PIN]
    Com. Flags: 0x3
    ID        : 02
    Flags     : [0x99], case-sensitive, unblock-disabled, initialized, soPin
    Length    : min_len:4, max_len:16, stored_len:0
    Pad char  : 0x00
    Reference : 130
    Type      : UTF-8
    Path      :

PIN [Secondary Authentication PIN]
    Com. Flags: 0x3
    ID        : 03
    Flags     : [0x13], case-sensitive, local, initialized
    Length    : min_len:4, max_len:16, stored_len:0
    Pad char  : 0x00
    Reference : 144
    Type      : UTF-8
    Path      :

But with opensc I can't generate a usable keypair on the card nor transfer a pkcs12 file with certificates and private key to the card. The generation works like this:

$ pkcs11-tool --keypairgen -l
Please enter User PIN:
Key pair generated:
Private Key Object; RSA
  label:
  Usage:      decrypt, sign, unwrap
Public Key Object; RSA 768 bits
  label:
  Usage:      encrypt, verify, wrap

But there is only a private key on the card and no public key nor any certificates.

$ pkcs11-tool -l -t
Please enter User PIN:
C_SeedRandom() and C_GenerateRandom():
  not implemented
Digests:
  all 4 digest functions seem to work
  MD5: OK
  SHA-1: OK
  RIPEMD160: OK
Signatures (currently only RSA signatures)
  testing key 0 (wefel)
[opensc-pkcs11] card-cardos.c:806:cardos_compute_signature: returning with: Internal error
[opensc-pkcs11] sec.c:53:sc_compute_signature: returning with: Internal error
[opensc-pkcs11] pkcs15-sec.c:248:sc_pkcs15_compute_signature: sc_compute_signature() failed: Internal error
error: PKCS11 function C_SignFinal failed: rv = CKR_GENERAL_ERROR (0x5)

Aborting.

Checking with opensc-explorer shows no certificates nor pubkeys. This also happens with the pkcs11 library from Siemens:

$ pkcs11-tool --module /usr/local/lib/libsiecap11.so --keypairgen --key-type rsa:1024 -l

The same error during the test with or without using the Siemens library.

Transfer from a pkcs12 file also shows errors:

$ pkcs15-init -S newcert.p12 -f PKCS12 --auth-id 01 --split-key
error:23076071:PKCS12 routines:PKCS12_parse:mac verify failure
Please enter passphrase to unlock secret key:
Importing 2 certificates:
  0: /C=DE/O=MLU/OU=people/CN=Sandro Wefel/[EMAIL PROTECTED]/x500UniqueIdentifier=wefel
  1: /C=DE/L=Halle/O=MLU/OU=UZI/CN=ca.uzi.uni-halle.de/[EMAIL PROTECTED]
[pkcs15-init] card-cardos.c:224:cardos_check_sw: required access right not granted
[pkcs15-init] card-cardos.c:913:cardos_put_data_oci: Card returned error: Security status not satisfied
[pkcs15-init] card.c:678:sc_card_ctl: returning with: Security status not satisfied
Failed to store private key: Security status not satisfied

The transfer works in Windows with the HiPath SIcurity Card Viewer. After that I've got:

$ pkcs15-tool -D
... PINs, etc. ...

Private RSA Key [wefel]
    Com. Flags  : 3
    Usage       : [0x26], decrypt, sign, unwrap
    Access Flags: [0x9], sensitive, neverExtract
    ModLength   : 2048
    Key ref     : 1
    Native      : yes
    Path        : 3f00501550724b015501
    Auth ID     : 01
    ID          : af2c65e7e37e13c1705e398b43fca8a9

X.509 Certificate [wefel]
    Flags    : 2
    Authority: no
    Path     : 3f00501543044301
    ID       : af2c65e7e37e13c1705e398b43fca8a9

X.509 Certificate [EMAIL PROTECTED]
    Flags    : 2
    Authority: no
    Path     : 3f00501543044302
    ID       : 58c3b6ee15e8d658194b9a0f72e52128

But the usage fails with the same problem. It seems that there is no assignment between the private key and the certificate:

$ pkcs11-tool -t -l --module /usr/local/lib/libsiecap11.so
Please enter User PIN:
C_SeedRandom() and C_GenerateRandom():
  seeding (C_SeedRandom) not supported
  ERR: C_GenerateRandom(,NULL,) failed: CKR_ARGUMENTS_BAD (0x7)
Digests:
  all 4 digest functions seem to work
  MD5: OK
  SHA-1: OK
Signatures (currently only RSA signatures)
  testing key 0 (wefel)
  coudn't find the corresponding pubkey
error: PKCS11 function C_SignUpdate failed: rv = CKR_OPERATION_NOT_INITIALIZED (0x91)

Aborting.

$ pkcs11-tool -t -l
Please enter User PIN:
C_SeedRandom() and C_GenerateRandom():
  not implemented
Digests:
  all 4 digest functions seem to work
  MD5: OK
  SHA-1: OK
  RIPEMD160: OK
Signatures (currently only RSA signatures)
  testing key 0 (wefel)
[opensc-pkcs11] card-cardos.c:806:cardos_compute_signature: returning with: Internal error
[opensc-pkcs11] sec.c:53:sc_compute_signature: returning with: Internal error
[opensc-pkcs11] pkcs15-sec.c:248:sc_pkcs15_compute_signature: sc_compute_signature() failed: Internal error
error: PKCS11 function C_SignFinal failed: rv = CKR_GENERAL_ERROR (0x5)

Aborting.

Regards,
Sandro

Daniel Weller wrote:
> Hi Eddy,
>
> thanks for the tip - I just repeated the experiment using the current
> rev. 3191: The result was the same.
>
> On 6/28/07, *Eddy Nigg (StartCom Ltd.)* <[EMAIL PROTECTED]
> <mailto:[EMAIL PROTECTED]>> wrote:
>
> Hi Daniel,
>
> Did you use the latest checkout from the trunk? A patch was added to
> recognize higher versions, which doesn't mean however that there
> still might be a problem for 4.3B
>
> Daniel Weller wrote:
>> Hi all,
>>
>> I've been using the opensc CLI tools for some time together with
>> the Siemens CardAPI pkcs11 library. As the Linux version of
>> CardAPI has some, in my opinion, severe drawbacks (e.g. no support
>> for protected authentication path, no support for C_InitToken), I
>> would like to switch to the opensc driver, which should provide
>> these missing features. Unfortunately, so far I was unsuccessful -
>> I tried initializing an uninitialized (i.e. untouched by CardAPI)
>> card: opensc 0.11.2 recognizes it, but cannot initialize it:
>>
>> # opensc-tool -l
>> Readers known about:
>> Nr.    Driver     Name
>> 0      pcsc       Cherry XX44 00 00
>>
>> # opensc-tool --reader 0 --atr
>> 3b:f2:18:00:02:c1:0a:31:fe:58:c8:08:74
>>
>> # opensc-tool --reader 0 --name
>> CardOS M4
>>
>> # opensc-explorer
>> OpenSC Explorer version 0.11.2
>> card-cardos.c:224:cardos_check_sw: ins invalid
>> iso7816.c:464:iso7816_select_file: returning with: Unsupported INS
>> byte in APDU
>> card-cardos.c:400:cardos_select_file: returning with: Unsupported
>> INS byte in APDU
>> card.c:554:sc_select_file: returning with: Unsupported INS byte in
>> APDU
>> unable to select MF: Unsupported INS byte in APDU
>>
>> # pkcs15-init --create-pkcs15 -v -v -v
>> sc.c:196:sc_detect_card_presence: called
>> sc.c:201:sc_detect_card_presence: returning with: 1
>> Connecting to card in reader Cherry XX44 00 00...
>> card.c:110:sc_connect_card: called
>> reader-pcsc.c:542:pcsc_connect: Requesting reader features ...
>> reader-pcsc.c:576:pcsc_connect: Reader supports pinpad PIN
>> verification
>> reader-pcsc.c:586:pcsc_connect: Reader supports pinpad PIN
>> modification
>> card.c:221:sc_connect_card: card info: CardOS M4, 1004, 0x0
>> card.c:222:sc_connect_card: returning with: 0
>> Using card driver Siemens CardOS.
>> card.c:668:sc_card_ctl: called
>> card-cardos.c:863:cardos_lifecycle_set: called
>> card-cardos.c:817:cardos_lifecycle_get: called
>> card-cardos.c:851:cardos_lifecycle_get: returning with: 0
>> card.c:678:sc_card_ctl: returning with: 0
>> card.c:532:sc_select_file: called; type=2, path=3f0050154946
>> card-cardos.c:396:cardos_select_file: called
>> card-cardos.c:224:cardos_check_sw: ins invalid
>> iso7816.c:464:iso7816_select_file: returning with: -1204
>> card-cardos.c:400:cardos_select_file: returning with: -1204
>> card.c:554:sc_select_file: returning with: -1204
>> profile.c:317:sc_profile_load: Trying profile file
>> /usr/local/share/opensc/pkcs15.profile
>> profile.c:325:sc_profile_load: profile
>> /usr/local/share/opensc/pkcs15.profile loaded ok
>> profile.c:317:sc_profile_load: Trying profile file
>> /usr/local/share/opensc/cardos.profile
>> profile.c:325:sc_profile_load: profile
>> /usr/local/share/opensc/cardos.profile loaded ok
>> About to create PKCS #15 meta structure.
>> New Security Officer PIN (Optional - press return for no PIN).
>> Please enter Security Officer PIN:
>> Please type again to verify:
>> Unblock Code for New User PIN (Optional - press return for no PIN).
>> Please enter User unblocking PIN (PUK):
>> Please type again to verify:
>> card.c:532:sc_select_file: called; type=2, path=3f00
>> card-cardos.c:396:cardos_select_file: called
>> card-cardos.c:224:cardos_check_sw: ins invalid
>> iso7816.c:464:iso7816_select_file: returning with: -1204
>> card-cardos.c:400:cardos_select_file: returning with: -1204
>> card.c:554:sc_select_file: returning with: -1204
>> Failed to create PKCS #15 meta structure: Unsupported INS byte in APDU
>> card.c:236:sc_disconnect_card: called
>> card.c:251:sc_disconnect_card: returning with: 0
>> ctx.c:736:sc_release_context: called
>> reader-openct.c:180:openct_reader_release: called
>> reader-openct.c:180:openct_reader_release: called
>> reader-openct.c:180:openct_reader_release: called
>> reader-openct.c:180:openct_reader_release: called
>> reader-openct.c:180:openct_reader_release: called
>> reader-openct.c:165:openct_reader_finish: called
>>
>>
>> So, what gives? It appears that opensc can't find some file on the
>> smartcard, but I am unsure about that. If anyone can give me some
>> insight into what went wrong, I'll be glad to try and produce a
>> patch.
>>
>> regards,
>> Daniel
>> ------------------------------------------------------------------------
>>

-- 
_/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/
Dipl.-Inform. Sandro Wefel          Tel : ++49 +345 5524766
Universitätszentrum Informatik      Fax : ++49 +345 5527009
Martin Luther Universitaet Halle
D-06099 Halle (Saale), Germany      email: [EMAIL PROTECTED]
WWW : http://informatik.uni-halle.de/wefel
Fingerprint : BBF3 CBD8 BC9D F1FE 18BF F67E 486A 6101 44D4 9263
_/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
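
The first failure in the `pkcs15-init -E` log above ("Invalid Case 3 short APDU ... lc=0 ... datelen=0") is reported by `sc_check_apdu` as "Invalid arguments", not as a status word from the card. The following is an added example, not code from OpenSC or from this thread: a minimal consistency check following the ISO 7816-4 short-APDU cases, applied to the logged VERIFY header; the struct, the function names and the sample PIN bytes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical descriptor named after the log fields; not OpenSC's struct. */
struct apdu {
    int cse;                                  /* ISO 7816-4 case 1..4, short form */
    unsigned char cla, ins, p1, p2;
    size_t lc, le;                            /* command / expected response length */
    const unsigned char *data; size_t datalen;
    unsigned char *resp; size_t resplen;
};

/* Command data: absent for cases 1 and 2, 1..255 bytes for cases 3 and 4. */
static int data_ok(const struct apdu *a, int wanted)
{
    return wanted ? (a->data != NULL && a->lc >= 1 && a->lc <= 255 && a->datalen == a->lc)
                  : (a->lc == 0 && a->datalen == 0);
}

/* Response: absent for cases 1 and 3, a buffer for Le <= 256 for cases 2 and 4. */
static int resp_ok(const struct apdu *a, int wanted)
{
    return wanted ? (a->resp != NULL && a->le <= 256 && a->resplen >= a->le)
                  : (a->le == 0);
}

/* Returns 0 when the fields match the declared case, -1 otherwise. */
int check_short_apdu(const struct apdu *a)
{
    if (a->cse < 1 || a->cse > 4)
        return -1;
    int want_data = (a->cse == 3 || a->cse == 4);
    int want_resp = (a->cse == 2 || a->cse == 4);
    return (data_ok(a, want_data) && resp_ok(a, want_resp)) ? 0 : -1;
}

/* The logged VERIFY header (cla=00 ins=20 p1=00 p2=f4) with a len-byte PIN field. */
int verify_apdu_ok(const unsigned char *pin, size_t len)
{
    struct apdu a = {3, 0x00, 0x20, 0x00, 0xf4, len, 0, pin, len, NULL, 0};
    return check_short_apdu(&a) == 0;
}

int main(void)
{
    static const unsigned char pin[8] = {'1', '2', '3', '4'}; /* constructed sample */
    printf("lc=0: %d, lc=8: %d\n", verify_apdu_ok(pin, 0), verify_apdu_ok(pin, 8));
    return 0;
}
```

With lc=0 the Case 3 command is rejected exactly as in the log, while the same header with a non-empty data field passes the check.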