On Mar 22, 2009, at 11:36 AM, Henry B. Hotz wrote:
>
> On Mar 21, 2009, at 2:26 AM, Martin Paljak wrote:
>
>> On 21.03.2009, at 2:34, Henry B. Hotz wrote:
>>
>>
>>> I'm willing to do some debugging, if someone will tell me what to
>>> look at. Maybe where to put syslog calls in a custom build?
>>
>> You can run the PIV tokend in debug mode but that won't help you, as
>> there is no way you can modify the PIV tokend.
>
>
> How do I run the OpenSC tokend in "debug mode"? I just found a log
> file in /tmp that seems relevant, but it doesn't seem to contain
> anything that looks like a smoking gun. Should I look more
> carefully? Maybe truncate it before the relevant test?

Been looking at /tmp/opensc-tokend.log some. When I just try to unlock
the card from the keychain icon in the menu bar it shows this:

In OpenSCToken::getAcl()
In OpenSCKeyRecord::getOwner()
In OpenSCKeyRecord::getAcl, tag is: (null)
DB read for a reference key object is always OK
auth_id for PIN: 01, pinNum = 1
retuning 2 ACL entries
In OpenSCKeyHandle:: OpenSCKeyHandle()
In OpenSCToken::getAcl()

...which gives no errors, but doesn't change any of the lock icons.

When I try to use it to log in it shows this:

In OpenSCToken::getAcl()
In OpenSCToken::verifyPIN(1)
In OpenSCToken::_verifyPIN(), PIN num is: 1
sc_pkcs15_get_objects(pin_id=01): 2
In OpenSCToken::verify returned -1304 for pin 1
In OpenSCToken::getAcl()
In OpenSCToken::getAcl()
In OpenSCToken::verifyPIN(1)
In OpenSCToken::_verifyPIN(), PIN num is: 1
sc_pkcs15_get_objects(pin_id=01): 2
In OpenSCToken::verify returned 0 for pin 1
About to call BEGIN()
In OpenSCKeyRecord::getOwner()
In OpenSCKeyRecord::getAcl, tag is: (null)
DB read for a reference key object is always OK
auth_id for PIN: 01, pinNum = 1
retuning 2 ACL entries
In OpenSCKeyHandle:: OpenSCKeyHandle()
In OpenSCKeyRecord::getOwner()
In OpenSCKeyRecord::getAcl, tag is: (null)
retuning 2 ACL entries
In OpenSCToken::getAcl()
In OpenSCKeyHandle::generateSignature()
type == CSSM_ALGCLASS_SIGNATURE
algorithm == CSSM_ALGID_RSA
Using SHA1, length is 20
PKCS#1 padding
sc_pkcs15_compute_signature(): rv = -1303
In OpenSCToken::getAcl()

...which is different. Login fails and it shakes the dialog box.

The debug security log info is:

Mar 22 20:40:25 laphotz com.apple.SecurityServer[24]: token inserted into reader SCM SCR 331 00 00
Mar 22 20:40:25 laphotz com.apple.SecurityServer[24]: reader SCM SCR 331 00 00 inserted token "PIV_II" (PIV_IId08210d84144ed90a11315a1685835e67286a2a1808289d7ed) subservice 4 using driver com.apple.tokend.opensc
Mar 22 20:40:26 laphotz SecurityAgent[62517]: Showing Login Window
Mar 22 20:40:30 laphotz SecurityAgent[62517]: User info context values set for hotz
Mar 22 20:40:30 laphotz com.apple.SecurityServer[24]: securityd ignoring SIGPIPE received
Mar 22 20:40:30 laphotz authorizationhost[62516]: failed to sign data (-2147416054)
Mar 22 20:40:32 laphotz com.apple.SecurityServer[24]: reader SCM SCR 331 00 00 removed token "PIV_II" (PIV_IId08210d84144ed90a11315a1685835e67286a2a1808289d7ed) subservice 4

------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
henry.b.h...@jpl.nasa.gov, or hbh...@oxy.edu

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel