On Sep 10, 2009, at 1:06 PM, Miller, Timothy J. wrote:


On Sep 4, 2009, at 1:50 PM, Ludovic Rousseau wrote:

This is not directly related to the problem but Apple now provides a
PKCS#11 in /usr/libexec/SmartCardServices/pkcs11/tokendPKCS11.so

It's this tokend module that's failing for me causing me to want to put OpenSC *back* on the system. Any signing attempt with tokendPKCS11.so gives me the following (output from Firefox running with NSS_DEBUG_PKCS11_MODULE set):

-1335791616[1a63a0e0]: C_OpenSession
-1335791616[1a63a0e0]:   slotID = 0x0
-1335791616[1a63a0e0]:   flags = 0x4
-1335791616[1a63a0e0]:   pApplication = 0x1a99800
-1335791616[1a63a0e0]:   Notify = 0x10af9b3
-1335791616[1a63a0e0]:   phSession = 0xb061667c
-1335791616[1a63a0e0]:   *phSession = 0x2
-1335791616[1a63a0e0]:   rv = CKR_OK
-1335791616[1a63a0e0]: C_SignInit
-1335791616[1a63a0e0]:   hSession = 0x2
-1335791616[1a63a0e0]:   pMechanism = 0xb06166cc
-1335791616[1a63a0e0]:   hKey = 0x2
-1335791616[1a63a0e0]:       mechanism = CKM_RSA_PKCS
-1335791616[1a63a0e0]:   rv = CKR_OK
-1335791616[1a63a0e0]: C_Sign
-1335791616[1a63a0e0]:   hSession = 0x2
-1335791616[1a63a0e0]:   pData = 0xb061679c
-1335791616[1a63a0e0]:   ulDataLen = 36
-1335791616[1a63a0e0]:   pSignature = 0x1b8c9240
-1335791616[1a63a0e0]:   pulSignatureLen = 0xb06166d8
-1335791616[1a63a0e0]:   *pulSignatureLen = 0x80
-1335791616[1a63a0e0]:   rv = CKR_FUNCTION_FAILED
-1335791616[1a63a0e0]: C_CloseSession
-1335791616[1a63a0e0]:   hSession = 0x2
-1335791616[1a63a0e0]:   rv = CKR_OK

This results in SSL_ERROR_SIGN_HASHES_FAILURE.

Also:

stovetop:bin tmiller$ ./pkcs11-tool --module /usr/libexec/SmartCardServices/pkcs11/tokendPKCS11.so -L
Available slots:
Slot 0           Apple Tokend
 token label:   CAC-4070-5072-3446-0000-6368
 token manuf:   unknown
 token model:   unknown
 token flags:   readonly, token initialized
 serial num  :  0
Slot 1           (empty)
Slot 2           (empty)
Slot 3           (empty)

stovetop:bin tmiller$ ./pkcs11-tool --module /usr/libexec/SmartCardServices/pkcs11/tokendPKCS11.so -M
Supported mechanisms:
 RSA-PKCS, sign, decrypt
 RSA-X-509, sign, decrypt

stovetop:bin tmiller$ ./pkcs11-tool -tl --module /usr/libexec/SmartCardServices/pkcs11/tokendPKCS11.so
C_SeedRandom() and C_GenerateRandom():
 seeding (C_SeedRandom) not supported
 ERR: C_GenerateRandom failed: CKR_FUNCTION_NOT_SUPPORTED (0x54)
Digests: not implemented
Signatures (currently only RSA signatures)
 testing key 0 (Identity Private Key)
 Note: C_SignUpdate(), SignFinal() not supported
error: PKCS11 function C_Sign failed: rv = CKR_FUNCTION_FAILED (0x6)

Aborting.

Interestingly, this is now working with the PIV.tokend in control where it wasn't earlier. FF did update today, so maybe something changed there. Anyway, same commands, same card:

stovetop:bin tmiller$ ./pkcs11-tool --module /usr/libexec/SmartCardServices/pkcs11/tokendPKCS11.so -L
Available slots:
Slot 0           Apple Tokend
  token label:   PIV-MILLER.TIMOTHY.J.1019052784
  token manuf:   unknown
  token model:   unknown
  token flags:   readonly, token initialized
  serial num  :  0
Slot 1           (empty)
Slot 2           (empty)
Slot 3           (empty)
stovetop:bin tmiller$ ./pkcs11-tool --module /usr/libexec/SmartCardServices/pkcs11/tokendPKCS11.so -M
Supported mechanisms:
  RSA-PKCS, sign, decrypt
  RSA-X-509, sign, decrypt
stovetop:bin tmiller$ ./pkcs11-tool --module /usr/libexec/SmartCardServices/pkcs11/tokendPKCS11.so -tl
C_SeedRandom() and C_GenerateRandom():
  seeding (C_SeedRandom) not supported
  ERR: C_GenerateRandom failed: CKR_FUNCTION_NOT_SUPPORTED (0x54)
Digests: not implemented
Signatures (currently only RSA signatures)
  testing key 0 (PIV Authentication Private Key)
  Note: C_SignUpdate(), SignFinal() not supported
  testing signature mechanisms:
    RSA-X-509: ERR: verification failed
    RSA-PKCS: OK
testing key 1 (1024 bits, label=Key Management Private Key) with 1 signature mechanism
    RSA-PKCS: OK
Verify: not implemented
Unwrap: not implemented
Decryption (RSA)
  testing key 0 (PIV Authentication Private Key)
    RSA-PKCS: OK
    RSA-X-509: OK
  testing key 1 (Key Management Private Key)
    RSA-PKCS: OK
    RSA-X-509: OK
Testing card detection
Please press return to continue, x to exit:
Available slots:
Slot 0           Apple Tokend
  token label:   PIV-MILLER.TIMOTHY.J.1019052784
  token manuf:   unknown
  token model:   unknown
  token flags:   readonly, token initialized
  serial num  :  0
Slot 1           (empty)
Slot 2           (empty)
Slot 3           (empty)
Please press return to continue, x to exit: x
Testing card detection using C_WaitForSlotEvent
Please press return to continue, x to exit: x
2 errors
stovetop:bin tmiller$

-- Tim



_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
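
Added example, not part of the original message and not OpenSC or NSS code: a small Python parser for traces in the NSS_DEBUG_PKCS11_MODULE layout quoted above. It groups lines per thread into calls and reports every call whose rv is not CKR_OK, together with the mechanism set by the preceding C_*Init on the same session. The function names and the sample trace are constructed for illustration.

```python
import re

# Constructed sample in the NSS_DEBUG_PKCS11_MODULE layout quoted in the message.
SAMPLE_TRACE = """\
-1335791616[1a63a0e0]: C_SignInit
-1335791616[1a63a0e0]:   hSession = 0x2
-1335791616[1a63a0e0]:   hKey = 0x2
-1335791616[1a63a0e0]:       mechanism = CKM_RSA_PKCS
-1335791616[1a63a0e0]:   rv = CKR_OK
-1335791616[1a63a0e0]: C_Sign
-1335791616[1a63a0e0]:   hSession = 0x2
-1335791616[1a63a0e0]:   ulDataLen = 36
-1335791616[1a63a0e0]:   *pulSignatureLen = 0x80
-1335791616[1a63a0e0]:   rv = CKR_FUNCTION_FAILED
"""

LINE = re.compile(r"^(-?\d+\[[0-9a-fA-F]+\]):\s+(.*\S)\s*$")  # thread prefix, body
CALL = re.compile(r"^C_\w+$")                                  # e.g. C_Sign
PARAM = re.compile(r"^(\*?\w+) = (.*)$")                       # e.g. *phSession = 0x2

def parse_calls(trace):
    """Group lines into calls per thread prefix; a call is complete at its rv line."""
    open_calls, done = {}, []
    for raw in trace.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        thread, body = m.groups()
        p = PARAM.match(body)
        if CALL.match(body):
            open_calls[thread] = {"func": body, "args": {}, "rv": None}
        elif p and thread in open_calls and p.group(1) == "rv":
            call = open_calls.pop(thread)
            call["rv"] = p.group(2)
            done.append(call)
        elif p and thread in open_calls:
            open_calls[thread]["args"][p.group(1)] = p.group(2)
    return done

def failures_with_context(calls):
    """Return (func, rv, mechanism, args) for each call that did not return CKR_OK."""
    mech_by_session, out = {}, []
    for c in calls:
        sess = c["args"].get("hSession")
        if c["func"].endswith("Init") and c["rv"] == "CKR_OK":
            mech_by_session[sess] = c["args"].get("mechanism")
        if c["rv"] != "CKR_OK":
            out.append((c["func"], c["rv"], mech_by_session.get(sess), c["args"]))
    return out
```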
