I'm trying to use the opensc tokend in OS X 10.6.2. The first step is to 
compile a working Tokend. By following instructions at [1] I was able to build 
the Tokend project, then incorporate the OpenSC.tokend source into that project 
and build it also, for x86_64 arch, using libopensc from the sca 0.3.0-pre3 
release and applying the patches from [2].

The tokend built in this way can't use a signing certificate from a smartcard 
to sign e-mail as it fails with the same error, "CSSM_SignData returned: 
8001082E" as seen in [3]. It looks like the card is never actually asked to 
sign the data, as the tokend never logs messages relating to the 
OpenSCKeyHandle::generateSignature() method being called and the light on the 
card reader never blinks.

I tried the fix described in [4], adding a "PIN1" tag to the key record's ACL, 
which improves things slightly - generateSignature() is now called, but fails 
due to the card's security status not being satisfactory. The relevant part of 
the tokend's log file is:

In OpenSCKeyHandle::generateSignature()
  type == CSSM_ALGCLASS_SIGNATURE
  algorithm == CSSM_ALGID_RSA
  Using SHA1, length is 20
  PKCS#1 padding
  Signing buffers: inlen=20, outlen=256
  not (longer) logged in, trying to do it now (again)
  OpenSCToken::verifyCachedPin(): r = 0
  sc_pkcs15_compute_signature(): rv = -1211

Looking at the code [5], the tokend seems to try a sc_pkcs15_compute_signature 
operation, see that it failed due to SC_ERROR_SECURITY_STATUS_NOT_SATISFIED, 
then locks the card with sc_lock, performs a verify pin operation with a cached 
PIN (which returns 0) then tries another sc_pkcs15_compute_signature operation. 
Given that the verify pin operation returned 0, I'd expect the second try to 
succeed but it also fails and returns SC_ERROR_SECURITY_STATUS_NOT_SATISFIED.
The card is a Feitian-PKI card using the entersafe driver and pkcs15+onepin 
profile. There's only one each of PIN, certificate and associated private key 
on the card, I'm trying to get the tokend working with the simplest case 
possible to start with. Is there anything that the tokend might be 'forgetting' 
to do when signing... or anything in the arguments to 
sc_pkcs15_compute_signature that could cause it to fail even after successfully 
verifying the PIN?

[1] http://smartcardservices.macosforge.org/trac/wiki/documentation/building
[2] http://www.opensc-project.org/pipermail/opensc-devel/2009-September/012746.html
[3] http://lists.macosforge.org/pipermail/tokend-dev/2009-September/000015.html
[4] http://lists.macosforge.org/pipermail/smartcardservices-changes/2010-February/000109.html
[5] http://www.opensc-project.org/sca/browser/trunk/opensc.tokend/OpenSC/OpenSCKeyHandle.cpp#L136
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
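One check worth making before digging further into the tokend's retry path is whether the PIN that verifyCachedPin() verifies is the PIN object the key's PKCS#15 record actually references, and whether the key is flagged for signing at all. The script below is an added example, not code from the post above or from the OpenSC project: it parses output in the style of `pkcs15-tool --dump` and cross-references each private key's Auth ID against the PIN objects found on the card. The embedded dump is constructed (it is not real card output) so the script runs without a reader, and the attribute labels ("ID", "Auth ID", "Usage") are assumed from OpenSC's pkcs15-tool and may differ between OpenSC versions; on a real card, substitute the actual `pkcs15-tool --dump` output.

```python
"""
Cross-check, from pkcs15-tool style output, which PIN object protects which
private key and whether the key is marked usable for signing.

Added illustration, not code from the original post or from OpenSC.  The
embedded sample is constructed in the style of `pkcs15-tool --dump`; the
attribute labels are assumed from OpenSC's pkcs15-tool and may vary by version.
"""
import re

# Constructed sample in the style of `pkcs15-tool --dump` (not real card output):
# one PIN, one private key, one certificate, i.e. the simplest case in the post.
SAMPLE_DUMP = """\
PKCS#15 Card [OpenSC Card]:
    Version        : 0
    Serial number  : 0000000000000000
    Manufacturer ID: Feitian
    Flags          : 0

PIN [User PIN]
    Object Flags   : [0x3], private, modifiable
    ID             : 01
    Flags          : [0x32], local, initialized, needs-padding
    Length         : min_len:4, max_len:16, stored_len:16
    Reference      : 1
    Type           : ascii-numeric
    Path           : 3F005015

Private RSA Key [Private Key]
    Object Flags   : [0x3], private, modifiable
    Usage          : [0x2E], decrypt, sign, signRecover, unwrap
    Access Flags   : [0x1D], sensitive, alwaysSensitive, neverExtract, local
    ModLength      : 2048
    Key ref        : 0
    Native         : yes
    Path           : 3F005015
    Auth ID        : 01
    ID             : 45

X.509 Certificate [Certificate]
    Object Flags   : [0x0]
    Authority      : no
    Path           : 3F0050154301
    ID             : 45
"""

# Constructed variant: the key's Auth ID points at a PIN object that does not exist,
# which is the situation where verifying "the" PIN does not unlock the key.
MISMATCHED_DUMP = SAMPLE_DUMP.replace("Auth ID        : 01", "Auth ID        : 02")

# Object header lines look like:  Kind [label]   (optionally followed by a colon)
HEADER_RE = re.compile(r"^([^\[]+?)\s*\[(.*)\]:?\s*$")


def parse_dump(text):
    """Split pkcs15-tool style output into objects of {'kind', 'label', 'attrs'}."""
    objects, current = [], None
    for raw in text.splitlines():
        if not raw.strip():
            current = None                      # blank line ends the object
            continue
        if raw[0] not in " \t":                 # unindented line: new object
            m = HEADER_RE.match(raw)
            kind, label = (m.group(1), m.group(2)) if m else (raw.strip(), "")
            current = {"kind": kind.strip(), "label": label, "attrs": {}}
            objects.append(current)
        elif current is not None:               # indented "Name : value" line
            name, _, value = raw.strip().partition(":")
            current["attrs"][name.strip()] = value.strip()
    return objects


def check_private_keys(text):
    """Return {key_id: {'auth_id', 'pin', 'problems'}} for every private key."""
    objects = parse_dump(text)
    pins = {o["attrs"].get("ID"): o["label"] for o in objects if o["kind"] == "PIN"}
    report = {}
    for o in objects:
        if not o["kind"].startswith("Private"):
            continue
        attrs = o["attrs"]
        auth_id = attrs.get("Auth ID")
        usage = [u.strip() for u in attrs.get("Usage", "").split(",")]
        problems = []
        if auth_id is None:
            problems.append("key carries no Auth ID, so no PIN object is tied to it")
        elif auth_id not in pins:
            problems.append("Auth ID %s matches no PIN object on the card" % auth_id)
        if "sign" not in usage:
            problems.append("key usage does not include 'sign'")
        report[attrs.get("ID", "?")] = {
            "auth_id": auth_id,
            "pin": pins.get(auth_id),
            "problems": problems,
        }
    return report


if __name__ == "__main__":
    for name, dump in (("sample", SAMPLE_DUMP), ("mismatched", MISMATCHED_DUMP)):
        for key_id, info in check_private_keys(dump).items():
            status = "OK" if not info["problems"] else "; ".join(info["problems"])
            print("%s: key %s -> PIN %r (auth id %s): %s"
                  % (name, key_id, info["pin"], info["auth_id"], status))
```

If the private key's Auth ID does not resolve to the PIN the tokend verifies, a successful verify (r = 0) says nothing about the security status the card requires for that key; that is the kind of mismatch this check surfaces before any tokend code is touched.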
